CloudStack: CLOUDSTACK-2930

[VPC][VMware] Exception while applying the user created ACL with protocol as “All” to a tier.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 4.2.0
    • Fix Version/s: 4.2.0
    • Component/s: Network Controller
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels:
      None

      Description

      Steps:

      1. Have a CS with advanced zone and VMware host.
      2. Create a VPC and a tier network.
      3. Create a Network ACL list and an ACL rule under it with protocol field as “All”.
      4. Apply the rule to the tier.
      Observation:
      Observed the following exception:

      2013-06-11 18:15:48,505 ERROR [utils.ssh.SshHelper] (DirectAgent-137:10.147.40.29) SSH execution of command /opt/cloud/bin/vpc_acl.sh d eth2 -i 10.0.1.1 -m 24 -a Ingress:all:1:65535:0.0.0.0/0:ACCEPT:,Egress:all:1:65535:0.0.0.0/0:ACCEPT:, has an error status code in return. result output: iptables v1.4.14: unknown option "-dport"
      Try `iptables -h' or 'iptables --help' for more information.

      2013-06-11 18:15:48,508 ERROR [vmware.resource.VmwareResource] (DirectAgent-137:10.147.40.29) SetNetworkACLAnswer on domain router 10.147.40.183 failed. message: iptables v1.4.14: unknown option "--dport"
      Try `iptables -h' or 'iptables --help' for more information.

      2013-06-11 18:15:48,510 DEBUG [agent.manager.DirectAgentAttache] (DirectAgent-137:null) Seq 1-1378812142: Response Received:
      2013-06-11 18:15:48,510 DEBUG [agent.transport.Request] (DirectAgent-137:null) Seq 1-1378812142: Processing: { Ans: , MgmtId: 6805241462820, via: 1, Ver: v1, Flags: 0, [{"routing.SetNetworkACLAnswer":{"results":[null,null],"result":false,"wait":0}}] }
      2013-06-11 18:15:48,510 DEBUG [agent.transport.Request] (Job-Executor-15:job-28) Seq 1-1378812142: Received: { Ans: , MgmtId: 6805241462820, via: 1, Ver: v1, Flags: 0,

      { SetNetworkACLAnswer }

      }
      2013-06-11 18:15:48,511 ERROR [cloud.async.AsyncJobManagerImpl] (Job-Executor-15:job-28) Unexpected exception while executing org.apache.cloudstack.api.command.user.network.ReplaceNetworkACLListCmd
      com.cloud.exception.ResourceUnavailableException: Resource [DataCenter:1] is unreachable: Unable to apply network acls on router
      at com.cloud.network.router.VirtualNetworkApplianceManagerImpl.applyRules(VirtualNetworkApplianceManagerImpl.java:3743)
      at com.cloud.network.router.VpcVirtualNetworkApplianceManagerImpl.applyNetworkACLs(VpcVirtualNetworkApplianceManagerImpl.java:717)
      at com.cloud.network.element.VpcVirtualRouterElement.applyNetworkACLs(VpcVirtualRouterElement.java:416)
      at com.cloud.network.vpc.NetworkACLManagerImpl.applyACLItemsToNetwork(NetworkACLManagerImpl.java:409)
      at com.cloud.network.vpc.NetworkACLManagerImpl.applyACLToNetwork(NetworkACLManagerImpl.java:337)
      at com.cloud.network.vpc.NetworkACLManagerImpl.replaceNetworkACL(NetworkACLManagerImpl.java:158)
      at com.cloud.network.vpc.NetworkACLServiceImpl.replaceNetworkACL(NetworkACLServiceImpl.java:233)
      at org.apache.cloudstack.api.command.user.network.ReplaceNetworkACLListCmd.execute(ReplaceNetworkACLListCmd.java:109)
      at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:155)
      at com.cloud.async.AsyncJobManagerImpl$1.run(AsyncJobManagerImpl.java:437)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
      at java.util.concurrent.FutureTask.run(FutureTask.java:166)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
      at java.lang.Thread.run(Thread.java:679)
      2013-06-11 18:15:48,513 DEBUG [cloud.async.AsyncJobManagerImpl] (Job-Executor-15:job-28) Complete async job-28, jobStatus: 2, resultCode: 530, result: Error Code: 530 Error text: Resource [DataCenter:1] is unreachable: Unable to apply network acls on router
      2013-06-11 18:15:50,096 DEBUG [cloud.api.ApiServlet] (catalina-exec-5:null) ===START=== 10.252.192.69 – GET command=queryAsyncJobResult&jobId=c092d23d-ffca-4fa7-b433-54649bc54c49&response=json&sessionkey=ydkJIe0pKVxfZP3S8wS9PfFTNjY%3D&_=1370935298970
      2013-06-11 18:15:50,117 DEBUG [cloud.async.AsyncJobManagerImpl] (catalina-exec-5:null) Async

        Activity

        ASF subversion and git services added a comment -

        Commit 5e56e43e31dae8ec505db9b948dfaa476a96deb8 in branch refs/heads/master from Mice Xia
        [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=5e56e43 ]

        fix CLOUDSTACK-2930, exception while applying ACL rule with protocol as ALL.
        1) change UI, disable startport and endport when protocol=All
        2) validate parameters for API createNetworkACL

        Mice Xia added a comment -

        1) change UI, disable startport and endport when protocol=All ('port' is for layer-4 protocols like tcp and udp)
        2) validate parameters for API createNetworkACL
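
The constraint behind this fix, that start/end ports only apply to layer-4 protocols such as tcp and udp, can also be enforced where a rule string is turned into iptables arguments. The following is an added example, not CloudStack's code: the function names are hypothetical, the field order is inferred from the rule strings in the log above, and mapping Ingress to `-s` and Egress to `-d` is an assumption.

```shell
#!/bin/sh
# Added example. Field order direction:protocol:startport:endport:cidr:action
# is inferred from the rule strings in the log above, not taken from vpc_acl.sh.

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print iptables match/target arguments for one rule; exit status 1 if the
# rule is invalid. The body runs in a subshell, so variables stay local.
acl_rule_to_iptables_args() (
    rule="${1%:}"                      # drop the trailing ':' seen in the log
    IFS=: read -r dir proto sport eport cidr action <<EOF
$rule
EOF
    proto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
    ports=''
    case "$dir" in
        Ingress) addr_flag=-s ;;       # assumption: match source on ingress
        Egress)  addr_flag=-d ;;       # assumption: match destination on egress
        *) exit 1 ;;
    esac
    case "$action" in ACCEPT|DROP) ;; *) exit 1 ;; esac
    case "$cidr" in ''|*[!0-9./]*) exit 1 ;; esac   # digits, dots, slash only
    case "$proto" in
        tcp|udp)
            # Ports are a layer-4 concept: only tcp/udp may carry --dport.
            if [ -n "$sport$eport" ]; then
                is_port "$sport" && is_port "$eport" || exit 1
                [ "$sport" -le "$eport" ] || exit 1
                ports=" --dport $sport:$eport"
            fi ;;
        all)
            # "all" with ports 1:65535 is the rule that failed in the log.
            [ -z "$sport$eport" ] || exit 1 ;;
        *) exit 1 ;;                   # other protocols are outside this example
    esac
    printf '%s\n' "-p $proto$ports $addr_flag $cidr -j $action"
)

# Constructed sample rules; the first is the ingress rule from the log.
for r in 'Ingress:all:1:65535:0.0.0.0/0:ACCEPT:' \
         'Ingress:all:::0.0.0.0/0:ACCEPT:' 'Ingress:tcp:80:443:10.0.1.0/24:ACCEPT:'; do
    acl_rule_to_iptables_args "$r" || echo "rejected: $r"
done
```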

        manasaveloori added a comment -

        Verified the issue on latest master.
        Observed that start and end ports are disabled when protocol is "All".
        Hence closing the bug.

        Pranav Saxena added a comment -

        Hey Mice,

        It seems because of your checkin, one is not able to specify start port/end port if we choose protocol number in the drop down. Could you please re-check this?

        Thanks!

        Mice Xia added a comment -

        Pranav,

        After I revert commit 5e56e43e31dae8ec505db9b948dfaa476a96deb8, one is still not able to specify start/end port if choosing protocol number. And I think it is by design and reasonable, unless we assume all protocols specified by protocol number are on layer-4.

        -mice

        Animesh Chaturvedi added a comment -

        This blocker/critical was created before July; please review and resolve, we are approaching 4.2 code freeze in 7 days.

        manasaveloori added a comment -

        Working fine on latest build.
        Hence closing the issue.


          People

          • Assignee: Mice Xia
          • Reporter: manasaveloori
          • Votes: 0
          • Watchers: 5
