Fix ACL_INBOUND/OUTBOUND rules for PrivateGateway#2367
Conversation
This may cause regressions in other cases with the stated assumption, additional review is requested. I'll run some tests.

@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.

Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1434

@blueorangutan test

@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
Trillian test result (tid-1840)
yadvr:
Test lgtm, additional review requested
Hrm .. only test_01 can somehow relate to this patch. Will check.
All others - something very strange.
Wed, 20 Dec 2017 at 23:37, Blue Orangutan Build Things <
notifications@github.com>:
*Trillian test result (tid-1840)*
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 34293 seconds
Marvin logs:
https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr2367-t1840-kvm-centos7.zip
Smoke tests completed. 63 look OK, 4 have error(s)
Only failed tests results shown below:
| Test | Result | Time (s) | Test File |
| --- | --- | --- | --- |
| ContextSuite context=TestDeployVirtioSCSIVM>:setup | Error | 0.00 | test_deploy_virtio_scsi_vm.py |
| test_01_vpc_privategw_acl | Failure | 72.29 | test_privategw_acl.py |
| test_02_vpc_privategw_static_routes | Failure | 243.56 | test_privategw_acl.py |
| test_03_vpc_privategw_restart_vpc_cleanup | Failure | 203.33 | test_privategw_acl.py |
| test_04_rvpc_privategw_static_routes | Failure | 399.80 | test_privategw_acl.py |
| test_02_create_template_with_checksum_sha1 | Error | 5.22 | test_templates.py |
| test_03_create_template_with_checksum_sha256 | Error | 5.23 | test_templates.py |
| test_04_create_template_with_checksum_md5 | Error | 5.22 | test_templates.py |
| test_01_vpc_remote_access_vpn | Error | 60.89 | test_vpc_vpn.py |
rafaelweingartner:
@voloshanenko Thanks!

Tests LGTM, the failures are caused by known issues and recent regression fixed/merged yesterday. I'll merge based on two code review/lgtms and test results.
We found a bug in ACL rules for PrivateGateway for VPC.
At a glance: rules are not applied. Switching Allow All or Deny All (default ACL) shows as completed, but the rules are missing.
Result: traffic via PrivateGateway is blocked by the next DROP rule in the next chains.
How to reproduce:
Expected:
ACL rules applied (inserted) into the corresponding ACL_INBOUND/OUTBOUND chains for the PrivateGateway interface (ethX), based on the ACL which the user chose.
Current:
No rules inserted. ACL_INBOUND/OUTBOUND_ethX are empty. Traffic is blocked by the next DROP rule in the FORWARD chain.
Affect: all our corporate customers are blocked from access to their own nets via PG and vice versa.
Root cause:
The issue happened because of the CsNetFilter.py logic for inserting rules into the ACL_INBOUND/OUTBOUND chains.
We choose the rule number to insert right before the last DROP rule, but forgot that if the chain is empty we also return 0 as the insert position. Which is not true for iptables - numeration started from 0.
So we need a very small patch to handle this special case: if the number of rules inside the chain equals zero, return 1, else return the count of rules inside the chain.
It was found only now, just because by default for PrivateGateway we don't insert any "service rules" (if SourceNat for PrivateGateway is not ticked), and so we have empty ACL_INBOUND/OUTBOUND chains by default. The same insert happens for all VPC networks, but when we call this insert there we already have at least 1 rule inside the chains, and we can process it successfully.
https://issues.apache.org/jira/browse/CLOUDSTACK-10200
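The insert-position logic the description blames, modelled as an added example. This is not CloudStack's CsNetFilter.py and the function names are hypothetical; chains are plain Python lists of constructed rule strings, and `iptables_insert` models the 1-based position check that `iptables -I <chain> <rulenum>` performs, so an empty private-gateway chain shows the old logic producing an invalid position 0 and the patched logic producing 1.

```python
# Added illustration of the ACL_INBOUND/OUTBOUND insert-position bug.
# Not CloudStack code: function names are hypothetical, chains are lists of
# constructed rule strings, and iptables_insert only models the position check.


def iptables_insert(chain, position, rule):
    """Model of `iptables -I <chain> <position> <rule>`.

    Rule numbers are 1-based and must lie in 1..len(chain)+1; anything else
    is rejected, the way iptables rejects rule number 0.
    """
    if position < 1 or position > len(chain) + 1:
        raise ValueError("Invalid rule number `%d'" % position)
    chain.insert(position - 1, rule)
    return chain


def insert_position_buggy(chain):
    """Old logic as the PR describes it: insert at rule number len(chain),
    i.e. directly before the trailing DROP. On an empty chain this is 0."""
    return len(chain)


def insert_position_fixed(chain):
    """Patched logic as the PR describes it: an empty chain has no DROP to
    insert in front of, so use position 1; otherwise keep the old count."""
    count = len(chain)
    return 1 if count == 0 else count


def apply_acl(chain, acl_rules, choose_position):
    """Insert each ACL rule using the supplied position function; returns the
    modified chain so the result can be inspected."""
    for rule in acl_rules:
        iptables_insert(chain, choose_position(chain), rule)
    return chain


# Constructed sample chains (hypothetical interface names and addresses).
EMPTY_PG_CHAIN = []  # ACL_INBOUND_eth2 of a private gateway without SourceNAT
TIER_CHAIN = [       # ACL_INBOUND_eth3 of a VPC tier that already has rules
    "-p tcp --dport 22 -j ACCEPT",
    "-j DROP",
]
ACL = ["-s 10.0.0.0/8 -j ACCEPT"]  # the ACL the user chose for the gateway


def demo():
    """Run both position strategies on the empty private-gateway chain.

    Returns (error_from_old_logic, chain_after_patched_logic).
    """
    try:
        apply_acl(list(EMPTY_PG_CHAIN), ACL, insert_position_buggy)
        buggy_error = None
    except ValueError as exc:
        buggy_error = str(exc)
    fixed_chain = apply_acl(list(EMPTY_PG_CHAIN), ACL, insert_position_fixed)
    return buggy_error, fixed_chain


if __name__ == "__main__":
    error, chain = demo()
    print("old logic on empty chain:", error)
    print("patched logic on empty chain:", chain)
    print("old logic on tier chain:",
          apply_acl(list(TIER_CHAIN), ACL, insert_position_buggy))
```

On the tier chain both strategies land the ACL rule in front of the trailing DROP, which is why the bug stayed hidden for VPC networks; only the empty gateway chain, where nothing had been inserted before the ACL, hits the invalid rule number 0 and leaves the chain empty so the FORWARD chain's DROP wins.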