apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

Reordering ACL rules inside the ACL list - does not apply the rule order inside the VR #9398

Open s-novakovic opened 4 months ago

s-novakovic commented 4 months ago
ISSUE TYPE
COMPONENT NAME
UI (maybe also API)
CLOUDSTACK VERSION
4.19.1.0-SNAPSHOT
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

Using DRAG&DROP to arrange the ACL rules order inside an ACL list doesn't apply the rules inside the VR (the ACL list is already attached to a VPC network). The workaround is to change the ACL list for this network to another ACL list and then go back and reapply the previously used ACL list.

STEPS TO REPRODUCE

Before changing the order of rules outgoing traffic to port 80 is allowed.

image

After putting the DENY rule above the port 80 rule, the outgoing traffic to port 80 is still allowed - see the screenshots below.

image

image

EXPECTED RESULTS
At least - show the message in the UI (API output) that the ACL list needs to be reapplied.
ACTUAL RESULTS

DaanHoogland commented 4 months ago

@s-novakovic did you try restarting the network with cleanup?

btzq commented 4 months ago

@DaanHoogland i think this issue is very similar to the one we discussed in https://github.com/apache/cloudstack/issues/8865

DaanHoogland commented 4 months ago

ok, in that case can you check with the new RC for 4.19.1? #9119 could have solved it.

s-novakovic commented 4 months ago

> @s-novakovic did you try restarting the network with cleanup?

Yes @DaanHoogland, after restarting the network the rules get applied and it works as expected. Maybe we should add a message in the UI/API output, something like "you might need to restart the network for the rules to get applied" or something similar. We'll check the behavior in the new RC and we'll let you know. Thank you.

DaanHoogland commented 4 months ago

Well @s-novakovic, we could add a message, but I think your initial expectations are not wrong. I just saw you had used a snapshot 4.19.1 version. Can you check if that included #9119?

s-novakovic commented 4 months ago

@DaanHoogland, I have checked the #9119 and it only modifies 2 UI-based files (.js and .vue), so it can't be fixing it...? However, I have managed to somehow upgrade from 4.19.1.0-snapshot to the 4.19.1.0-RC2 and it still doesn't work.

Will try a clean RC2 install and let you know if there are any changes.

s-novakovic commented 3 months ago

I've managed to test this on the RC2/final 4.19.1.0 version - and the issue is still there. It seems that only the DB records get updated (the order of rules for the ACL list) - but we never check if the ACL list is already attached to a network - and thus we never update the rules inside the VR.

It would be good if we do a check "if ACL is used/attached to a network --> do some nice message that network needs to be restarted" (there is no cleanup option for the VPC network, so it's not disruptive and it's a quick action).
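
The stale-order condition described in this thread, as an added example that is not part of the issue or of CloudStack's code: a first-match evaluator compares the rule order stored after the reorder with the order still enforced, and reports the flows whose verdict differs. The rule fields, the sample rules and the default action are assumptions made for the illustration.

```python
# Added illustration: models first-match ACL evaluation to show how a reorder
# that reaches only the database leaves the router enforcing the old verdict.
# Rule fields and sample values are constructed, not read from CloudStack.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # position in the ACL list; lower is evaluated first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    start_port: int
    end_port: int

    def matches(self, protocol, port):
        return (self.protocol in ("all", protocol)
                and self.start_port <= port <= self.end_port)


def verdict(rules, protocol, port, default="deny"):
    """Action of the first matching rule by ascending number.
    The default for unmatched traffic is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port):
            return rule.action
    return default


def drift(intended, enforced, probes):
    """Probes whose verdict differs between the stored and the enforced order."""
    out = []
    for protocol, port in probes:
        want = verdict(intended, protocol, port)
        got = verdict(enforced, protocol, port)
        if want != got:
            out.append((protocol, port, want, got))
    return out


# Constructed sample: order still enforced in the VR (allow 80 ahead of the deny).
VR_RULES = [Rule(1, "allow", "tcp", 80, 80), Rule(2, "deny", "all", 1, 65535)]
# Constructed sample: order stored after the drag-and-drop (deny moved on top).
DB_RULES = [Rule(1, "deny", "all", 1, 65535), Rule(2, "allow", "tcp", 80, 80)]
PROBES = [("tcp", 80), ("tcp", 443), ("udp", 53)]

if __name__ == "__main__":
    for protocol, port, want, got in drift(DB_RULES, VR_RULES, PROBES):
        print(f"{protocol}/{port}: intended={want} enforced={got}")
```

A non-empty result means the enforced rule set no longer matches the configured one, which is the condition the reporter resolved by reapplying the ACL list or restarting the network.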