Discussed in #13113
Originally posted by mwaag May 7, 2026
Hi,
We noticed CloudStack lets you successfully define ACL ingress rules for TCP (and UDP) without setting a start and end port.
Many of our users (even we) assumed that it stands for 'all ports'. But instead the router keeps on blocking traffic.
(We didn't test this on UDP explicitly.)
We know we can work around this by just setting start and end ports or by using protocol: All.
Is this expected behaviour or should this be handled as a bug?
(We would probably suggest either restricting the definition of rules without start and end ports altogether, or treating this kind of rule as an "all ports" rule.)
Tested versions are:
4.18.2.4
4.20.3.0
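
An added example, not part of the original post or of CloudStack's code: a check that scans a `listNetworkACLs` JSON response for TCP/UDP ingress rules with neither a start nor an end port, the rule shape reported above. The response wrapper and field names are assumed from the CloudStack API and the sample data is constructed; UDP is included although the post did not test it explicitly.

```python
import json

# Constructed sample shaped like a CloudStack listNetworkACLs JSON response.
# The wrapper and field names are assumptions based on the CloudStack API;
# rule IDs are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{"listnetworkaclsresponse": {"count": 5, "networkacl": [
 {"id": "rule-1", "protocol": "tcp", "traffictype": "Ingress", "action": "Allow"},
 {"id": "rule-2", "protocol": "tcp", "traffictype": "Ingress", "action": "Allow",
  "startport": "443", "endport": "443"},
 {"id": "rule-3", "protocol": "all", "traffictype": "Ingress", "action": "Allow"},
 {"id": "rule-4", "protocol": "UDP", "traffictype": "Ingress", "action": "Allow",
  "startport": "", "endport": null},
 {"id": "rule-5", "protocol": "tcp", "traffictype": "Egress", "action": "Allow"}
]}}
""")

PORT_PROTOCOLS = {"tcp", "udp"}


def _unset(value):
    """True when a port field is absent, null, or an empty string."""
    return value is None or str(value).strip() == ""


def find_portless_rules(response, traffic_type="ingress"):
    """Return TCP/UDP rules of the given traffic type with no start and no end port."""
    rules = response.get("listnetworkaclsresponse", {}).get("networkacl", [])
    flagged = []
    for rule in rules:
        if str(rule.get("protocol", "")).lower() not in PORT_PROTOCOLS:
            continue  # only TCP and UDP rules are in scope for this check
        if str(rule.get("traffictype", "")).lower() != traffic_type:
            continue
        if _unset(rule.get("startport")) and _unset(rule.get("endport")):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in find_portless_rules(SAMPLE_RESPONSE):
        print(f"{rule['id']}: {rule['protocol']} {rule['traffictype']} rule has no "
              "port range; set start/end ports or use protocol 'all'")
```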