Date: Thu, 28 Feb 2013 12:39:12 +0000 (UTC)
From: "Sailaja Mada (JIRA)"
To: cloudstack-dev@incubator.apache.org
Subject: [jira] [Created] (CLOUDSTACK-1452) Public IP's are assigned to private interface with VPC Restart [PF/LB rules are not functional]

Sailaja Mada created CLOUDSTACK-1452:
----------------------------------------

             Summary: Public IP's are assigned to private interface with VPC Restart [PF/LB rules are not functional]
                 Key: CLOUDSTACK-1452
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1452
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Network Controller
    Affects Versions: 4.1.0
            Reporter: Sailaja Mada
            Priority: Critical

Steps:

1. Advanced Networking - KVM 6.3 host
2. Create VPC and add Tier1 with 1 instance
3. Configure PF or LB rule [22-22]
4. Access Instance and ensure that PF/LB rules are functional

Statistics of Router & VM Before restart :

Router :

root@r-151-VM:~# ip addr
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 0e:00:a9:fe:01:d3 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.211/16 brd 169.254.255.255 scope global eth0
    inet6 fe80::c00:a9ff:fefe:1d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:de:46:00:00:15 brd ff:ff:ff:ff:ff:ff
    inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
    inet6 fe80::4de:46ff:fe00:15/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
    inet6 fe80::19ff:fe9f:1/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
    inet6 fe80::4f0:c6ff:fe00:16/64 scope link
       valid_lft forever preferred_lft forever
root@r-151-VM:~#
root@r-151-VM:~# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3922
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     udp  --  anywhere             10.2.0.1            udp dpt:domain
ACCEPT     tcp  --  anywhere             10.2.0.1            tcp dpt:domain
ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp dpt:http-alt

Chain FORWARD (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere            !anywhere
ACL_INBOUND_eth2  all  --  anywhere             10.2.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
root@r-151-VM:~#

Instance :

[root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:00:60:1C:00:02
          inet addr:10.2.0.127  Bcast:10.2.0.255  Mask:255.255.255.0
          inet6 addr: fe80::60ff:fe1c:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16010 (15.6 KiB)  TX bytes:22842 (22.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4076 (3.9 KiB)  TX bytes:4076 (3.9 KiB)

[root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]#

Statistics after restarting VPC :

root@r-155-VM:~# ip addr
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 0e:00:a9:fe:02:88 brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.136/16 brd 169.254.255.255 scope global eth0
    inet6 fe80::c00:a9ff:fefe:288/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:4a:24:00:00:15 brd ff:ff:ff:ff:ff:ff
    inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
    inet6 fe80::44a:24ff:fe00:15/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
    inet6 fe80::474:deff:fe00:16/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
root@r-155-VM:~#
root@r-155-VM:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 0e:00:a9:fe:02:88
          inet addr:169.254.2.136  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c00:a9ff:fefe:288/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:410 errors:0 dropped:0 overruns:0 frame:0
          TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:63392 (61.9 KiB)  TX bytes:64251 (62.7 KiB)

eth1      Link encap:Ethernet  HWaddr 06:4a:24:00:00:15
          inet addr:10.102.196.222  Bcast:10.102.196.255  Mask:255.255.255.0
          inet6 addr: fe80::44a:24ff:fe00:15/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:305 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15516 (15.1 KiB)  TX bytes:404 (404.0 B)

eth2      Link encap:Ethernet  HWaddr 06:74:de:00:00:16
          inet addr:10.2.0.1  Bcast:10.2.0.255  Mask:255.255.255.0
          inet6 addr: fe80::474:deff:fe00:16/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8080 (7.8 KiB)  TX bytes:404 (404.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:414 (414.0 B)  TX bytes:414 (414.0 B)

root@r-155-VM:~#
root@r-155-VM:~# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:3922
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     udp  --  anywhere             10.2.0.1            udp dpt:domain
ACCEPT     tcp  --  anywhere             10.2.0.1            tcp dpt:domain
ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp dpt:www
ACCEPT     tcp  --  anywhere             10.2.0.1            state NEW tcp dpt:http-alt

Chain FORWARD (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere            !anywhere
ACL_INBOUND_eth2  all  --  anywhere             10.2.0.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere

Chain ACL_INBOUND_eth2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain NETWORK_STATS (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
root@r-155-VM:~#

Observation before restart - VPC :

4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
    inet6 fe80::19ff:fe9f:1/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
    inet6 fe80::4f0:c6ff:fe00:16/64 scope link
       valid_lft forever preferred_lft forever
root@r-151-VM:~#

Observation after restart - VPC :

4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
    inet6 fe80::474:deff:fe00:16/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff

Notes:

a. Public IP's are assigned to private interface with VPC Restart
b. PF/LB rules are not functional. Instances are not accessible.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
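
Added example, not part of the original report or of CloudStack: a check that compares two `ip addr` snapshots of a virtual router and flags the symptoms shown above (a subnet that changed interface, an interface carrying more than one IPv4 subnet, an interface that went DOWN). The function names are hypothetical, the sample input is trimmed from the eth2/eth3 output quoted in the report, and the check assumes each IPv4 subnet belongs on exactly one interface.

```python
import ipaddress
import re

# Trimmed from the router output quoted in the report (eth2/eth3 only).
BEFORE = """\
4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
5: eth3: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
"""
AFTER = """\
4: eth2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
    inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
5: eth3: mtu 1500 qdisc noop state DOWN qlen 1000
"""

def parse_ip_addr(text):
    """Return {ifname: {"state": str, "nets": set of IPv4Network}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+:\s+([^:\s]+):.*\bstate\s+(\S+)", line)
        if head:
            current = ifaces.setdefault(head.group(1), {"state": head.group(2), "nets": set()})
            continue
        inet = re.match(r"\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)", line)  # IPv4 only, skips inet6
        if inet and current is not None:
            current["nets"].add(ipaddress.ip_interface(inet.group(1)).network)
    return ifaces

def audit(before, after):
    """Compare two snapshots; return a sorted list of findings."""
    old, new = parse_ip_addr(before), parse_ip_addr(after)
    owner = {net: name for name, i in old.items() for net in i["nets"]}
    findings = []
    for name, info in new.items():
        for net in info["nets"]:
            if net in owner and owner[net] != name:
                findings.append(f"{net} moved from {owner[net]} to {name}")
        if len(info["nets"]) > 1:
            findings.append(f"{name} carries {len(info['nets'])} IPv4 subnets")
        if info["state"] == "DOWN" and old.get(name, {}).get("state") != "DOWN":
            findings.append(f"{name} went DOWN")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(finding)
```

The interface header pattern also matches live `ip addr` output, where a flag list in angle brackets sits between the interface name and `mtu`.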