Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1D5F51025E for ; Thu, 22 Aug 2013 06:43:15 +0000 (UTC) Received: (qmail 34608 invoked by uid 500); 22 Aug 2013 06:43:14 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 34333 invoked by uid 500); 22 Aug 2013 06:43:14 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 34325 invoked by uid 99); 22 Aug 2013 06:43:13 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Aug 2013 06:43:13 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW X-Spam-Check-By: apache.org Received-SPF: error (nike.apache.org: local policy) Received: from [209.85.128.175] (HELO mail-ve0-f175.google.com) (209.85.128.175) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Aug 2013 06:43:08 +0000 Received: by mail-ve0-f175.google.com with SMTP id oy10so1139901veb.6 for ; Wed, 21 Aug 2013 23:42:27 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jDuCsIKbUnTe+hQ0sBpFJNHwEs38muMfLKkx01VZjWw=; b=WUOjrb9ZxAYw8UMv05EdAjM17GY54cBvmDhCRatJHO+wQp8WwOMZh+kkG/P5EJeKQi bpSawGwycYganP9BpReJxqbcK9Q5CgAJzhRLuvoS0NmjR7xk6AU4Pogky27FkhN8x44v gVA9TopfDeJH7tg5goHwBlh4B/NUW/XVJCmJ50GfPwVQP/oSMHGaUR3uAbskcHPWShGT ygKWk/tzbZ6bGyDMG04LRmOMbhY5fnSp/dPtmNhiqaMsKMaQi/Zqwlj2i2dIgXQlpye4 X4ORvhEDO22WfYozsNZEQwNtYGiuUJ5DMTMVbN7T1fJiF6nVgpoQ4T0X3AsaDEzDFVXH vamg== X-Gm-Message-State: ALoCoQmZhqGMEKHQ9/0thBCEYXUXMEUSuDWUFomBrL3jebeUirtBwitzSl1VnkqRmYPlUH1V9rZI MIME-Version: 1.0 X-Received: by 10.220.145.75 with SMTP id c11mr27894vcv.30.1377153747062; Wed, 21 Aug 2013 23:42:27 -0700 (PDT) Received: by 10.221.2.71 with HTTP; Wed, 21 Aug 2013 23:42:27 -0700 (PDT) In-Reply-To: References: Date: Thu, 22 Aug 2013 15:42:27 +0900 Message-ID: Subject: Re: Source NAT not applied on network startup (See Jira CLOUDSTACK-234) From: Dave Cahill To: CLOUDSTACK dev list Cc: Murali Reddy , Chiradeep Vittal Content-Type: multipart/alternative; boundary=047d7b343970e5246804e4839761 X-Virus-Checked: Checked by ClamAV on apache.org --047d7b343970e5246804e4839761 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Adding Chiradeep for guidance, as Murali seems to be away at the moment. Prasanna kindly verified that this is an issue with Virtual Router as well as MidoNet, so I have filed a bug against 4.2: https://issues.apache.org/jira/browse/CLOUDSTACK-4442 On Thu, Aug 22, 2013 at 12:10 PM, Dave Cahill wrote: > Also, I tried to find the code review for this change, but couldn't track > it down - could someone point me to it? > > > On Thu, Aug 22, 2013 at 10:26 AM, Dave Cahill wrote= : > >> Hi Murali, >> >> After this change [1], how do Source NAT IPs get applied to a network on >> network startup / first VM launch? >> >> Previously, applyIpAssociations would get called as part of >> reprogramNetworkRules, but this change introduces what it calls "a lazy >> approach". From what I can see, this means that source NAT doesn't work = on >> startup, and I need to add a Static NAT or some other rule in order to w= ake >> up the lazy approach and have the Source NAT + the new rule be applied. >> >> Is there a workaround I'm missing? Maybe it's necessary to also enable >> the firewall service to trigger application of the source NAT rules? >> >> Thanks, >> Dave. >> >> [1] >> https://git-wip-us.apache.org/repos/asf?p=3Dcloudstack.git;a=3Dblobdiff;= f=3Dserver/src/com/cloud/network/NetworkManagerImpl.java;h=3D2b53565297dc7b= d96c6102cdc1c90cb166e9e704;hp=3Ddac6a3a42e75324a963997e17e076f4020a7103e;hb= =3Dfe568fe;hpb=3Dc7f26583a26eb7e4f15feafc292ec9576df61a8d >> >> On Tue, Jul 9, 2013 at 5:47 PM, Murali Reddy (JIRA) wro= te: >> >>> >>> [ >>> https://issues.apache.org/jira/browse/CLOUDSTACK-234?page=3Dcom.atlassi= an.jira.plugin.system.issuetabpanels:all-tabpanel] >>> >>> Murali Reddy resolved CLOUDSTACK-234. >>> ------------------------------------- >>> >>> Resolution: Fixed >>> >>> > create/delete firewa/lb/pf rule: send ip assoc command only on first >>> rule is created on the IP and last rule is revoked on the IP >>> > >>> -----------------------------------------------------------------------= ---------------------------------------------------------- >>> > >>> > Key: CLOUDSTACK-234 >>> > URL: >>> https://issues.apache.org/jira/browse/CLOUDSTACK-234 >>> > Project: CloudStack >>> > Issue Type: Bug >>> > Security Level: Public(Anyone can view this level - this is the >>> default.) >>> > Components: Management Server >>> > Affects Versions: 4.0.0 >>> > Reporter: Alena Prokharchyk >>> > Assignee: Murali Reddy >>> > Fix For: 4.2.0 >>> > >>> > >>> > We have to improve the logic for creating/deleting any kind of >>> firewall rules. At the moment ipAssoc is being called when: >>> > * the first rule for the ip address is being created >>> > * the last rule for the IP address is being removed >>> > As a part of ipAssoc command, we send all ip addresses assigned to th= e >>> guest network of the rule. The behavior has to be fixed the way we send= ip >>> assoc only for the ip address the rule is being created for. >>> >>> -- >>> This message is automatically generated by JIRA. >>> If you think it was sent incorrectly, please contact your JIRA >>> administrators >>> For more information on JIRA, see: >>> http://www.atlassian.com/software/jira >>> >> >> > --047d7b343970e5246804e4839761--