From: "Sanjeev N (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Date: Fri, 15 Nov 2013 09:11:27 +0000 (UTC)
Subject: [jira] [Closed] (CLOUDSTACK-4750) bond.VLAN mapping in iptables FORWARD chain not created consistently

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-4750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sanjeev N closed CLOUDSTACK-4750.
---------------------------------

With the fix we are using the interface wildcard "+" in iptables to cover potentially used VLAN interfaces, to allow output on the physical interface.

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond0+ --physdev-is-bridged

Working as expected. Verified on the latest 4.2.1 build. So closing the issue.

> bond.VLAN mapping in iptables FORWARD chain not created consistently
> --------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-4750
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4750
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>    Affects Versions: 4.2.0
>         Environment: CloudStack 4.2, Advanced Zone with Security Groups, XenServer 6.2
>            Reporter: Gerard Lynch
>            Assignee: Anthony Xu
>            Priority: Critical
>             Fix For: 4.2.1, 4.3.0
>
>
> Create an Advanced Zone with Security Groups.
> Set up multiple subnets using multiple VLANs (e.g. 1230,1231,1232,1233,1234,1235) on a physical network labelled GUEST.
> Run up VMs in each network.
>
> *Issue:*
> The bond.VLAN interface does not consistently get added to the FORWARD chain in iptables, preventing connectivity to/from a VM.
>
> e.g. if I run up a machine on VLAN 1233
>
> Looking through the management-server.log files I see it setting it up:
>
> [root@csm1 management]# zcat management-server.log.2013-09-26.gz | grep 1233 -A 5 -B 5
> ...
> 2013-09-26 18:52:27,850 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) Creating VIF for i-2-22-VM on nic [Nic:Guest-192.168.3.69-vlan://1233]
> 2013-09-26 18:52:27,852 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) Looking for network named GUEST
> 2013-09-26 18:52:27,882 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) Found a network called GUEST on host=10.1.2.3; Network=ceb6ea91-de34-cf95-5326-f865be6851a2; pif=5884f784-f9ce-58a6-517f-30caa04e67be
> 2013-09-26 18:52:27,883 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) Creating VLAN 1233 on host 10.1.2.3 on device bond2
> 2013-09-26 18:52:28,482 DEBUG [agent.manager.DirectAgentAttache] (DirectAgent-8:null) Seq 9-390463667: Response Received:
> 2013-09-26 18:52:28,482 DEBUG [agent.transport.Request] (StatsCollector-1:null) Seq 9-390463667: Received: { Ans: , MgmtId: 345052351047, via: 9, Ver: v1, Flags: 10, { GetStorageStatsAnswer } }
> 2013-09-26 18:52:28,488 DEBUG [agent.manager.DirectAgentAttache] (DirectAgent-427:null) Seq 10-1220149422: Executing request
> 2013-09-26 18:52:28,637 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) VLAN is created for 1233. The uuid is 85d5ad86-40e6-8e6c-e1a6-254ea64df8cd
> 2013-09-26 18:52:28,646 DEBUG [xen.resource.CitrixResourceBase] (DirectAgent-20:null) Created a vif b57fdf9e-7d90-7689-0eee-9ad550951189 on 0
> 2013-09-26 18:52:29,262 DEBUG [agent.manager.DirectAgentAttache] (DirectAgent-427:null) Seq 10-1220149422: Response Received:
> 2013-09-26 18:52:29,263 DEBUG [agent.transport.Request] (StatsCollector-1:null) Seq 10-1220149422: Received: { Ans: , MgmtId: 345052351047, via: 10, Ver: v1, Flags: 10, { GetStorageStatsAnswer } }
> …
>
> I inspect the host machine, however, and see:
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target           prot opt in     out     source               destination
>    94  7460 BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1234 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1230 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth2 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond0 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth3 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth6 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth4 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth7 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth10 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth11 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth9 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth5 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth8 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond1 --physdev-is-bridged
>    48  2880 DROP             all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> There should be a rule for bond2.1233.
>
> If I perform a 'force re-connect' the chain gets correctly updated:
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target           prot opt in     out     source               destination
>    94  7460 BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1233 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1234 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1230 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth2 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond0 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth3 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth6 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth4 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth7 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth10 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth11 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth9 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth5 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth8 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth1 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out eth0 --physdev-is-bridged
>     0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond1 --physdev-is-bridged
>    48  2880 DROP             all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> After which I can successfully connect to/from the VM.
>
> In the XenServer SMlog file after running the force re-connect I see:
>
> [root@hypervisor4 log]# grep -i bond2.1233 SMlog -A 5 -B 5
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['/bin/bash', '-c', "iptables -n -L FORWARD | grep 'eth3 '"]
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['/bin/bash', '-c', "iptables -n -L FORWARD | grep 'eth2 '"]
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['/bin/bash', '-c', "iptables -n -L FORWARD | grep 'bond2.1233 '"]
> Sep 27 10:31:27 hypervisor4 SM: [28323] FAILED in util.pread: (rc 1) stdout: '', stderr: ''
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['iptables', '-I', 'FORWARD', '2', '-m', 'physdev', '--physdev-is-bridged', '--physdev-out', 'bond2.1233', '-j', 'ACCEPT']
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['/bin/bash', '-c', "iptables -n -L FORWARD | grep 'eth4 '"]
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
> Sep 27 10:31:27 hypervisor4 SM: [28323] ['/bin/bash', '-c', "iptables -n -L FORWARD | grep 'eth2 '"]
> Sep 27 10:31:27 hypervisor4 SM: [28323] pread SUCCESS
>
> There were no other entries in the SMlog file for that VLAN, although as you can see from the dates above, the VM was created yesterday and the VIF/VLAN were pushed to the host at that time.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
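As an added example (not code from the report, from the fix, or from CloudStack's own XenServer plugin), the check below parses a verbose `iptables -n -v -L FORWARD` listing in the shape shown above and reports which bridged VLAN interfaces have no ACCEPT rule, applying the same trailing-`+` prefix-wildcard semantics that the fix relies on. The two listings are constructed to mirror the report's before/after state, and the function names are mine.

```python
import re

# Constructed sample listings (shape taken from the report; not captured from a real host).
# Before the fix: one ACCEPT rule per bridged interface, and bond2.1233 was never added.
BEFORE_FIX = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   94  7460 BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1234 --physdev-is-bridged
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2.1230 --physdev-is-bridged
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2 --physdev-is-bridged
   48  2880 DROP             all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# After the fix: a single prefix-wildcard rule covers bond2 and every bond2.<vlan> interface.
AFTER_FIX = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   94  7460 BRIDGE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
    0     0 ACCEPT           all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out bond2+ --physdev-is-bridged
   48  2880 DROP             all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Verbose listing columns: pkts bytes target prot opt in out source destination [match text].
# Group 1 is the target, group 2 the --physdev-out interface pattern.
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s+(\S+)\s+.*--physdev-out\s+(\S+)")


def accepted_physdev_out(listing):
    """Return the --physdev-out interface patterns of every ACCEPT rule, in chain order."""
    patterns = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1) == "ACCEPT":
            patterns.append(m.group(2))
    return patterns


def iface_matches(pattern, iface):
    """iptables interface semantics: a trailing '+' is a prefix wildcard, otherwise exact match.
    Note that 'bond2+' also matches names such as 'bond20', so keep the prefix as specific as possible."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def uncovered_ifaces(listing, ifaces):
    """Return the bridged interfaces (input order) that no ACCEPT rule lets traffic out through."""
    patterns = accepted_physdev_out(listing)
    return [i for i in ifaces if not any(iface_matches(p, i) for p in patterns)]


if __name__ == "__main__":
    vlans = ["bond2.1230", "bond2.1233", "bond2.1234"]
    print("before fix, uncovered:", uncovered_ifaces(BEFORE_FIX, vlans))  # ['bond2.1233']
    print("after fix, uncovered:", uncovered_ifaces(AFTER_FIX, vlans))    # []
```

On a live host, feed the output of `iptables -n -v -L FORWARD` to `uncovered_ifaces` together with the `bond<N>.<vlan>` names the guest networks are expected to use.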