cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-5403) Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
Date Fri, 27 Dec 2013 08:59:53 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13857391#comment-13857391 ]

ASF subversion and git services commented on CLOUDSTACK-5403:
-------------------------------------------------------------

Commit 8b151c98c22e39afb0be6768666b63a17286d410 in branch refs/heads/master from [~murali.reddy]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8b151c9 ]

CLOUDSTACK-5403: Shared network - None of PF, LB rules work after router
restart, firewall rules dropped from iptables post restart

On VR restart, not all public IPs associated with the network are sent
with IpAssocCmd to the VR. This fix will ensure all the IPs associated with
the network, irrespective of the account, are sent as part of
IpAssocCommand.

Conflicts:
	server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java


> Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5403
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Management Server, Network Controller
>    Affects Versions: 4.3.0
>         Environment: Advanced zone, shared network on Hyper-V
>            Reporter: Sowmya Krishnan
>            Assignee: Murali Reddy
>            Priority: Critical
>             Fix For: 4.3.0
>
>         Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
> Result:
> None of PF or LB rules work after router restart
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
> The following rules are dropped from iptables FORWARD chain after restart:
> ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
> Likewise the firewall rules corresponding to the LB rule's source IP.
> The rules themselves exist in the DB though:
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> |  1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d |             5 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> |  2 | 5b657e22-649a-4cd4-b23c-2416243f48ba |             5 |        888 |      888 | Active | tcp      | PortForwarding |          4 |         2 |        205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 |             6 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 |             6 |        888 |      888 | Active | tcp      | LoadBalancing  |          4 |         2 |        205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL        |                 80 |               80 | roundrobin | NULL              |                         NULL | Public | NULL        |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> |  2 |           5 | 10.102.198.2    |              80 |            80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
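As an added check for the failure the report describes (this is not code from the issue, the commit, or CloudStack itself), the script below parses `iptables -L FORWARD` listings in the format quoted above, diffs the CloudStack rule tags (`/* <public ip>:<start>:<end> */`) between a before-restart and an after-restart snapshot, and reconciles the Active Firewall rows of `firewall_rules` against what is actually programmed on the router. The listings and DB rows are constructed samples; 10.102.196.240 is an assumed address for ip_address_id 6, which the report does not resolve.

```python
import re
from dataclasses import dataclass

# Constructed sample: two `iptables -L FORWARD` snapshots in the format the bug
# report quotes. CloudStack tags each rule with "/* <public ip>:<start>:<end> */".
IPTABLES_BEFORE = """\
ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:888 /* 10.102.196.240:888:888 */
"""
# After the router restart only the generic stateful rule survives (constructed).
IPTABLES_AFTER = """\
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
"""


@dataclass(frozen=True)
class FirewallRule:
    """Subset of a firewall_rules row; public_ip stands in for the ip_address_id join."""
    rule_id: int
    public_ip: str
    start_port: int
    end_port: int
    purpose: str
    state: str


# Constructed rows mirroring the report's firewall_rules table. 10.102.196.240 is an
# assumed address for ip_address_id 6 (the report never resolves it to an address).
DB_RULES = [
    FirewallRule(1, "10.102.196.239", 888, 888, "Firewall", "Active"),
    FirewallRule(2, "10.102.196.239", 888, 888, "PortForwarding", "Active"),
    FirewallRule(13, "10.102.196.240", 888, 888, "Firewall", "Active"),
    FirewallRule(14, "10.102.196.240", 888, 888, "LoadBalancing", "Active"),
]

TAG_RE = re.compile(r"/\*\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+):(\d+)\s*\*/")


def applied_tags(listing: str) -> set[tuple[str, int, int]]:
    """(public ip, start, end) tags present in an iptables listing."""
    return {(m[1], int(m[2]), int(m[3])) for m in TAG_RE.finditer(listing)}


def dropped_after_restart(before: str, after: str) -> set[tuple[str, int, int]]:
    """Tags programmed before the restart that are gone afterwards."""
    return applied_tags(before) - applied_tags(after)


def unprogrammed_firewall_rules(rules, listing: str) -> list[int]:
    """IDs of Active Firewall rows in the DB with no matching FORWARD entry."""
    present = applied_tags(listing)
    return sorted(r.rule_id for r in rules
                  if r.purpose == "Firewall" and r.state == "Active"
                  and (r.public_ip, r.start_port, r.end_port) not in present)
```

Run `unprogrammed_firewall_rules` against a live listing after every VR restart: a non-empty result is the DB-versus-router divergence this issue describes, caught before a tenant notices.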
