Date: Tue, 27 May 2014 10:03:01 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-6761) Destroying an Instance that has a Static NAT bound, the security policy is removed and the firewall filter term is removed however the proxy-arp entry is not

[ https://issues.apache.org/jira/browse/CLOUDSTACK-6761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14009544#comment-14009544 ]

ASF subversion and git services commented on CLOUDSTACK-6761:
-------------------------------------------------------------

Commit 19668713ed2f12e61f538a238422d7dfd4841009 in cloudstack's branch
refs/heads/master from Jayapal
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=1966871 ]

CLOUDSTACK-6761: Fixed removing proxy arp rule on deleting static nat or PF rule on ip

The proxy-arp add/del is done on firewall rule add/del.
The proxy-arp rule is deleted only when there is no static nat or dest nat rule is not using the ip.

When there is static nat or PF and firewall rule
a. Delete firewall rule. It skips delete proxy-arp because the rule is used by static nat rule.
b. After deleting fw rule if we disable static nat there is no way to delete proxy-arp rule.

On VM expunge we are deleting firewall rules first then static nat rules. This caused the stale proxy-arp rules.

With this fix adding/deleting proxy arp rule on static nat/PF rule add/del.

> Destroying an Instance that has a Static NAT bound, the security policy is removed and the firewall filter term is removed however the proxy-arp entry is not
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6761
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6761
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.0.0
> Reporter: Jayapal Reddy
> Assignee: Jayapal Reddy
> Fix For: 4.4.0
>
>
> When destroying an Instance that has a Static NAT bound, the security policy is removed and the firewall filter term is removed however the proxy-arp entry is not
> This causing issue when network is configured with SRX and load balancer.
> For the same ip responses comes for two devices depending on who receives first.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
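
The ordering problem described in the commit message above, as a simplified model. This is an added example, not CloudStack code or part of the original message: the class, its method names and the sample IP are hypothetical, and it assumes a single static NAT rule per public IP.

```python
# Simplified model of the ordering problem in CLOUDSTACK-6761.
# Added illustration only; class and method names are hypothetical.

class ExternalFirewall:
    def __init__(self, proxy_arp_follows_nat):
        # False: proxy-arp follows firewall rules (behaviour before the fix).
        # True:  proxy-arp follows static NAT / PF rules (behaviour after).
        self.proxy_arp_follows_nat = proxy_arp_follows_nat
        self.firewall_ips = set()
        self.nat_ips = set()
        self.proxy_arp = set()

    def add_nat(self, ip):
        self.nat_ips.add(ip)
        if self.proxy_arp_follows_nat:
            self.proxy_arp.add(ip)

    def add_firewall_rule(self, ip):
        self.firewall_ips.add(ip)
        if not self.proxy_arp_follows_nat:
            self.proxy_arp.add(ip)

    def delete_firewall_rule(self, ip):
        self.firewall_ips.discard(ip)
        # Before the fix: skip the proxy-arp delete while NAT still uses the IP.
        if not self.proxy_arp_follows_nat and ip not in self.nat_ips:
            self.proxy_arp.discard(ip)

    def delete_nat(self, ip):
        self.nat_ips.discard(ip)
        if self.proxy_arp_follows_nat:
            self.proxy_arp.discard(ip)

    def stale_proxy_arp(self):
        # Entries the device still answers ARP for with no rule behind them.
        return self.proxy_arp - self.nat_ips - self.firewall_ips


def expunge_vm(proxy_arp_follows_nat, ip="203.0.113.10"):  # constructed sample IP
    fw = ExternalFirewall(proxy_arp_follows_nat)
    fw.add_nat(ip)
    fw.add_firewall_rule(ip)
    # Expunge order from the commit message: firewall rules first, then NAT.
    fw.delete_firewall_rule(ip)
    fw.delete_nat(ip)
    return fw.stale_proxy_arp()


if __name__ == "__main__":
    print("before fix:", expunge_vm(False))
    print("after fix: ", expunge_vm(True))
```

The `stale_proxy_arp` set difference is also the shape of an audit on a real device: any proxy-arp address with no NAT or firewall rule behind it is a leftover.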