Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cloudstack.apache.org
Date: Sun, 27 Nov 2016 12:08:58 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)" <jira@apache.org>
To: cloudstack-issues@incubator.apache.org
Message-ID: <JIRA.12956155.1459864315000.373025.1480248538437@Atlassian.JIRA>
In-Reply-To: <JIRA.12956155.1459864315000@Atlassian.JIRA>
References: <JIRA.12956155.1459864315000@Atlassian.JIRA> <JIRA.12956155.1459864315094@arcas>
Subject: [jira] [Commented] (CLOUDSTACK-9339) Virtual Routers don't handle
 Multiple Public Interfaces
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
archived-at: Sun, 27 Nov 2016 12:09:00 -0000


    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9339?page=3Dcom.atla=
ssian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=
=3D15699588#comment-15699588 ]=20

ASF GitHub Bot commented on CLOUDSTACK-9339:
--------------------------------------------

Github user blueorangutan commented on the issue:

    https://github.com/apache/cloudstack/pull/1659
 =20
    Packaging result: =E2=9C=94centos6 =E2=9C=94centos7 =E2=9C=94debian. JI=
D-263


> Virtual Routers don't handle Multiple Public Interfaces
> -------------------------------------------------------
>
>                 Key: CLOUDSTACK-9339
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-933=
9
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the defa=
ult.)=20
>          Components: Virtual Router
>    Affects Versions: 4.8.0
>            Reporter: dsclose
>            Assignee: Murali Reddy
>              Labels: firewall, nat, router
>             Fix For: 4.10.0.0, 4.9.1.0
>
>
> There are a series of issues with the way Virtual Routers manage multiple=
 public interfaces. These are more pronounced on redundant virtual router s=
etups. I have not attempted to examine these issues in a VPC context. Outsi=
de of a VPC context, however, the following is expected behaviour:
> * eth0 connects the router to the guest network.
> * In RvR setups, keepalived manages the guests' gateway IP as a virtual I=
P on eth0.
> * eth1 provides a local link to the hypervisor, allowing Cloudstack to is=
sue commands to the router.
> * eth2 is the routers public interface. By default, a single public IP wi=
ll be setup on eth2 along with the necessary iptables and ip rules to sourc=
e-NAT guest traffic to that public IP.
> * When a public IP address is assigned to the router that is on a separat=
e subnet to the source-NAT IP, a new interface is configured, such as eth3,=
 and the IP is assigned to that interface.
> * This can result in eth3, eth4, eth5, etc. being created depending upon =
how many public subnets the router has to work with.
> The above all works. The following, however, is currently not working:
> * Public interfaces should be set to DOWN on backup redundant routers. Th=
e master.py script is responsible for setting public interfaces to UP durin=
g a keepalived transition. Currently the check_is_up method of the CsIP cla=
ss brings all interfaces UP on both RvR. A proposed fix for this has been d=
iscussed on the mailing list. That fix will leave public interfaces DOWN on=
 RvR allowing the keepalived transition to control the state of public inte=
rfaces. Issue #1413 includes a commit that contradicts the proposed fix so =
it is unclear what the current state of the code should be.
> * Newly created interfaces should be set to UP on master redundant router=
s. Assuming public interfaces should be default be DOWN on an RvR we need t=
o accommodate the fact that, as interfaces are created, no keepalived trans=
ition occurs. This means that assigning an IP from a new public subnet will=
 have no effect (as the interface will be down) until the network is restar=
ted with a "clean up."
> * Public interfaces other than eth2 do not forward traffic. There are two=
 iptables rules in the FORWARD chain of the filter table created for eth2 t=
hat allow forwarding between eth2 and eth0. Equivalent rules are not create=
d for other public interfaces so forwarded traffic is dropped.
> * Outbound traffic from guest VMs does not honour static-NAT rules. Inste=
ad, outbound traffic is source-NAT'd to the networks default source-NAT IP.=
 New connections from guests that are destined for public networks are proc=
essed like so:
> 1. Traffic is matched against the following rule in the mangle table that=
 marks the connection with a 0x0:
> *mangle
> -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0x=
ffffffff
> 2. There are no "ip rule" statements that match a connection marked 0x0, =
so the kernel routes the connection via the default gateway. That gateway i=
s on source-NAT subnet, so the connection is routed out of eth2.
> 3. The following iptables rules are then matched in the filter table:
> *filter
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -A FW_OUTBOUND -j FW_EGRESS_RULES
> -A FW_EGRESS_RULES -j ACCEPT
> 4. Finally, the following rule is matched from the nat table, where the I=
P address is the source-NAT IP:
> *nat
> -A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67
> =20


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)