cloudstack-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-9770) Virtual router / Network regression since with public interface eth2
Date Fri, 03 Feb 2017 16:57:51 GMT


ASF GitHub Bot commented on CLOUDSTACK-9770:

GitHub user ustcweizhou opened a pull request:

    CLOUDSTACK-9770: fix missing ip routes in VR

    In network VR, the routes to current subnets are missing in corresponding ip route Table.
    It is a typo in commit 6749785caba78a9379e94bf3aaf0c1fbc44c5445
    In VPC VR, it works fine.

You can merge this pull request into a Git repository by running:

    $ git pull VR-missing-route

Alternatively you can review and apply these changes as the patch at:

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1929
commit 8c69cb1c1fd7ba93e021dca7d6e08dbaa831ccfa
Author: Wei Zhou <>
Date:   2017-02-03T09:04:10Z

    CLOUDSTACK-9770: fix missing ip routes in VR


> Virtual router / Network regression since with public interface eth2
> ----------------------------------------------------------------------------
>                 Key: CLOUDSTACK-9770
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions:,,
>         Environment: CloudStack with advanced network installation
>            Reporter: Milamber
>            Priority: Critical
>              Labels: regresion
>             Fix For: Future
> I found a (possible) bug introduced by CLOUDSTACK-9339 [1] (Pull Request PR1659 [2]) on CloudStack Advanced network installation.
> Since this change (9339), the public network's route on eth2 (public interface) in VR is missing.
> Before on VR, we have something like:
> ip route show table Table_eth2
> dev eth2  table Table_eth2  scope link
> default via dev eth2
> ...
> where is the public network and the default gateway.
> After with the ip route command shows only:
> default via dev eth2  proto static
> throw  proto static
> throw  proto static
> (missing route for public network)
> The changes 9339 introduce the iptables connmark to add 0x2 mark on ip packets from internal VMs IP and an ip rule to use the Table_eth2 network table for these ip packets.
> So if another machine in the public network tries to reach a virtual machine inside CloudStack using their public IP, the packets' travel is:
> source_machine --> VR (de-NAT) --> VM_inside_CS --> VR (NAT+using Table_eth2) --> default_public_gateway --> source machine
> The issue is if the default_public_gateway refuses to forward IP packets with the source IP and destination IP in the same network (often when the gateway is a firewall), then the connection between a machine in the public network is not possible with all VMs behind the CS virtual router.
> The correct network path for the packet must be:
> source_machine --> VR (de-NAT) --> VM_inside_CS --> VR (NAT+using Table_eth2) --> source machine (directly because on public network)
> To fix the issue (workaround), just execute this command on the virtual router:
>  ip route add dev eth2 table Table_eth2 212.217.2.0/24
> Please note: this issue isn't visible on CloudStack upgrade installation from anterior version of until you decide to restart with clean up the network in CS.
> What is the best way to fix this bug?
> Thanks
> [1]
> [2]

This message was sent by Atlassian JIRA
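
An added example, not part of the original message or of CloudStack's own code: a Python check that compares the subnets configured on the public interface with the on-link routes in its policy table and reports the missing connected route described in the issue. The sample `ip` output, the 203.0.113.0/24 documentation addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample output using documentation addresses (not from the report).
ADDR = ("4: eth2    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth2\n"
        "4: eth2    inet 203.0.113.11/24 scope global secondary eth2\n")
BROKEN = ("default via 203.0.113.1 dev eth2 proto static\n"
          "throw 10.1.1.0/24 proto static\n"
          "throw 169.254.0.0/16 proto static\n")
FIXED = "203.0.113.0/24 dev eth2 scope link\n" + BROKEN
NON_UNICAST = {"default", "throw", "unreachable", "blackhole", "prohibit"}


def connected_networks(addr_output, dev):
    """Subnets configured on dev, parsed from `ip -o -4 addr show dev DEV`."""
    nets = set()
    for line in addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and m.group(1) == dev:
            nets.add(ipaddress.ip_interface(m.group(2)).network)
    return nets


def onlink_routes(route_output, dev):
    """Prefixes routed directly out of dev, from `ip route show table T`."""
    nets = set()
    for line in route_output.splitlines():
        f = line.split()
        # Skip default/throw entries and anything that goes through a gateway.
        if not f or f[0] in NON_UNICAST or "via" in f or "dev" not in f:
            continue
        if f[f.index("dev") + 1] == dev:
            nets.add(ipaddress.ip_network(f[0], strict=False))
    return nets


def missing_connected_routes(addr_output, route_output, dev):
    """Connected subnets of dev that no on-link route in the table covers."""
    routes = onlink_routes(route_output, dev)
    return sorted(str(n) for n in connected_networks(addr_output, dev)
                  if not any(n.subnet_of(r) for r in routes))


def workaround_commands(missing, dev, table):
    """Route additions that restore direct delivery on the public subnet."""
    return [f"ip route add {n} dev {dev} table {table}" for n in missing]


if __name__ == "__main__":
    gaps = missing_connected_routes(ADDR, BROKEN, "eth2")
    print("\n".join(workaround_commands(gaps, "eth2", "Table_eth2")) or "ok")
```

On a router, feed it the real output of `ip -o -4 addr show dev eth2` and `ip route show table Table_eth2`; an empty result means replies to hosts on the public subnet are delivered directly rather than through the default gateway.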
