Date: Fri, 3 Feb 2017 20:34:51 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Subject: [jira] [Commented] (CLOUDSTACK-9770) Virtual router / Network regression since 4.9.1.0 with public interface eth2

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-9770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15852083#comment-15852083 ]

ASF GitHub Bot commented on CLOUDSTACK-9770:
--------------------------------------------

Github user DaanHoogland commented on the issue:

    https://github.com/apache/cloudstack/pull/1929

    @milamberspace could you try with this patch? I think @ustcweizhou solved your problem with the default route

> Virtual router / Network regression since 4.9.1.0 with public interface eth2
> ----------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9770
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9770
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.10.0.0, 4.9.2.0, 4.9.1.0
>         Environment: CloudStack with advanced network installation
>            Reporter: Milamber
>            Priority: Critical
>              Labels: regresion
>             Fix For: Future
>
>
> I found a (possible) bug introduced by CLOUDSTACK-9339 [1] (Pull Request PR1659 [2]) on CloudStack Advanced network installation.
> Since this change (9339), the public network's route on eth2 (public interface) in the VR is missing.
> Before, on the VR, we had something like:
>     ip route show table Table_eth2
>     212.217.2.0/24 dev eth2 table Table_eth2 scope link
>     default via 212.217.2.1 dev eth2
>     ...
> where 212.217.2.0/24 is the public network and 212.217.2.1 the default gateway.
> After, with 4.9.1.0+, the ip route command shows only:
>     default via 212.217.2.1 dev eth2 proto static
>     throw 10.230.1.0/24 proto static
>     throw 169.254.0.0/16 proto static
> (missing route for public network)
> The 9339 changes introduce the iptables connmark to add the 0x2 mark to IP packets from the internal VMs' IPs, and an ip rule to use the Table_eth2 network table for these IP packets.
> So if another machine in the public network tries to reach a virtual machine inside CloudStack using its public IP, the packet's path is:
>     source_machine --> VR (de-NAT) --> VM_inside_CS --> VR (NAT+using Table_eth2) --> default_public_gateway --> source machine
> The issue is that if the default_public_gateway refuses to forward IP packets with the source IP and destination IP in the same network (often when the gateway is a firewall), then a connection between a machine in the public network and any VM behind the CS virtual router is not possible.
> The correct network path for the packet must be:
>     source_machine --> VR (de-NAT) --> VM_inside_CS --> VR (NAT+using Table_eth2) --> source machine (directly, because it is on the public network)
> To fix the issue (workaround), just execute this command on the virtual router:
>     ip route add dev eth2 table Table_eth2 212.217.2.0/24
> Please note: this issue isn't visible on a CloudStack installation upgraded from a version prior to 4.9.1.0+ until you decide to restart the network with clean up in CS.
> What is the best way to fix this bug?
> Thanks
> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-9339
> [2] https://github.com/apache/cloudstack/pull/1659

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
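
The lookup behaviour described in the report, as an added example that is not part of the original message or of CloudStack's code: it parses `ip route show table Table_eth2` style output, resolves the next hop by longest-prefix match, and flags a table that lacks the connected route for the public subnet. The two table samples are constructed from the output quoted in the report, and the host 212.217.2.50 is a constructed public-network address.

```python
import ipaddress

# Constructed samples modelled on the `ip route show table Table_eth2` output in the report.
TABLE_BEFORE = """\
212.217.2.0/24 dev eth2 scope link
default via 212.217.2.1 dev eth2
"""
TABLE_AFTER = """\
default via 212.217.2.1 dev eth2 proto static
throw 10.230.1.0/24 proto static
throw 169.254.0.0/16 proto static
"""

def parse_table(text):
    """Return (network, kind, gateway) tuples; kind is 'via', 'link' or 'throw'."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        kind = "link"
        if tok[0] == "throw":
            kind, tok = "throw", tok[1:]
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        gateway = None
        if "via" in tok:
            kind, gateway = "via", tok[tok.index("via") + 1]
        routes.append((ipaddress.ip_network(prefix), kind, gateway))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match inside one table, as done for each matching ip rule."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return "next-rule"      # nothing matched: lookup continues with later ip rules
    _, kind, gateway = max(matches, key=lambda r: r[0].prefixlen)
    if kind == "throw":
        return "next-rule"      # throw route: leave this table, continue with later ip rules
    return gateway if kind == "via" else "on-link"

def missing_connected_route(routes, public_net):
    """True when the table has no link-scope route for the public subnet."""
    net = ipaddress.ip_network(public_net)
    return not any(r[0] == net and r[1] == "link" for r in routes)
```

With the 4.9.1.0+ table, a reply to 212.217.2.50 resolves to the gateway 212.217.2.1 instead of `on-link`, which is the hairpin path the report describes.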