cloudstack-issues mailing list archives

From "samhith vasikarla (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-9941) Port forwarding rules are not persistent when we reboot VR from outside Cloudstack
Date Mon, 05 Jun 2017 12:24:04 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

samhith vasikarla updated CLOUDSTACK-9941:
------------------------------------------
    Description: 
1. Create a network, say N1, with the network offering "Conserve Mode Enabled and all other services with Virtual Router".
2. Create an instance with N1.
3. After successful creation of the instance, navigate to Network and add port forwarding rules.
4. After successful addition of the port forwarding rules, log in to the router and type iptables -t nat -L; we will find the port forwarding rules:


root@r-22-VM:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh to:10.1.1.114:22
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh to:10.1.1.114:22
MARK       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh MARK set 0x2
CONNMARK   tcp  --  anywhere             10.147.30.184        tcp dpt:ssh state NEW CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh to:10.1.1.114:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:10.147.30.184
SNAT       tcp  --  10.1.1.0/24          conserve             tcp dpt:ssh to:10.1.1.1

5. Reboot the router from outside of the management server.
6. Again type iptables -t nat -L and check whether the rules are persistent.

Observation:
Post reboot from outside of CloudStack, the PF rules are not present in the iptables of the VR.

In the database, the PF rules are present:

mysql> select * from port_forwarding_rules\G;
********* 1. row **********
             id: 46
    instance_id: 23
dest_ip_address: 10.1.1.114
dest_port_start: 22
  dest_port_end: 22
1 row in set (0.00 sec)
*****************************
In forwarding rules.json, the rules are present:

{
    "10.147.30.184": [
        {
            "internal_ip": "10.1.1.114",
            "internal_ports": "22:22",
            "protocol": "tcp",
            "public_ip": "10.147.30.184",
            "public_ports": "22:22",
            "type": "forward"
        }
    ],
    "id": "forwardingrules"
}
******************************************************************
But in iptables the rules are not present:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

********************************************************************
In the above state, we cannot ssh to the virtual machine:

ssh root@10.147.30.184
ssh: connect to host 10.147.30.184 port 22: Connection refused



Note: When the VR is rebooted from CloudStack, all the rules are fetched again.
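The report's three data points (rules in the database, rules in forwarding_rules.json on the router, empty nat chains) can be turned into a drift check that runs on the VR itself. The following is an added example, not code from the report or from CloudStack: it parses the JSON structure quoted above and compares it with `iptables -t nat -S PREROUTING` output, whose rule shape (`-d <ip>/32 -p <proto> -m <proto> --dport <port> -j DNAT --to-destination <ip:port>`) is assumed here to match the `-L` listing shown; the sample inputs are constructed.

```python
import json
import re

# Constructed copy of the forwarding_rules.json structure quoted in the report.
FORWARDING_RULES_JSON = """{
    "10.147.30.184": [
        {"internal_ip": "10.1.1.114", "internal_ports": "22:22", "protocol": "tcp",
         "public_ip": "10.147.30.184", "public_ports": "22:22", "type": "forward"}
    ],
    "id": "forwardingrules"
}"""

# Constructed `iptables -t nat -S PREROUTING` output: the healthy state before the
# reboot, and the empty chain seen after rebooting the VR outside CloudStack.
NAT_BEFORE = """-P PREROUTING ACCEPT
-A PREROUTING -d 10.147.30.184/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.114:22
"""
NAT_AFTER = "-P PREROUTING ACCEPT\n"

# Assumed shape of the DNAT rule (consistent with the -L listing in the report).
DNAT_RE = re.compile(
    r"-A PREROUTING -d (\S+)/32 -p (\w+) -m \w+ --dport (\S+) -j DNAT --to-destination (\S+)$"
)

def port_spec(port_range):
    # "22:22" -> ("22", "22"); "80:90" -> ("80:90", "80-90") for --dport / --to-destination
    start, end = port_range.split(":")
    return (start, start) if start == end else (f"{start}:{end}", f"{start}-{end}")

def expected_dnat(rules_json):
    # One (public_ip, proto, dport, target) tuple per "forward" entry in the JSON.
    wanted = set()
    for key, entries in json.loads(rules_json).items():
        if key == "id":  # metadata key, not a public IP
            continue
        for e in entries:
            if e.get("type") != "forward":
                continue
            dport, _ = port_spec(e["public_ports"])
            _, to_ports = port_spec(e["internal_ports"])
            wanted.add((e["public_ip"], e["protocol"], dport, f'{e["internal_ip"]}:{to_ports}'))
    return wanted

def live_dnat(iptables_s):
    # DNAT rules actually loaded, parsed from `iptables -t nat -S PREROUTING` output.
    return {m.groups() for line in iptables_s.splitlines() if (m := DNAT_RE.match(line.strip()))}

def missing_rules(rules_json, iptables_s):
    # Rules persisted in forwarding_rules.json but absent from the live nat table.
    return sorted(expected_dnat(rules_json) - live_dnat(iptables_s))
```

A non-empty result from missing_rules is exactly the post-reboot condition the report describes: the rule survives in the database and in the JSON on the router but no longer exists in the kernel, so the forwarded service is silently unreachable until the VR is rebooted from CloudStack.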
 


> Port forwarding rules are not persistent when we reboot VR from outside Cloudstack 
> -----------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9941
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9941
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.10.0.0
>            Reporter: samhith vasikarla
>             Fix For: 4.10.0.0
>
>         Attachments: log.txt
>
>



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
