cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-9934) Traffic is not routed correctly on additional public interface from static nat enabled vm
Date Thu, 06 Jul 2017 10:34:03 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajani Karuturi updated CLOUDSTACK-9934:
----------------------------------------
    Fix Version/s:     (was: 4.10.0.0)
                   4.10.1.0

> Traffic is not routed correctly on additional public interface from static nat enabled vm
> ----------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9934
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9934
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Devices
>            Reporter: Jayapal Reddy
>             Fix For: 4.10.1.0
>
>
> 1. Configure static nat on an additional public subnet ip in a VPC.
> 2. Now ping google.com from the static nat enabled vm.
> 3. The traffic is supposed to leave from the additional public ip interface (the static nat enabled ip).
> Bug: The traffic is leaving via the default source nat interface (eth1).
> Reason:
> In the iptables mangle table, the ACL_OUTBOUND_ethX chain is accepting the traffic before the packet hits the connmark rule.
> Please look at the below logs.
> {noformat}
> root@r-135-QA:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
> 8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    77  6453 CONNMARK   all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
>     7   541 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
>     2   144 ACL_OUTBOUND_eth3  all  --  eth3   *       10.1.2.0/24         !10.1.2.1            state NEW
>     0     0 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x1
>    34  2832 ACL_OUTBOUND_eth4  all  --  eth4   *       10.1.1.0/24         !10.1.1.1            state NEW
>    12   801 CONNMARK   all  --  *      *       10.1.1.68            0.0.0.0/0            state NEW CONNMARK save
>     0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
>     2   129 MARK       all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW MARK set 0x2
>     2   129 CONNMARK   all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW CONNMARK save
> Chain INPUT (policy ACCEPT 325 packets, 19712 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     4   336 VPN_STATS_eth2  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   209 17520 VPN_STATS_eth1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 291 packets, 35814 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
> Chain POSTROUTING (policy ACCEPT 295 packets, 36150 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CHECKSUM   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 CHECKSUM fill
> Chain ACL_OUTBOUND_eth3 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>     2   144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain ACL_OUTBOUND_eth4 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
>    33  2748 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> Chain ACL_OUTBOUND_eth5 (0 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain VPN_STATS_eth1 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0            all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            mark match 0x525
>     0     0            all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524
> Chain VPN_STATS_eth2 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0            all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            mark match 0x525
>     0     0            all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            mark match 0x524
> root@r-135-QA:~#
> root@r-135-QA:~# tcpdump -i eth1 -nq
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 06:19:44.981751 IP 10.147.46.108 > 216.58.203.142: ICMP echo request, id 23906, seq 3, length 64
> 06:19:45.000805 IP 216.58.203.142 > 10.147.46.108: ICMP echo reply, id 23906, seq 3, length 64
> 06:19:46.312487 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:48.316566 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:49.103007 ARP, Request who-has 10.147.46.108 (1e:00:f9:00:00:14) tell 0.0.0.0, length 46
> 06:19:49.103025 ARP, Reply 10.147.46.108 is-at 1e:00:f9:00:00:14, length 28
> 06:19:50.159695 ARP, Request who-has 10.147.46.1 tell 10.147.46.104, length 28
> 06:19:50.315802 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:52.316119 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
> ^C
> 9 packets captured
> 9 packets received by filter
> 0 packets dropped by kernel
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 10 packets, 714 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       all  --  eth0   *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
>     0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
> Chain INPUT (policy ACCEPT 8 packets, 546 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       all  --  *      *       0.0.0.0/0            10.147.52.101        to:10.1.2.128
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       all  --  *      eth0    10.1.2.0/24          10.1.2.128           to:10.147.44.100
>     0     0 SNAT       all  --  *      eth2    10.1.2.128           0.0.0.0/0            to:10.147.52.101
>     0     0 SNAT       all  --  *      eth4    10.1.1.0/24          0.0.0.0/0            to:10.1.1.1
>     0     0 SNAT       all  --  *      eth3    10.1.2.0/24          0.0.0.0/0            to:10.1.2.1
>    26  1841 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:10.147.46.108
>     0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.101
> root@r-135-QA:~#
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
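The ordering defect the report describes, reduced to a rule walk, as an added example (my code, not CloudStack's): it parses the mangle PREROUTING and ACL_OUTBOUND_eth3 chains from the listing quoted above, replays the static-NAT VM's first ICMP packet through them with netfilter's semantics (ACCEPT reached inside a user chain ends traversal of the built-in chain; MARK and CONNMARK are non-terminating), and reports the fwmark the packet carries into the routing decision. The packet, interface and address values come from the report; reading mark 0x2 as the value that selects eth2's routing table is inferred from the `CONNMARK set 0x2` rule on eth2 in the same listing. The repair shown, hoisting the per-host MARK and CONNMARK-save rules ahead of the ACL jump, is an assumption for illustration and not necessarily the change shipped in 4.10.1.0.

```python
"""Replay iptables mangle PREROUTING traversal for the first packet of a
connection and show why the static-NAT MARK rule in CLOUDSTACK-9934 is
never reached. Added example; models netfilter semantics, not CloudStack code."""
import copy
import ipaddress
import re

# Constructed excerpt of the report's `iptables -t mangle -L -nv` output
# (wrapped columns joined; only the chains needed for the walk are kept).
MANGLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
 pkts bytes target     prot opt in     out     source               destination
   77  6453 CONNMARK   all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
    7   541 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
    2   144 ACL_OUTBOUND_eth3  all  --  eth3   *       10.1.2.0/24         !10.1.2.1            state NEW
    0     0 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x1
   34  2832 ACL_OUTBOUND_eth4  all  --  eth4   *       10.1.1.0/24         !10.1.1.1            state NEW
   12   801 CONNMARK   all  --  *      *       10.1.1.68            0.0.0.0/0            state NEW CONNMARK save
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
    2   129 MARK       all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW MARK set 0x2
    2   129 CONNMARK   all  --  *      *       10.1.2.128           0.0.0.0/0            state NEW CONNMARK save
Chain ACL_OUTBOUND_eth3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
    2   144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+\S+\s+\S+\s+(?P<in>\S+)\s+(?P<out>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

# The packet the reporter traced: the static-NAT VM (10.1.2.128 on eth3)
# pinging google.com; it is the first packet of the flow, so conntrack state is NEW.
PKT = {"in": "eth3", "src": "10.1.2.128", "dst": "216.58.203.142", "state": "NEW"}


def parse_chains(listing):
    """Map chain name -> list of rule dicts, in listing order."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current is not None:
            m = RULE_RE.match(line)
            if m:
                chains[current].append(m.groupdict())
    return chains


def _addr_match(spec, ip):
    """Match an iptables source/destination spec, honouring a leading '!'."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def rule_matches(rule, pkt):
    if rule["in"] not in ("*", pkt["in"]):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    state = re.search(r"state (\S+)", rule["extra"])
    return state is None or pkt["state"] in state.group(1).split(",")


def walk(chains, chain, pkt, mark=0):
    """Return (verdict, fwmark, chain that decided). Only the packet mark is
    tracked: CONNMARK save/restore act on the conntrack entry, which holds no
    mark yet for a NEW packet, so it cannot supply one here."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "ACCEPT":          # terminates the whole built-in chain
            return "ACCEPT", mark, chain
        if target == "MARK":
            mark = int(re.search(r"MARK set (0x[0-9a-f]+)", rule["extra"]).group(1), 16)
        elif target in chains:          # jump to a user-defined chain
            verdict, mark, where = walk(chains, target, pkt, mark)
            if verdict == "ACCEPT":
                return verdict, mark, where
        # CONNMARK and other non-terminating targets: keep going
    return "CONTINUE", mark, chain


def routing_mark(chains, pkt):
    """fwmark carried into the routing decision; 0 means the main table, i.e.
    the default source-NAT interface eth1 in the report."""
    return walk(chains, "PREROUTING", pkt)[1]


def deciding_chain(chains, pkt):
    """Chain that issued the terminating verdict for the packet."""
    return walk(chains, "PREROUTING", pkt)[2]


def hoist_static_nat_marks(chains):
    """One possible repair (assumption, not necessarily the CloudStack fix):
    put the per-host MARK and CONNMARK-save rules first in PREROUTING so an
    ACL_OUTBOUND_* ACCEPT can no longer shadow them."""
    fixed = copy.deepcopy(chains)
    pre = fixed["PREROUTING"]
    hoisted = [r for r in pre if r["target"] == "MARK" or "CONNMARK save" in r["extra"]]
    fixed["PREROUTING"] = hoisted + [r for r in pre if r not in hoisted]
    return fixed


if __name__ == "__main__":
    chains = parse_chains(MANGLE_LISTING)
    print("as reported:", hex(routing_mark(chains, PKT)), "decided in", deciding_chain(chains, PKT))
    fixed = hoist_static_nat_marks(chains)
    print("marks first:", hex(routing_mark(fixed, PKT)), "decided in", deciding_chain(fixed, PKT))
```

Run as-is, the walk ends in ACL_OUTBOUND_eth3 with mark 0, which is exactly what the tcpdump on eth1 shows: the packet is routed by the main table and source-NATed to 10.147.46.108. With the MARK rule ahead of the ACL jump the same packet leaves PREROUTING carrying 0x2, and the ACL chain still gets to accept or drop it. The general check a router image test could apply is the same: for every per-host MARK rule in PREROUTING, replay a NEW packet from that host and assert the mark survives to the end of the chain.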
