cloudstack-issues mailing list archives

From "Rajani Karuturi (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-9946) When multiple PF rules are deleted, the 1st PF rule added is still retained in forwardingrules.json file in VPC VR.
Date Thu, 06 Jul 2017 10:34:03 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-9946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajani Karuturi updated CLOUDSTACK-9946:
----------------------------------------
    Fix Version/s:     (was: 4.10.0.0)
                   4.10.1.0

> When multiple PF rules are deleted, the 1st PF rule added is still retained in forwardingrules.json file in VPC VR.
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9946
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9946
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.10.0.0
>            Reporter: DeepthiMachiraju
>              Labels: PVR
>             Fix For: 4.10.1.0
>
>         Attachments: MS_log_deletion_pf_rules.txt
>
>
> - Create a VPC, and deploy a VM in the tier.
> - Navigate to Public IP addresses in the VPC and acquire an IP.
> - Create multiple PF rules as below. Was able to successfully SSH and access HTTP on the VM.
> - Now delete all the rules configured.
> Observation:
> - All the rules are cleaned up in the UI & DB, but the 1st rule added is still retained in iptables and the forwardingrules.json file.
> - The user is still able to access the rule.
> Logs when rules are added:
> Acquired IP and assigned 5 PF rules:
> root@r-53-VM:/etc/cloudstack# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 0e:00:a9:fe:02:c3 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.2.195/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 06:3d:52:00:00:0d brd ff:ff:ff:ff:ff:ff
>     inet 10.147.30.112/24 brd 10.147.30.255 scope global eth1
>     inet 10.147.30.113/24 brd 10.147.30.255 scope global secondary eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:4b:3f:00:14 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:67:bb:00:04 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.2.1/24 brd 172.16.2.255 scope global eth3
> ********************************
> root@r-53-VM:/etc/cloudstack# cat forwardingrules.json
> {
>     "10.147.30.113": [
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "10:10",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "10:10",
>             "type": "forward"
>         },
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "20:20",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "20:20",
>             "type": "forward"
>         },
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "30:30",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "30:30",
>             "type": "forward"
>         },
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "22:22",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "22:22",
>             "type": "forward"
>         },
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "80:80",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "80:80",
>             "type": "forward"
>         }
>     ],
>     "id": "forwardingrules"
> ********************************
> root@r-53-VM:/etc/cloudstack# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ftp-data to:172.16.2.10:20
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:30 to:172.16.2.10:30
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ssh to:172.16.2.10:22
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:http to:172.16.2.10:80
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ftp-data to:172.16.2.10:20
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:30 to:172.16.2.10:30
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ssh to:172.16.2.10:22
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:http to:172.16.2.10:80
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  172.16.2.0/24        anywhere             to:172.16.2.1
> SNAT       all  --  172.16.1.0/24        anywhere             to:172.16.1.1
> SNAT       all  --  anywhere             anywhere             to:10.147.30.112
> SNAT       all  --  anywhere             anywhere             to:10.147.30.113
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ftp-data to:172.16.2.10:20
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:30 to:172.16.2.10:30
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:ssh to:172.16.2.10:22
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:http to:172.16.2.10:80
> ********************************
> mysql> select * from port_forwarding_rules;
> +-----+-------------+-----------------+-----------------+---------------+
> | id  | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +-----+-------------+-----------------+-----------------+---------------+
> | 113 |          24 | 172.16.2.10     |              10 |            10 |
> | 114 |          24 | 172.16.2.10     |              20 |            20 |
> | 115 |          24 | 172.16.2.10     |              30 |            30 |
> | 116 |          24 | 172.16.2.10     |              22 |            22 |
> | 117 |          24 | 172.16.2.10     |              80 |            80 |
> +-----+-------------+-----------------+-----------------+---------------+
> 5 rows in set (0.00 sec)
> ********************************
> ================== Logs post deleting the pf rules ========================
> root@r-53-VM:/etc/cloudstack# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 0e:00:a9:fe:02:c3 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.2.195/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 06:3d:52:00:00:0d brd ff:ff:ff:ff:ff:ff
>     inet 10.147.30.112/24 brd 10.147.30.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:4b:3f:00:14 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:67:bb:00:04 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.2.1/24 brd 172.16.2.255 scope global eth3
> root@r-53-VM:/etc/cloudstack#
> ********************************
> root@r-53-VM:/etc/cloudstack# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  172.16.2.0/24        anywhere             to:172.16.2.1
> SNAT       all  --  172.16.1.0/24        anywhere             to:172.16.1.1
> SNAT       all  --  anywhere             anywhere             to:10.147.30.112
> SNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
> root@r-53-VM:/etc/cloudstack#
> ********************************
> root@r-53-VM:/etc/cloudstack#
> root@r-53-VM:/etc/cloudstack# cat forwardingrules.json
> {
>     "10.147.30.113": [
>         {
>             "internal_ip": "172.16.2.10",
>             "internal_ports": "10:10",
>             "protocol": "tcp",
>             "public_ip": "10.147.30.113",
>             "public_ports": "10:10",
>             "type": "forward"
>         }
>     ],
>     "id": "forwardingrules"
> }
> root@r-53-VM:/etc/cloudstack#
> Attached MS.log



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
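The security-relevant point of the report is that the management server's view (UI and DB) and the router's enforcement (forwardingrules.json and the nat table) silently diverged, leaving a DNAT that still exposes the VM after the operator believes it is closed. The following is an added example, not CloudStack's code and not part of the bug report: a drift check that compares the rules the management server says exist against what the VR actually carries. It assumes the expected rules are exported as dicts with the field names public_ip, protocol, public_start, public_end, internal_ip, internal_start, internal_end (names chosen for this example, not CloudStack API field names), and that the nat table is captured with `iptables -t nat -L PREROUTING -n` so ports are numeric rather than service names such as ftp-data or ssh as in the report's output. The sample inputs are constructed to mirror the post-deletion state shown above.

```python
"""Drift check: rules the management server holds vs. what a VPC VR enforces.

Added example, not CloudStack code. Three views of one rule set are compared:
  1. expected rules (export of port_forwarding_rules / listPortForwardingRules)
  2. /etc/cloudstack/forwardingrules.json on the VR
  3. DNAT entries from `iptables -t nat -L PREROUTING -n` on the VR
Anything in (2) or (3) that is not in (1) is a stale forward still exposing the VM.
"""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# (public_ip, protocol, public_start, public_end, internal_ip, internal_start, internal_end)
Rule = Tuple[str, str, int, int, str, int, int]


def _port_range(spec: str) -> Tuple[int, int]:
    """'22:22' -> (22, 22); '10' -> (10, 10); '10-20' -> (10, 20)."""
    parts = re.split(r"[:-]", spec)
    start = int(parts[0])
    end = int(parts[1]) if len(parts) > 1 else start
    return start, end


def rules_from_expected(expected: Iterable[Dict]) -> Set[Rule]:
    """Normalise rows exported from the management server (field names are this
    example's own assumption, not CloudStack API names)."""
    return {(r["public_ip"], r["protocol"].lower(),
             int(r["public_start"]), int(r["public_end"]),
             r["internal_ip"], int(r["internal_start"]), int(r["internal_end"]))
            for r in expected}


def rules_from_forwardingrules_json(text: str) -> Set[Rule]:
    """Parse the VR's forwardingrules.json: public IP -> list of rules, plus an 'id' key."""
    out: Set[Rule] = set()
    for entries in json.loads(text).values():
        if not isinstance(entries, list):
            continue  # skips "id": "forwardingrules"
        for e in entries:
            if e.get("type") != "forward":
                continue  # static NAT entries are out of scope here
            ps, pe = _port_range(e["public_ports"])
            i_s, i_e = _port_range(e["internal_ports"])
            out.add((e["public_ip"], e["protocol"].lower(), ps, pe, e["internal_ip"], i_s, i_e))
    return out


# Matches numeric `iptables -t nat -L PREROUTING -n` lines such as
# DNAT  tcp  --  0.0.0.0/0  10.147.30.113  tcp dpt:10 to:172.16.2.10:10
_DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+--\s+\S+\s+(?P<pub>\S+)\s+\S+\s+"
    r"dpts?:(?P<ports>[\d:]+)\s+to:(?P<int_ip>[\d.]+)(?::(?P<int_ports>[\d-]+))?")


def rules_from_iptables(text: str) -> Set[Rule]:
    """Extract DNAT rules from numeric iptables output (use -n, or ports print as 'ssh')."""
    out: Set[Rule] = set()
    for line in text.splitlines():
        m = _DNAT_RE.match(line.strip())
        if not m:
            continue
        ps, pe = _port_range(m.group("ports"))
        # A DNAT target without an explicit port keeps the original destination port.
        i_s, i_e = _port_range(m.group("int_ports")) if m.group("int_ports") else (ps, pe)
        out.add((m.group("pub"), m.group("proto").lower(), ps, pe, m.group("int_ip"), i_s, i_e))
    return out


def find_drift(expected: Iterable[Dict], json_text: str, nat_text: str) -> Dict[str, Set[Rule]]:
    """Return the three kinds of mismatch an operator cares about."""
    want = rules_from_expected(expected)
    in_json = rules_from_forwardingrules_json(json_text)
    in_nat = rules_from_iptables(nat_text)
    return {
        "stale_in_json": in_json - want,       # VR config kept a rule the MS deleted
        "stale_in_iptables": in_nat - want,    # kernel still DNATs traffic for a deleted rule
        "missing_in_iptables": want - in_nat,  # MS believes it is enforced, VR does not enforce it
    }


# Constructed sample mirroring the post-deletion state in the report: the management
# server has no rules left, but the VR still carries the first one (public 10 -> 172.16.2.10:10).
EXPECTED_AFTER_DELETE: List[Dict] = []

VR_JSON_AFTER_DELETE = """{
    "10.147.30.113": [
        {"internal_ip": "172.16.2.10", "internal_ports": "10:10", "protocol": "tcp",
         "public_ip": "10.147.30.113", "public_ports": "10:10", "type": "forward"}
    ],
    "id": "forwardingrules"
}"""

VR_NAT_AFTER_DELETE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.147.30.113        tcp dpt:10 to:172.16.2.10:10
"""

if __name__ == "__main__":
    drift = find_drift(EXPECTED_AFTER_DELETE, VR_JSON_AFTER_DELETE, VR_NAT_AFTER_DELETE)
    for kind, rules in drift.items():
        for pub, proto, ps, pe, ip, i_s, i_e in sorted(rules):
            print(f"{kind}: {pub}/{proto} {ps}-{pe} -> {ip}:{i_s}-{i_e}")
```

Run against the sample, the check reports the stale 10.147.30.113/tcp 10 -> 172.16.2.10:10 forward both in forwardingrules.json and in the nat table while the expected set is empty, which is exactly the condition the report describes. The third bucket, missing_in_iptables, catches the opposite failure (a rule the management server believes is live but the router never programmed). Comparing only the DB against the JSON file would have missed nothing here, but comparing against the live nat table is what tells you the exposure is real rather than a leftover config artifact.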
