incubator-cloudstack-dev mailing list archives

From "sadhu suresh (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-99) disable staticNat deletes the firewall rule
Date Fri, 14 Sep 2012 03:54:07 GMT
sadhu suresh created CLOUDSTACK-99:
--------------------------------------

             Summary: disable staticNat deletes the firewall rule
                 Key: CLOUDSTACK-99
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-99
             Project: CloudStack
          Issue Type: Bug
          Components: Network Controller
         Environment: Git Revision: 03df2fa9dd45c938f72cd1866044b09d1b0cc978
Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.gi

            Reporter: sadhu suresh
             Fix For: pre-4.0.0

Steps:

1. Create an advanced zone with Xen as the hypervisor
2. Deploy a VM
3. Acquire a public IP and configure a firewall rule for port 22
4. Enable static NAT
5. Disable static NAT
6. Observe the behavior

Actual result:
Disabling static NAT was successful, but it deletes the firewall rule as well.

Earlier, in 2.2.x, when we defined any service the corresponding firewall rule was created,
and when we deleted the policy (PF/static NAT) the corresponding firewall rule was deleted
in the background.

But in 3.0.x the firewall is separated from services/policies like PF/static NAT; we need to explicitly
define a firewall rule for these policies/services.

Expected result:
It should not delete the firewall rule when we disable the static NAT rule. If the customer wants
to use the same public IP for other services like PF then he has to define the firewall rule
again to open port 22 for SSH.


If it's working as per design then it needs to be documented clearly.

Before disabling the firewall:

root@r-11-VM:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore
MARK       all  --  anywhere             10.147.49.24        state NEW MARK set 0x2
CONNMARK   all  --  anywhere             10.147.49.24        state NEW CONNMARK save
MARK       all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW MARK set 0x2
CONNMARK   all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_10.147.49.24 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

After disabling the static NAT:

root@r-11-VM:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain VPN_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     all  --  anywhere             anywhere
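An added check, not part of this bug report or of CloudStack's own code: a small Python script that parses two `iptables -L -t mangle` dumps and lists which per-IP FIREWALL_ chains, and which rules inside them, disappeared between the snapshots, so an operator can detect this kind of silent firewall loss after a static NAT change instead of finding it by eye. The sample input is trimmed from the router-VM output above; the chain layout it relies on (FIREWALL_<ip> chains hooked from PREROUTING, RETURN for an allowed port, DROP at the end) is taken from those dumps, and the function and variable names are assumptions of this example.

```python
"""Diff two `iptables -L -t mangle` dumps and report lost FIREWALL_<ip> rules.

Constructed sample input, trimmed from the before/after dumps in the bug
report (static NAT disabled on 10.147.49.24 between the two snapshots).
"""
import re

BEFORE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33

Chain FIREWALL_10.147.49.24 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""

AFTER = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""

# "Chain NAME (policy ACCEPT)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+|\d+ references)\)$")


def parse_chains(dump):
    """Return {chain_name: [rule_tokens, ...]} from `iptables -L` text output."""
    chains = {}
    current = None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target"):
            continue  # blank separator or column header
        if current is not None:
            chains[current].append(line.split())  # whitespace-normalised rule
    return chains


def firewall_chains(chains):
    """Keep only the per-public-IP chains CloudStack names FIREWALL_<ip>."""
    return {n: r for n, r in chains.items() if n.startswith("FIREWALL_")}


def lost_firewall_rules(before, after):
    """Return {ip: [rule strings]} that existed in `before` but are gone in `after`.

    A chain that vanished entirely reports all of its rules; a chain that
    survived reports only the individual rules that were removed.
    """
    b = firewall_chains(parse_chains(before))
    a = firewall_chains(parse_chains(after))
    lost = {}
    for name, rules in b.items():
        ip = name[len("FIREWALL_"):]
        if name not in a:
            lost[ip] = [" ".join(r) for r in rules]
        else:
            missing = [" ".join(r) for r in rules if r not in a[name]]
            if missing:
                lost[ip] = missing
    return lost


def open_ports(rules):
    """Ports the chain let through: in these mangle chains an allowed port is a
    RETURN rule carrying a 'dpt:<port>' match, everything else falls to DROP."""
    ports = []
    for rule in rules:
        parts = rule.split()
        if parts and parts[0] == "RETURN":
            ports.extend(p[len("dpt:"):] for p in parts if p.startswith("dpt:"))
    return ports


if __name__ == "__main__":
    for ip, rules in lost_firewall_rules(BEFORE, AFTER).items():
        print(f"{ip}: lost {len(rules)} firewall rule(s); previously open ports: {open_ports(rules)}")
```

Run against live snapshots by capturing `iptables -L -t mangle` on the router VM before and after the API call and feeding the two texts to `lost_firewall_rules`; a non-empty result for the IP whose static NAT was just disabled is exactly the behaviour this ticket describes.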

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira