From "Chiradeep Vittal (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-99) disable staticNat deletes the firewall rule
Date Mon, 17 Sep 2012 21:47:08 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-99?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chiradeep Vittal resolved CLOUDSTACK-99.
----------------------------------------

    Resolution: Not A Problem

Whether the VR has the rule or not, in the absence of a service on that public IP address,
the externally observed behavior is the same.
> disable staticNat deletes the firewall rule
> -------------------------------------------
>
>                 Key: CLOUDSTACK-99
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-99
>             Project: CloudStack
>          Issue Type: Bug
>          Components: Network Controller
>    Affects Versions: pre-4.0.0
>         Environment: Git Revision: 03df2fa9dd45c938f72cd1866044b09d1b0cc978
> Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.gi
>            Reporter: sadhu suresh
>            Assignee: Chiradeep Vittal
>             Fix For: pre-4.0.0
>
>
> Steps:
> 1. Create an advanced zone with the hypervisor as Xen
> 2. Deploy a VM
> 3. Acquire a public IP and configure a firewall rule for port 22
> 4. Enable static NAT
> 5. Disable static NAT
> 6. Observe the behavior
> Actual result:
> Disabling static NAT was successful, but it deletes the firewall rule also.
> Earlier, in 2.2.x, when we defined any service the corresponding firewall rule would be created,
> and when we deleted the policy (PF/static NAT) the corresponding firewall rule would be deleted
> in the background.
> But in 3.0.x the firewall is separated from services/policies like PF/static NAT; we need to
> explicitly define the firewall for these policies/services.
> Expected result:
> It should not delete the firewall rule when we disable the static NAT rule. If the customer
> wants to use the same public IP for other services like PF, then he has to define the firewall
> rule again to open port 22 for SSH.
> If it is working as per design, then it needs to be documented clearly.
> Before disabling the firewall:
> root@r-11-VM:~# iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> VPN_10.147.49.33  all  --  anywhere             10.147.49.33
> FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
> FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
> CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore
> MARK       all  --  anywhere             10.147.49.24        state NEW MARK set 0x2
> CONNMARK   all  --  anywhere             10.147.49.24        state NEW CONNMARK save
> MARK       all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW MARK set 0x2
> CONNMARK   all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW CONNMARK save
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill
> Chain FIREWALL_10.147.49.24 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
> DROP       all  --  anywhere             anywhere
> Chain FIREWALL_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> DROP       all  --  anywhere             anywhere
> After disabling the static NAT:
> root@r-11-VM:~# iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> VPN_10.147.49.33  all  --  anywhere             10.147.49.33
> FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
> CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill
> Chain FIREWALL_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> DROP       all  --  anywhere             anywhere
> Chain VPN_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> RETURN     all  --  anywhere             anywhere

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
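Added example for this thread, not code from the report or from CloudStack: a small Python script that parses two `iptables -L -t mangle` captures of the kind pasted in the issue and reports which per-IP FIREWALL chains, PREROUTING jumps and opened ports disappeared between them. The point is to turn "did disabling static NAT silently close port 22?" into a check that can run against a before/after capture from the VR. The BEFORE and AFTER listings inside it are constructed from the report's output (abridged to the chains that matter); the function names and the FIREWALL_/VPN_ chain-name convention it matches on are taken from the listing, everything else is my own.

```python
"""Diff two `iptables -L -t mangle` captures from a CloudStack virtual router and
report which per-IP FIREWALL chains, PREROUTING jumps and opened ports vanished.
Added example for this thread; not CloudStack's own code."""
import re

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")
# CloudStack names per-public-IP chains FIREWALL_<ip> and VPN_<ip> (seen in the report).
PER_IP_CHAIN = re.compile(r"^(FIREWALL|VPN)_(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed samples, abridged from the listings in the bug report.
BEFORE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore
MARK       all  --  anywhere             10.147.49.24        state NEW MARK set 0x2
CONNMARK   all  --  anywhere             10.147.49.24        state NEW CONNMARK save

Chain FIREWALL_10.147.49.24 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""

AFTER = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain VPN_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     all  --  anywhere             anywhere
"""


def parse_iptables_listing(text):
    """Return {chain: [normalised rule, ...]} from plain `iptables -L` output
    (default format: a 'Chain X (...)' header, a column line, then one rule per line)."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
        elif current is not None and not line.startswith("target "):
            # collapse column padding so rules compare as plain strings
            chains[current].append(" ".join(line.split()))
    return chains


def open_ports_by_ip(chains):
    """Ports each FIREWALL_<ip> chain lets through: RETURN rules carrying a dpt: match."""
    ports = {}
    for name, rules in chains.items():
        m = PER_IP_CHAIN.match(name)
        if not m or m.group(1) != "FIREWALL":
            continue
        ip = m.group(2)
        ports[ip] = []
        for rule in rules:
            tokens = rule.split()
            dpt = [t for t in tokens if t.startswith("dpt:")]
            if tokens[0] == "RETURN" and dpt:
                ports[ip].append(f"{tokens[1]}/{dpt[0][4:]}")  # e.g. tcp/ssh
    return ports


def diff_firewall_state(before_text, after_text):
    """Compare two captures; everything reported here is present before and absent after."""
    before = parse_iptables_listing(before_text)
    after = parse_iptables_listing(after_text)
    lost_chains = sorted(c for c in before if c not in after and PER_IP_CHAIN.match(c))
    removed_rules = {}
    for name, rules in before.items():
        if name in after:
            missing = [r for r in rules if r not in after[name]]
            if missing:
                removed_rules[name] = missing
    before_ports, after_ports = open_ports_by_ip(before), open_ports_by_ip(after)
    closed_ports = {}
    for ip, ports in before_ports.items():
        gone = [p for p in ports if p not in after_ports.get(ip, [])]
        if gone:
            closed_ports[ip] = gone
    return {"lost_chains": lost_chains, "removed_rules": removed_rules, "closed_ports": closed_ports}


if __name__ == "__main__":
    report = diff_firewall_state(BEFORE, AFTER)
    for ip, ports in report["closed_ports"].items():
        print(f"{ip}: {', '.join(ports)} no longer opened by any firewall rule")
    for chain in report["lost_chains"]:
        print(f"chain {chain} removed")
    for chain, rules in report["removed_rules"].items():
        for rule in rules:
            print(f"{chain}: dropped rule '{rule}'")
```

On the report's data this flags FIREWALL_10.147.49.24 as a lost chain, the three PREROUTING entries for 10.147.49.24 as dropped rules, and tcp/ssh on 10.147.49.24 as a port that was open before and is not after, which is exactly the observation the reporter made by eye. Chiradeep's resolution stands as written: once static NAT is gone there is nothing behind that IP, so the missing chain changes no externally observable behavior, but a check like this is how you would confirm that a later PF rule on the same IP does get its own FIREWALL chain back.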
