Posted to issues@cloudstack.apache.org by "Paul Angus (JIRA)" <ji...@apache.org> on 2017/03/15 18:31:41 UTC

[jira] [Created] (CLOUDSTACK-9838) When 2 VMs have SNAT IPs assigned, they cannot communicate with each other via the SNAP IPs (normal VR)

Paul Angus created CLOUDSTACK-9838:
--------------------------------------

             Summary: When 2 VMs have SNAT IPs assigned, they cannot communicate with each other via the SNAP IPs (normal VR)
                 Key: CLOUDSTACK-9838
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9838
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.8.1.1, 4.7.1, 4.6.2, 4.10.0.0, 4.9.2.0
            Reporter: Paul Angus
            Priority: Minor


When two VMs have SNAT IPs (on different public subnets) assigned, they cannot communicate with each other via the SNAT IPs.
Traffic over the SNAT IPs to and from external networks/IPs flows successfully.

Output of iptables -t mangle -vL:

From ACS 4.5:
established connections are ACCEPTed, and that rule is at the top of the chain. The RETURN rules come later.

Chain FIREWALL_10.1.35.23 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 DROP       all  --  any    any     anywhere             anywhere


Using ACS 4.9:
the ACCEPT of established connections is at the END, after the RETURN rules, so inspection of a packet never gets as far as the ACCEPT.

Chain FIREWALL_10.1.64.9 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
   39  3002 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
 4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  397 40700 DROP       all  --  any    any     anywhere             anywhere


Moving
 4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

to the top of this section resolves the issue and traffic can flow over the SNAT IPs.

I believe that this only affects 'hairpin NAT' traffic, as it is in the mangle table.
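As an added illustration that is not part of this ticket, the Python below parses the two chain dumps quoted above, flags a chain whose stateful ACCEPT sits behind a RETURN, and walks the chain for an established TCP packet to port 80 the way iptables would, so the 4.5 and 4.9 verdicts can be compared; fix_order applies the reorder described above. Function names are assumptions.

```python
import re

# Constructed copies of the two FIREWALL_* chain dumps quoted in the ticket (ACS 4.5, then 4.9).
CHAIN_45 = """Chain FIREWALL_10.1.35.23 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""
CHAIN_49 = """Chain FIREWALL_10.1.64.9 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
   39  3002 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
 4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  397 40700 DROP       all  --  any    any     anywhere             anywhere
"""
# Columns of `iptables -vL`: pkts bytes target prot opt in out source destination [match extras]
RULE = re.compile(r"^\s*\S+\s+\S+\s+(\w+)\s+(\w+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_chain(dump):
    """Return (target, proto, extras) triples in chain order; the 'Chain' and header rows are skipped."""
    rules = []
    for line in dump.splitlines():
        m = RULE.match(line)
        if m and m.group(1).isupper():  # real targets are upper-case; the header row says 'target'
            rules.append((m.group(1), m.group(2), m.group(3).strip()))
    return rules

def established_accept_misordered(rules):
    """True when the RELATED,ESTABLISHED ACCEPT sits after a RETURN rule (the 4.9 layout)."""
    first_return = next((i for i, r in enumerate(rules) if r[0] == "RETURN"), None)
    est = next((i for i, r in enumerate(rules) if r[0] == "ACCEPT" and "ESTABLISHED" in r[2]), None)
    return None not in (first_return, est) and first_return < est

def fix_order(rules):
    """The reporter's workaround: move the stateful ACCEPT rule(s) to the top of the chain."""
    est = [r for r in rules if r[0] == "ACCEPT" and "ESTABLISHED" in r[2]]
    return est + [r for r in rules if r not in est]

def verdict(rules, proto, dport, established):
    """Target of the first rule a packet matches, walking the chain top to bottom like iptables."""
    for target, rproto, extras in rules:
        if rproto not in ("all", proto):
            continue
        if "ESTABLISHED" in extras and not established:
            continue
        if "dpt:" in extras and extras.split("dpt:")[1].split()[0] != dport:
            continue
        return target
    return "POLICY"  # fell off the end of the user chain without a verdict
```

Calling verdict(parse_chain(CHAIN_49), "tcp", "http", True) gives RETURN where the 4.5 chain gives ACCEPT, which is the ordering difference the report describes.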



