Posted to issues@cloudstack.apache.org by "Sowmya Krishnan (JIRA)" <ji...@apache.org> on 2013/12/06 16:09:35 UTC
[jira] [Created] (CLOUDSTACK-5403) Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
Sowmya Krishnan created CLOUDSTACK-5403:
-------------------------------------------
Summary: Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
Key: CLOUDSTACK-5403
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server, Network Controller
Affects Versions: 4.3.0
Environment: Advanced zone, shared network on Hyper-V
Reporter: Sowmya Krishnan
Priority: Critical
Fix For: 4.3.0
Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
Steps:
Create a shared network in advanced zone
Acquire IP
Create PF and corresponding Firewall rule
Acquire another IP
Create LB and corresponding Firewall rule
Ensure all the rules work
Restart router
Check all rules
Result:
None of PF or LB rules work after router restart
I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
The following rules are dropped from iptables FORWARD chain after restart:
ACCEPT tcp -- anywhere shareduser1vm1 state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT tcp -- anywhere shareduser1vm1 tcp dpt:http state NEW /* 10.102.196.239:888:888 */
The firewall rules corresponding to the LB rule's source IP are dropped as well.
The rules themselves exist in DB though:
mysql> select * from firewall_rules;
+----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
| id | uuid | ip_address_id | start_port | end_port | state | protocol | purpose | account_id | domain_id | network_id | xid | created | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
+----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
| 1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d | 5 | 888 | 888 | Active | tcp | Firewall | 4 | 2 | 205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 | NULL | NULL | NULL | User | NULL | Ingress |
| 2 | 5b657e22-649a-4cd4-b23c-2416243f48ba | 5 | 888 | 888 | Active | tcp | PortForwarding | 4 | 2 | 205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 | NULL | NULL | NULL | User | NULL | NULL |
| 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 | 6 | 888 | 888 | Active | tcp | Firewall | 4 | 2 | 205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 | NULL | NULL | NULL | User | NULL | Ingress |
| 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 | 6 | 888 | 888 | Active | tcp | LoadBalancing | 4 | 2 | 205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 | NULL | NULL | NULL | User | NULL | NULL |
+----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
4 rows in set (0.00 sec)
mysql> select * from load_balancing_rules;
+----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
| id | name | description | default_port_start | default_port_end | algorithm | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
+----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
| 14 | lbshared | NULL | 80 | 80 | roundrobin | NULL | NULL | Public | NULL |
+----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
1 row in set (0.00 sec)
mysql> select * from port_forwarding_rules;
+----+-------------+-----------------+-----------------+---------------+
| id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
+----+-------------+-----------------+-----------------+---------------+
| 2 | 5 | 10.102.198.2 | 80 | 80 |
+----+-------------+-----------------+-----------------+---------------+
1 row in set (0.00 sec)
--
This message was sent by Atlassian JIRA
(v6.1#6144)
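An added check for the failure mode in this report (not code from CloudStack or from the reporter): it compares the Active rows of firewall_rules against the `/* ip:start:end */` comment tags that the virtual router puts on its FORWARD-chain entries, and lists the rules that have disappeared after a restart. The DB rows and both iptables snapshots are constructed samples modelled on the report; 10.102.196.239 is the PF public IP seen in the iptables comment, and the LB source IP is a placeholder.

```python
import re
from dataclasses import dataclass

# Comment tag the VR puts on each rule: /* <public ip>:<start port>:<end port> */
COMMENT_RE = re.compile(r"/\*\s*(\d+\.\d+\.\d+\.\d+):(\d+):(\d+)\s*\*/")


@dataclass(frozen=True)
class DbRule:
    """One Active firewall_rules row joined to its public IP (constructed sample)."""
    rule_id: int
    purpose: str
    public_ip: str
    start_port: int
    end_port: int


def tagged_rules(iptables_output: str) -> set:
    """Return the (ip, start, end) tags present in an `iptables -L FORWARD` dump."""
    tags = set()
    for line in iptables_output.splitlines():
        m = COMMENT_RE.search(line)
        if m:
            tags.add((m.group(1), int(m.group(2)), int(m.group(3))))
    return tags


def missing_rules(db_rules, iptables_output):
    """DB rules with no matching tagged entry in the FORWARD chain (should be empty)."""
    present = tagged_rules(iptables_output)
    return [r for r in db_rules if (r.public_ip, r.start_port, r.end_port) not in present]


# Constructed rows modelled on the firewall_rules output in the report.
DB_RULES = [
    DbRule(1, "Firewall", "10.102.196.239", 888, 888),
    DbRule(2, "PortForwarding", "10.102.196.239", 888, 888),
    DbRule(13, "Firewall", "10.102.196.240", 888, 888),  # placeholder LB source IP
]

# Constructed snapshots: BEFORE carries the tagged rules, AFTER has lost them.
BEFORE = """Chain FORWARD (policy DROP)
ACCEPT  tcp  --  anywhere  shareduser1vm1  state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT  tcp  --  anywhere  shareduser1vm1  tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT  tcp  --  anywhere  anywhere        tcp dpt:888 state NEW /* 10.102.196.240:888:888 */
"""
AFTER = """Chain FORWARD (policy DROP)
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    for r in missing_rules(DB_RULES, AFTER):
        print(f"rule {r.rule_id} ({r.purpose}) {r.public_ip}:{r.start_port}-{r.end_port} missing from FORWARD")
```

On a live router the AFTER text would come from `iptables -L FORWARD` on the VR and the rows from the firewall_rules table, so the same function can run as a post-restart health check.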