Posted to dev@cloudstack.apache.org by "Sailaja Mada (JIRA)" <ji...@apache.org> on 2013/02/28 13:41:15 UTC
[jira] [Updated] (CLOUDSTACK-1452) Public IP's are assigned to private interface with VPC Restart [PF/LB rules are not functional]
[ https://issues.apache.org/jira/browse/CLOUDSTACK-1452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sailaja Mada updated CLOUDSTACK-1452:
-------------------------------------
Attachment: management-server.log
> Public IP's are assigned to private interface with VPC Restart [PF/LB rules are not functional]
> -----------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-1452
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1452
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.1.0
> Reporter: Sailaja Mada
> Priority: Critical
> Attachments: management-server.log
>
>
> Steps:
> 1. Advanced Networking - KVM 6.3 host
> 2. Create VPC and add Tier1 with 1 instance
> 3. Configure PF or LB rule [22-22]
> 4. Access Instance and ensure that PF/LB rules are functional
> Statistics of Router & VM Before restart :
> Router :
> root@r-151-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 0e:00:a9:fe:01:d3 brd ff:ff:ff:ff:ff:ff
> inet 169.254.1.211/16 brd 169.254.255.255 scope global eth0
> inet6 fe80::c00:a9ff:fefe:1d3/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:de:46:00:00:15 brd ff:ff:ff:ff:ff:ff
> inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
> inet6 fe80::4de:46ff:fe00:15/64 scope link
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet6 fe80::19ff:fe9f:1/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
> inet6 fe80::4f0:c6ff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> root@r-151-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3922
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere 10.2.0.1 udp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 tcp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp dpt:www
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp dpt:http-alt
> Chain FORWARD (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere !anywhere
> ACL_INBOUND_eth2 all -- anywhere 10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> DROP all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> root@r-151-VM:~#
> Instance :
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]# ifconfig
> eth0 Link encap:Ethernet HWaddr 02:00:60:1C:00:02
> inet addr:10.2.0.127 Bcast:10.2.0.255 Mask:255.255.255.0
> inet6 addr: fe80::60ff:fe1c:2/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:180 errors:0 dropped:0 overruns:0 frame:0
> TX packets:170 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:16010 (15.6 KiB) TX bytes:22842 (22.3 KiB)
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:32 errors:0 dropped:0 overruns:0 frame:0
> TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:4076 (3.9 KiB) TX bytes:4076 (3.9 KiB)
> [root@cbdbc436-ddbb-4d72-9ca4-96d8a417b6e9 ~]#
> Statistics after restarting VPC :
> root@r-155-VM:~# ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 0e:00:a9:fe:02:88 brd ff:ff:ff:ff:ff:ff
> inet 169.254.2.136/16 brd 169.254.255.255 scope global eth0
> inet6 fe80::c00:a9ff:fefe:288/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:4a:24:00:00:15 brd ff:ff:ff:ff:ff:ff
> inet 10.102.196.222/24 brd 10.102.196.255 scope global eth1
> inet6 fe80::44a:24ff:fe00:15/64 scope link
> valid_lft forever preferred_lft forever
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
> inet6 fe80::474:deff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> root@r-155-VM:~#
> root@r-155-VM:~# ifconfig
> eth0 Link encap:Ethernet HWaddr 0e:00:a9:fe:02:88
> inet addr:169.254.2.136 Bcast:169.254.255.255 Mask:255.255.0.0
> inet6 addr: fe80::c00:a9ff:fefe:288/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:410 errors:0 dropped:0 overruns:0 frame:0
> TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:63392 (61.9 KiB) TX bytes:64251 (62.7 KiB)
> eth1 Link encap:Ethernet HWaddr 06:4a:24:00:00:15
> inet addr:10.102.196.222 Bcast:10.102.196.255 Mask:255.255.255.0
> inet6 addr: fe80::44a:24ff:fe00:15/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:305 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:15516 (15.1 KiB) TX bytes:404 (404.0 B)
> eth2 Link encap:Ethernet HWaddr 06:74:de:00:00:16
> inet addr:10.2.0.1 Bcast:10.2.0.255 Mask:255.255.255.0
> inet6 addr: fe80::474:deff:fe00:16/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:126 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:8080 (7.8 KiB) TX bytes:404 (404.0 B)
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:6 errors:0 dropped:0 overruns:0 frame:0
> TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:414 (414.0 B) TX bytes:414 (414.0 B)
> root@r-155-VM:~#
> root@r-155-VM:~# iptables --list
> Chain INPUT (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:3922
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere 10.2.0.1 udp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 tcp dpt:domain
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp dpt:www
> ACCEPT tcp -- anywhere 10.2.0.1 state NEW tcp dpt:http-alt
> Chain FORWARD (policy DROP)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere !anywhere
> ACL_INBOUND_eth2 all -- anywhere 10.2.0.0/24
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain ACL_INBOUND_eth2 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> DROP all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> root@r-155-VM:~#
> Observation before restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 02:00:19:9f:00:01 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet6 fe80::19ff:fe9f:1/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:f0:c6:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth3
> inet6 fe80::4f0:c6ff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> root@r-151-VM:~#
> Observation after restart - VPC :
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
> inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
> inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
> inet6 fe80::474:deff:fe00:16/64 scope link
> valid_lft forever preferred_lft forever
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
> notes:
> a. Public IP's are assigned to private interface with VPC Restart
> b. PF/LB rules are not functional. Instances are not accessible.
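
The condition in the report's notes can be checked mechanically from `ip addr` output: one interface holding both a tier address and a public address, with another NIC left down. This is an added example, not part of the original report or of CloudStack; `parse_ip_addr`, `audit`, and the treatment of 10.2.0.0/24 as the tier network and 10.102.196.0/24 and 10.102.197.0/24 as public networks are assumptions inferred from the addresses shown above.

```python
import ipaddress
import re

# Assumed roles, inferred from the addresses shown in the report.
TIER_NETS = [ipaddress.ip_network("10.2.0.0/24")]
PUBLIC_NETS = [ipaddress.ip_network(n) for n in ("10.102.196.0/24", "10.102.197.0/24")]

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")
INET_RE = re.compile(r"^inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")

def parse_ip_addr(text):
    """Map interface name -> {"up": bool, "addrs": [IPv4Address]} from `ip addr` text."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail-quoted, de-indented output
        m = IFACE_RE.match(line)
        if m:
            up = "UP" in m.group(2).split(",")
            current = ifaces.setdefault(m.group(1), {"up": up, "addrs": []})
        elif current is not None and (m := INET_RE.match(line)):
            current["addrs"].append(ipaddress.ip_address(m.group(1)))
    return ifaces

def audit(ifaces):
    """Flag NICs mixing tier and public addresses, and NICs that are down or unaddressed."""
    findings = []
    for name, info in sorted(ifaces.items()):
        tier = [a for a in info["addrs"] if any(a in n for n in TIER_NETS)]
        pub = [str(a) for a in info["addrs"] if any(a in n for n in PUBLIC_NETS)]
        if tier and pub:
            findings.append((name, "public-ip-on-tier-nic", pub))
        if not info["up"] or not info["addrs"]:
            findings.append((name, "down-or-unaddressed", []))
    return findings

# Excerpt of the report's "after restart" output (r-155-VM), inet6 lines omitted.
AFTER_RESTART = """\
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 06:74:de:00:00:16 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.1/24 brd 10.2.0.255 scope global eth2
inet 10.102.197.225/24 brd 10.102.197.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 02:00:1a:94:00:03 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for finding in audit(parse_ip_addr(AFTER_RESTART)):
        print(finding)
```

Run against the before-restart output from r-151-VM, where 10.102.197.225 sits on eth3, the same check reports nothing.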