Posted to issues@cloudstack.apache.org by "Jayapal Reddy (JIRA)" <ji...@apache.org> on 2017/05/31 06:28:04 UTC
[jira] [Created] (CLOUDSTACK-9934) Traffic is not routed correctly
on additional public interface from static NAT enabled VM
Jayapal Reddy created CLOUDSTACK-9934:
-----------------------------------------
Summary: Traffic is not routed correctly on additional public interface from static NAT enabled VM
Key: CLOUDSTACK-9934
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9934
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Network Devices
Reporter: Jayapal Reddy
Fix For: 4.10.0.0
1. Configure static NAT on an additional public subnet IP in a VPC.
2. Ping google.com from the static NAT enabled VM.
3. The traffic is supposed to leave via the additional public IP interface (the static NAT enabled IP).
Bug: The traffic leaves via the default source NAT interface (eth1).
Reason:
In the iptables mangle table, the ACL_OUTBOUND_ethX chain accepts the packet before it reaches the CONNMARK rule. In the PREROUTING listing below, the jump to ACL_OUTBOUND_eth3 precedes the MARK/CONNMARK save rules for 10.1.2.128, and because that chain ends in an unconditional ACCEPT, a matching packet leaves the mangle table before its mark is set.
Please look at the logs below.
{noformat}
root@r-135-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
root@r-135-QA:~#
root@r-135-QA:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
pkts bytes target prot opt in out source destination
77 6453 CONNMARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED CONNMARK restore
7 541 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED CONNMARK restore
2 144 ACL_OUTBOUND_eth3 all -- eth3 * 10.1.2.0/24 !10.1.2.1 state NEW
0 0 CONNMARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x1
34 2832 ACL_OUTBOUND_eth4 all -- eth4 * 10.1.1.0/24 !10.1.1.1 state NEW
12 801 CONNMARK all -- * * 10.1.1.68 0.0.0.0/0 state NEW CONNMARK save
0 0 CONNMARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x2
2 129 MARK all -- * * 10.1.2.128 0.0.0.0/0 state NEW MARK set 0x2
2 129 CONNMARK all -- * * 10.1.2.128 0.0.0.0/0 state NEW CONNMARK save
Chain INPUT (policy ACCEPT 325 packets, 19712 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
pkts bytes target prot opt in out source destination
4 336 VPN_STATS_eth2 all -- * * 0.0.0.0/0 0.0.0.0/0
209 17520 VPN_STATS_eth1 all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 291 packets, 35814 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
Chain POSTROUTING (policy ACCEPT 295 packets, 36150 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
Chain ACL_OUTBOUND_eth3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
2 144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACL_OUTBOUND_eth4 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
33 2748 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACL_OUTBOUND_eth5 (0 references)
pkts bytes target prot opt in out source destination
Chain VPN_STATS_eth1 (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * eth1 0.0.0.0/0 0.0.0.0/0 mark match 0x525
0 0 all -- eth1 * 0.0.0.0/0 0.0.0.0/0 mark match 0x524
Chain VPN_STATS_eth2 (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * eth2 0.0.0.0/0 0.0.0.0/0 mark match 0x525
0 0 all -- eth2 * 0.0.0.0/0 0.0.0.0/0 mark match 0x524
root@r-135-QA:~#
root@r-135-QA:~# tcpdump -i eth1 -nq
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
06:19:44.981751 IP 10.147.46.108 > 216.58.203.142: ICMP echo request, id 23906, seq 3, length 64
06:19:45.000805 IP 216.58.203.142 > 10.147.46.108: ICMP echo reply, id 23906, seq 3, length 64
06:19:46.312487 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
06:19:48.316566 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
06:19:49.103007 ARP, Request who-has 10.147.46.108 (1e:00:f9:00:00:14) tell 0.0.0.0, length 46
06:19:49.103025 ARP, Reply 10.147.46.108 is-at 1e:00:f9:00:00:14, length 28
06:19:50.159695 ARP, Request who-has 10.147.46.1 tell 10.147.46.104, length 28
06:19:50.315802 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
06:19:52.316119 STP 802.1d, Config, Flags [none], bridge-id 802e.f0:b2:e5:81:12:00.8027, length 42
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
root@r-135-QA:~#
root@r-135-QA:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 10 packets, 714 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- eth0 * 0.0.0.0/0 10.147.52.101 to:10.1.2.128
0 0 DNAT all -- * * 0.0.0.0/0 10.147.52.101 to:10.1.2.128
Chain INPUT (policy ACCEPT 8 packets, 546 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 10.147.52.101 to:10.1.2.128
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 10.1.2.0/24 10.1.2.128 to:10.147.44.100
0 0 SNAT all -- * eth2 10.1.2.128 0.0.0.0/0 to:10.147.52.101
0 0 SNAT all -- * eth4 10.1.1.0/24 0.0.0.0/0 to:10.1.1.1
0 0 SNAT all -- * eth3 10.1.2.0/24 0.0.0.0/0 to:10.1.2.1
26 1841 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0 to:10.147.46.108
0 0 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 to:10.147.52.101
root@r-135-QA:~#
{noformat}