Posted to commits@cloudstack.apache.org by ml...@apache.org on 2013/01/17 20:50:37 UTC

git commit: Summary: Fix rp_filter for VPC router

Updated Branches:
  refs/heads/master 0b60c0d3c -> e37a82375


Summary: Fix rp_filter for VPC router

Detail: VPC router was being treated like normal VR, which was an issue because
normally the VR has an eth0,1,2 which are isolated, linklocal, and public
networks respectively. rp_filter is turned on for eth0,1 and off for 2
(hardcoded). VPC however comes up with eth0,1 as public, linklocal, and no other
interfaces until new isolated networks are added, so the process doesn't work.
This change turns on rp_filter as new isolated networks are added to the VR.

BUG-ID: CLOUDSTACK-938
Bugfix-for: 4.0.2
Signed-off-by: Marcus Sorensen <ma...@betterservers.com> 1358451991 -0700


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/e37a8237
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/e37a8237
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/e37a8237

Branch: refs/heads/master
Commit: e37a82375c1dd7631f37de1ed1b336f524d08c62
Parents: 0b60c0d
Author: Marcus Sorensen <ma...@betterservers.com>
Authored: Thu Jan 17 12:46:31 2013 -0700
Committer: Marcus Sorensen <ma...@betterservers.com>
Committed: Thu Jan 17 12:51:38 2013 -0700

----------------------------------------------------------------------
 .../debian/config/etc/init.d/cloud-early-config    |    2 +-
 .../debian/config/opt/cloud/bin/vpc_guestnw.sh     |    1 +
 2 files changed, 2 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/e37a8237/patches/systemvm/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-early-config b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
index fe536cb..285a92f 100755
--- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config
+++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
@@ -660,7 +660,7 @@ EOF
   enable_svc dnsmasq 1
   enable_svc haproxy 1
   enable_svc cloud 0
-  disable_rpfilter_domR
+  disable_rpfilter
   enable_fwding 1
   cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules
   setup_sshd $ETH0_IP "eth0"
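
Review bot: The swap from `disable_rpfilter_domR` to `disable_rpfilter` on the changed line has no comment saying why the VPC router path differs from the normal VR path, and neither function body is visible in this hunk. Add a one-line comment at the call site noting that guest NICs get rp_filter turned on later in vpc_guestnw.sh. Also confirm what state this call leaves the link-local interface in, since it is present at boot and nothing else in this patch sets rp_filter for it.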

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/e37a8237/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index d20ed5a..c909cf7 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -134,6 +134,7 @@ create_guest_network() {
   sudo ip addr add dev $dev $ip/$mask brd +
   sudo ip link set $dev up
   sudo arping -c 3 -I $dev -A -U -s $ip $ip
+  echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
   # restore mark from  connection mark
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
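
Review bot: The added `echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter` is the only command in this hunk that does not go through `sudo`, and its result is not checked, so if `create_guest_network` ever runs without root the write fails and the new guest NIC stays unfiltered with no indication. Consider `echo 1 | sudo tee "/proc/sys/net/ipv4/conf/$dev/rp_filter" > /dev/null`, with `$dev` quoted, and log or return an error when the write fails.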


RE: git commit: Summary: Fix rp_filter for VPC router

Posted by Anthony Xu <Xu...@citrix.com>.
Hi Marcus,

I didn't realize the rp_filter issue when I worked on the VPC feature; thanks for the fix.

With the fix, the guest NIC is with rp_filter on and the public NIC is with rp_filter off; that's correct. But it seems eth0 (link local) is with rp_filter off, which is supposed to be on; this is very trivial.

I'm wondering if we can fix this in the opposite way in the VPC router?
By default, rp_filter is on.
When a public IP is associated to a VM, rp_filter is turned off explicitly for this NIC in vpc_ipassoc.sh.

In the VPC router, only eth0 is passed by kernel argument; further NICs are hot plugged into the VPC router, so even eth1 (public NIC) is hot plugged into the VPC router and programmed by vpc_ipassoc.sh.


Thanks,
Anthony
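
A check for the per-NIC rp_filter state discussed in this thread, as an added example that is not part of the original messages or of the CloudStack scripts: it reads rp_filter for each interface and compares it with the value expected for that NIC's role. The role names, the `CONF_ROOT` override and the function names are assumptions of this example; the effective value is taken as the larger of `conf/all/rp_filter` and the per-device setting, which is how the Linux kernel applies it.

```shell
#!/bin/sh
# Added example: audit effective rp_filter per interface against its role.
# CONF_ROOT defaults to the live sysctl tree; point it at a copy to test offline.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the effective rp_filter value for interface $1.
# The kernel uses max(conf/all/rp_filter, conf/<dev>/rp_filter).
effective_rp_filter() {
  dev_val=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null) || return 2
  all_val=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || all_val=0
  if [ "$all_val" -gt "$dev_val" ]; then echo "$all_val"; else echo "$dev_val"; fi
}

# Expected value by role, following the thread: guest and link-local NICs
# filter (1), the public NIC does not (0). Role names are this example's own.
expected_for_role() {
  case "$1" in
    guest|linklocal) echo 1 ;;
    public) echo 0 ;;
    *) return 1 ;;
  esac
}

# audit_rp_filter "dev:role" ... prints one line per interface and returns
# non-zero if any interface deviates, is missing, or has an unknown role.
audit_rp_filter() {
  audit_rc=0
  for pair in "$@"; do
    dev=${pair%%:*}; role=${pair#*:}
    want=$(expected_for_role "$role") || {
      echo "$dev UNKNOWN-ROLE $role"; audit_rc=1; continue; }
    got=$(effective_rp_filter "$dev") || {
      echo "$dev MISSING"; audit_rc=1; continue; }
    if [ "$got" = "$want" ]; then
      echo "$dev OK role=$role rp_filter=$got"
    else
      echo "$dev MISMATCH role=$role want=$want got=$got"; audit_rc=1
    fi
  done
  return $audit_rc
}
```

On a router, call it with the actual mapping, for example `audit_rp_filter eth0:linklocal eth1:public eth2:guest`; a `conf/all/rp_filter` of 1 makes the public NIC report a mismatch even when its own file holds 0.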


