Posted to issues@cloudstack.apache.org by "Sowmya Krishnan (JIRA)" <ji...@apache.org> on 2013/12/06 16:09:37 UTC
[jira] [Updated] (CLOUDSTACK-5403) Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
[ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sowmya Krishnan updated CLOUDSTACK-5403:
----------------------------------------
Attachment: iptables_before_restart.gz
            iptables_after_restart.gz
            restart_vr_agent.log.log
            restart_vr.log.gz
Attached MS log and agent log during router restart and also iptables before and after router restart.
> Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-5403
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Management Server, Network Controller
> Affects Versions: 4.3.0
> Environment: Advanced zone, shared network on Hyper-V
> Reporter: Sowmya Krishnan
> Priority: Critical
> Labels: hyper-V,
> Fix For: 4.3.0
>
> Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
> Result:
> None of PF or LB rules work after router restart
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
> The following rules are dropped from iptables FORWARD chain after restart:
> ACCEPT tcp -- anywhere shareduser1vm1 state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT tcp -- anywhere shareduser1vm1 tcp dpt:http state NEW /* 10.102.196.239:888:888 */
> So are the firewall rules corresponding to the LB rule's source IP.
> The rules themselves exist in DB though:
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid | ip_address_id | start_port | end_port | state | protocol | purpose | account_id | domain_id | network_id | xid | created | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | 1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d | 5 | 888 | 888 | Active | tcp | Firewall | 4 | 2 | 205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 | NULL | NULL | NULL | User | NULL | Ingress |
> | 2 | 5b657e22-649a-4cd4-b23c-2416243f48ba | 5 | 888 | 888 | Active | tcp | PortForwarding | 4 | 2 | 205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 | NULL | NULL | NULL | User | NULL | NULL |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 | 6 | 888 | 888 | Active | tcp | Firewall | 4 | 2 | 205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 | NULL | NULL | NULL | User | NULL | Ingress |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 | 6 | 888 | 888 | Active | tcp | LoadBalancing | 4 | 2 | 205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 | NULL | NULL | NULL | User | NULL | NULL |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name | description | default_port_start | default_port_end | algorithm | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL | 80 | 80 | roundrobin | NULL | NULL | Public | NULL |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> | 2 | 5 | 10.102.198.2 | 80 | 80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)
--
This message was sent by Atlassian JIRA
(v6.1#6144)
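A check for the drift this report describes, added here as an example and not part of the issue or of CloudStack itself: it parses the `/* ip:start:end */` comment tags from an `iptables -L FORWARD` dump and compares them with the Active rows of `firewall_rules`, so a rule present in the DB but absent from the router is flagged after a restart. The sample rows and dumps are constructed from the report; the address mapped to ip_address_id 6 is an assumption.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# CloudStack tags each rule it programs on the router with an iptables comment
# of the form /* <public_ip>:<start_port>:<end_port> */, as in the FORWARD lines
# quoted in the report. Everything below is keyed on that triple.
Tag = Tuple[str, int, int]
TAG_RE = re.compile(r"/\*\s*(\d+(?:\.\d+){3}):(\d+):(\d+)\s*\*/")

def iptables_tags(dump: str) -> Set[Tag]:
    """Collect the rule tags present in an `iptables -L FORWARD` dump."""
    return {(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(TAG_RE.search, dump.splitlines()) if m}

def expected_tags(rows: Iterable[dict], ip_by_id: Dict[int, str]) -> Set[Tag]:
    """Tags the router should carry: one per Active firewall_rules row of purpose Firewall."""
    return {(ip_by_id[r["ip_address_id"]], r["start_port"], r["end_port"])
            for r in rows if r["state"] == "Active" and r["purpose"] == "Firewall"}

def missing_rules(dump: str, rows: Iterable[dict], ip_by_id: Dict[int, str]) -> List[Tag]:
    """Rules recorded in the DB but absent from the router (e.g. after a restart)."""
    return sorted(expected_tags(rows, ip_by_id) - iptables_tags(dump))

# Constructed sample data. The rows mirror ids 1, 2 and 13 from the report's
# firewall_rules output; the address for ip_address_id 6 is an assumption.
FIREWALL_ROWS = [
    {"id": 1, "ip_address_id": 5, "start_port": 888, "end_port": 888,
     "state": "Active", "purpose": "Firewall"},
    {"id": 2, "ip_address_id": 5, "start_port": 888, "end_port": 888,
     "state": "Active", "purpose": "PortForwarding"},
    {"id": 13, "ip_address_id": 6, "start_port": 888, "end_port": 888,
     "state": "Active", "purpose": "Firewall"},
]
IP_BY_ID = {5: "10.102.196.239", 6: "10.102.196.240"}  # id 6 address is constructed

BEFORE = """\
ACCEPT tcp -- anywhere shareduser1vm1 state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT tcp -- anywhere shareduser1vm1 tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT tcp -- anywhere shareduser1vm2 tcp dpt:http state NEW /* 10.102.196.240:888:888 */
"""
AFTER = """\
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    print("before restart, missing:", missing_rules(BEFORE, FIREWALL_ROWS, IP_BY_ID))
    print("after restart, missing:", missing_rules(AFTER, FIREWALL_ROWS, IP_BY_ID))
```

Run it against a real `iptables -L FORWARD` capture and a `select * from firewall_rules` export taken before and after the router restart to see which tagged rules the restart dropped.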