Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/09/29 13:54:27 UTC

[GitHub] [cloudstack] GutoVeronezi opened a new pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

GutoVeronezi opened a new pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532


   ### Description
   In ACS, when a VPC has more than one public IP and a user tries to use the non `source NAT` IP with some feature/option (like `static NAT`, `port forwarding`, `VPN` and others), ACS adds the public IP (used for the feature/option) as `source NAT` in the `iptables` of the VR.
   
   Example:
   - VPC has one public IP `192.168.0.50` and it is defined as the `source NAT`.
   - If we assign another public IP `192.168.0.51` to the VPC and use it to execute `port forwarding`, ACS will automatically add `192.168.0.51` as `source NAT` too.
   
   This PR intends to remove this inconsistency created by ACS.
   
   ### Types of changes
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [ ] New feature (non-breaking change which adds functionality)
   - [x] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ### Feature/Enhancement Scale or Bug Severity
   
   #### Feature/Enhancement Scale
   - [ ] Major
   - [x] Minor
   
   ### How Has This Been Tested?
   I tested locally, in a test lab.
   1. Created a VPC;
   2. Observed VR's `iptables`;
   3. Added public IPs to the VPC, assigned functions, tested and removed them;
   4. Before this change, every public IP would turn into a `source NAT` and mess up the `iptables`. After the changes, the `source NAT` is kept throughout the whole process and only the real function of the public IP is assigned.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931123970


   <b>Trillian Build Failed (tid-2260)</b>





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931251721


   @weizhouapache a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930916352


   @blueorangutan package
   
   





[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931007754


   @blueorangutan test





[GitHub] [cloudstack] blueorangutan removed a comment on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan removed a comment on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931122614









[GitHub] [cloudstack] blueorangutan removed a comment on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan removed a comment on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931008779









[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931125231


   <b>Trillian Build Failed (tid-2261)</b>





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931122614


   @weizhouapache a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] weizhouapache removed a comment on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache removed a comment on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931007754









[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930258761


   @GutoVeronezi 
   which cloudstack version are you testing with ?
   
   could you please tell how to reproduce the issue ?
   





[GitHub] [cloudstack] rhtyd merged pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
rhtyd merged pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532


   





[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931251033


   @blueorangutan test
   
   





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930998106


   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 1455





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931012601


   <b>Trillian Build Failed (tid-2256)</b>





[GitHub] [cloudstack] GutoVeronezi commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
GutoVeronezi commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930530135


   @weizhouapache 
   
   > which cloudstack version are you testing with ?
   
   4.15.0.0
   
   > could you please tell how to reproduce the issue ?
   
   1. Create a VPC;
   2. Observe VR's `iptables` (use `iptables-save | grep SNAT`);
   3. Add public IPs to the VPC and assign functions (`static NAT`, `port forwarding`...) to them;
   - Before the changes:
    4. Every public IP will turn into a `source NAT`, i.e.:
   ```
   -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
   -A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
   -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52
   -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.96
   ```
   
   - After the changes:
    4. Only the `source NAT` IP is `source NAT`; other IPs will have only the real function to which they were assigned.
   ```
   -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
   -A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
   -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52
   ```
   


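
The `iptables-save | grep SNAT` check from the reproduction steps above, turned into a repeatable audit. This is an added example, not part of the original comment or of CloudStack; the function names `catchall_snat` and `extra_source_nat` are made up here, and the sample rules are the two listings from the comment.

```shell
#!/usr/bin/env bash
# Added example: find outgoing interfaces that carry more than one
# unscoped SNAT rule in `iptables-save` output.

# Constructed samples: the "before" and "after" listings from the comment.
BEFORE_RULES='-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.96'

AFTER_RULES='-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
-A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52'

# Print "<iface> <address>" for each POSTROUTING SNAT rule that has no
# -s/-d/-p/-m match, i.e. a rule that applies to all traffic leaving <iface>.
catchall_snat() {
    awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            iface = "any"; to = ""; scoped = 0; snat = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" || $i == "-d" || $i == "-p" || $i == "-m") scoped = 1
                else if ($i == "-o") iface = $(i + 1)
                else if ($i == "-j" && $(i + 1) == "SNAT") snat = 1
                else if ($i == "--to-source") to = $(i + 1)
            }
            if (snat && !scoped && to != "") print iface, to
        }'
}

# Print one line per interface with more than one distinct catch-all SNAT
# address: "<iface> <first address> <later address>...". Rules are evaluated
# in order and SNAT is a terminating target, so only the first address is
# ever applied; the later ones are the extra `source NAT` entries.
extra_source_nat() {
    catchall_snat | awk '
        !seen[$1, $2]++ {
            if (count[$1]++ == 0) { order[++n] = $1; addrs[$1] = $2 }
            else addrs[$1] = addrs[$1] " " $2
        }
        END {
            for (k = 1; k <= n; k++)
                if (count[order[k]] > 1) print order[k], addrs[order[k]]
        }'
}

# Run the audit over both constructed samples.
printf 'before: %s\n' "$(printf '%s\n' "$BEFORE_RULES" | extra_source_nat)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER_RULES" | extra_source_nat)"
```

On a VR the same function can read live rules with `iptables-save -t nat | extra_source_nat`; empty output means each interface has at most one catch-all SNAT address.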



[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931663021


   <b>Trillian test result (tid-2262)</b>
   Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
   Total time taken: 30994 seconds
   Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr5532-t2262-kvm-centos7.zip
   Smoke tests completed. 90 look OK, 0 have errors
   Only failed tests results shown below:
   
   
   Test | Result | Time (s) | Test File
   --- | --- | --- | ---
   





[GitHub] [cloudstack] Hudratronium commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
Hudratronium commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-947220606


   just for understanding and out of interest:
   Currently enabling port forwarding for an additional public ip (e.g. expose a webserver) will - from a user's point of view -  result in an automatic outbound nat for that IP. Meaning the client contacting the webservice will get an answer from the "additional" public ip he addressed (aka webservice IP).
   looking through the iptables in my current setup, the only rules for enabling this, seem to be the SNAT rules for the additional public IPs. I guess the same will be the case for static NAT as well.
   
   So will something change in regards of the "outbound NAT" for a portforwarding - enabled ip? and where would this be configured?
   thanks in advance 
   





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930917349


   @weizhouapache a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931118669


   @blueorangutan test
   
   





[GitHub] [cloudstack] weizhouapache commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-930917244


   > @weizhouapache
   > 
   > > which cloudstack version are you testing with ?
   > 
   > 4.15.0.0
   > 
   > > could you please tell how to reproduce the issue ?
   > 
   > 1. Create a VPC;
   > 2. Observe VR's `iptables` (use `iptables-save | grep SNAT`);
   > 3. Add public IPs to the VPC and assign functions (`static NAT`, `port forwarding`...) to them;
   > 
   > * Before the changes:
   > 
   > 1. Every public IP will turn into a `source NAT`, i.e.:
   > 
   > ```
   > -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
   > -A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
   > -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52
   > -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.96
   > ```
   > 
   > * After the changes:
   > 
   > 1. Only the `source NAT` IP is `source NAT`; other IPs will have only the real function to which they were assigned.
   > 
   > ```
   > -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.247/32 -o eth2 -j SNAT --to-source 10.0.0.1
   > -A POSTROUTING -s 10.0.0.247/32 -o eth1 -j SNAT --to-source 192.168.100.96
   > -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.100.52
   > ```
   
   @GutoVeronezi 
   thanks. it looks like a small valid issue.





[GitHub] [cloudstack] blueorangutan commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-931008779


   @weizhouapache a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests





[GitHub] [cloudstack] GutoVeronezi commented on pull request #5532: Remove logic that creates gap for multiple 'source NAT' in VR

Posted by GitBox <gi...@apache.org>.
GutoVeronezi commented on pull request #5532:
URL: https://github.com/apache/cloudstack/pull/5532#issuecomment-947255616


   @Hudratronium the IP functions (like `static NAT`, `port forwarding`, `VPN`...) will not change. When we acquire a new public IP for a VPC and assign any function to it, ACS marks it as `source NAT` **too**. This PR is only about preventing ACS from marking any public IP as `source NAT`.

