Posted to issues@cloudstack.apache.org by "Rohit Yadav (JIRA)" <ji...@apache.org> on 2017/08/08 11:38:00 UTC

[jira] [Commented] (CLOUDSTACK-8945) rp_filter=1 not set on VPC private gateway initially, but is set after restart of VPC router

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118216#comment-16118216 ] 

Rohit Yadav commented on CLOUDSTACK-8945:
-----------------------------------------

Disabling rp_filter would mean no source validation will be done on incoming packets on an interface, i.e. packets won't be dropped. This is used for all sorts of domR (VPC VRs, rVRs, normal VRs). On normal VRs, eth0 and eth1 are the link-local and guest network NICs; however, eth2 is the public network NIC. For VPC/redundantVPC VRs, eth0 is link-local, eth1 is public, and eth2 is the guest network, based on actual env tests on KVM, VMware, and XenServer.

> rp_filter=1 not set on VPC private gateway initially, but is set after restart of VPC router
> --------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8945
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8945
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.4.4
>            Reporter: Anton Opgenoort
>            Assignee: Rohit Yadav
>
> (on ACS4.4.4 with XenServer as hypervisor)
> Steps to reproduce:
> - Create VPC router
> - Create private gateway on VPC router
> - Now log on to the rVM via the hypervisor's link-local address
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 0
> - Restart the rVM via CloudStack (NOT restart VPC but restart the underlying router via CloudStack)
> - Log on again:
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 1
> The issue thus is that on initial creation it is not set, where it should be set immediately.
> Note: when adding a regular network tier to the VPC config, that new interface IS configured with rp_filter=1. So it is limited to the private gateway NIC.
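
A check for the condition reported above, as an added example that is not part of the original message or of CloudStack's code: it reads every interface's rp_filter and reports the effective mode, using the kernel rule that the larger of conf/all and conf/<iface> applies. The function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Audit effective reverse-path filtering per interface.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when it
# validates sources on <iface>, so the per-interface value alone can mislead.
# Modes: 0 = no source validation, 1 = strict, 2 = loose.

# rp_filter_effective CONF_DIR IFACE -> prints the effective mode for IFACE.
# Fails if the interface has no rp_filter entry.
rp_filter_effective() {
    conf_dir=$1; iface=$2
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null) || all=0
    own=$(cat "$conf_dir/$iface/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_audit [CONF_DIR] -> one line per interface.
# Returns 1 if any interface ends up with an effective mode of 0.
# CONF_DIR defaults to the live tree; a different path is an assumption
# made here so the check can be run against a copied or constructed tree.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for d in "$conf_dir"/*/; do
        iface=$(basename "$d")
        # "all" and "default" are templates, not NICs; loopback is skipped.
        case $iface in all|default|lo) continue ;; esac
        eff=$(rp_filter_effective "$conf_dir" "$iface") || continue
        case $eff in
            0) echo "$iface effective=0 UNFILTERED"; rc=1 ;;
            1) echo "$iface effective=1 strict" ;;
            2) echo "$iface effective=2 loose" ;;
            *) echo "$iface effective=$eff unknown" ;;
        esac
    done
    return $rc
}
```

Source the file and call `rp_filter_audit` with no argument to read the live /proc tree; a non-zero status means at least one interface has no source validation.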


