Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/08/24 14:43:53 UTC
[GitHub] [cloudstack] ravening opened a new issue #5365: Incorrect iptable rules for SNAT
ravening opened a new issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
VPC, VR
~~~
##### CLOUDSTACK VERSION
~~~
4.14
~~~
##### CONFIGURATION
Advanced network
##### OS / ENVIRONMENT
##### SUMMARY
I have created a VPC with several networks in it. I associated SNAT to a VM in one of the networks. When I try to access the VM with SNAT from a VM in a different network in the same VPC, the source IP is changed. The source IP should be in the same subnet as the VM which has the SNAT.
Basically, the source address is pointing to a different subnet's address rather than the same subnet address of that network.
##### STEPS TO REPRODUCE
1. Create a VPC.
2. Create multiple networks in it with ranges 10.250.10.*, 10.250.20.*, 10.250.40.* and so on.
3. Create a VM in the networks with ranges 10.250.20.* and 10.250.40.*. The VR has the IP 10.250.20.253 for the 10.250.20.* network and 10.250.40.253 for the 10.250.40.* network.
4. Add SNAT to the VM in the 10.250.20.* network.
5. If I try to access the public SNAT IP from the same VM, the source IP shows fine as 10.250.20.253, but if I try to access it from the 10.250.40.* network, I'm seeing a different source IP: it shows as 10.250.40.253.
##### EXPECTED RESULTS
Below are the expected iptables rules
~~~
iptables -t nat -L -n
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x525
SNAT all -- 10.250.120.0/24 10.250.120.147 to:10.250.120.253 <<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.120.0/24 10.250.120.139 to:10.250.120.253
SNAT all -- 10.250.90.0/24 10.250.90.239 to:10.250.90.253
SNAT all -- 10.250.80.0/24 10.250.80.124 to:10.250.80.253
SNAT all -- 10.250.50.0/24 10.250.50.113 to:10.250.50.253
SNAT all -- 10.250.10.0/24 10.250.10.89 to:10.250.10.253
SNAT all -- 10.250.10.0/24 10.250.10.237 to:10.250.10.253
SNAT all -- 10.250.20.0/24 10.250.20.151 to:10.250.20.253
SNAT all -- 10.250.20.0/24 10.250.20.159 to:10.250.20.253
SNAT all -- 10.250.40.0/24 10.250.40.85 to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.30.0/24 10.250.30.73 to:10.250.30.253
~~~
##### ACTUAL RESULTS
Below are the new iptables rules
~~~
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x525
SNAT all -- 10.250.120.0/24 10.250.120.147 to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.120.0/24 10.250.120.139 to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.90.0/24 10.250.90.239 to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.80.0/24 10.250.80.124 to:10.250.40.253
SNAT all -- 10.250.50.0/24 10.250.50.113 to:10.250.40.253
SNAT all -- 10.250.10.0/24 10.250.10.89 to:10.250.40.253
SNAT all -- 10.250.10.0/24 10.250.10.237 to:10.250.40.253
SNAT all -- 10.250.20.0/24 10.250.20.151 to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<
SNAT all -- 10.250.20.0/24 10.250.20.159 to:10.250.40.253
SNAT all -- 10.250.40.0/24 10.250.40.85 to:10.250.40.253
SNAT all -- 10.250.30.0/24 10.250.30.73 to:10.250.40.253
~~~
This is how the inet addresses on the VR are configured
```
inet 10.250.20.253/24 brd 10.250.20.255 scope global eth5
inet 10.250.20.1/24 brd 10.250.20.255 scope global secondary eth5
```
but the iptables rule shows
```
SNAT all -- 10.250.20.0/24 10.250.20.151 to:10.250.40.253
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
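A quick way to confirm the mismatch the report above shows, rather than eyeballing the listing: parse the `iptables -t nat -L -n` output and flag every tier hairpin rule (subnet source, single-host destination) whose `--to-source` address does not belong to the source subnet. This is an added example written for this page, not CloudStack code; the two listings embedded below are constructed from the expected/actual output in the report, trimmed to three tiers each.

```python
import ipaddress
import re

# Constructed samples, taken from the expected/actual listings in the report above,
# trimmed to three tiers each. Column layout is what `iptables -t nat -L -n` prints:
# target prot opt source destination [extra]; the parser tolerates collapsed whitespace.
EXPECTED_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x525
SNAT all -- 10.250.120.0/24 10.250.120.147 to:10.250.120.253
SNAT all -- 10.250.90.0/24 10.250.90.239 to:10.250.90.253
SNAT all -- 10.250.40.0/24 10.250.40.85 to:10.250.40.253
"""

ACTUAL_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x525
SNAT all -- 10.250.120.0/24 10.250.120.147 to:10.250.40.253
SNAT all -- 10.250.90.0/24 10.250.90.239 to:10.250.40.253
SNAT all -- 10.250.40.0/24 10.250.40.85 to:10.250.40.253
"""

# target  prot  opt  source  destination  to:ADDR[-ADDR][:PORT]
SNAT_RE = re.compile(r"^SNAT\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+to:(\S+)")


def parse_snat_rules(listing):
    """Return (source, destination, to_source) for every SNAT rule in the listing."""
    rules = []
    for line in listing.splitlines():
        m = SNAT_RE.match(line)
        if m:
            src, dst, to = m.groups()
            # --to-source may be a range or carry a port; keep only the first address
            to = to.split("-")[0].split(":")[0]
            rules.append((src, dst, to))
    return rules


def find_mismatched_hairpin_rules(listing):
    """Flag tier hairpin rules (subnet source, single-host destination) whose
    --to-source address is not inside the source subnet. The per-VM public SNAT
    rules (host source, destination 0.0.0.0/0) are not hairpin rules and are skipped."""
    bad = []
    for src, dst, to in parse_snat_rules(listing):
        src_net = ipaddress.ip_network(src, strict=False)
        if src_net.prefixlen == src_net.max_prefixlen or dst == "0.0.0.0/0":
            continue
        if ipaddress.ip_address(to) not in src_net:
            bad.append((src, dst, to))
    return bad


if __name__ == "__main__":
    import subprocess
    # On a VR, audit the live table; anywhere else, fall back to the constructed sample.
    try:
        out = subprocess.check_output(
            ["iptables", "-t", "nat", "-L", "POSTROUTING", "-n"], text=True)
    except (OSError, subprocess.CalledProcessError):
        out = ACTUAL_LISTING
    for src, dst, to in find_mismatched_hairpin_rules(out):
        print("MISMATCH: -s %s -d %s --to-source %s (not in %s)" % (src, dst, to, src))
```

Run on the VR as root; an empty result is the healthy state. Rules whose source is a single host and destination is `0.0.0.0/0` are the public-IP SNAT rules and are deliberately ignored, since their `--to-source` is a public address by design.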
[GitHub] [cloudstack] ravening commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
ravening commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-905537474
@weizhouapache this is what I found in the log
```
2021-08-25 13:53:30,876 INFO Address found in DataBag ==> {u'public_ip': u'10.10.50.254', u'one_to_one_nat': False, u'nic_dev_id': u'6', u'network': u'10.10.50.0/24', u'netmask': u'255.255.255.0', u'source_nat': False, u'broadcast': u'10.10.50.255', u'add': True, u'nw_type': u'guest', u'device': u'eth6', u'cidr': u'10.10.50.254/24', u'gateway': u'10.10.50.254', u'size': u'24'}
```
So whichever IP address it finds **first** in the databag, that IP will be used as the gateway for all tiers.
In this case, the IP 10.10.50.254 was found first in the databag and hence that is used as the gateway for all tiers, according to the code below.
```python
def getGuestIp(self):
    interfaces = []
    ipAddr = None
    # collect every guest-type interface configured on the VR
    for interface in self.config.address().get_interfaces():
        if interface.is_guest():
            interfaces.append(interface)
    # one guest interface is chosen for the whole VR, whatever tier the rule is for
    if len(interfaces) > 0:
        ipAddr = sorted(interfaces)[-1]  # <<<<<<<<<<<< as soon as first guest ip is found, it is returned
    if ipAddr:
        return ipAddr.get_ip()
    return None
```
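To make the analysis above concrete, here is an added example (written for this page, not CloudStack's code) that models both lookups side by side: the quoted `getGuestIp`, which picks one guest interface for the whole VR, and a per-tier lookup that returns the VR address on the interface whose subnet contains the static-NAT VM's IP, which is what the `getGuestIpByIp` suggested later in the thread has to do; my version is a reconstruction, not CloudStack's function. The databag entries, the `Interface` stand-in class, and the ordering of interfaces by device name are all assumptions made for the example.

```python
import ipaddress

# Constructed databag, modelled on the "Address found in DataBag" log line above:
# one entry per VR interface, keeping only the fields the lookup uses. The device
# numbering is an assumption; what matters is that several guest tiers coexist.
DATABAG = [
    {"device": "eth0", "cidr": "10.135.122.130/24", "nw_type": "public"},
    {"device": "eth2", "cidr": "10.10.10.254/24", "nw_type": "guest"},
    {"device": "eth3", "cidr": "10.10.20.254/24", "nw_type": "guest"},
    {"device": "eth4", "cidr": "10.10.30.254/24", "nw_type": "guest"},
    {"device": "eth5", "cidr": "10.10.40.254/24", "nw_type": "guest"},
    {"device": "eth6", "cidr": "10.10.50.254/24", "nw_type": "guest"},
]


class Interface:
    """Minimal stand-in for the VR interface object; not CloudStack's CsInterface."""

    def __init__(self, entry):
        self.device = entry["device"]
        self.nw_type = entry["nw_type"]
        self.iface = ipaddress.ip_interface(entry["cidr"])

    def is_guest(self):
        return self.nw_type == "guest"

    def get_ip(self):
        return str(self.iface.ip)

    def get_network(self):
        return self.iface.network

    def __lt__(self, other):
        # Ordering by device name is an assumption made so sorted() is deterministic.
        return self.device < other.device


INTERFACES = [Interface(e) for e in DATABAG]


def get_guest_ip_any(interfaces, vm_ip=None):
    """The lookup quoted above: one guest interface for the whole VR; vm_ip is ignored."""
    guests = sorted(i for i in interfaces if i.is_guest())
    return guests[-1].get_ip() if guests else None


def get_guest_ip_by_ip(interfaces, vm_ip):
    """Per-tier lookup: the VR address on the guest interface whose subnet contains
    vm_ip. My reconstruction of what a by-IP lookup must do, not getGuestIpByIp itself."""
    addr = ipaddress.ip_address(vm_ip)
    for i in interfaces:
        if i.is_guest() and addr in i.get_network():
            return i.get_ip()
    return None


def tier_network(interfaces, vm_ip):
    """CIDR of the guest tier that contains vm_ip, or None if no tier does."""
    addr = ipaddress.ip_address(vm_ip)
    for i in interfaces:
        if i.is_guest() and addr in i.get_network():
            return str(i.get_network())
    return None


def hairpin_snat_rule(interfaces, vm_ip, lookup):
    """Render the POSTROUTING hairpin rule for a static-NAT VM with the given lookup.
    The shape matches the listing in the report: -s <tier> -d <vm> --to-source <vr ip>."""
    subnet = tier_network(interfaces, vm_ip)
    vr_ip = lookup(interfaces, vm_ip)
    if subnet is None or vr_ip is None:
        raise ValueError("no guest tier contains %s" % vm_ip)
    return ("iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s"
            % (subnet, vm_ip, vr_ip))


if __name__ == "__main__":
    # The five static-NAT VM addresses from the thread, one per tier.
    for vm in ("10.10.10.154", "10.10.20.170", "10.10.30.128", "10.10.40.139", "10.10.50.200"):
        print("buggy: " + hairpin_snat_rule(INTERFACES, vm, get_guest_ip_any))
        print("fixed: " + hairpin_snat_rule(INTERFACES, vm, get_guest_ip_by_ip))
```

With the interfaces above, `sorted(...)[-1]` lands on eth6 every time, so every tier's rule gets `--to-source 10.10.50.254`, exactly the pattern in the listings on this page; the by-IP lookup returns the VR address of the tier that actually contains the VM, and refuses (raises) when the address is not in any guest tier instead of silently picking an unrelated one.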
[GitHub] [cloudstack] rhtyd closed issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
rhtyd closed issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365
[GitHub] [cloudstack] ravening commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
ravening commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-906185574
> > @weizhouapache this is what I found in the log
> >
> > ```
> > 2021-08-25 13:53:30,876 INFO Address found in DataBag ==> {u'public_ip': u'10.10.50.254', u'one_to_one_nat': False, u'nic_dev_id': u'6', u'network': u'10.10.50.0/24', u'netmask': u'255.255.255.0', u'source_nat': False, u'broadcast': u'10.10.50.255', u'add': True, u'nw_type': u'guest', u'device': u'eth6', u'cidr': u'10.10.50.254/24', u'gateway': u'10.10.50.254', u'size': u'24'}
> > ```
> >
> > so whichever ip address it finds **first** in the databag then that ip will be used as gateway for all tiers
> >
> > In this case, the ip 10.10.50.254 was found first in the databag and hence that is used as gateway for all tiers according to below code.
> >
> > ```
> > def getGuestIp(self):
> >     interfaces = []
> >     ipAddr = None
> >
> >     for interface in self.config.address().get_interfaces():
> >         if interface.is_guest():
> >             interfaces.append(interface)
> >     if len(interfaces) > 0:
> >         ipAddr = sorted(interfaces)[-1]  # <<<<<<<<<<<< as soon as first guest ip is found, it is returned
> >     if ipAddr:
> >         return ipAddr.get_ip()
> >
> >     return None
> > ```
>
> @ravening ok. use 'getGuestIpByIp' instead of it might fix the issue.
@weizhouapache yes, I used that and that fixed the issue. I will create a PR.
[GitHub] [cloudstack] weizhouapache commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-906177660
> @weizhouapache this is what I found in the log
>
> ```
> 2021-08-25 13:53:30,876 INFO Address found in DataBag ==> {u'public_ip': u'10.10.50.254', u'one_to_one_nat': False, u'nic_dev_id': u'6', u'network': u'10.10.50.0/24', u'netmask': u'255.255.255.0', u'source_nat': False, u'broadcast': u'10.10.50.255', u'add': True, u'nw_type': u'guest', u'device': u'eth6', u'cidr': u'10.10.50.254/24', u'gateway': u'10.10.50.254', u'size': u'24'}
> ```
>
> so whichever ip address it finds **first** in the databag then that ip will be used as gateway for all tiers
>
> In this case, the ip 10.10.50.254 was found first in the databag and hence that is used as gateway for all tiers according to below code.
>
> ```
> def getGuestIp(self):
>     interfaces = []
>     ipAddr = None
>
>     for interface in self.config.address().get_interfaces():
>         if interface.is_guest():
>             interfaces.append(interface)
>     if len(interfaces) > 0:
>         ipAddr = sorted(interfaces)[-1]  # <<<<<<<<<<<< as soon as first guest ip is found, it is returned
>     if ipAddr:
>         return ipAddr.get_ip()
>
>     return None
> ```
@ravening ok. Using 'getGuestIpByIp' instead of it might fix the issue.
[GitHub] [cloudstack] ravening commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
ravening commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-905371769
@weizhouapache yes, it looks like an issue. I have 5 tiers with CIDRs `10.10.10.*`, `10.10.20.*`, `10.10.30.*`, `10.10.40.*` and `10.10.50.*`.
For all tiers the `--to-source` is configured as 10.10.50.254, which is wrong.
This is the iptables output:
```
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.10.50.0/24 10.10.50.200 to:10.10.50.254
SNAT all -- 10.10.50.200 0.0.0.0/0 to:10.135.122.135
SNAT all -- 10.10.40.0/24 10.10.40.139 to:10.10.50.254 <<<<<<<<<<<<<<< (should be 10.10.40.254)
SNAT all -- 10.10.40.139 0.0.0.0/0 to:10.135.122.134
SNAT all -- 10.10.30.0/24 10.10.30.128 to:10.10.50.254 <<<<<<<<<<<<<(should be 10.10.30.254)
SNAT all -- 10.10.30.128 0.0.0.0/0 to:10.135.122.133
SNAT all -- 10.10.20.0/24 10.10.20.170 to:10.10.50.254 <<<<<<<<<<<<< (should be 10.10.20.254)
SNAT all -- 10.10.20.170 0.0.0.0/0 to:10.135.122.132
SNAT all -- 10.10.10.0/24 10.10.10.154 to:10.10.50.254 <<<<<<<<<<<<< (should be 10.10.10.254)
SNAT all -- 10.10.10.154 0.0.0.0/0 to:10.135.122.131
```
[GitHub] [cloudstack] weizhouapache commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-904718288
not sure if it is an issue.
@ravening you can change processStaticNatRule in configure.py
[GitHub] [cloudstack] rhtyd commented on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
rhtyd commented on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-911382666
Fixed by https://github.com/apache/cloudstack/pull/5376
[GitHub] [cloudstack] ravening edited a comment on issue #5365: Incorrect iptable rules for SNAT
Posted by GitBox <gi...@apache.org>.
ravening edited a comment on issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365#issuecomment-904706495
@weizhouapache @rhtyd do you guys know what could have changed this? which script configure these rules?
is it vpc_snat.sh or configure.py or ipassoc.py?