[
https://issues.apache.org/jira/browse/CLOUDSTACK-99?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13457377#comment-13457377
]
Chiradeep Vittal commented on CLOUDSTACK-99:
--------------------------------------------
Is the firewall rule deleted in the DB also (that is, the firewall rule does
not show up in the UI anymore)? I don't see any code removing the firewall
rule from the DB in response to removing a static NAT rule. Behaviorally it is
OK to remove it from the VR, since the end user does not have any visibility
into the VR state, just the external behavior. In this case, whether the VR has
the rule or not, the behavior is the same: access is denied on port 22. Also,
in the future, please give the output of iptables-save instead of iptables -t
> disable staticNat deletes the firewall rule
> -------------------------------------------
>
> Key: CLOUDSTACK-99
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-99
> Project: CloudStack
> Issue Type: Bug
> Components: Network Controller
> Affects Versions: pre-4.0.0
> Environment: Git Revision: 03df2fa9dd45c938f72cd1866044b09d1b0cc978
> Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.gi
> Reporter: sadhu suresh
> Assignee: Chiradeep Vittal
> Fix For: pre-4.0.0
>
>
> Steps:
> 1. create an advanced zone with Xen as the hypervisor
> 2. deploy a VM
> 3. acquire a public IP and configure a firewall rule for port 22
> 4. enable static NAT
> 5. disable static NAT
> 6. observe the behavior
> Actual result:
> Disabling static NAT was successful, but it deletes the firewall rule as well.
> Earlier, in 2.2.x, when we defined any service the corresponding firewall rule
> was created, and when we deleted the policy (PF/static NAT) the corresponding
> firewall rule was deleted in the background.
> But in 3.0.x the firewall is separated from services/policies like PF/static NAT; we
> need to explicitly define firewall rules for these policies/services.
> Expected result:
> It should not delete the firewall rule when we disable the static NAT rule. If the
> customer wants to use the same public IP for other services like PF,
> then he has to define the firewall rule again to open port 22 for SSH.
> If it is working as per design, then it needs to be documented clearly.
> Before disabling the firewall:
> root@r-11-VM:~# iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target                 prot opt source                                destination
> VPN_10.147.49.33       all  --  anywhere                              10.147.49.33
> FIREWALL_10.147.49.24  all  --  anywhere                              10.147.49.24
> FIREWALL_10.147.49.33  all  --  anywhere                              10.147.49.33
> CONNMARK               all  --  anywhere                              anywhere      state RELATED,ESTABLISHED CONNMARK restore
> MARK                   all  --  anywhere                              10.147.49.24  state NEW MARK set 0x2
> CONNMARK               all  --  anywhere                              10.147.49.24  state NEW CONNMARK save
> MARK                   all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere      state NEW MARK set 0x2
> CONNMARK               all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere      state NEW CONNMARK save
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> CHECKSUM   udp  --  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill
>
> Chain FIREWALL_10.147.49.24 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
> DROP       all  --  anywhere             anywhere
>
> Chain FIREWALL_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> DROP       all  --  anywhere             anywhere
> After disabling the static NAT:
> root@r-11-VM:~# iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target                 prot opt source               destination
> VPN_10.147.49.33       all  --  anywhere             10.147.49.33
> FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
> CONNMARK               all  --  anywhere             anywhere             state RELATED,ESTABLISHED CONNMARK restore
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> CHECKSUM   udp  --  anywhere             anywhere             udp dpt:bootpc CHECKSUM fill
>
> Chain FIREWALL_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> DROP       all  --  anywhere             anywhere
>
> Chain VPN_10.147.49.33 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
> RETURN     all  --  anywhere             anywhere
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
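The report only shows `iptables -L` listings, and the comment asks for `iptables-save` instead. As an added example (not code from the ticket or from CloudStack), here is a small POSIX shell script that takes two `iptables-save -t mangle` dumps of the router VM, reports which `FIREWALL_<ip>` chains disappeared between them, and checks whether a given public IP still has a `RETURN` for a TCP port ahead of the chain's trailing `DROP`. The two dumps are constructed here by hand in `iptables-save` syntax from the `-L` listings above (the counters, `/32` masks and rule ordering are assumed); on a real VR you would capture them with `iptables-save -t mangle` before and after disabling static NAT.

```shell
#!/bin/sh
# Constructed iptables-save -t mangle excerpts, modelled on the report's
# "before" and "after" iptables -L listings (not real captures from r-11-VM).
BEFORE='*mangle
:PREROUTING ACCEPT [0:0]
:FIREWALL_10.147.49.24 - [0:0]
:FIREWALL_10.147.49.33 - [0:0]
:VPN_10.147.49.33 - [0:0]
-A PREROUTING -d 10.147.49.33/32 -j VPN_10.147.49.33
-A PREROUTING -d 10.147.49.24/32 -j FIREWALL_10.147.49.24
-A PREROUTING -d 10.147.49.33/32 -j FIREWALL_10.147.49.33
-A FIREWALL_10.147.49.24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL_10.147.49.24 -p tcp -m tcp --dport 22 -j RETURN
-A FIREWALL_10.147.49.24 -j DROP
-A FIREWALL_10.147.49.33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL_10.147.49.33 -j DROP
COMMIT'

AFTER='*mangle
:PREROUTING ACCEPT [0:0]
:FIREWALL_10.147.49.33 - [0:0]
:VPN_10.147.49.33 - [0:0]
-A PREROUTING -d 10.147.49.33/32 -j VPN_10.147.49.33
-A PREROUTING -d 10.147.49.33/32 -j FIREWALL_10.147.49.33
-A FIREWALL_10.147.49.33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL_10.147.49.33 -j DROP
-A VPN_10.147.49.33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A VPN_10.147.49.33 -j RETURN
COMMIT'

# Print the FIREWALL_<ip> chains declared in an iptables-save dump ($1).
fw_chains() {
    printf '%s\n' "$1" | awk '/^:FIREWALL_/ { sub(/^:/, ""); print $1 }'
}

# Print chains present in the "before" dump ($1) but missing from "after" ($2).
lost_fw_chains() {
    for chain in $(fw_chains "$1"); do
        fw_chains "$2" | grep -qxF "$chain" || echo "$chain"
    done
}

# Succeed (exit 0) if dump $1 has a FIREWALL_<ip> chain for IP $2 containing a
# rule that RETURNs TCP traffic on port $3, i.e. the port is opened before the
# chain's final DROP. A missing chain or a missing RETURN both fail.
fw_port_open() {
    printf '%s\n' "$1" | awk -v chain="FIREWALL_$2" -v port="$3" '
        $1 == "-A" && $2 == chain {
            dport = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) dport = 1
                if ($i == "-j" && $(i + 1) == "RETURN" && dport) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

echo "FIREWALL_ chains removed by disabling static NAT:"
lost_fw_chains "$BEFORE" "$AFTER"

if fw_port_open "$BEFORE" 10.147.49.24 22; then
    echo "before: tcp/22 to 10.147.49.24 is allowed by FIREWALL_10.147.49.24"
fi
if fw_port_open "$AFTER" 10.147.49.24 22; then
    echo "after: tcp/22 to 10.147.49.24 is still allowed"
else
    echo "after: tcp/22 to 10.147.49.24 is blocked (chain missing or no RETURN)"
fi
```

This only answers the VR half of the question. Whether the rule was also dropped from the management DB is what decides if this is a bug or just cleanup of router state, and for that you would compare the firewall rules listed for the IP by the management server (for example via the `listFirewallRules` API call) before and after the static NAT change, since the user sees the DB, not the VR.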