ravening opened a new issue #5365:
URL: https://github.com/apache/cloudstack/issues/5365
##### ISSUE TYPE
* Bug Report
##### COMPONENT NAME
~~~
VPC, VR
~~~
##### CLOUDSTACK VERSION
~~~
4.14
~~~
##### CONFIGURATION
Advanced network
##### OS / ENVIRONMENT
##### SUMMARY
I have created a VPC with several networks in it. I associated SNAT with a VM in
one of the networks. When I try to access the VM with SNAT from a VM in a
different network in the same VPC, the source IP is changed. The source IP
should be in the same subnet as the VM which has the SNAT.
Basically, the source address is pointing to a different subnet address rather than
the same subnet address of that network.
##### STEPS TO REPRODUCE
1. Create a VPC.
2. Create multiple networks in it with ranges 10.250.10.*, 10.250.20.*,
10.250.40.* and so on.
3. Create a VM in the network with range 10.250.20.* and 10.250.40.*. The VR
has the IP 10.250.20.253 for the 10.250.20.* network and the IP 10.250.40.253 for
the 10.250.40.* network.
4. Add SNAT to the VM in the 10.250.20.* network.
5. If I try to access the public SNAT IP from the same VM, the source IP
shows fine as 10.250.20.253, but if I try to access it from the 10.250.40.*
network, I see a different source IP. It shows as 10.250.40.253.
##### EXPECTED RESULTS
Below are the expected iptables rules
~~~
iptables -t nat -L -n
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x525
SNAT       all  --  10.250.120.0/24      10.250.120.147       to:10.250.120.253 <<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.120.0/24      10.250.120.139       to:10.250.120.253
SNAT       all  --  10.250.90.0/24       10.250.90.239        to:10.250.90.253
SNAT       all  --  10.250.80.0/24       10.250.80.124        to:10.250.80.253
SNAT       all  --  10.250.50.0/24       10.250.50.113        to:10.250.50.253
SNAT       all  --  10.250.10.0/24       10.250.10.89         to:10.250.10.253
SNAT       all  --  10.250.10.0/24       10.250.10.237        to:10.250.10.253
SNAT       all  --  10.250.20.0/24       10.250.20.151        to:10.250.20.253
SNAT       all  --  10.250.20.0/24       10.250.20.159        to:10.250.20.253
SNAT       all  --  10.250.40.0/24       10.250.40.85         to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.30.0/24       10.250.30.73         to:10.250.30.253
~~~
##### ACTUAL RESULTS
Below are the new iptables rules
~~~
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x525
SNAT       all  --  10.250.120.0/24      10.250.120.147       to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.120.0/24      10.250.120.139       to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.90.0/24       10.250.90.239        to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.80.0/24       10.250.80.124        to:10.250.40.253
SNAT       all  --  10.250.50.0/24       10.250.50.113        to:10.250.40.253
SNAT       all  --  10.250.10.0/24       10.250.10.89         to:10.250.40.253
SNAT       all  --  10.250.10.0/24       10.250.10.237        to:10.250.40.253
SNAT       all  --  10.250.20.0/24       10.250.20.151        to:10.250.40.253 <<<<<<<<<<<<<<<<<<<<<<
SNAT       all  --  10.250.20.0/24       10.250.20.159        to:10.250.40.253
SNAT       all  --  10.250.40.0/24       10.250.40.85         to:10.250.40.253
SNAT       all  --  10.250.30.0/24       10.250.30.73         to:10.250.40.253
~~~
This is how the inet address in the VR is configured:
```
inet 10.250.20.253/24 brd 10.250.20.255 scope global eth5
inet 10.250.20.1/24 brd 10.250.20.255 scope global secondary eth5
```
But the iptables rules show:
```
SNAT       all  --  10.250.20.0/24       10.250.20.151        to:10.250.40.253
```
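An added example, not part of the original issue or of CloudStack's code: a small checker that reads `iptables -t nat -L -n` output from a VR and lists every SNAT rule whose `to:` address falls outside the rule's own source subnet, which is the mismatch reported above. It assumes the expected listing in the issue defines correct behaviour (the translated address belongs to the source tier); the function names and the sample rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the issue's listing format; the last rule is
# line-wrapped the way a mail client wraps long output.
SAMPLE = """\
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x525
SNAT       all  --  10.250.20.0/24       10.250.20.151        to:10.250.40.253
SNAT       all  --  10.250.40.0/24       10.250.40.85         to:10.250.40.253
SNAT       all  --  10.250.30.0/24       10.250.30.73
to:10.250.30.253
"""

# target, prot, opt, source, destination, then the to:<addr> extension
RULE = re.compile(r"^SNAT\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+to:(\S+)")


def join_wrapped(text):
    """Re-attach a wrapped 'to:...' continuation to the rule line above it."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("to:") and lines:
            lines[-1] += " " + line
        elif line:
            lines.append(line)
    return lines


def mismatched_snat(text):
    """Return (source, destination, to) for SNAT rules whose translated
    address is not inside the rule's source subnet."""
    bad = []
    for line in join_wrapped(text):
        m = RULE.match(line)
        if not m:
            continue
        source, dest, to = m.groups()
        try:
            net = ipaddress.ip_network(source, strict=False)
            # to: may carry a port or an address range; keep the first address
            addr = ipaddress.ip_address(to.split(":")[0].split("-")[0])
        except ValueError:
            continue  # e.g. 'anywhere' when -n was not used
        if addr not in net:
            bad.append((source, dest, to))
    return bad


if __name__ == "__main__":
    for source, dest, to in mismatched_snat(SAMPLE):
        print(f"SNAT {source} -> {dest} rewrites to {to}, outside {source}")
```
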