Slair1 commented on issue #2680: Using Source NAT option on Private Gateway does not work

URL: https://github.com/apache/cloudstack/issues/2680#issuecomment-396743659

@rhtyd /cc @ustcweizhou

It looks like the old SNAT in `CsAddress.py` (before this PR) was allowing the static NAT hair-pinning to work. However, that seems to only be because the actual static NAT hairpin code in `configure.py` wasn't working correctly: it had `eth0` hard-coded in it instead of dynamically determining the guest network interface. So, I left our `CsAddress.py` as is (see current PR #2681) and modified `configure.py` to fix the hairpin SNAT. Please see the following and let me know your thoughts. It may need some others to do some additional testing also.

## Before Changes to `configure.py`

#### IP Address and Interfaces

```
root@r-336-VM:~# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:dd brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.221/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:18:90:00:00:30 brd ff:ff:ff:ff:ff:ff
    inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
    inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
    inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:1d:54:00:02:6b brd ff:ff:ff:ff:ff:ff
    inet 10.101.41.10/24 brd 10.101.41.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:6d:75:00:0a brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
```

#### OUTPUT DNAT (looks good)

```
root@r-336-VM:~# iptables -L OUTPUT -t nat -vn
Chain OUTPUT (policy ACCEPT 28 packets, 1871 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.20  to:10.0.0.154
    0     0 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.19  to:10.0.0.209
```

#### PREROUTING DNAT (1st and 3rd line are not needed)

```
root@r-336-VM:~# iptables -L PREROUTING -t nat -vn
Chain PREROUTING (policy ACCEPT 551 packets, 51744 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 DNAT   all  --  eth0 *    0.0.0.0/0  46.99.52.20  to:10.0.0.154
    6   240 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.20  to:10.0.0.154
    0     0 DNAT   all  --  eth0 *    0.0.0.0/0  46.99.52.19  to:10.0.0.209
   11   492 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.19  to:10.0.0.209
```

#### POSTROUTING SNAT (1st and 3rd line are incorrect. Last line isn't needed)

The 1st and 3rd line are close to getting hair-pinning with a static NAT working, but the interface is wrong. If you look above, eth0 was our 169.254.0.0/16 network...

```
root@r-336-VM:~# iptables -L POSTROUTING -t nat -vn
Chain POSTROUTING (policy ACCEPT 26 packets, 1100 bytes)
 pkts bytes target prot opt in   out  source       destination
    0     0 SNAT   all  --  *    eth0 10.0.0.0/24  10.0.0.154   to:10.0.0.1
   34  2584 SNAT   all  --  *    eth1 10.0.0.154   0.0.0.0/0    to:46.99.52.20
    0     0 SNAT   all  --  *    eth0 10.0.0.0/24  10.0.0.209   to:10.0.0.1
   28  1456 SNAT   all  --  *    eth1 10.0.0.209   0.0.0.0/0    to:46.99.52.19
  243 14660 SNAT   all  --  *    eth2 0.0.0.0/0    0.0.0.0/0    to:10.101.41.10
  222 14854 SNAT   all  --  *    eth1 0.0.0.0/0    0.0.0.0/0    to:46.99.52.18
    0     0 SNAT   all  --  *    eth1 0.0.0.0/0    0.0.0.0/0    to:46.99.52.19
```

## After Changes to `configure.py`

#### IP Address and Interfaces

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:c9 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.201/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:c7:80:00:00:30 brd ff:ff:ff:ff:ff:ff
    inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
    inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
    inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:5a:34:00:02:6b brd ff:ff:ff:ff:ff:ff
    inet 10.101.41.10/24 brd 10.101.41.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:6c:02:00:16 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
```

#### OUTPUT DNAT

```
root@r-342-VM:~# iptables -L OUTPUT -t nat -vn
Chain OUTPUT (policy ACCEPT 104 packets, 8128 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.19  to:10.0.0.209
    0     0 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.20  to:10.0.0.154
```

#### PREROUTING DNAT

```
root@r-342-VM:~# iptables -L PREROUTING -t nat -vn
Chain PREROUTING (policy ACCEPT 19526 packets, 1424K bytes)
 pkts bytes target prot opt in   out  source     destination
  160  8277 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.19  to:10.0.0.209
  181  9086 DNAT   all  --  *    *    0.0.0.0/0  46.99.52.20  to:10.0.0.154
```

#### POSTROUTING SNAT

That last line is still not needed, but I am not sure how/why that is there.

```
root@r-342-VM:~# iptables -L POSTROUTING -t nat -vn
Chain POSTROUTING (policy ACCEPT 339 packets, 17781 bytes)
 pkts bytes target prot opt in   out  source       destination
    4   240 SNAT   all  --  *    eth3 10.0.0.0/24  10.0.0.209   to:10.0.0.1
   34  1768 SNAT   all  --  *    eth1 10.0.0.209   0.0.0.0/0    to:46.99.52.19
    2   405 SNAT   all  --  *    eth3 10.0.0.0/24  10.0.0.154   to:10.0.0.1
13800  830K SNAT   all  --  *    eth1 10.0.0.154   0.0.0.0/0    to:46.99.52.20
    0     0 SNAT   all  --  *    eth2 0.0.0.0/0    0.0.0.0/0    to:10.101.41.10
  154 10809 SNAT   all  --  *    eth1 0.0.0.0/0    0.0.0.0/0    to:46.99.52.18
    0     0 SNAT   all  --  *    eth1 0.0.0.0/0    0.0.0.0/0    to:46.99.52.20
```
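The defect the comment describes (the hairpin SNAT attached to `eth0` instead of the interface that actually owns the guest gateway address) can be caught on a running router by cross-checking the POSTROUTING table against `ip addr`. The check below is an added example, not code from `configure.py` or the CloudStack project; its sample inputs are constructed from the "before" state shown above, trimmed to the relevant lines.

```python
import re

# Constructed sample input modelled on the "before" state above: the guest
# gateway 10.0.0.1 lives on eth3, but the hairpin SNAT rule is bound to eth0.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 169.254.1.221/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
    inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
"""

POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 26 packets, 1100 bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT all -- * eth0 10.0.0.0/24 10.0.0.154 to:10.0.0.1
   34  2584 SNAT all -- * eth1 10.0.0.154 0.0.0.0/0 to:46.99.52.20
"""


def iface_by_address(ip_addr_output):
    """Map every globally scoped IPv4 address to the interface carrying it."""
    pattern = r"inet (\d+\.\d+\.\d+\.\d+)/\d+ .*scope global (?:secondary )?(\S+)"
    return {m.group(1): m.group(2)
            for m in re.finditer(pattern, ip_addr_output)}


def misplaced_hairpin_snat(postrouting_output, ip_addr_output):
    """Return (out_iface, expected_iface, to_source) for every SNAT rule whose
    'to:' address is owned by a different interface than the rule's out iface.
    An empty list means all SNAT rules are bound to the right interface."""
    owner = iface_by_address(ip_addr_output)
    findings = []
    for line in postrouting_output.splitlines():
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination extra
        if len(cols) < 10 or cols[2] != "SNAT":
            continue
        out_iface, extra = cols[6], cols[9]
        to_source = extra[len("to:"):] if extra.startswith("to:") else extra
        expected = owner.get(to_source)
        if expected is not None and expected != out_iface:
            findings.append((out_iface, expected, to_source))
    return findings


if __name__ == "__main__":
    for out_iface, expected, src in misplaced_hairpin_snat(POSTROUTING, IP_ADDR):
        print(f"SNAT to {src} is bound to {out_iface}, but {src} lives on {expected}")
```

Feeding the "after" POSTROUTING table from the comment through the same function returns nothing, since both hairpin rules are then bound to `eth3`.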
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services