richardlawley opened a new issue #3177: Static NAT causes duplicate firewall rules to be added
URL: https://github.com/apache/cloudstack/issues/3177
 
 
   <!--
   Verify first that your issue/request is not already reported on GitHub.
   Also test if the latest release and master branch are affected too.
   Always add information AFTER of these HTML comments, but no need to delete the comments.
   -->
   
   ##### ISSUE TYPE
   <!-- Pick one below and delete the rest -->
    * Bug Report
   
   ##### COMPONENT NAME
   <!--
   Categorize the issue, e.g. API, VR, VPN, UI, etc.
   -->
   ~~~
   VR
   ~~~
   
   ##### CLOUDSTACK VERSION
   <!--
   New line separated list of affected versions, commit ID for issues on master branch.
   -->
   
   ~~~
   4.11.2
   ~~~
   
   ##### CONFIGURATION
   <!--
   Information about the configuration if relevant, e.g. basic network, advanced networking, etc.  N/A otherwise
   -->
   Advanced Networking
   
   ##### OS / ENVIRONMENT
   <!--
   Information about the environment if relevant, N/A otherwise
   -->
   n/a
   
   ##### SUMMARY
   <!-- Explain the problem/feature briefly -->
   When two static NAT IPs exist on a network, every time a firewall rule is added or removed, duplicate CONNMARK rules are added to mangle/PREROUTING. Over time and on a busy network, this causes a significant number of duplicate rules and an increase in processing time.
   
   I believe this is caused by the rules being defined with `-I PREROUTING` instead of `-A PREROUTING`, as the code appears to be trying to match them to the output of iptables-save. This may have been introduced in 40d77460386342126fb5533a9139bf6d08137d1d.
   
   I've fixed this locally by changing in `configure.py`:
   ```python
   self.fw.append(["mangle", "",
       "-I PREROUTING -s %s/32 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" %
       rule["internal_ip"]])
   ```
   to
   ```python
   self.fw.append(["mangle", "front",
       "-A PREROUTING -s %s/32 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" %
       rule["internal_ip"]])
   ```
   However, there are more instances of adding rules with `-I` in the file related to VPC and VPNs, which I don't have a way of testing at the moment.
   
   ##### STEPS TO REPRODUCE
   <!--
   For bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.
   
   For new features, show how the feature would be used.
   -->
   * Create advanced network
   * Deploy two VMs
   * Enable static NAT for both IPs
   * Create one Firewall rule
   * Log onto VR and run `iptables -t mangle -nL PREROUTING --line-numbers`
   * Add a rule and repeat
   
   For a simpler repeat repro, log onto the VR, then:
   * Find a firewall rules file in /var/cache/cloud/processed/firewall_rules.json.XXXXX.gz and gunzip it
   * `iptables -t mangle -F PREROUTING --line-numbers`
   * `/opt/cloud/bin/configure /var/cache/cloud/processed/firewall_rules.json.XXXXX`
   * `iptables -t mangle -F PREROUTING --line-numbers`
   
   
   ##### EXPECTED RESULTS
   <!-- What did you expect to happen when running the steps above? -->
   No increase in the number of rules in PREROUTING
   
   ~~~
   # iptables -t mangle -nL PREROUTING --line-numbers
   Chain PREROUTING (policy ACCEPT)
   num  target     prot opt source               destination
   1    MARK       all  --  10.1.1.167           0.0.0.0/0            state NEW MARK set 0x2
   2    CONNMARK   all  --  10.1.1.167           0.0.0.0/0            state NEW CONNMARK save
   3    MARK       all  --  10.1.1.75            0.0.0.0/0            state NEW MARK set 0x2
   4    CONNMARK   all  --  10.1.1.75            0.0.0.0/0            state NEW CONNMARK save
   5    FIREWALL_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
   6    VPN_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
   7    FIREWALL_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
   8    VPN_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
   9    FIREWALL_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
   10   VPN_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
   11   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
   12   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
   ~~~
   
   ##### ACTUAL RESULTS
   <!-- What actually happened? -->
   PREROUTING rules were increased by N, where N is the number of static NAT rules.
   
   <!-- Paste verbatim command output between quotes below -->
   
   Error messages when running configure.py
   ~~~
   # /opt/cloud/bin/configure.py 
/var/cache/cloud/processed/firewall_rules.json.2c3c52b5-9888-4fe4-a9d7-8b559fe98622
   iptables v1.6.2: CONNMARK target: No operation specified
   Try `iptables -h' or 'iptables --help' for more information.
   iptables v1.6.2: CONNMARK target: No operation specified
   Try `iptables -h' or 'iptables --help' for more information.
   ~~~
   
   Duplicate firewall rules added (lines 1 & 2 here)
   ~~~
   # iptables -t mangle -nL PREROUTING --line-numbers
   Chain PREROUTING (policy ACCEPT)
   num  target     prot opt source               destination
   1    CONNMARK   all  --  10.1.1.167           0.0.0.0/0            state NEW CONNMARK save
   2    CONNMARK   all  --  10.1.1.75            0.0.0.0/0            state NEW CONNMARK save
   3    MARK       all  --  10.1.1.167           0.0.0.0/0            state NEW MARK set 0x2
   4    CONNMARK   all  --  10.1.1.167           0.0.0.0/0            state NEW CONNMARK save
   5    MARK       all  --  10.1.1.75            0.0.0.0/0            state NEW MARK set 0x2
   6    CONNMARK   all  --  10.1.1.75            0.0.0.0/0            state NEW CONNMARK save
   7    FIREWALL_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
   8    VPN_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
   9    FIREWALL_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
   10   VPN_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
   11   FIREWALL_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
   12   VPN_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
   13   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
   14   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
   ~~~
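A small check for the symptom described in this issue, added here as an example and not part of the report or of CloudStack's own code: it parses `iptables -t mangle -nL PREROUTING --line-numbers` output, normalises each rule line, and reports any rule text that appears more than once in the chain. The embedded sample is the "actual results" listing from above, constructed inline so the check runs offline.

```python
import re
import sys

# Sample listing constructed from the issue's "actual results" output.
SAMPLE = """Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CONNMARK   all  --  10.1.1.167           0.0.0.0/0            state NEW CONNMARK save
2    CONNMARK   all  --  10.1.1.75            0.0.0.0/0            state NEW CONNMARK save
3    MARK       all  --  10.1.1.167           0.0.0.0/0            state NEW MARK set 0x2
4    CONNMARK   all  --  10.1.1.167           0.0.0.0/0            state NEW CONNMARK save
5    MARK       all  --  10.1.1.75            0.0.0.0/0            state NEW MARK set 0x2
6    CONNMARK   all  --  10.1.1.75            0.0.0.0/0            state NEW CONNMARK save
7    FIREWALL_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
8    VPN_192.168.23.137  all  --  0.0.0.0/0            192.168.23.137
9    FIREWALL_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
10   VPN_192.168.23.136  all  --  0.0.0.0/0            192.168.23.136
11   FIREWALL_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
12   VPN_192.168.23.135  all  --  0.0.0.0/0            192.168.23.135
13   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED CONNMARK restore
14   CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            state NEW CONNMARK set 0x2
"""


def parse_rules(listing):
    """Return (line_number, normalised_rule_text) pairs from a --line-numbers listing."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"^(\d+)\s+(.*)$", line)
        if not m:
            continue  # skip the "Chain ..." and "num target ..." header lines
        # Collapse column padding so identical rules compare equal regardless of width.
        rules.append((int(m.group(1)), " ".join(m.group(2).split())))
    return rules


def find_duplicates(listing):
    """Map each rule text that occurs more than once to the line numbers it occupies."""
    positions = {}
    for num, rule in parse_rules(listing):
        positions.setdefault(rule, []).append(num)
    return {rule: nums for rule, nums in positions.items() if len(nums) > 1}


if __name__ == "__main__":
    # Read a live listing from stdin when piped in; otherwise use the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rule, nums in find_duplicates(text).items():
        print("duplicate at lines %s: %s" % (nums, rule))
```

On a VR it can be fed directly: `iptables -t mangle -nL PREROUTING --line-numbers | python3 check_dupes.py`; an empty result matches the "expected results" listing above.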
