ustcweizhou opened a new pull request #4484: URL: https://github.com/apache/cloudstack/pull/4484
### Description

This PR contains the 13 commits below:

```
bugfix #1 vpc: fix ips on wrong interfaces after rebooting vpc vrs
bugfix #1 vr: Force a restart of keepalived if conntrackd is not running or configuration has changed
bugfix #2 vpc: Fix remove first public ip will remove all ips on the nic
bugfix #3 apply ip dessociation before unplugging a nic so ip is marked as add:false in ips.json
bugfix #2 vpc vr: fix issue if static nat is disabled but still other IP used by lb/pf
bugfix #4 vpc vr: Do NOT send Nic plug in/out command to Stopped/Stopping VR
Revert "Handle private gateways more reliably"
Revert "Add private gateway IP to router initialization config"
Revert "Fix Policy Based Routing for private gateway static routes (#3604)"
bugfix #6 vpc vr: Add iptables rules for ACL of private gateway
bugfix #7 vpc vr: allow servers in private gateway to reach internet via the VPC VR if it is gateway
bugfix #8 vpc: add rule for traffic between vm and private gateway
bugfix #9 vpc vr: Add PREROUTING rule for vm with static nat to multiple private gateways
```

Here are descriptions of the bugs:

(1) IPs on wrong interfaces after rebooting VPC VRs

When adding a new VPC tier, creating a private gateway, or associating an IP in a new range to a VPC, nics will be plugged into the VPC VRs. However, when rebooting (or starting) a VPC VR, the nics will be added in this order: public IP (source NAT), other public IP range, private gateway, VPC tiers. So the device_id of the nics is different from before stopping the VR. I have created a PR for this issue: #4467

(2) Removing the first public IP will remove all IPs on the nic

When using more public IPs in a new public IP range (not the same as the source NAT), a nic will be plugged into the VPC VR. All public IPs used by the VPC will be attached to the nic. However, when we release the first public IP of the nic, it will remove the nic, and all other IPs on the nic will be gone as well.

(3) A public IP is not marked as "add: false" in /etc/cloudstack/ips.json when it is released

When using a public IP in a new range on a VPC VR, a nic will be plugged into the VPC VR. When the public IP is removed from the VPC, the nic will be unplugged. However, the IP is still marked as "add: true" in /etc/cloudstack/ips.json, so when we add a new nic to the VPC, the (old) public IP will be added back to the nic.

(4) When a VPC VR is stopped, we cannot add/remove a new nic to the VPC VR.

(5) Static NAT with multiple public interfaces uses the wrong outgoing IP (#4234)

This is a regression of the fix for #3604. We need to revert the commit "Fix Policy Based Routing for private gateway static routes (#3604)".

(6) There is no ACL rule for the private gateway

This is a regression of the fix for #3402. The private gateway was changed to 'public' in commit "vpc: set traffic type of private gateway IP to Public to fix ke… (#3851)", so we need to add ACL rules.

(7) Servers in the private gateway cannot reach the internet via the VPC VR if it is the gateway

When adding a private gateway and using the VPC as gateway (private gateway IP = gateway IP), the servers in the private gateway network cannot reach the internet via the VPC VR. We need to add a rule to accept packets if the VPC VR is used as the gateway.

(8) INBOUND rules for traffic between a VM and private gateway servers do not work

Even with the rules added to fix bug (6), incoming traffic between a VM and the private gateway network is always accepted. For example, if the ACL of the VM disallows traffic from the private gateway network, the VM still accepts traffic from the private gateway network. We need to add rules to check the INBOUND ACL rules.

(9) A VM with static NAT cannot connect to the private gateway network

As the fix was reverted to fix (5), the issue described in #3604 is back. This PR introduces another way to fix the issue.
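As an added illustration of bugs (2) and (3) above (example code, not from this PR or from CloudStack), the model below keeps an ips.json-like state and shows why a released IP must be flagged add:false before its nic is unplugged, and why the nic may only be unplugged once no active IP remains on it; the field names and sample addresses are assumptions.

```python
import json
from typing import Dict, List, Set

# Constructed sample in an ips.json-like layout (interface -> ip entries).
# Field names are assumptions for illustration, not the real ips.json schema.
SAMPLE_IPS_JSON = json.dumps({
    "eth1": [{"public_ip": "203.0.113.10", "add": True, "source_nat": True}],
    "eth2": [{"public_ip": "198.51.100.5", "add": True, "source_nat": False},
             {"public_ip": "198.51.100.6", "add": True, "source_nat": False}],
})


class VrIpState:
    """Minimal model of a VPC VR: persisted ip entries plus the set of plugged nics."""
    def __init__(self, ips_json: str) -> None:
        self.ips: Dict[str, List[dict]] = json.loads(ips_json)
        self.plugged: Set[str] = set(self.ips)

    def active_ips(self, device: str) -> List[str]:
        # Only entries flagged add:true are (re)applied when a nic is configured.
        return [e["public_ip"] for e in self.ips.get(device, []) if e["add"]]

    def release_ip(self, device: str, ip: str) -> bool:
        """Flag the ip add:false; True only when the nic has no active ip left (safe to unplug)."""
        for entry in self.ips.get(device, []):
            if entry["public_ip"] == ip:
                entry["add"] = False
        return not self.active_ips(device)

    def unplug_nic(self, device: str) -> None:
        # Unplugging removes the interface only; ips.json entries persist.
        self.plugged.discard(device)

    def plug_nic(self, device: str) -> List[str]:
        self.plugged.add(device)
        return self.active_ips(device)


def buggy_release(device: str) -> List[str]:
    """Bug order: nic unplugged on first release, entries never flagged, ips come back on next plug."""
    vr = VrIpState(SAMPLE_IPS_JSON)
    vr.unplug_nic(device)
    return vr.plug_nic(device)


def fixed_release(device: str, ip: str) -> List[str]:
    """Fixed order: disassociate first, unplug only when no active ip remains on the nic."""
    vr = VrIpState(SAMPLE_IPS_JSON)
    if vr.release_ip(device, ip):
        vr.unplug_nic(device)
    return vr.plug_nic(device)
```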
### Types of changes

- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [X] Bug fix (non-breaking change which fixes an issue)
- [ ] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)

### Feature/Enhancement Scale or Bug Severity

#### Bug Severity

- [ ] BLOCKER
- [X] Critical
- [ ] Major
- [ ] Minor
- [ ] Trivial

### Screenshots (if appropriate):

### How Has This Been Tested?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
