[ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13857391#comment-13857391 ]
ASF subversion and git services commented on CLOUDSTACK-5403:
-------------------------------------------------------------
Commit 8b151c98c22e39afb0be6768666b63a17286d410 in branch refs/heads/master
from [~murali.reddy]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8b151c9 ]
CLOUDSTACK-5403: Shared network - None of PF, LB rules work after router
restart, firewall rules dropped from iptables post restart
On VR restart, not all public IPs associated with the network are sent
with IpAssocCmd to the VR. This fix will ensure all the IPs associated with
the network, irrespective of the account, are sent as part of
IpAssocCommand.
Conflicts:
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
> Shared network - None of PF, LB rules work after router restart, firewall
> rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-5403
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Management Server, Network Controller
> Affects Versions: 4.3.0
> Environment: Advanced zone, shared network on Hyper-V
> Reporter: Sowmya Krishnan
> Assignee: Murali Reddy
> Priority: Critical
> Fix For: 4.3.0
>
> Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
> Result:
> None of PF or LB rules work after router restart
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
> The following rules are dropped from iptables FORWARD chain after restart:
> ACCEPT tcp -- anywhere shareduser1vm1 state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT tcp -- anywhere shareduser1vm1 tcp dpt:http state NEW /* 10.102.196.239:888:888 */
> So also are the firewall rules corresponding to the LB rule source IP.
> The rules themselves exist in DB though:
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | 1  | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d | 5             | 888        | 888      | Active | tcp      | Firewall       | 4          | 2         | 205        | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 | NULL      | NULL      | NULL    | User | NULL   | Ingress      |
> | 2  | 5b657e22-649a-4cd4-b23c-2416243f48ba | 5             | 888        | 888      | Active | tcp      | PortForwarding | 4          | 2         | 205        | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 | NULL      | NULL      | NULL    | User | NULL   | NULL         |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 | 6             | 888        | 888      | Active | tcp      | Firewall       | 4          | 2         | 205        | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 | NULL      | NULL      | NULL    | User | NULL   | Ingress      |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 | 6             | 888        | 888      | Active | tcp      | LoadBalancing  | 4          | 2         | 205        | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 | NULL      | NULL      | NULL    | User | NULL   | NULL         |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL        | 80                 | 80               | roundrobin | NULL              | NULL                         | Public | NULL        |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> | 2 | 5 | 10.102.198.2 | 80 | 80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)
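Added example, not CloudStack's or the reporter's code: a post-restart check that compares the rule tags CloudStack stamps on its iptables rules (the /* ip:start:end */ comments quoted in the issue) against the Active rows in firewall_rules, so rules that did not come back after a router restart are reported with their DB ids. The post-restart listing and the 10.102.196.240 address for ip_address_id 6 are constructed, and the check assumes every rule of interest carries that comment format.

```python
"""Report CloudStack firewall/PF rules that are present in the management
server's firewall_rules table but missing from a virtual router's iptables
FORWARD chain after a restart.  Added example; sample data is constructed
to mirror CLOUDSTACK-5403, not taken from a live system."""
import re
from typing import Dict, List, Set, Tuple

# Constructed: Active rows from firewall_rules, joined to their public IP.
# ip_address_id 5 -> 10.102.196.239 matches the quoted iptables comments;
# ip_address_id 6 -> 10.102.196.240 is an assumption for the example.
DB_RULES: List[Tuple[int, str, int, int, str]] = [
    (1,  "10.102.196.239", 888, 888, "Firewall"),
    (2,  "10.102.196.239", 888, 888, "PortForwarding"),
    (13, "10.102.196.240", 888, 888, "Firewall"),
]

# Constructed: 'iptables -L FORWARD' output after the VR restart; the rules
# for 10.102.196.239 are gone, which is the symptom the issue describes.
IPTABLES_AFTER = """\
Chain FORWARD (policy DROP)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere        state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   shareduser1vm1  tcp dpt:http state NEW /* 10.102.196.240:888:888 */
"""

# CloudStack tags its rules with a comment of the form /* ip:start:end */.
TAG_RE = re.compile(r"/\* (\d+\.\d+\.\d+\.\d+):(\d+):(\d+) \*/")


def tags_in_listing(listing: str) -> Set[str]:
    """Collect every ip:start:end tag found in an iptables listing."""
    return {f"{ip}:{start}:{end}" for ip, start, end in TAG_RE.findall(listing)}


def expected_tags(rows: List[Tuple[int, str, int, int, str]]) -> Dict[str, List[int]]:
    """Map each tag the VR should carry to the firewall_rules ids behind it."""
    expected: Dict[str, List[int]] = {}
    for rule_id, ip, start, end, _purpose in rows:
        expected.setdefault(f"{ip}:{start}:{end}", []).append(rule_id)
    return expected


def missing_rules(rows: List[Tuple[int, str, int, int, str]], listing: str) -> Dict[str, List[int]]:
    """Return the expected tags absent from the live listing, with their DB ids."""
    present = tags_in_listing(listing)
    return {tag: ids for tag, ids in expected_tags(rows).items() if tag not in present}


if __name__ == "__main__":
    for tag, ids in missing_rules(DB_RULES, IPTABLES_AFTER).items():
        print(f"missing on VR after restart: {tag} (firewall_rules ids {ids})")
```

Run it against the output of 'iptables -L FORWARD -n' captured on the router before and after the restart to confirm the fix re-applies every rule, not only those of the account that happened to be processed.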