[ https://issues.apache.org/jira/browse/CLOUDSTACK-6214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13929819#comment-13929819 ]
angeline shen commented on CLOUDSTACK-6214:
-------------------------------------------
Tried to reproduce the problem with CloudPlatform-QA-4.3-0.292-rhel6.3.tar.gz (a few days old):
MS: 10.223.130.59    host: 10.223.51.3 XS 6.2
nw offer: isolated, specify VLAN, VPC, LB type: public LB
chk: vpn dhcp dns lb userdata sourceNAT staticNAT PF nwACL account
1. Create VPC
- Configure
- NW ACL list - Add ACL list > vpc2ACL1
- vpc2ACL1 > ACL list rules > add rule 1: 0.0.0.0/0 allow ALL Ingress
  add rule 2: 0.0.0.0/0 allow ALL Egress
2. Create NW offering 6214:
Guest type: isolated
specify VLAN: check
VPC : check
LB type: public LB
Supported services:
VPN - VR
Dhcp - VR
DNS - VR
Firewall - Uncheck
Load balancer - VR
User data - VR
Source NAT - VR
Static NAT - VR
Port forwarding - VR
networkACL - check
supported source NAT type: per account
3. Vpc2 > create NW tier vpc2G2 with nw offering 6214
4. Vpc2G2 > Deploy VM
5. Login host 10.223.51.3 - login to VR r-4-VM
[ashen@localhost ~]$ ssh [email protected]
[email protected]'s password:
[root@Rack2Host18 ~]# ssh -i /root/.ssh/id_rsa.cloud 169.254.2.234 -p 3922
6. R-4-VM:
root@r-4-VM:~# ifconfig
eth0 Link encap:Ethernet HWaddr 0e:00:a9:fe:02:ea
inet addr:169.254.2.234 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::c00:a9ff:fefe:2ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:695 errors:0 dropped:0 overruns:0 frame:0
TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:74492 (72.7 KiB) TX bytes:202424 (197.6 KiB)
Interrupt:25
eth1 Link encap:Ethernet HWaddr 06:2c:ce:00:00:17
inet addr:10.223.123.33 Bcast:10.223.123.63 Mask:255.255.255.192
inet6 addr: fe80::42c:ceff:fe00:17/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2180 (2.1 KiB) TX bytes:8376 (8.1 KiB)
Interrupt:24
eth2 Link encap:Ethernet HWaddr 02:00:33:51:00:02
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::33ff:fe51:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1143 (1.1 KiB) TX bytes:1851 (1.8 KiB)
Interrupt:26
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1318 (1.2 KiB) TX bytes:1318 (1.2 KiB)
7. Check iptables: what are we looking for?
# Generated by iptables-save v1.4.14 on Mon Mar 10 23:50:17 2014
*mangle
:PREROUTING ACCEPT [263:28463]
:INPUT ACCEPT [263:28463]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [228:33139]
:POSTROUTING ACCEPT [228:33139]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Mon Mar 10 23:50:17 2014
# Generated by iptables-save v1.4.14 on Mon Mar 10 23:50:17 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [217:31431]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 10.1.1.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.1.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.1.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 10.1.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 10.1.0.0/16 -i eth1
COMMIT
# Completed on Mon Mar 10 23:50:17 2014
# Generated by iptables-save v1.4.14 on Mon Mar 10 23:50:17 2014
*nat
:PREROUTING ACCEPT [16:1399]
:INPUT ACCEPT [16:1399]
:OUTPUT ACCEPT [1:340]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.123.33
-A POSTROUTING -s 10.1.1.0/24 -o eth2 -j SNAT --to-source 10.1.1.1
COMMIT
# Completed on Mon Mar 10 23:50:17 2014
> VPC: when guest network is in Setup state, on its initial nicPlug to the VR, corresponding network rules are not getting applied
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6214
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6214
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: Network Controller
> Affects Versions: 4.3.0
> Reporter: Alena Prokharchyk
> Assignee: Alena Prokharchyk
> Priority: Critical
> Fix For: 4.3.0
>
>
> Steps to reproduce:
> ==========================
> 1) Create VPC
> 2) Add networkACLList and a rule to it
> 3) In VPC, create a network from NetworkOffering with specifyVlan=true.
> Network is created in Setup state.
> 4) Start user vm in the network.
> Bug: network ACLs are not applied although the guest nic is plugged to the VR.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
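The dump above shows what the symptom looks like on the router: the per-tier chains ACL_INBOUND_eth2 (in *filter) and ACL_OUTBOUND_eth2 (in *mangle) each hold only their terminal rule (DROP and ACCEPT respectively), so the two "allow ALL" rules of vpc2ACL1 never reached the VR. The following is an added example, not CloudStack or the reporter's code: it parses iptables-save output and reports, per direction, whether a guest NIC's ACL chain carries any rule ahead of the terminal one. The chain-naming scheme is taken from the dump; the sample input is a constructed, shortened copy of it.

```python
"""Check whether a VPC tier's network ACL rules reached the VR (added example)."""

# Constructed sample: shortened from the iptables-save dump in the bug report.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [263:28463]
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.1.1.0/24 ! -d 10.1.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -d 10.1.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}} from iptables-save output.

    '*name' starts a table, ':CHAIN ...' declares a chain, '-A CHAIN rule'
    appends a rule; '#' comments and COMMIT lines are skipped.
    """
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":") and table is not None:
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table is not None:
            chain, rule = line[3:].split(" ", 1)
            table.setdefault(chain, []).append(rule)
    return tables


def acl_status(tables, nic):
    """Per-direction verdict for a guest NIC: 'missing' (chain absent),
    'default-only' (only the terminal rule, i.e. no ACL list rule was
    applied) or 'applied:<n>' (n rules ahead of the terminal one)."""
    verdict = {}
    for direction, table in (("inbound", "filter"), ("outbound", "mangle")):
        rules = tables.get(table, {}).get(f"ACL_{direction.upper()}_{nic}")
        if rules is None:
            verdict[direction] = "missing"
        elif len(rules) <= 1:
            verdict[direction] = "default-only"
        else:
            verdict[direction] = f"applied:{len(rules) - 1}"
    return verdict


if __name__ == "__main__":
    print(acl_status(parse_iptables_save(SAMPLE), "eth2"))
```

On the reporter's dump this yields default-only for both directions, which is the signature of the bug; after a successful applyNetworkACL the inbound chain should show an ACCEPT ahead of the terminal DROP.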