[ https://issues.apache.org/jira/browse/CLOUDSTACK-6214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13931120#comment-13931120 ]
angeline shen commented on CLOUDSTACK-6214:
-------------------------------------------
Verify with latest build CloudPlatform-QA-4.3.0.0-0.402-rhel6.3.tar.gz
MS: 10.223.130.160 host: 10.223.51.4 XS 6.2
nw offer isolated specify VLAN VPC LB type: public LB
chk vpn dhcp dns lb userdata sourceNAT staticNAT PF nwACL account
1. Create VPC
Configure
NW ACL list - Add ACL list > vpc4ACL4
vpc4ACL4 > ACL list rules>
add rule 1: 0.0.0.0/0 allow ALL Ingress
add rule 2: 0.0.0.0/0 allow ALL Egress
2. Create NW offering 6214:
Guest type: isolated
specify VLAN: check
VPC : check
LB type: public LB
Supported services:
VPN - VR
Dhcp - VR
DNS - VR
Firewall - Uncheck
Load balancer - VR
User data - VR
Source NAT - VR
Static NAT - VR
Port forwarding - VR
networkACL - check
supported source NAT type: per account
3. Vpc4 > create NW tier vpc4G4 with nw offering 6214
4. Vpc4G4 > Deploy VM
5. Login host 10.223.51.4 - login to VR r-3-VM
[ashen@localhost ~]$ ssh [email protected]
[email protected]'s password:
[root@Rack2Host19 ~]# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.181 -p 3922
Linux r-3-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64
6. r-3-VM:
root@r-3-VM:~# ifconfig
eth0 Link encap:Ethernet HWaddr 0e:00:a9:fe:03:b5
inet addr:169.254.3.181 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::c00:a9ff:fefe:3b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:416 errors:0 dropped:0 overruns:0 frame:0
TX packets:395 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:53884 (52.6 KiB) TX bytes:66554 (64.9 KiB)
Interrupt:25
eth1 Link encap:Ethernet HWaddr 06:2b:70:00:00:13
inet addr:10.223.123.17 Bcast:10.223.123.63 Mask:255.255.255.192
inet6 addr: fe80::42b:70ff:fe00:13/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31 errors:0 dropped:0 overruns:0 frame:0
TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2122 (2.0 KiB) TX bytes:7170 (7.0 KiB)
Interrupt:24
eth2 Link encap:Ethernet HWaddr 02:00:7f:16:00:02
inet addr:10.4.1.1 Bcast:10.4.1.255 Mask:255.255.255.0
inet6 addr: fe80::7fff:fe16:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23 errors:0 dropped:0 overruns:0 frame:0
TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2314 (2.2 KiB) TX bytes:3238 (3.1 KiB)
Interrupt:26
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1318 (1.2 KiB) TX bytes:1318 (1.2 KiB)
7. check iptables
[root@Rack2Host19 ~]# iptables-save
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*mangle
:PREROUTING ACCEPT [455:46866]
:INPUT ACCEPT [455:46866]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:55390]
:POSTROUTING ACCEPT [402:55390]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [402:55390]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.0.0/16 ! -d 10.4.0.0/16 -j ACCEPT
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 10.4.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 10.4.0.0/16 -i eth1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*nat
:PREROUTING ACCEPT [27:2450]
:INPUT ACCEPT [27:2450]
:OUTPUT ACCEPT [10:1288]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.123.17
-A POSTROUTING -s 10.4.1.0/24 -o eth2 -j SNAT --to-source 10.4.1.1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
8. Per Kishan's email:
> On VR, verify that ACLs are applied using iptables.
> e.g: If an egress ACL is added to eth2, related rules will be in
> chain ACL_INBOUND_eth2
Do the following ACL rule lines look correct?
[ashen@localhost 6214]$ grep ACL ipt4
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
> VPC: when guest network is in Setup state, on its initial nicPlug to the VR,
> corresponding network rules are not getting applied
> --------------------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-6214
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6214
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.3.0
> Reporter: Alena Prokharchyk
> Assignee: Alena Prokharchyk
> Priority: Critical
> Fix For: 4.3.0
>
>
> Steps to reproduce:
> ==========================
> 1) Create VPC
> 2) Add networkACLList and a rule to it
> 3) In VPC, create a network from NetworkOffering with specifyVlan=true.
> Network is created in Setup state.
> 4) Start user vm in the network.
> Bug: network ACLs are not applied although the guest nic is plugged to the VR.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
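The manual grep in step 8 can be automated: the script below is an added example (not CloudStack code) that parses an iptables-save dump from the VR and confirms, for one tier NIC, that NEW egress traffic is hooked from mangle PREROUTING into ACL_OUTBOUND_<nic>, traffic into the tier is hooked from filter FORWARD into ACL_INBOUND_<nic>, and each ACL chain ends in the implicit DROP. The sample dump is abridged from the r-3-VM output quoted above; the second dump is constructed to model the pre-fix state where the NIC is plugged but no ACL chains exist.

```python
# Added example (not CloudStack code): verify from an iptables-save dump that the
# network ACL of one guest NIC was rendered on the VR (hooks present, default DROP).
def parse_iptables_save(text):
    """Return {table: {chain: [rule_spec, ...]}} parsed from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                    # table header, e.g. *mangle
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":") and table:        # chain declaration
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A") and table:       # rule: -A <chain> <spec>
            tables[table].setdefault(line.split()[1], []).append(line.split(None, 2)[2])
    return tables

def check_acl_chains(text, nic, tier_cidr):
    """Named checks for the ACL_OUTBOUND_/ACL_INBOUND_ chains of one tier NIC."""
    t = parse_iptables_save(text)
    mangle, flt = t.get("mangle", {}), t.get("filter", {})
    out_chain, in_chain = f"ACL_OUTBOUND_{nic}", f"ACL_INBOUND_{nic}"
    out_rules, in_rules = mangle.get(out_chain, []), flt.get(in_chain, [])
    res = {
        # egress: NEW traffic from the tier CIDR must jump to ACL_OUTBOUND_<nic> from mangle PREROUTING
        "egress_hooked": any(f"-s {tier_cidr} " in r and f"-i {nic} " in r
                             and r.endswith(f"-j {out_chain}")
                             for r in mangle.get("PREROUTING", [])),
        # ingress: traffic towards the tier CIDR must jump to ACL_INBOUND_<nic> from filter FORWARD
        "ingress_hooked": any(f"-d {tier_cidr} " in r and f"-o {nic} " in r
                              and r.endswith(f"-j {in_chain}")
                              for r in flt.get("FORWARD", [])),
        "egress_default_drop": out_rules[-1:] == ["-j DROP"],
        "ingress_default_drop": in_rules[-1:] == ["-j DROP"],
        # ACL list entries are the rules before the trailing DROP; compare with the UI count
        "egress_acl_entries": max(len(out_rules) - 1, 0),
        "ingress_acl_entries": max(len(in_rules) - 1, 0),
    }
    res["acls_applied"] = all(v for k, v in res.items() if k.endswith(("hooked", "drop")))
    return res

# Relevant lines of the r-3-VM dump quoted in the comment (abridged).
FIXED_DUMP = """*mangle
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
COMMIT
*filter
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
COMMIT"""
# Constructed dump of the pre-fix state the issue describes: NIC plugged, no ACL chains.
BUGGY_DUMP = "\n".join(l for l in FIXED_DUMP.splitlines() if "ACL_" not in l)
```

With the ACL list from step 1 (one allow-all ingress, one allow-all egress) the expected result is one entry per chain and acls_applied true; the same check against the buggy dump reports both hooks missing.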