[ https://issues.apache.org/jira/browse/CLOUDSTACK-6214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13931120#comment-13931120 ]

angeline shen edited comment on CLOUDSTACK-6214 at 3/12/14 11:28 PM:
---------------------------------------------------------------------

Verify with latest build: internal build 4.3.0.0-0.402-rhel6.3.tar.gz

MS: 10.223.130.160      host: 10.223.51.4      XS 6.2

nw offer isolated specify VLAN VPC LB type: public LB
chk vpn dhcp dns lb userdata sourceNAT staticNAT PF nwACL account

1. Create VPC

    Configure
    NW ACL list - Add ACL list > vpc4ACL4
    vpc4ACL4 > ACL list rules> 
    add rule 1: 0.0.0.0/0 allow ALL Ingress
    add rule 2: 0.0.0.0/0 allow ALL Egress

2. Create NW offering 6214:
Guest type: isolated
specify VLAN: check
VPC : check
LB type: public LB

Supported services:
VPN - VR
Dhcp - VR
DNS - VR
Firewall - Uncheck
Load balancer - VR
User data - VR
Source NAT - VR
Static NAT - VR
Port forwarding - VR
networkACL - check
supported source NAT type: per account

3. Vpc4 > create NW tier vpc4G4    with nw offering 6214
4. Vpc4G4    > Deploy VM
5. Login host 10.223.51.4 - login to VR r-3-VM

[ashen@localhost ~]$ ssh root@10.223.51.3
root@10.223.51.3's password:

[root@Rack2Host19 ~]# ssh -i /root/.ssh/id_rsa.cloud 169.254.3.181 -p 3922 
Linux r-3-VM 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64

6.  r-3-VM:
root@r-3-VM:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 0e:00:a9:fe:03:b5  
          inet addr:169.254.3.181  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c00:a9ff:fefe:3b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:416 errors:0 dropped:0 overruns:0 frame:0
          TX packets:395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:53884 (52.6 KiB)  TX bytes:66554 (64.9 KiB)
          Interrupt:25 

eth1      Link encap:Ethernet  HWaddr 06:2b:70:00:00:13  
          inet addr:10.223.123.17  Bcast:10.223.123.63  Mask:255.255.255.192
          inet6 addr: fe80::42b:70ff:fe00:13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2122 (2.0 KiB)  TX bytes:7170 (7.0 KiB)
          Interrupt:24 

eth2      Link encap:Ethernet  HWaddr 02:00:7f:16:00:02  
          inet addr:10.4.1.1  Bcast:10.4.1.255  Mask:255.255.255.0
          inet6 addr: fe80::7fff:fe16:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2314 (2.2 KiB)  TX bytes:3238 (3.1 KiB)
          Interrupt:26 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1318 (1.2 KiB)  TX bytes:1318 (1.2 KiB)


7. check iptables

[root@Rack2Host19 ~]#  iptables-save 

# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*mangle
:PREROUTING ACCEPT [455:46866]
:INPUT ACCEPT [455:46866]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:55390]
:POSTROUTING ACCEPT [402:55390]
:ACL_OUTBOUND_eth2 - [0:0]
:VPN_STATS_eth1 - [0:0]
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A FORWARD -j VPN_STATS_eth1
-A OUTPUT -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
-A VPN_STATS_eth1 -o eth1 -m mark --mark 0x525
-A VPN_STATS_eth1 -i eth1 -m mark --mark 0x524
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [402:55390]
:ACL_INBOUND_eth2 - [0:0]
:NETWORK_STATS_eth1 - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 3922 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -d 10.4.1.1/32 -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j NETWORK_STATS_eth1
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.4.0.0/16 ! -d 10.4.0.0/16 -j ACCEPT
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
-A NETWORK_STATS_eth1 -s 10.4.0.0/16 -o eth1
-A NETWORK_STATS_eth1 -d 10.4.0.0/16 -i eth1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014
# Generated by iptables-save v1.4.14 on Tue Mar 11 22:13:02 2014
*nat
:PREROUTING ACCEPT [27:2450]
:INPUT ACCEPT [27:2450]
:OUTPUT ACCEPT [10:1288]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 10.223.123.17
-A POSTROUTING -s 10.4.1.0/24 -o eth2 -j SNAT --to-source 10.4.1.1
COMMIT
# Completed on Tue Mar 11 22:13:02 2014

8. Per Kishan's email:

>  On VR, verify that ACLs are applied using iptables.
>  e.g: If an egress ACL is added to eth2, related rules will be in 
> chain ACL_INBOUND_eth2

Do the following ACL rule lines look correct?

[ashen@localhost 6214]$ grep ACL     ipt4

:ACL_OUTBOUND_eth2 - [0:0]

-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP

:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
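As an added example (not code from the comment above or from CloudStack), a small Python checker for what step 8 asks: parse an iptables-save dump and confirm that a tier's ACL_OUTBOUND_<nic> and ACL_INBOUND_<nic> chains exist, are jumped to from mangle PREROUTING and filter FORWARD for the tier's CIDR, and end in the terminal DROP. The chain layout is assumed from the r-3-VM dump in step 7; the second sample dump, with no ACL chains, is constructed to stand in for the failure the bug describes.

```python
# Added example, not CloudStack code; it assumes the ACL chain layout seen in the r-3-VM dump above.
# Constructed sample: only the ACL-relevant lines of the step-7 iptables-save output.
APPLIED = """*mangle
:ACL_OUTBOUND_eth2 - [0:0]
-A PREROUTING -s 10.4.1.0/24 ! -d 10.4.1.1/32 -i eth2 -m state --state NEW -j ACL_OUTBOUND_eth2
-A ACL_OUTBOUND_eth2 -j ACCEPT
-A ACL_OUTBOUND_eth2 -j DROP
COMMIT
*filter
:ACL_INBOUND_eth2 - [0:0]
-A FORWARD -d 10.4.1.0/24 -o eth2 -j ACL_INBOUND_eth2
-A ACL_INBOUND_eth2 -j ACCEPT
-A ACL_INBOUND_eth2 -j DROP
COMMIT
"""
# Constructed sample of the failure the bug describes: guest nic plugged, but no ACL chains at all.
NOT_APPLIED = "*mangle\nCOMMIT\n*filter\n-A FORWARD -s 10.4.0.0/16 ! -d 10.4.0.0/16 -j ACCEPT\nCOMMIT\n"

def parse_iptables_save(dump):
    """Return {table: {chain: [rule, ...]}} (':' lines declare a chain, '-A' lines append a rule)."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            chain, rule = line[3:].split(" ", 1)
            table.setdefault(chain, []).append(rule)
    return tables

def has(rule, *opts):
    """True if each option (e.g. '-i eth2') appears as whole tokens in the rule, not as a substring."""
    return all(f" {o} " in f" {rule} " for o in opts)

def check_acl(dump, nic, cidr):
    """Per direction: chain present and jumped to for nic/cidr, its explicit rules, and the terminal DROP."""
    t = parse_iptables_save(dump)
    report = {}
    for direction, table, parent, chain, match in (
            ("egress", "mangle", "PREROUTING", f"ACL_OUTBOUND_{nic}", (f"-s {cidr}", f"-i {nic}")),
            ("ingress", "filter", "FORWARD", f"ACL_INBOUND_{nic}", (f"-d {cidr}", f"-o {nic}"))):
        tbl = t.get(table, {})
        rules = tbl.get(chain, [])
        report[direction] = {
            "applied": chain in tbl and any(has(r, *match, f"-j {chain}") for r in tbl.get(parent, [])),
            "rules": [r for r in rules if r != "-j DROP"],   # the ACL list's own rules
            "default_drop": rules[-1:] == ["-j DROP"],        # the VR's implicit deny
        }
    return report
```

For the dump in step 7 the checker reports one explicit `-j ACCEPT` before the DROP in each chain, which is consistent with the two allow-all rules added to vpc4ACL4 in step 1; a dump taken while the rules were not applied reports neither chain.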






was (Author: angelines):
Verify with latest build: CloudPlatform-QA-4.3.0.0-0.402-rhel6.3.tar.gz


> VPC: when guest network is in Setup state, on its initial nicPlug to the VR, corresponding network rules are not getting applied
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-6214
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6214
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.3.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.3.0
>
>         Attachments: ipt1.doc, ipt4.doc, management-server.log, management-server.log.2014-03-10
>
>
> Steps to reproduce:
> ==========================
> 1) Create VPC
> 2) Add networkACLList and a rule to it
> 3) In VPC, create a network from NetworkOffering with specifyVlan=true. 
> Network is created in Setup state.
> 4) Start user vm in the network. 
> Bug: network ACLs are not applied although the guest nic is plugged to the VR.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
