[ https://issues.apache.org/jira/browse/CLOUDSTACK-9339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514914#comment-15514914 ]

ASF GitHub Bot commented on CLOUDSTACK-9339:
--------------------------------------------

Github user blueorangutan commented on the issue:

    https://github.com/apache/cloudstack/pull/1659
  
    Trillian test result (#21)
    Environment: vmware-55u3 (x2), Advanced Networking
    Total time taken: 27908s
    Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr1659-t21-vmware-55u3.zip
    Test completed. 45 look ok, 8 have errors
    
    
    Test | Result | Time (s)
    --- | --- | ---
    test_04_rvpc_privategw_static_routes | `Failure` | 382.998
    test_04_rvpc_internallb_haproxy_stats_on_all_interfaces | `Failure` | 598.977
    test_03_vpc_privategw_restart_vpc_cleanup | `Failure` | 202.177
    test_03_vpc_internallb_haproxy_stats_on_all_interfaces | `Failure` | 120.997
    test_03_RVR_Network_check_router_state | `Failure` | 308.858
    test_02_vpc_privategw_static_routes | `Failure` | 207.177
    test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80 | `Failure` | 631.260
    test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | `Failure` | 565.425
    test_01_vpc_privategw_acl | `Failure` | 111.862
    test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80 | `Failure` | 430.487
    test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | `Failure` | 464.304
    test_router_dhcphosts | `Error` | 834.237
    test_isolate_network_password_server | `Error` | 829.874
    test_02_routervm_iptables_policies | `Error` | 888.488
    test_01_vpc_site2site_vpn | `Error` | 485.994
    test_01_vpc_remote_access_vpn | `Error` | 0.075
    test_01_test_vm_volume_snapshot | `Error` | 191.106
    test_01_single_VPC_iptables_policies | `Error` | 1026.261
    test_01_redundant_vpc_site2site_vpn | `Error` | 716.864
    ContextSuite context=TestRouterDHCPHosts>:teardown | `Error` | 855.313
    test_router_dns_guestipquery | Success | 76.640
    test_router_dns_externalipquery | Success | 0.054
    test_reboot_router | Success | 629.192
    test_network_rules_acquired_public_ip_3_Load_Balancer_Rule | Success | 76.555
    test_network_rules_acquired_public_ip_2_nat_rule | Success | 61.441
    test_network_rules_acquired_public_ip_1_static_nat_rule | Success | 124.970
    test_network_acl | Success | 151.231
    test_deployvm_userdata_post | Success | 30.430
    test_deployvm_userdata | Success | 211.457
    test_deploy_vm_from_iso | Success | 458.299
    test_createRegion | Success | 0.041
    test_assign_and_removal_lb | Success | 148.691
    test_10_destroy_cpvm | Success | 261.579
    test_10_attachAndDetach_iso | Success | 71.746
    test_09_destroy_ssvm | Success | 244.470
    test_08_reboot_cpvm | Success | 156.414
    test_07_reboot_ssvm | Success | 158.193
    test_06_stop_cpvm | Success | 176.587
    test_06_download_detached_volume | Success | 55.413
    test_05_stop_ssvm | Success | 173.415
    test_05_rvpc_multi_tiers | Success | 684.340
    test_04_rvpc_network_garbage_collector_nics | Success | 880.461
    test_04_restart_network_wo_cleanup | Success | 5.583
    test_04_extract_template | Success | 10.176
    test_04_extract_Iso | Success | 5.132
    test_04_cpvm_internals | Success | 1.087
    test_04_change_offering_small | Success | 96.901
    test_03_ssvm_internals | Success | 3.339
    test_03_delete_vm_snapshots | Success | 275.207
    test_03_delete_iso | Success | 95.118
    test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | Success | 736.715
    test_02_revert_vm_snapshots | Success | 227.063
    test_02_redundant_VPC_default_routes | Success | 651.796
    test_02_port_fwd_on_non_src_nat | Success | 55.453
    test_02_isolate_network_FW_PF_default_routes_egress_false | Success | 321.366
    test_02_edit_iso | Success | 0.066
    test_02_deploy_vm_root_resize | Success | 6.193
    test_02_create_lb_rule_non_nat | Success | 207.381
    test_02_attach_volume | Success | 48.971
    test_02_VPC_default_routes | Success | 324.804
    test_01_snapshot_root_disk | Success | 146.564
    test_01_router_internal_basic | Success | 0.488
    test_01_port_fwd_on_src_nat | Success | 111.674
    test_01_nic | Success | 795.582
    test_01_isolate_network_FW_PF_default_routes_egress_true | Success | 306.420
    test_01_deploy_vm_root_resize | Success | 6.179
    test_01_create_volume | Success | 512.345
    test_01_create_vm_snapshots | Success | 161.679
    test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | Success | 1372.001
    test_01_create_lb_rule_src_nat | Success | 207.685
    test_01_create_iso | Success | 66.303
    test_01_VPC_nics_after_destroy | Success | 674.828
    test_00_deploy_vm_root_resize | Success | 6.339
    test_deploy_vgpu_enabled_vm | Skipped | 0.004
    test_08_resize_volume | Skipped | 5.092
    test_07_resize_fail | Skipped | 10.196
    test_06_copy_template | Skipped | 0.000
    test_01_primary_storage_iscsi | Skipped | 0.028



> Virtual Routers don't handle Multiple Public Interfaces
> -------------------------------------------------------
>
>                 Key: CLOUDSTACK-9339
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9339
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.8.0
>            Reporter: dsclose
>              Labels: firewall, nat, router
>
> There are a series of issues with the way Virtual Routers manage multiple 
> public interfaces. These are more pronounced on redundant virtual router 
> setups. I have not attempted to examine these issues in a VPC context. 
> Outside of a VPC context, however, the following is expected behaviour:
> * eth0 connects the router to the guest network.
> * In RvR setups, keepalived manages the guests' gateway IP as a virtual IP on 
> eth0.
> * eth1 provides a local link to the hypervisor, allowing Cloudstack to issue 
> commands to the router.
> * eth2 is the router's public interface. By default, a single public IP will 
> be set up on eth2 along with the necessary iptables and ip rules to source-NAT 
> guest traffic to that public IP.
> * When a public IP address is assigned to the router that is on a separate 
> subnet to the source-NAT IP, a new interface is configured, such as eth3, and 
> the IP is assigned to that interface.
> * This can result in eth3, eth4, eth5, etc. being created depending upon how 
> many public subnets the router has to work with.
> The above all works. The following, however, is currently not working:
> * Public interfaces should be set to DOWN on backup redundant routers. The 
> master.py script is responsible for setting public interfaces to UP during a 
> keepalived transition. Currently the check_is_up method of the CsIP class 
> brings all interfaces UP on both RvR. A proposed fix for this has been 
> discussed on the mailing list. That fix will leave public interfaces DOWN on 
> RvR allowing the keepalived transition to control the state of public 
> interfaces. Issue #1413 includes a commit that contradicts the proposed fix 
> so it is unclear what the current state of the code should be.
> * Newly created interfaces should be set to UP on master redundant routers. 
> Assuming public interfaces should by default be DOWN on an RvR, we need to 
> accommodate the fact that, as interfaces are created, no keepalived 
> transition occurs. This means that assigning an IP from a new public subnet 
> will have no effect (as the interface will be down) until the network is 
> restarted with a "clean up."
> * Public interfaces other than eth2 do not forward traffic. There are two 
> iptables rules in the FORWARD chain of the filter table created for eth2 that 
> allow forwarding between eth2 and eth0. Equivalent rules are not created for 
> other public interfaces so forwarded traffic is dropped.
> * Outbound traffic from guest VMs does not honour static-NAT rules. Instead, 
> outbound traffic is source-NAT'd to the network's default source-NAT IP. New 
> connections from guests that are destined for public networks are processed 
> like so:
> 1. Traffic is matched against the following rule in the mangle table that 
> marks the connection with a 0x0:
> *mangle
> -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
> 2. There are no "ip rule" statements that match a connection marked 0x0, so 
> the kernel routes the connection via the default gateway. That gateway is on 
> the source-NAT subnet, so the connection is routed out of eth2.
> 3. The following iptables rules are then matched in the filter table:
> *filter
> -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
> -A FW_OUTBOUND -j FW_EGRESS_RULES
> -A FW_EGRESS_RULES -j ACCEPT
> 4. Finally, the following rule is matched from the nat table, where the IP 
> address is the source-NAT IP:
> *nat
> -A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
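The forwarding gap and the CONNMARK walkthrough in the issue description can be checked mechanically from a router's `iptables-save` and `ip rule show` output. The script below is an added example written for this page; it is not code from the CloudStack project, the pull request, or the thread. It parses a constructed iptables-save dump and a constructed `ip rule` listing, treats every interface that has an SNAT rule in nat/POSTROUTING as a public interface, reports public interfaces that lack filter/FORWARD rules to and from eth0 in either direction, and lists CONNMARK values set in the mangle table that no `ip rule` fwmark entry routes (so those connections fall through to the default gateway, as step 2 of the issue describes). The return-direction FORWARD rule, the routing-table name `Table_eth3`, and the sample addresses are assumptions, not taken from the page.

```python
"""Audit a CloudStack virtual router's iptables/ip rule state for the
multi-public-interface problems described in CLOUDSTACK-9339.
All sample input below is constructed for this example."""
import re

GUEST_IF = "eth0"

# Constructed iptables-save dump: eth2 is wired up correctly, eth3 has an
# SNAT rule but no FORWARD rules (the gap the issue describes). The
# eth2->eth0 return rule is an assumed form, not copied from the page.
SAMPLE_DUMP = """\
*mangle
-A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
COMMIT
*filter
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o eth3 -j SNAT --to-source 198.51.100.10
COMMIT
"""

# Constructed `ip rule show` output; only mark 0x3 has a policy route,
# so connections marked 0x0 follow the main table's default gateway.
SAMPLE_IP_RULES = """\
0:      from all lookup local
32765:  from all fwmark 0x3 lookup Table_eth3
32766:  from all lookup main
32767:  from all lookup default
"""


def parse_iptables_save(dump):
    """Parse '-A CHAIN ...' lines into dicts keyed by table and chain."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):      # skip COMMIT, :CHAIN policy, blanks
            continue
        tokens = line.split()
        opts = {}
        for i, tok in enumerate(tokens):
            if tok in ("-i", "-o", "-j", "--to-source") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
        rules.append({"table": table, "chain": tokens[1],
                      "in_if": opts.get("-i"), "out_if": opts.get("-o"),
                      "target": opts.get("-j"), "snat_to": opts.get("--to-source"),
                      "raw": line})
    return rules


def public_interfaces(rules):
    """An interface with an SNAT rule in nat/POSTROUTING is a public interface."""
    return sorted({r["out_if"] for r in rules
                   if r["table"] == "nat" and r["chain"] == "POSTROUTING"
                   and r["target"] == "SNAT" and r["out_if"]})


def forward_coverage(rules, guest_if=GUEST_IF):
    """Per public interface: is there a filter/FORWARD rule for guest->public
    and for public->guest traffic?"""
    fwd = [r for r in rules if r["table"] == "filter" and r["chain"] == "FORWARD"]
    report = {}
    for pub in public_interfaces(rules):
        report[pub] = {
            "outbound": any(r["in_if"] == guest_if and r["out_if"] == pub for r in fwd),
            "inbound": any(r["in_if"] == pub and r["out_if"] == guest_if for r in fwd),
        }
    return report


def missing_forward_rules(rules, guest_if=GUEST_IF):
    """(interface, direction) pairs with no FORWARD rule; with a DROP policy
    on FORWARD, traffic through these interfaces is silently dropped."""
    missing = []
    for pub, cov in forward_coverage(rules, guest_if).items():
        if not cov["outbound"]:
            missing.append((pub, f"{guest_if}->{pub}"))
        if not cov["inbound"]:
            missing.append((pub, f"{pub}->{guest_if}"))
    return missing


def unrouted_connmarks(rules, ip_rule_output):
    """CONNMARK values set in the mangle table that no 'ip rule' fwmark entry
    routes: such connections take the default route (issue step 2)."""
    set_marks = set()
    for r in rules:
        if r["table"] == "mangle" and r["target"] == "CONNMARK":
            m = re.search(r"--set-xmark (0x[0-9a-fA-F]+)", r["raw"])
            if m:
                set_marks.add(int(m.group(1), 16))
    routed = {int(m, 16) for m in re.findall(r"fwmark (0x[0-9a-fA-F]+)", ip_rule_output)}
    return sorted(set_marks - routed)


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    print("public interfaces:", public_interfaces(parsed))
    print("missing FORWARD rules:", missing_forward_rules(parsed))
    print("marks without an ip rule:", unrouted_connmarks(parsed, SAMPLE_IP_RULES))
```

On a real router the two inputs would come from `iptables-save` and `ip rule show`; the audit flags eth3 as carrying source-NAT without any FORWARD path to or from the guest network, and shows that mark 0x0 has no policy route, which is exactly why new guest connections leave via eth2 regardless of any per-IP static-NAT assignment.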
