[ https://issues.apache.org/jira/browse/CLOUDSTACK-9339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514914#comment-15514914 ]
ASF GitHub Bot commented on CLOUDSTACK-9339:
--------------------------------------------

Github user blueorangutan commented on the issue:

    https://github.com/apache/cloudstack/pull/1659

    Trillian test result (#21)
    Environment: vmware-55u3 (x2), Advanced Networking
    Total time taken: 27908s
    Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr1659-t21-vmware-55u3.zip
    Test completed. 45 look ok, 8 have errors

    Test | Result | Time (s)
    --- | --- | ---
    test_04_rvpc_privategw_static_routes | `Failure` | 382.998
    test_04_rvpc_internallb_haproxy_stats_on_all_interfaces | `Failure` | 598.977
    test_03_vpc_privategw_restart_vpc_cleanup | `Failure` | 202.177
    test_03_vpc_internallb_haproxy_stats_on_all_interfaces | `Failure` | 120.997
    test_03_RVR_Network_check_router_state | `Failure` | 308.858
    test_02_vpc_privategw_static_routes | `Failure` | 207.177
    test_02_internallb_roundrobin_1RVPC_3VM_HTTP_port80 | `Failure` | 631.260
    test_02_RVR_Network_FW_PF_SSH_default_routes_egress_false | `Failure` | 565.425
    test_01_vpc_privategw_acl | `Failure` | 111.862
    test_01_internallb_roundrobin_1VPC_3VM_HTTP_port80 | `Failure` | 430.487
    test_01_RVR_Network_FW_PF_SSH_default_routes_egress_true | `Failure` | 464.304
    test_router_dhcphosts | `Error` | 834.237
    test_isolate_network_password_server | `Error` | 829.874
    test_02_routervm_iptables_policies | `Error` | 888.488
    test_01_vpc_site2site_vpn | `Error` | 485.994
    test_01_vpc_remote_access_vpn | `Error` | 0.075
    test_01_test_vm_volume_snapshot | `Error` | 191.106
    test_01_single_VPC_iptables_policies | `Error` | 1026.261
    test_01_redundant_vpc_site2site_vpn | `Error` | 716.864
    ContextSuite context=TestRouterDHCPHosts>:teardown | `Error` | 855.313
    test_router_dns_guestipquery | Success | 76.640
    test_router_dns_externalipquery | Success | 0.054
    test_reboot_router | Success | 629.192
    test_network_rules_acquired_public_ip_3_Load_Balancer_Rule | Success | 76.555
    test_network_rules_acquired_public_ip_2_nat_rule | Success | 61.441
    test_network_rules_acquired_public_ip_1_static_nat_rule | Success | 124.970
    test_network_acl | Success | 151.231
    test_deployvm_userdata_post | Success | 30.430
    test_deployvm_userdata | Success | 211.457
    test_deploy_vm_from_iso | Success | 458.299
    test_createRegion | Success | 0.041
    test_assign_and_removal_lb | Success | 148.691
    test_10_destroy_cpvm | Success | 261.579
    test_10_attachAndDetach_iso | Success | 71.746
    test_09_destroy_ssvm | Success | 244.470
    test_08_reboot_cpvm | Success | 156.414
    test_07_reboot_ssvm | Success | 158.193
    test_06_stop_cpvm | Success | 176.587
    test_06_download_detached_volume | Success | 55.413
    test_05_stop_ssvm | Success | 173.415
    test_05_rvpc_multi_tiers | Success | 684.340
    test_04_rvpc_network_garbage_collector_nics | Success | 880.461
    test_04_restart_network_wo_cleanup | Success | 5.583
    test_04_extract_template | Success | 10.176
    test_04_extract_Iso | Success | 5.132
    test_04_cpvm_internals | Success | 1.087
    test_04_change_offering_small | Success | 96.901
    test_03_ssvm_internals | Success | 3.339
    test_03_delete_vm_snapshots | Success | 275.207
    test_03_delete_iso | Success | 95.118
    test_03_create_redundant_VPC_1tier_2VMs_2IPs_2PF_ACL_reboot_routers | Success | 736.715
    test_02_revert_vm_snapshots | Success | 227.063
    test_02_redundant_VPC_default_routes | Success | 651.796
    test_02_port_fwd_on_non_src_nat | Success | 55.453
    test_02_isolate_network_FW_PF_default_routes_egress_false | Success | 321.366
    test_02_edit_iso | Success | 0.066
    test_02_deploy_vm_root_resize | Success | 6.193
    test_02_create_lb_rule_non_nat | Success | 207.381
    test_02_attach_volume | Success | 48.971
    test_02_VPC_default_routes | Success | 324.804
    test_01_snapshot_root_disk | Success | 146.564
    test_01_router_internal_basic | Success | 0.488
    test_01_port_fwd_on_src_nat | Success | 111.674
    test_01_nic | Success | 795.582
    test_01_isolate_network_FW_PF_default_routes_egress_true | Success | 306.420
    test_01_deploy_vm_root_resize | Success | 6.179
    test_01_create_volume | Success | 512.345
    test_01_create_vm_snapshots | Success | 161.679
    test_01_create_redundant_VPC_2tiers_4VMs_4IPs_4PF_ACL | Success | 1372.001
    test_01_create_lb_rule_src_nat | Success | 207.685
    test_01_create_iso | Success | 66.303
    test_01_VPC_nics_after_destroy | Success | 674.828
    test_00_deploy_vm_root_resize | Success | 6.339
    test_deploy_vgpu_enabled_vm | Skipped | 0.004
    test_08_resize_volume | Skipped | 5.092
    test_07_resize_fail | Skipped | 10.196
    test_06_copy_template | Skipped | 0.000
    test_01_primary_storage_iscsi | Skipped | 0.028

> Virtual Routers don't handle Multiple Public Interfaces
> -------------------------------------------------------
>
>                 Key: CLOUDSTACK-9339
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9339
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.8.0
>            Reporter: dsclose
>              Labels: firewall, nat, router
>
> There are a series of issues with the way Virtual Routers manage multiple
> public interfaces. These are more pronounced on redundant virtual router
> setups. I have not attempted to examine these issues in a VPC context.
> Outside of a VPC context, however, the following is expected behaviour:
> * eth0 connects the router to the guest network.
> * In RvR setups, keepalived manages the guests' gateway IP as a virtual IP on
>   eth0.
> * eth1 provides a local link to the hypervisor, allowing Cloudstack to issue
>   commands to the router.
> * eth2 is the router's public interface. By default, a single public IP will
>   be set up on eth2 along with the necessary iptables and ip rules to
>   source-NAT guest traffic to that public IP.
> * When a public IP address is assigned to the router that is on a separate
>   subnet to the source-NAT IP, a new interface is configured, such as eth3,
>   and the IP is assigned to that interface.
> * This can result in eth3, eth4, eth5, etc. being created depending upon how
>   many public subnets the router has to work with.
>
> The above all works. The following, however, is currently not working:
> * Public interfaces should be set to DOWN on backup redundant routers. The
>   master.py script is responsible for setting public interfaces to UP during
>   a keepalived transition. Currently the check_is_up method of the CsIP class
>   brings all interfaces UP on both RvR. A proposed fix for this has been
>   discussed on the mailing list. That fix will leave public interfaces DOWN
>   on RvR, allowing the keepalived transition to control the state of public
>   interfaces. Issue #1413 includes a commit that contradicts the proposed fix,
>   so it is unclear what the current state of the code should be.
> * Newly created interfaces should be set to UP on master redundant routers.
>   Assuming public interfaces should by default be DOWN on an RvR, we need to
>   accommodate the fact that, as interfaces are created, no keepalived
>   transition occurs. This means that assigning an IP from a new public subnet
>   will have no effect (as the interface will be down) until the network is
>   restarted with a "clean up."
> * Public interfaces other than eth2 do not forward traffic. There are two
>   iptables rules in the FORWARD chain of the filter table created for eth2
>   that allow forwarding between eth2 and eth0. Equivalent rules are not
>   created for other public interfaces, so forwarded traffic is dropped.
> * Outbound traffic from guest VMs does not honour static-NAT rules. Instead,
>   outbound traffic is source-NAT'd to the network's default source-NAT IP.
>   New connections from guests that are destined for public networks are
>   processed like so:
>   1. Traffic is matched against the following rule in the mangle table that
>      marks the connection with a 0x0:
>
>      *mangle
>      -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 0x0/0xffffffff
>
>   2. There are no "ip rule" statements that match a connection marked 0x0,
>      so the kernel routes the connection via the default gateway. That
>      gateway is on the source-NAT subnet, so the connection is routed out of
>      eth2.
>   3. The following iptables rules are then matched in the filter table:
>
>      *filter
>      -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>      -A FW_OUTBOUND -j FW_EGRESS_RULES
>      -A FW_EGRESS_RULES -j ACCEPT
>
>   4. Finally, the following rule is matched from the nat table, where the IP
>      address is the source-NAT IP:
>
>      *nat
>      -A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
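The forwarding gap the issue describes (FORWARD and SNAT rules exist only for eth2, so a second public interface silently drops guest traffic) can be spotted from an `iptables-save` dump before a network restart is attempted. The audit below is an added example, not CloudStack code; the dump it checks is constructed from the rules quoted in the issue, with a second public interface `eth3` and an `eth2`-to-`eth0` return rule assumed.

```python
# Constructed iptables-save excerpt modelled on the FORWARD/SNAT rules quoted in
# the issue: only eth2 (the source-NAT interface) has them.  eth3 is an assumed
# second public interface; the eth2->eth0 return rule is constructed, not quoted.
SAMPLE_DUMP = """\
*filter
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FW_OUTBOUND -j FW_EGRESS_RULES
-A FW_EGRESS_RULES -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67
COMMIT
"""

def parse_dump(text):
    """Return {table: [(chain, {"-i"/"-o"/"-j": value})]} for each -A line."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            tok = line.split()
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                    if tok[i] in ("-i", "-o", "-j")}
            tables[table].append((tok[1], opts))
    return tables

def audit_public_interfaces(text, public_ifaces, guest_iface="eth0"):
    """Per public interface, list the forward/SNAT rules the dump lacks."""
    tables = parse_dump(text)
    filt, nat = tables.get("filter", []), tables.get("nat", [])

    def has(rules, chain, **want):  # any rule in chain carrying all of `want`
        return any(c == chain and all(o.get(k) == v for k, v in want.items())
                   for c, o in rules)

    missing = {}
    for pub in public_ifaces:
        gaps = []
        if not has(filt, "FORWARD", **{"-i": guest_iface, "-o": pub}):
            gaps.append(f"FORWARD {guest_iface}->{pub}")
        if not has(filt, "FORWARD", **{"-i": pub, "-o": guest_iface}):
            gaps.append(f"FORWARD {pub}->{guest_iface}")
        if not has(nat, "POSTROUTING", **{"-o": pub, "-j": "SNAT"}):
            gaps.append(f"POSTROUTING SNAT -o {pub}")
        missing[pub] = gaps
    return missing
```

On a real router, feed it the output of `iptables-save` together with the list of public interfaces (eth2, eth3, ...); an empty list for an interface means both FORWARD directions and a POSTROUTING SNAT rule are present, while `eth3` in the constructed dump reports all three missing, matching the symptom in the issue.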