[ https://issues.apache.org/jira/browse/CLOUDSTACK-9339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15524933#comment-15524933 ]
ASF GitHub Bot commented on CLOUDSTACK-9339: -------------------------------------------- Github user abhinandanprateek commented on a diff in the pull request: https://github.com/apache/cloudstack/pull/1659#discussion_r80615061 --- Diff: test/integration/component/test_multiple_public_interfaces.py --- @@ -0,0 +1,1365 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +""" BVT tests for network services on public IP's from different public IP + range than that of associated source NAT IP of the network. Each IP associated + with network from a different public IP range results in a new public + interface on VR (eth3, eth4 etc) and iptable +""" +# Import Local Modules +from marvin.codes import (FAILED, STATIC_NAT_RULE, LB_RULE, + NAT_RULE, PASS) +from marvin.cloudstackTestCase import cloudstackTestCase +from marvin.cloudstackException import CloudstackAPIException +from marvin.cloudstackAPI import rebootRouter +from marvin.sshClient import SshClient +from marvin.lib.utils import cleanup_resources, get_process_status +from marvin.lib.base import (Account, + VirtualMachine, + ServiceOffering, + NATRule, + PublicIPAddress, + StaticNATRule, + FireWallRule, + Network, + NetworkOffering, + LoadBalancerRule, + PublicIpRange, + Router, + VpcOffering, + VPC, + NetworkACL) +from marvin.lib.common import (get_domain, + get_zone, + get_template, + list_hosts, + list_publicIP, + list_nat_rules, + list_routers, + list_virtual_machines, + list_lb_rules, + list_configurations, + verifyGuestTrafficPortGroups) +from nose.plugins.attrib import attr +from ddt import ddt, data +# Import System modules +import socket +import time +import logging + +_multiprocess_shared_ = True + +logger = logging.getLogger('TestNetworkOps') +stream_handler = logging.StreamHandler() +logger.setLevel(logging.DEBUG) +logger.addHandler(stream_handler) + +class TestPortForwarding(cloudstackTestCase): + + @classmethod + def setUpClass(cls): + + testClient = super(TestPortForwarding, cls).getClsTestClient() + cls.apiclient = testClient.getApiClient() + cls.services = testClient.getParsedTestDataConfig() + cls.hypervisor = testClient.getHypervisorInfo() + # Get Zone, Domain and templates + cls.domain = get_domain(cls.apiclient) + cls.zone = get_zone(cls.apiclient, testClient.getZoneForTests()) + cls.services["virtual_machine"]["zoneid"] = cls.zone.id + cls.services["zoneid"] = cls.zone.id + template = get_template( + cls.apiclient, + cls.zone.id, + cls.services["ostype"] + ) + if template == FAILED: + assert False, "get_template() failed to return template with description %s" % cls.services[ + "ostype"] + + # Create an account, network, VM and IP addresses + cls.account = Account.create( + cls.apiclient, + cls.services["account"], + admin=True, + domainid=cls.domain.id + ) + cls.services["publiciprange"]["zoneid"] = cls.zone.id + cls.service_offering = ServiceOffering.create( + cls.apiclient, + cls.services["service_offerings"]["tiny"] + ) + cls.virtual_machine = VirtualMachine.create( + cls.apiclient, + cls.services["virtual_machine"], + templateid=template.id, + accountid=cls.account.name, + domainid=cls.account.domainid, + serviceofferingid=cls.service_offering.id + ) + cls._cleanup = [ + cls.virtual_machine, + cls.account, + cls.service_offering + ] + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.cleanup = [] + return + + @classmethod + def tearDownClass(cls): + try: + cls.apiclient = super( + TestPortForwarding, + cls).getClsTestClient().getApiClient() + cleanup_resources(cls.apiclient, cls._cleanup) + except Exception as e: + raise Exception("Warning: Exception during cleanup : %s" % e) + + def tearDown(self): + cleanup_resources(self.apiclient, self.cleanup) + return + + @attr(tags=["advanced", "smoke"], required_hardware="true") + def test_port_forwarding_on_ip_from_non_src_nat_ip_range(self): + """Test for port forwarding on a IP which is in pubic IP range different + from public IP range that has source NAT IP associated with network + """ + + # Validate the following: + # 1. Create a new public IP range and dedicate to a account + # 2. Acquire a IP from new public range + # 3. create a port forwarding on acquired IP from new range + # 4. Create a firewall rule to open up the port + # 5. Test SSH works to the VM + + self.public_ip_range = PublicIpRange.create( + self.apiclient, + self.services["publiciprange"] + ) + + self.debug("Dedicating Public IP range to the account"); + dedicate_public_ip_range_response = PublicIpRange.dedicate( + self.apiclient, + self.public_ip_range.vlan.id, + account=self.account.name, + domainid=self.account.domainid + ) + ip_address = PublicIPAddress.create( + self.apiclient, + self.account.name, + self.zone.id, + self.account.domainid, + self.services["virtual_machine"] + ) + self.cleanup.append(ip_address) + self.cleanup.append(self.public_ip_range) + # Check if VM is in Running state before creating NAT and firewall rules + vm_response = VirtualMachine.list( + self.apiclient, + id=self.virtual_machine.id + ) + + self.assertEqual( + isinstance(vm_response, list), + True, + "Check list VM returns a valid list" + ) + + self.assertNotEqual( + len(vm_response), + 0, + "Check Port Forwarding Rule is created" + ) + self.assertEqual( + vm_response[0].state, + 'Running', + "VM state should be Running before creating a NAT rule." + ) + + # Open up firewall port for SSH + FireWallRule.create( + self.apiclient, + ipaddressid=ip_address.ipaddress.id, + protocol=self.services["natrule"]["protocol"], + cidrlist=['0.0.0.0/0'], + startport=self.services["natrule"]["publicport"], + endport=self.services["natrule"]["publicport"] + ) + + # Create PF rule + nat_rule = NATRule.create( + self.apiclient, + self.virtual_machine, + self.services["natrule"], + ip_address.ipaddress.id + ) + + try: + logger.debug("SSHing into VM with IP address %s with NAT IP %s" % + ( + self.virtual_machine.ipaddress, + ip_address.ipaddress.ipaddress + )) + self.virtual_machine.get_ssh_client(ip_address.ipaddress.ipaddress) + except Exception as e: + self.fail( + "SSH Access failed for %s: %s" % + (self.virtual_machine.ipaddress, e) + ) + + nat_rule.delete(self.apiclient) + +class TestStaticNat(cloudstackTestCase): + + @classmethod + def setUpClass(cls): + + testClient = super(TestStaticNat, cls).getClsTestClient() + cls.apiclient = testClient.getApiClient() + cls.services = testClient.getParsedTestDataConfig() + cls.hypervisor = testClient.getHypervisorInfo() + # Get Zone, Domain and templates + cls.domain = get_domain(cls.apiclient) + cls.zone = get_zone(cls.apiclient, testClient.getZoneForTests()) + cls.services["virtual_machine"]["zoneid"] = cls.zone.id + cls.services["zoneid"] = cls.zone.id + template = get_template( + cls.apiclient, + cls.zone.id, + cls.services["ostype"] + ) + if template == FAILED: + assert False, "get_template() failed to return template with description %s" % cls.services[ + "ostype"] + + # Create an account, network, VM and IP addresses + cls.account = Account.create( + cls.apiclient, + cls.services["account"], + admin=True, + domainid=cls.domain.id + ) + cls.services["publiciprange"]["zoneid"] = cls.zone.id + cls.service_offering = ServiceOffering.create( + cls.apiclient, + cls.services["service_offerings"]["tiny"] + ) + cls.virtual_machine = VirtualMachine.create( + cls.apiclient, + cls.services["virtual_machine"], + templateid=template.id, + accountid=cls.account.name, + domainid=cls.account.domainid, + serviceofferingid=cls.service_offering.id + ) + cls.defaultNetworkId = cls.virtual_machine.nic[0].networkid + cls._cleanup = [ + cls.virtual_machine, + cls.account, + cls.service_offering + ] + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.cleanup = [] + return + + @classmethod + def tearDownClass(cls): + try: + cls.apiclient = super( + TestStaticNat, + cls).getClsTestClient().getApiClient() + cleanup_resources(cls.apiclient, cls._cleanup) + except Exception as e: + raise Exception("Warning: Exception during cleanup : %s" % e) + + def tearDown(self): + cleanup_resources(self.apiclient, self.cleanup) + return + + @attr(tags=["advanced", "smoke"], required_hardware="true") + def test_static_nat_on_ip_from_non_src_nat_ip_range(self): + """Test for static nat on a IP which is in pubic IP range different + from public IP range that has source NAT IP associated with network + """ + + # Validate the following: + # 1. Create a new public IP range and dedicate to a account + # 2. Acquire a IP from new public range + # 3. Enable static NAT on acquired IP from new range + # 4. Create a firewall rule to open up the port + # 5. Test SSH works to the VM + + self.public_ip_range = PublicIpRange.create( + self.apiclient, + self.services["publiciprange"] + ) + + self.debug("Dedicating Public IP range to the account"); + dedicate_public_ip_range_response = PublicIpRange.dedicate( + self.apiclient, + self.public_ip_range.vlan.id, + account=self.account.name, + domainid=self.account.domainid + ) + ip_address = PublicIPAddress.create( + self.apiclient, + self.account.name, + self.zone.id, + self.account.domainid, + self.services["virtual_machine"] + ) + self.cleanup.append(ip_address) + self.cleanup.append(self.public_ip_range) + # Check if VM is in Running state before creating NAT and firewall rules + vm_response = VirtualMachine.list( + self.apiclient, + id=self.virtual_machine.id + ) + + self.assertEqual( + isinstance(vm_response, list), + True, + "Check list VM returns a valid list" + ) + + self.assertNotEqual( + len(vm_response), + 0, + "Check Port Forwarding Rule is created" + ) + self.assertEqual( + vm_response[0].state, + 'Running', + "VM state should be Running before creating a NAT rule." + ) + + # Open up firewall port for SSH + FireWallRule.create( + self.apiclient, + ipaddressid=ip_address.ipaddress.id, + protocol=self.services["natrule"]["protocol"], + cidrlist=['0.0.0.0/0'], + startport=self.services["natrule"]["publicport"], + endport=self.services["natrule"]["publicport"] + ) + + # Create Static NAT rule + StaticNATRule.enable( + self.apiclient, + ip_address.ipaddress.id, + self.virtual_machine.id, + self.defaultNetworkId + ) + + try: + logger.debug("SSHing into VM with IP address %s with NAT IP %s" % + ( + self.virtual_machine.ipaddress, + ip_address.ipaddress.ipaddress + )) + self.virtual_machine.get_ssh_client(ip_address.ipaddress.ipaddress) + except Exception as e: + self.fail( + "SSH Access failed for %s: %s" % + (self.virtual_machine.ipaddress, e) + ) + + StaticNATRule.disable( + self.apiclient, + ip_address.ipaddress.id, + self.virtual_machine.id + ) + +class TestRouting(cloudstackTestCase): + + @classmethod + def setUpClass(cls): + + testClient = super(TestRouting, cls).getClsTestClient() + cls.apiclient = testClient.getApiClient() + cls.services = testClient.getParsedTestDataConfig() + cls.hypervisor = testClient.getHypervisorInfo() + # Get Zone, Domain and templates + cls.domain = get_domain(cls.apiclient) + cls.zone = get_zone(cls.apiclient, testClient.getZoneForTests()) + cls.services["virtual_machine"]["zoneid"] = cls.zone.id + cls.services["zoneid"] = cls.zone.id + template = get_template( + cls.apiclient, + cls.zone.id, + cls.services["ostype"] + ) + if template == FAILED: + assert False, "get_template() failed to return template with description %s" % cls.services[ + "ostype"] + + # Create an account, network, VM and IP addresses + cls.account = Account.create( + cls.apiclient, + cls.services["account"], + admin=True, + domainid=cls.domain.id + ) + cls.services["publiciprange"]["zoneid"] = cls.zone.id + cls.service_offering = ServiceOffering.create( + cls.apiclient, + cls.services["service_offerings"]["tiny"] + ) + cls.virtual_machine = VirtualMachine.create( + cls.apiclient, + cls.services["virtual_machine"], + templateid=template.id, + accountid=cls.account.name, + domainid=cls.account.domainid, + serviceofferingid=cls.service_offering.id + ) + cls._cleanup = [ + cls.virtual_machine, + cls.account, + cls.service_offering + ] + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.cleanup = [] + return + + @classmethod + def tearDownClass(cls): + try: + cls.apiclient = super( + TestRouting, + cls).getClsTestClient().getApiClient() + cleanup_resources(cls.apiclient, cls._cleanup) + except Exception as e: + raise Exception("Warning: Exception during cleanup : %s" % e) + + def tearDown(self): + cleanup_resources(self.apiclient, self.cleanup) + return + + @attr(tags=["advanced", "smoke"], required_hardware="true") + def test_routing_tables(self): + """Test routing table in case we have IP associated with a network which is in + different pubic IP range from that of public IP range that has source NAT IP. + When IP is associated we should see a new route table created. + When IP is associated we should see a that route table is deleted. + """ + + # Validate the following: + # 1. Create a new public IP range and dedicate to a account + # 2. Acquire a IP from new public range + # 3. Create a firewall rule to open up the port, so that IP is associated with network + # 5. Login to VR and verify routing tables, there should be Table_eth3 + # 6. Delete firewall rule, since its last IP, routing table Table_eth3 should be deleted + + self.public_ip_range = PublicIpRange.create( + self.apiclient, + self.services["publiciprange"] + ) + + self.debug("Dedicating Public IP range to the account"); + dedicate_public_ip_range_response = PublicIpRange.dedicate( + self.apiclient, + self.public_ip_range.vlan.id, + account=self.account.name, + domainid=self.account.domainid + ) + ip_address = PublicIPAddress.create( + self.apiclient, + self.account.name, + self.zone.id, + self.account.domainid, + self.services["virtual_machine"] + ) + self.cleanup.append(ip_address) + self.cleanup.append(self.public_ip_range) + # Check if VM is in Running state before creating NAT and firewall rules + vm_response = VirtualMachine.list( + self.apiclient, + id=self.virtual_machine.id + ) + + self.assertEqual( + isinstance(vm_response, list), + True, + "Check list VM returns a valid list" + ) + + self.assertNotEqual( + len(vm_response), + 0, + "Check Port Forwarding Rule is created" + ) + self.assertEqual( + vm_response[0].state, + 'Running', + "VM state should be Running before creating Firewall rule." + ) + + # Open up firewall port for SSH, this will associate IP with VR + firewall_rule = FireWallRule.create( + self.apiclient, + ipaddressid=ip_address.ipaddress.id, + protocol=self.services["natrule"]["protocol"], + cidrlist=['0.0.0.0/0'], + startport=self.services["natrule"]["publicport"], + endport=self.services["natrule"]["publicport"] + ) + + # Get the router details associated with account + routers = list_routers( + self.apiclient, + account=self.account.name, + domainid=self.account.domainid, + ) + router = routers[0] + + if (self.hypervisor.lower() == 'vmware' + or self.hypervisor.lower() == 'hyperv'): + result = get_process_status( + self.apiclient.connection.mgtSvr, + 22, + self.apiclient.connection.user, + self.apiclient.connection.passwd, + router.linklocalip, + 'ip route list table Table_eth3', + hypervisor=self.hypervisor + ) + else: + hosts = list_hosts( + self.apiclient, + id=router.hostid, + ) + self.assertEqual( + isinstance(hosts, list), + True, + "Check for list hosts response return valid data" + ) + host = hosts[0] + host.user = self.services["configurableData"]["host"]["username"] + host.passwd = self.services["configurableData"]["host"]["password"] + try: + result = get_process_status( + host.ipaddress, + 22, + host.user, + host.passwd, + router.linklocalip, + 'ip route list table Table_eth3' + ) + except KeyError: + self.skipTest( + "Provide a marvin config file with host\ + credentials to run %s" % + self._testMethodName) + + self.debug("ip route list table Table_eth3: %s" % result) + public_range_gateway = self.services["publiciprange"]["gateway"] + default_route_rule = "default via " + public_range_gateway + " dev eth3 proto static" + self.debug("default route result: %s" % str(result[0])) + self.assertEqual( + default_route_rule, + str(result[0]), + "Check default route table entry for public ip range" + ) + + res = str(result) + self.assertEqual( + res.count("throw") > 2, + True, + "Check routing rules to throw rest of the traffic. Count shoule be Atleast 2 for the control and guest traffic " + ) + + firewall_rule.delete(self.apiclient) + + if (self.hypervisor.lower() == 'vmware' + or self.hypervisor.lower() == 'hyperv'): + result = get_process_status( + self.apiclient.connection.mgtSvr, + 22, + self.apiclient.connection.user, + self.apiclient.connection.passwd, + router.linklocalip, + 'ip route list table Table_eth3', + hypervisor=self.hypervisor + ) + else: + hosts = list_hosts( + self.apiclient, + id=router.hostid, + ) + self.assertEqual( + isinstance(hosts, list), + True, + "Check for list hosts response return valid data" + ) + host = hosts[0] + host.user = self.services["configurableData"]["host"]["username"] + host.passwd = self.services["configurableData"]["host"]["password"] + try: + result = get_process_status( + host.ipaddress, + 22, + host.user, + host.passwd, + router.linklocalip, + 'ip route list table Table_eth3' + ) + except KeyError: + self.skipTest( + "Provide a marvin config file with host\ + credentials to run %s" % + self._testMethodName) + + self.debug("ip route list table Table_eth3: %s" % result) + res = str(result) + self.assertEqual( + res.count("default via"), + 0, + "Check to ensure there should not be any default rule" + ) + + self.assertEqual( + res.count("throw"), + 0, + "Check to ensure there should not be any throw rule" + ) + +class TestIptables(cloudstackTestCase): + + @classmethod + def setUpClass(cls): + + testClient = super(TestIptables, cls).getClsTestClient() + cls.apiclient = testClient.getApiClient() + cls.services = testClient.getParsedTestDataConfig() + cls.hypervisor = testClient.getHypervisorInfo() + # Get Zone, Domain and templates + cls.domain = get_domain(cls.apiclient) + cls.zone = get_zone(cls.apiclient, testClient.getZoneForTests()) + cls.services["virtual_machine"]["zoneid"] = cls.zone.id + cls.services["zoneid"] = cls.zone.id + template = get_template( + cls.apiclient, + cls.zone.id, + cls.services["ostype"] + ) + if template == FAILED: + assert False, "get_template() failed to return template with description %s" % cls.services[ + "ostype"] + + # Create an account, network, VM and IP addresses + cls.account = Account.create( + cls.apiclient, + cls.services["account"], + admin=True, + domainid=cls.domain.id + ) + cls.services["publiciprange"]["zoneid"] = cls.zone.id + cls.service_offering = ServiceOffering.create( + cls.apiclient, + cls.services["service_offerings"]["tiny"] + ) + cls.virtual_machine = VirtualMachine.create( + cls.apiclient, + cls.services["virtual_machine"], + templateid=template.id, + accountid=cls.account.name, + domainid=cls.account.domainid, + serviceofferingid=cls.service_offering.id + ) + cls._cleanup = [ + cls.virtual_machine, + cls.account, + cls.service_offering + ] + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.cleanup = [] + return + + @classmethod + def tearDownClass(cls): + try: + cls.apiclient = super( + TestIptables, + cls).getClsTestClient().getApiClient() + cleanup_resources(cls.apiclient, cls._cleanup) + except Exception as e: + raise Exception("Warning: Exception during cleanup : %s" % e) + + def tearDown(self): + cleanup_resources(self.apiclient, self.cleanup) + return + + @attr(tags=["advanced", "smoke"], required_hardware="true") + def test_iptable_rules(self): + """Test iptable rules in case we have IP associated with a network which is in + different pubic IP range from that of public IP range that has source NAT IP. + When IP is associated we should see a rule '-i eth3 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT' in FORWARD table. + When IP is dis-associated we should see a rule in the FORWARD table is deleted. + """ + + # Validate the following: + # 1. Create a new public IP range and dedicate to a account + # 2. Acquire a IP from new public range + # 3. Create a firewall rule to open up the port, so that IP is associated with network + # 5. Login to VR and verify routing tables, there should be Table_eth3 + # 6. Delete firewall rule, since its last IP, routing table Table_eth3 should be deleted + + self.public_ip_range = PublicIpRange.create( + self.apiclient, + self.services["publiciprange"] + ) + + self.debug("Dedicating Public IP range to the account"); + dedicate_public_ip_range_response = PublicIpRange.dedicate( + self.apiclient, + self.public_ip_range.vlan.id, + account=self.account.name, + domainid=self.account.domainid + ) + ip_address = PublicIPAddress.create( + self.apiclient, + self.account.name, + self.zone.id, + self.account.domainid, + self.services["virtual_machine"] + ) + self.cleanup.append(ip_address) + self.cleanup.append(self.public_ip_range) + # Check if VM is in Running state before creating NAT and firewall rules + vm_response = VirtualMachine.list( + self.apiclient, + id=self.virtual_machine.id + ) + + self.assertEqual( + isinstance(vm_response, list), + True, + "Check list VM returns a valid list" + ) + + self.assertNotEqual( + len(vm_response), + 0, + "Check Port Forwarding Rule is created" + ) + self.assertEqual( + vm_response[0].state, + 'Running', + "VM state should be Running before creating a NAT rule." + ) + + # Open up firewall port for SSH + firewall_rule = FireWallRule.create( + self.apiclient, + ipaddressid=ip_address.ipaddress.id, + protocol=self.services["natrule"]["protocol"], + cidrlist=['0.0.0.0/0'], + startport=self.services["natrule"]["publicport"], + endport=self.services["natrule"]["publicport"] + ) + + # Get the router details associated with account + routers = list_routers( + self.apiclient, + account=self.account.name, + domainid=self.account.domainid, + ) + router = routers[0] + + if (self.hypervisor.lower() == 'vmware' + or self.hypervisor.lower() == 'hyperv'): + result = get_process_status( + self.apiclient.connection.mgtSvr, + 22, + self.apiclient.connection.user, + self.apiclient.connection.passwd, + router.linklocalip, + 'iptables -t filter -L FORWARD -v', + hypervisor=self.hypervisor + ) + else: + hosts = list_hosts( + self.apiclient, + id=router.hostid, + ) + self.assertEqual( + isinstance(hosts, list), + True, + "Check for list hosts response return valid data" + ) + host = hosts[0] + host.user = self.services["configurableData"]["host"]["username"] + host.passwd = self.services["configurableData"]["host"]["password"] + try: + result = get_process_status( + host.ipaddress, + 22, + host.user, + host.passwd, + router.linklocalip, + 'iptables -t filter -L FORWARD -v' + ) + except KeyError: + self.skipTest( + "Provide a marvin config file with host\ + credentials to run %s" % + self._testMethodName) + + self.debug("iptables -t filter -L FORWARD -v: %s" % result) + res = str(result) + self.assertEqual( + res.count("eth3 eth0 anywhere anywhere state RELATED,ESTABLISHED"), + 1, + "Check to ensure there is a iptable rule to accept the RELATED,ESTABLISHED traffic" + ) + + + firewall_rule.delete(self.apiclient) + --- End diff -- I think creating and validating a firewall rule can be moved to net utility class, as this has possibilities to be reused. > Virtual Routers don't handle Multiple Public Interfaces > ------------------------------------------------------- > > Key: CLOUDSTACK-9339 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9339 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Virtual Router > Affects Versions: 4.8.0 > Reporter: dsclose > Labels: firewall, nat, router > > There are a series of issues with the way Virtual Routers manage multiple > public interfaces. These are more pronounced on redundant virtual router > setups. I have not attempted to examine these issues in a VPC context. > Outside of a VPC context, however, the following is expected behaviour: > * eth0 connects the router to the guest network. > * In RvR setups, keepalived manages the guests' gateway IP as a virtual IP on > eth0. > * eth1 provides a local link to the hypervisor, allowing Cloudstack to issue > commands to the router. > * eth2 is the routers public interface. By default, a single public IP will > be setup on eth2 along with the necessary iptables and ip rules to source-NAT > guest traffic to that public IP. > * When a public IP address is assigned to the router that is on a separate > subnet to the source-NAT IP, a new interface is configured, such as eth3, and > the IP is assigned to that interface. > * This can result in eth3, eth4, eth5, etc. being created depending upon how > many public subnets the router has to work with. > The above all works. The following, however, is currently not working: > * Public interfaces should be set to DOWN on backup redundant routers. The > master.py script is responsible for setting public interfaces to UP during a > keepalived transition. Currently the check_is_up method of the CsIP class > brings all interfaces UP on both RvR. A proposed fix for this has been > discussed on the mailing list. That fix will leave public interfaces DOWN on > RvR allowing the keepalived transition to control the state of public > interfaces. Issue #1413 includes a commit that contradicts the proposed fix > so it is unclear what the current state of the code should be. > * Newly created interfaces should be set to UP on master redundant routers. > Assuming public interfaces should be default be DOWN on an RvR we need to > accommodate the fact that, as interfaces are created, no keepalived > transition occurs. This means that assigning an IP from a new public subnet > will have no effect (as the interface will be down) until the network is > restarted with a "clean up." > * Public interfaces other than eth2 do not forward traffic. There are two > iptables rules in the FORWARD chain of the filter table created for eth2 that > allow forwarding between eth2 and eth0. Equivalent rules are not created for > other public interfaces so forwarded traffic is dropped. > * Outbound traffic from guest VMs does not honour static-NAT rules. Instead, > outbound traffic is source-NAT'd to the networks default source-NAT IP. New > connections from guests that are destined for public networks are processed > like so: > 1. Traffic is matched against the following rule in the mangle table that > marks the connection with a 0x0: > *mangle > -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark > 0x0/0xffffffff > 2. There are no "ip rule" statements that match a connection marked 0x0, so > the kernel routes the connection via the default gateway. That gateway is on > source-NAT subnet, so the connection is routed out of eth2. > 3. The following iptables rules are then matched in the filter table: > *filter > -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND > -A FW_OUTBOUND -j FW_EGRESS_RULES > -A FW_EGRESS_RULES -j ACCEPT > 4. Finally, the following rule is matched from the nat table, where the IP > address is the source-NAT IP: > *nat > -A POSTROUTING -o eth2 -j SNAT --to-source 123.4.5.67 > -- This message was sent by Atlassian JIRA (v6.3.4#6332)