DeepthiMachiraju created CLOUDSTACK-9745:
--------------------------------------------

Summary: IPtables NAT rules are not cleaned up on router, post disabling static NAT on Public IP
Key: CLOUDSTACK-9745
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9745
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.9.0.1
Reporter: DeepthiMachiraju
Fix For: 4.10.0.0
Attachments: cloudlog.txt

- Navigate to network and acquire a new Public IP.
- Enable static NAT and assign a guest VM to the IP.
- Ensure the NAT rules are updated accordingly in the router.
- Now disable the static NAT on the Public IP.

Observation:
- IPtables NAT rules are still populated with the disabled Public IP entries. Check the IP at eth2 and the POSTROUTING chain. (10.147.30.112 is the source NAT IP; 10.147.30.113 and 10.147.30.114 are the acquired IPs.)
- The rules are cleared only after the network is restarted with the cleanup option enabled.

=====================================================
root@r-203-VM:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:76:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:00:4a brd ff:ff:ff:ff:ff:ff
    inet 169.254.0.74/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:77:36:00:00:0d brd ff:ff:ff:ff:ff:ff
    inet 10.147.30.112/24 brd 10.147.30.255 scope global eth2
root@r-203-VM:~#
root@r-203-VM:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 3 packets, 204 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  eth2   any     anywhere             10.147.30.112        tcp dpt:ssh to:10.1.1.13:22
    0     0 DNAT       tcp  --  eth0   any     anywhere             10.147.30.112        tcp dpt:ssh to:10.1.1.13:22
    0     0 MARK       tcp  --  eth2   any     anywhere             10.147.30.112        tcp dpt:ssh MARK set 0x2
    0     0 CONNMARK   tcp  --  eth2   any     anywhere             10.147.30.112        tcp dpt:ssh state NEW CONNMARK save

Chain INPUT (policy ACCEPT 3 packets, 204 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 665 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             10.147.30.112        tcp dpt:ssh to:10.1.1.13:22

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  257 17134 SNAT       all  --  any    eth2    anywhere             anywhere             to:10.147.30.112
    0     0 SNAT       tcp  --  any    eth0    10.1.1.0/24          newv1                tcp dpt:ssh to:10.1.1.1
    0     0 SNAT       all  --  any    eth2    anywhere             anywhere             to:10.147.30.113
    0     0 SNAT       all  --  any    eth2    anywhere             anywhere             to:10.147.30.114
==========================================================

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
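Added example (not part of the report above and not CloudStack's own code): a small check an operator could run on the virtual router to spot NAT rules left behind after static NAT is disabled, without restarting the network. It works on `iptables -t nat -S` output rather than the `-L -v` table in the report, because `-S` prints rules in the exact form `iptables -t nat -D` needs. The sample rule set is constructed to mirror the listing above (10.147.30.112 source NAT, 10.147.30.113/.114 with stale SNAT); the function names, the public-prefix argument and the "active IPs" list are assumptions of this example, the latter standing in for whatever the management server still considers assigned.

```shell
#!/bin/sh
# Find NAT rules on a CloudStack VR that reference public IPs which should no
# longer carry NAT, and emit the matching delete commands for review.

# Constructed sample in `iptables -t nat -S` form, modelled on the report's
# -L -v listing: .112 is the source NAT IP, .113/.114 had static NAT disabled.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 10.147.30.112/32 -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.13:22
-A PREROUTING -d 10.147.30.112/32 -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.13:22
-A OUTPUT -d 10.147.30.112/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.13:22
-A POSTROUTING -o eth2 -j SNAT --to-source 10.147.30.112
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -p tcp -m tcp --dport 22 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -o eth2 -j SNAT --to-source 10.147.30.113
-A POSTROUTING -o eth2 -j SNAT --to-source 10.147.30.114'

# stale_nat_rules RULES PUBLIC_PREFIX ACTIVE_IPS
#   RULES         : text in `iptables -t nat -S` form (one rule per line)
#   PUBLIC_PREFIX : prefix of the public range, e.g. "10.147.30."; rules whose
#                   address is outside it (guest-side SNAT to 10.1.1.1) are ignored
#   ACTIVE_IPS    : space-separated public IPs that should still have NAT
# Prints every -A rule whose public-side address (SNAT --to-source, or the -d
# match of a DNAT rule) lies in the public range but is not in ACTIVE_IPS.
stale_nat_rules() {
    printf '%s\n' "$1" | awk -v prefix="$2" -v active="$3" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^-A / {
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-source")  ip = $(i + 1)
                else if ($i == "-d")    { ip = $(i + 1); sub(/\/32$/, "", ip) }
            }
            if (ip != "" && index(ip, prefix) == 1 && !(ip in keep)) print
        }'
}

# stale_nat_delete_cmds RULES PUBLIC_PREFIX ACTIVE_IPS
# Same selection, rewritten as the iptables commands that would remove the
# rules. They are printed, not executed: review them before running.
stale_nat_delete_cmds() {
    stale_nat_rules "$@" | sed 's/^-A /iptables -t nat -D /'
}

# Usage on the sample: only .112 is still legitimately in use.
stale_nat_rules "$SAMPLE_NAT_RULES" 10.147.30. 10.147.30.112
stale_nat_delete_cmds "$SAMPLE_NAT_RULES" 10.147.30. 10.147.30.112
```

On a live router the first argument would come from `iptables -t nat -S` and the active list from the management server (or the API) rather than being typed by hand; the check reports the two SNAT rules to 10.147.30.113 and 10.147.30.114 and leaves the source NAT rule and the guest-side SNAT alone.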