[ https://issues.apache.org/jira/browse/CLOUDSTACK-9941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
samhith vasikarla updated CLOUDSTACK-9941:
------------------------------------------
Description:
1. Create a network, say N1, with the network offering "Conserve Mode Enabled and all other services with Virtual Router".
2. Create an instance with N1.
3. After successful creation of the instance, navigate to Network and add port forwarding rules.
4. After successful addition of the port forwarding rules, log in to the router and type iptables -t nat -L; we will find the port forwarding rules:
root@r-22-VM:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 10.147.30.184 tcp dpt:ssh to:10.1.1.114:22
DNAT tcp -- anywhere 10.147.30.184 tcp dpt:ssh to:10.1.1.114:22
MARK tcp -- anywhere 10.147.30.184 tcp dpt:ssh MARK set 0x2
CONNMARK tcp -- anywhere 10.147.30.184 tcp dpt:ssh state NEW CONNMARK save
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 10.147.30.184 tcp dpt:ssh to:10.1.1.114:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:10.147.30.184
SNAT tcp -- 10.1.1.0/24 conserve tcp dpt:ssh to:10.1.1.1
5. Reboot the router from outside of the management server.
6. Again type iptables -t nat -L and check whether the rules are persistent.
Observation:
After a reboot from outside of CloudStack, the PF rules are not present in the iptables of the VR.
In the database the PF rules are present:
mysql> select * from port_forwarding_rules\G;
*************************** 1. row ***************************
id: 46
instance_id: 23
dest_ip_address: 10.1.1.114
dest_port_start: 22
dest_port_end: 22
1 row in set (0.00 sec)
*****************************
In forwarding rules.json the rules are present:
{
  "10.147.30.184": [
    {
      "internal_ip": "10.1.1.114",
      "internal_ports": "22:22",
      "protocol": "tcp",
      "public_ip": "10.147.30.184",
      "public_ports": "22:22",
      "type": "forward"
    }
  ],
  "id": "forwardingrules"
}
******************************************************************
But in iptables the rules are not present:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
********************************************************************
In the state above we cannot ssh to the virtual machine:
ssh [email protected]
ssh: connect to host 10.147.30.184 port 22: Connection refused
Note: When the VR is rebooted from CloudStack, all the rules are fetched again.
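As an added check for the state the report describes (example code, not from the report and not CloudStack's own code): a script that flattens the forwardingrules JSON bag shown above into one expected mapping per port, parses the PREROUTING chain of an `iptables -t nat -L` listing, and prints every persisted forward that has no DNAT entry in the kernel. The two listings and the second (range) rule are constructed to mirror the report's output; the `/etc/cloudstack/forwardingrules.json` path in the usage note is an assumption.

```python
"""Drift check: persisted CloudStack VR port-forwarding rules vs. live iptables NAT state.

Added example, not CloudStack's own code. Reports every forward present in
forwardingrules.json but missing from PREROUTING, the failure mode seen after
an out-of-band reboot of the VR.
"""
import json
import re
import sys
from typing import List, Set, Tuple

# (protocol, public_ip, public_port, internal_ip, internal_port)
Rule = Tuple[str, str, int, str, int]

# `iptables -L` without -n prints service names ("dpt:ssh" in the report);
# this small map covers common ones. Prefer `iptables -t nat -L -n` in practice.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy")
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+(?P<dst>\S+)\s+(?:tcp|udp)\s+"
    r"dpts?:(?P<dpt>\S+)\s+to:(?P<to_ip>[\d.]+):(?P<to_ports>[\d-]+)"
)


def port_number(token: str) -> int:
    """Accept a numeric port ('22') or a service name ('ssh')."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def expand_ports(spec: str, sep: str = ":") -> List[int]:
    """'22:22' -> [22]; '8000:8002' -> [8000, 8001, 8002]; '80' -> [80]."""
    lo, _, hi = spec.partition(sep)
    start = port_number(lo)
    end = port_number(hi) if hi else start
    if end < start:
        raise ValueError(f"bad port range {spec!r}")
    return list(range(start, end + 1))


def expected_rules(doc: dict) -> Set[Rule]:
    """Flatten the JSON data bag into one expected DNAT mapping per port."""
    rules: Set[Rule] = set()
    for key, entries in doc.items():
        if key == "id":  # bag tag ("forwardingrules"), not a public IP
            continue
        for e in entries:
            if e.get("type") != "forward":
                continue
            pub, internal = expand_ports(e["public_ports"]), expand_ports(e["internal_ports"])
            if len(pub) != len(internal):
                raise ValueError(f"range length mismatch in {e}")
            for p, i in zip(pub, internal):
                rules.add((e["protocol"], e["public_ip"], p, e["internal_ip"], i))
    return rules


def live_dnat_rules(listing: str) -> Set[Rule]:
    """Extract DNAT rules from the PREROUTING chain of an `iptables -t nat -L` listing."""
    rules: Set[Rule] = set()
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain != "PREROUTING":  # OUTPUT carries a copy for local traffic; ignore it
            continue
        m = DNAT_RE.match(line)
        if not m:
            continue
        pub = expand_ports(m.group("dpt"))                  # "22", "ssh" or "8000:8002"
        internal = expand_ports(m.group("to_ports"), sep="-")  # "22" or "8000-8002"
        if len(pub) != len(internal):
            raise ValueError(f"range length mismatch in {line!r}")
        for p, i in zip(pub, internal):
            rules.add((m.group("proto"), m.group("dst"), p, m.group("to_ip"), i))
    return rules


def missing_rules(doc: dict, listing: str) -> List[Rule]:
    """Persisted rules with no matching DNAT entry in the kernel."""
    return sorted(expected_rules(doc) - live_dnat_rules(listing))


# Constructed sample: the report's data bag plus one extra range rule.
FORWARDING_JSON = {
    "10.147.30.184": [
        {"internal_ip": "10.1.1.114", "internal_ports": "22:22", "protocol": "tcp",
         "public_ip": "10.147.30.184", "public_ports": "22:22", "type": "forward"},
        {"internal_ip": "10.1.1.115", "internal_ports": "8000:8002", "protocol": "tcp",
         "public_ip": "10.147.30.184", "public_ports": "8000:8002", "type": "forward"},
    ],
    "id": "forwardingrules",
}

# Constructed listings modelled on the report's output before and after the reboot.
BEFORE_REBOOT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh to:10.1.1.114:22
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpts:8000:8002 to:10.1.1.115:8000-8002
MARK       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh MARK set 0x2
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.147.30.184        tcp dpt:ssh to:10.1.1.114:22
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:10.147.30.184
"""

AFTER_REBOOT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:  # data bag path given: read the live listing from stdin
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
        listing = sys.stdin.read()
    else:  # no arguments: run against the constructed post-reboot sample
        doc, listing = FORWARDING_JSON, AFTER_REBOOT
    gone = missing_rules(doc, listing)
    for proto, pub_ip, pub_port, int_ip, int_port in gone:
        print(f"MISSING {proto} {pub_ip}:{pub_port} -> {int_ip}:{int_port}")
    sys.exit(1 if gone else 0)
```

On a VR the check would be run as `iptables -t nat -L -n | python3 pf_drift.py /etc/cloudstack/forwardingrules.json` (path assumed); a non-zero exit means the persisted configuration and the kernel state have drifted apart, which is the condition worth alerting on rather than waiting for the "Connection refused" the report shows.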
> Port forwarding rules are not persistent when we reboot VR from outside Cloudstack
> -----------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9941
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9941
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Affects Versions: 4.10.0.0
> Reporter: samhith vasikarla
> Fix For: 4.10.0.0
>
> Attachments: log.txt
>
>
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)