[
https://issues.apache.org/jira/browse/CLOUDSTACK-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16049102#comment-16049102
]
Jayapal Reddy commented on CLOUDSTACK-9934:
-------------------------------------------
root@r-138-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 0e:00:a9:fe:02:b3 brd ff:ff:ff:ff:ff:ff
inet 169.254.2.179/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 1e:00:b5:00:00:14 brd ff:ff:ff:ff:ff:ff
inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 02:00:0d:61:00:08 brd ff:ff:ff:ff:ff:ff
inet 10.1.2.1/24 brd 10.1.2.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 02:00:50:fe:00:10 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.1.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 1e:00:21:00:00:34 brd ff:ff:ff:ff:ff:ff
inet 10.147.52.101/24 brd 10.147.52.255 scope global eth4
root@r-138-QA:~# iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 303 packets, 16393 bytes)
pkts bytes target prot opt in out source destination
2 168 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED CONNMARK restore
0 0 CONNMARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED CONNMARK restore
0 0 ACL_OUTBOUND_eth2 all -- eth2 * 10.1.2.0/24
!10.1.2.1 state NEW
0 0 CONNMARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0
state NEW CONNMARK set 0x1
0 0 CONNMARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0
state NEW CONNMARK set 0x4
3 213 MARK all -- * * 10.1.1.68 0.0.0.0/0
state NEW MARK set 0x4
3 213 CONNMARK all -- * * 10.1.1.68 0.0.0.0/0
state NEW CONNMARK save
1 84 ACL_OUTBOUND_eth3 all -- eth3 * 10.1.1.0/24
!10.1.1.1 state NEW
Chain INPUT (policy ACCEPT 298 packets, 15973 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 10.2.0.0/16 10.1.0.0/16
MARK set 0x524
Chain FORWARD (policy ACCEPT 6 packets, 504 bytes)
pkts bytes target prot opt in out source destination
6 504 VPN_STATS_eth4 all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 MARK all -- * * 10.2.0.0/16 10.1.0.0/16
MARK set 0x524
0 0 MARK all -- * * 10.1.0.0/16 10.2.0.0/16
MARK set 0x525
6 504 VPN_STATS_eth1 all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 295 packets, 36038 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:68 CHECKSUM fill
0 0 MARK all -- * * 10.1.0.0/16 10.2.0.0/16
MARK set 0x525
Chain POSTROUTING (policy ACCEPT 301 packets, 36542 bytes)
pkts bytes target prot opt in out source destination
0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:68 CHECKSUM fill
Chain ACL_OUTBOUND_eth2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACL_OUTBOUND_eth3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
1 84 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VPN_STATS_eth1 (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * eth1 0.0.0.0/0 0.0.0.0/0
mark match 0x525
0 0 all -- eth1 * 0.0.0.0/0 0.0.0.0/0
mark match 0x524
Chain VPN_STATS_eth4 (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * eth4 0.0.0.0/0 0.0.0.0/0
mark match 0x525
0 0 all -- eth4 * 0.0.0.0/0 0.0.0.0/0
mark match 0x524
root@r-138-QA:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 26 packets, 1875 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- eth0 * 0.0.0.0/0
10.147.52.101 to:10.1.1.68
0 0 DNAT all -- * * 0.0.0.0/0
10.147.52.101 to:10.1.1.68
Chain INPUT (policy ACCEPT 22 packets, 1539 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0
10.147.52.101 to:10.1.1.68
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth0 10.1.1.0/24 10.1.1.68
to:10.1.2.1
4 336 SNAT all -- * eth4 10.1.1.68 0.0.0.0/0
to:10.147.52.101
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
mark match 0x525
0 0 SNAT all -- * eth3 10.1.1.0/24 0.0.0.0/0
to:10.1.1.1
0 0 SNAT all -- * eth2 10.1.2.0/24 0.0.0.0/0
to:10.1.2.1
9 1986 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0
to:10.147.46.108
0 0 SNAT all -- * eth4 0.0.0.0/0 0.0.0.0/0
to:10.147.52.101
root@r-138-QA:~#
> Traffic is not routed correctly on additional public interface from static nat
> enabled vm
> ----------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9934
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9934
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Devices
> Reporter: Jayapal Reddy
> Fix For: 4.10.0.0
>
>
> 1. Configure static nat on additional public subnet ip in VPC.
> 2. Now ping google.com from the static nat enabled vm.
> 3. The traffic is supposed to leave via the additional public IP interface
> (the static NAT-enabled IP).
> Bug: The traffic leaves via the default source NAT interface (eth1).
> Reason:
> In the iptables mangle table, the ACL_OUTBOUND_ethX chain accepts the traffic
> before the packet reaches the CONNMARK rule.
> Please see the logs below.
> {noformat}
> root@r-135-QA:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
> inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
> inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
> inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
> inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
> 8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
> inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t mangle -L -nv
> Chain PREROUTING (policy ACCEPT 328 packets, 19964 bytes)
> pkts bytes target prot opt in out source
> destination
> 77 6453 CONNMARK all -- eth4 * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED CONNMARK restore
> 7 541 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0
> state RELATED,ESTABLISHED CONNMARK restore
> 2 144 ACL_OUTBOUND_eth3 all -- eth3 * 10.1.2.0/24
> !10.1.2.1 state NEW
> 0 0 CONNMARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> state NEW CONNMARK set 0x1
> 34 2832 ACL_OUTBOUND_eth4 all -- eth4 * 10.1.1.0/24
> !10.1.1.1 state NEW
> 12 801 CONNMARK all -- * * 10.1.1.68 0.0.0.0/0
> state NEW CONNMARK save
> 0 0 CONNMARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0
> state NEW CONNMARK set 0x2
> 2 129 MARK all -- * * 10.1.2.128 0.0.0.0/0
> state NEW MARK set 0x2
> 2 129 CONNMARK all -- * * 10.1.2.128 0.0.0.0/0
> state NEW CONNMARK save
> Chain INPUT (policy ACCEPT 325 packets, 19712 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain FORWARD (policy ACCEPT 4 packets, 336 bytes)
> pkts bytes target prot opt in out source
> destination
> 4 336 VPN_STATS_eth2 all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 209 17520 VPN_STATS_eth1 all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain OUTPUT (policy ACCEPT 291 packets, 35814 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:68 CHECKSUM fill
> Chain POSTROUTING (policy ACCEPT 295 packets, 36150 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 CHECKSUM udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:68 CHECKSUM fill
> Chain ACL_OUTBOUND_eth3 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 2 144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain ACL_OUTBOUND_eth4 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 33 2748 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain ACL_OUTBOUND_eth5 (0 references)
> pkts bytes target prot opt in out source
> destination
> Chain VPN_STATS_eth1 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 all -- * eth1 0.0.0.0/0 0.0.0.0/0
> mark match 0x525
> 0 0 all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> mark match 0x524
> Chain VPN_STATS_eth2 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 all -- * eth2 0.0.0.0/0 0.0.0.0/0
> mark match 0x525
> 0 0 all -- eth2 * 0.0.0.0/0 0.0.0.0/0
> mark match 0x524
> root@r-135-QA:~#
> root@r-135-QA:~# tcpdump -i eth1 -nq
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 06:19:44.981751 IP 10.147.46.108 > 216.58.203.142: ICMP echo request, id
> 23906, seq 3, length 64
> 06:19:45.000805 IP 216.58.203.142 > 10.147.46.108: ICMP echo reply, id 23906,
> seq 3, length 64
> 06:19:46.312487 STP 802.1d, Config, Flags [none], bridge-id
> 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:48.316566 STP 802.1d, Config, Flags [none], bridge-id
> 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:49.103007 ARP, Request who-has 10.147.46.108 (1e:00:f9:00:00:14) tell
> 0.0.0.0, length 46
> 06:19:49.103025 ARP, Reply 10.147.46.108 is-at 1e:00:f9:00:00:14, length 28
> 06:19:50.159695 ARP, Request who-has 10.147.46.1 tell 10.147.46.104, length 28
> 06:19:50.315802 STP 802.1d, Config, Flags [none], bridge-id
> 802e.f0:b2:e5:81:12:00.8027, length 42
> 06:19:52.316119 STP 802.1d, Config, Flags [none], bridge-id
> 802e.f0:b2:e5:81:12:00.8027, length 42
> ^C
> 9 packets captured
> 9 packets received by filter
> 0 packets dropped by kernel
> root@r-135-QA:~#
> root@r-135-QA:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 10 packets, 714 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DNAT all -- eth0 * 0.0.0.0/0
> 10.147.52.101 to:10.1.2.128
> 0 0 DNAT all -- * * 0.0.0.0/0
> 10.147.52.101 to:10.1.2.128
> Chain INPUT (policy ACCEPT 8 packets, 546 bytes)
> pkts bytes target prot opt in out source
> destination
> Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DNAT all -- * * 0.0.0.0/0
> 10.147.52.101 to:10.1.2.128
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 SNAT all -- * eth0 10.1.2.0/24
> 10.1.2.128 to:10.147.44.100
> 0 0 SNAT all -- * eth2 10.1.2.128 0.0.0.0/0
> to:10.147.52.101
> 0 0 SNAT all -- * eth4 10.1.1.0/24 0.0.0.0/0
> to:10.1.1.1
> 0 0 SNAT all -- * eth3 10.1.2.0/24 0.0.0.0/0
> to:10.1.2.1
> 26 1841 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0
> to:10.147.46.108
> 0 0 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0
> to:10.147.52.101
> root@r-135-QA:~#
> {noformat}