Jayapal Reddy created CLOUDSTACK-9968:
-----------------------------------------
Summary: VR iptables rules are not properly processed due to this
rule config is failing.
Key: CLOUDSTACK-9968
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9968
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Affects Versions: 4.9.0
Reporter: Jayapal Reddy
Fix For: 4.10.0.0
In CsNetfilter.py, the to_str method is inefficient; it can't handle the CONNMARK
target's iptables rule options. It receives a dictionary which contains an iptables
value (hex) as a key.
1. The iptables mangle rule as shown when iptables-save is run:
-A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK --save-mark
--nfmask 0xffffffff --ctmask 0xffffffff
2. The to_str method received the following dictionary, in which there is only
one 0xffffffff and it is a key.
2017-06-20 08:40:37,682 CsNetfilter.py to_str:287 Before to_str rule: :
{u'--save-mark': u'--nfmask', u'-A': u'PREROUTING', u'-s': u'10.1.1.68/32',
u'-j': u'CONNMARK', u'0xffffffff': u'--ctmask', u'--state': u'NEW', u'-m2':
u'state'}
3. Based on the above, the incorrect rule below is framed.
2017-06-20 08:40:37,682 CsNetfilter.py to_str:303 After str rule: : -D
PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
4. Rule execution fails because of the missing options.
2017-06-20 08:40:37,682 CsNetfilter.py get_unseen:129 unseen cmd: iptables -t
mangle -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
2017-06-20 08:40:37,688 CsHelper.py execute:188 Executed: iptables -t mangle
-D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK - exitstatus=2
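The following is an added example, not CloudStack's code and not part of the report. It shows how pairing rule tokens into a dictionary collapses the CONNMARK options into the shape logged above, next to an order-preserving parse that rebuilds the full delete command. The function names, the pairing model and the table default are assumptions, and the -m2 key seen in the log is not modelled.

```python
import shlex

# Constructed from the iptables-save line quoted in the report.
RULE = ("-A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK "
        "--save-mark --nfmask 0xffffffff --ctmask 0xffffffff")


def pairwise_dict(rule):
    """Assumed model of the failure: pair tokens two at a time into a dict."""
    bits = shlex.split(rule)
    # --save-mark takes no argument, so every later pair is shifted by one:
    # values become keys and the trailing 0xffffffff is dropped by zip().
    return dict(zip(bits[0::2], bits[1::2]))


def parse_ordered(rule):
    """Return [(negated, option, [args])], keeping order and repeated values."""
    parsed, negate = [], False
    for tok in shlex.split(rule):
        if tok == "!":                    # iptables-save prints "!" before the option
            negate = True
        elif tok.startswith("-"):         # an option, which may take zero arguments
            parsed.append((negate, tok, []))
            negate = False
        elif parsed:
            parsed[-1][2].append(tok)     # argument of the most recent option
        else:
            raise ValueError("rule must start with an option: %r" % tok)
    return parsed


def to_argv(parsed, action="-A", table="mangle"):
    """Rebuild an argv list (no shell needed), swapping a leading -A for action."""
    argv = ["iptables", "-t", table]
    for i, (negate, opt, args) in enumerate(parsed):
        if negate:
            argv.append("!")
        argv.append(action if i == 0 and opt == "-A" else opt)
        argv.extend(args)
    return argv


if __name__ == "__main__":
    print(pairwise_dict(RULE))
    print(" ".join(to_argv(parse_ordered(RULE), action="-D")))
```

The parse assumes option arguments never begin with "-", which holds for the rule in this report.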