[
https://issues.apache.org/jira/browse/CLOUDSTACK-9946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rajani Karuturi updated CLOUDSTACK-9946:
----------------------------------------
Fix Version/s: (was: 4.10.0.0)
4.10.1.0
> When multiple PF rules are deleted, the 1st PF rule added is still retained
> in forwardingrules.json file in VPC VR.
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-9946
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9946
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.10.0.0
> Reporter: DeepthiMachiraju
> Labels: PVR
> Fix For: 4.10.1.0
>
> Attachments: MS_log_deletion_pf_rules.txt
>
>
> - Create a VPC, and deploy a VM in the Tier.
> - Navigate to Public IP address in the VPC and acquire an IP.
> - Create multiple PF rules as below. Was able to successfully ssh and access
> HTTP to the VM.
> - Now delete all the rules configured.
> Observation:
> - All the rules are cleaned up in the UI & DB. But the 1st rule added is
> still retained in the iptables and forwardingrules.json file.
> - and user is still able to access the rule.
> Logs when rules are added:
> acquired ip and assigned 5 pf rules:
> root@r-53-VM:/etc/cloudstack# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 0e:00:a9:fe:02:c3 brd ff:ff:ff:ff:ff:ff
> inet 169.254.2.195/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 06:3d:52:00:00:0d brd ff:ff:ff:ff:ff:ff
> inet 10.147.30.112/24 brd 10.147.30.255 scope global eth1
> inet 10.147.30.113/24 brd 10.147.30.255 scope global secondary eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:4b:3f:00:14 brd ff:ff:ff:ff:ff:ff
> inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:67:bb:00:04 brd ff:ff:ff:ff:ff:ff
> inet 172.16.2.1/24 brd 172.16.2.255 scope global eth3
> ********************************
> root@r-53-VM:/etc/cloudstack# cat forwardingrules.json
> {
> "10.147.30.113": [
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "10:10",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "10:10",
> "type": "forward"
> },
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "20:20",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "20:20",
> "type": "forward"
> },
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "30:30",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "30:30",
> "type": "forward"
> },
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "22:22",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "22:22",
> "type": "forward"
> },
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "80:80",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "80:80",
> "type": "forward"
> }
> ],
> "id": "forwardingrules"
> ********************************
> root@r-53-VM:/etc/cloudstack# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> DNAT tcp -- anywhere 10.147.30.113 tcp
> dpt:ftp-data to:172.16.2.10:20
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:30
> to:172.16.2.10:30
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:ssh
> to:172.16.2.10:22
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:http
> to:172.16.2.10:80
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> DNAT tcp -- anywhere 10.147.30.113 tcp
> dpt:ftp-data to:172.16.2.10:20
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:30
> to:172.16.2.10:30
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:ssh
> to:172.16.2.10:22
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:http
> to:172.16.2.10:80
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- 172.16.2.0/24 anywhere to:172.16.2.1
> SNAT all -- 172.16.1.0/24 anywhere to:172.16.1.1
> SNAT all -- anywhere anywhere to:10.147.30.112
> SNAT all -- anywhere anywhere to:10.147.30.113
> SNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> SNAT tcp -- anywhere 10.147.30.113 tcp
> dpt:ftp-data to:172.16.2.10:20
> SNAT tcp -- anywhere 10.147.30.113 tcp dpt:30
> to:172.16.2.10:30
> SNAT tcp -- anywhere 10.147.30.113 tcp dpt:ssh
> to:172.16.2.10:22
> SNAT tcp -- anywhere 10.147.30.113 tcp dpt:http
> to:172.16.2.10:80
> ********************************
> mysql> select * from port_forwarding_rules;
> +-----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +-----+-------------+-----------------+-----------------+---------------+
> | 113 | 24 | 172.16.2.10 | 10 | 10 |
> | 114 | 24 | 172.16.2.10 | 20 | 20 |
> | 115 | 24 | 172.16.2.10 | 30 | 30 |
> | 116 | 24 | 172.16.2.10 | 22 | 22 |
> | 117 | 24 | 172.16.2.10 | 80 | 80 |
> +-----+-------------+-----------------+-----------------+---------------+
> 5 rows in set (0.00 sec)
> ********************************
> ================== Logs post deleting the pf rules ========================
> root@r-53-VM:/etc/cloudstack# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 0e:00:a9:fe:02:c3 brd ff:ff:ff:ff:ff:ff
> inet 169.254.2.195/16 brd 169.254.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 06:3d:52:00:00:0d brd ff:ff:ff:ff:ff:ff
> inet 10.147.30.112/24 brd 10.147.30.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:4b:3f:00:14 brd ff:ff:ff:ff:ff:ff
> inet 172.16.1.1/24 brd 172.16.1.255 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
> qlen 1000
> link/ether 02:00:67:bb:00:04 brd ff:ff:ff:ff:ff:ff
> inet 172.16.2.1/24 brd 172.16.2.255 scope global eth3
> root@r-53-VM:/etc/cloudstack#
> ********************************
> root@r-53-VM:/etc/cloudstack# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- 172.16.2.0/24 anywhere to:172.16.2.1
> SNAT all -- 172.16.1.0/24 anywhere to:172.16.1.1
> SNAT all -- anywhere anywhere to:10.147.30.112
> SNAT tcp -- anywhere 10.147.30.113 tcp dpt:10
> to:172.16.2.10:10
> root@r-53-VM:/etc/cloudstack#
> ********************************
> root@r-53-VM:/etc/cloudstack#
> root@r-53-VM:/etc/cloudstack# cat forwardingrules.json
> {
> "10.147.30.113": [
> {
> "internal_ip": "172.16.2.10",
> "internal_ports": "10:10",
> "protocol": "tcp",
> "public_ip": "10.147.30.113",
> "public_ports": "10:10",
> "type": "forward"
> }
> ],
> "id": "forwardingrules"
> }root@r-53-VM:/etc/cloudstack#
> Attached MS.log
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
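As an added example that is not part of the original report or of CloudStack itself, the check below does in code what the report does by hand: it parses forwardingrules.json and the `iptables -t nat -L` output from the VR and reports rules that remain on the router after the management DB no longer lists them (and, conversely, DB rules the router lacks). The sample inputs are constructed from the values quoted above; the service-name map is an assumption that covers only the names seen in this output.

```python
# Added example (not CloudStack's own code): reconcile the DB's expected rule set
# with the two VR views of it, forwardingrules.json and `iptables -t nat -L`.
import json
import re
# Constructed sample: forwardingrules.json after all five rules were deleted,
# mirroring the report (only the first rule, port 10, survives).
VR_JSON_AFTER_DELETE = """{
  "10.147.30.113": [
    {"internal_ip": "172.16.2.10", "internal_ports": "10:10", "protocol": "tcp",
     "public_ip": "10.147.30.113", "public_ports": "10:10", "type": "forward"}
  ],
  "id": "forwardingrules"
}"""
# Constructed sample: PREROUTING chain as `iptables -t nat -L` prints it
# (port names are resolved through /etc/services, so "ssh" means 22).
VR_NAT_AFTER_DELETE = """Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.147.30.113        tcp dpt:10 to:172.16.2.10:10
Chain INPUT (policy ACCEPT)
"""
SERVICE_PORTS = {"ftp-data": 20, "ssh": 22, "http": 80}  # assumption: names seen in the report
DNAT_RE = re.compile(r"^DNAT\s+(\w+)\s+--\s+\S+\s+(\S+)\s+\w+\s+dpt:(\S+)\s+to:([\d.]+):(\d+)")

def json_rules(text):
    """Rules in forwardingrules.json as (public_ip, proto, public_port, dest_ip, dest_port)."""
    doc = json.loads(text)
    rules = set()
    for public_ip, entries in doc.items():
        if public_ip == "id":          # the document's own identifier, not a public IP
            continue
        for e in entries:
            rules.add((public_ip, e["protocol"], int(e["public_ports"].split(":")[0]),
                       e["internal_ip"], int(e["internal_ports"].split(":")[0])))
    return rules

def nat_rules(text):
    """DNAT rules in `iptables -t nat -L` output, same tuple shape as json_rules()."""
    rules = set()
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            proto, pub_ip, dport, dst_ip, dst_port = m.groups()
            port = int(dport) if dport.isdigit() else SERVICE_PORTS[dport]
            rules.add((pub_ip, proto, port, dst_ip, int(dst_port)))
    return rules

def reconcile(expected, json_text, nat_text):
    """Return (stale, missing): VR rules absent from the DB, and DB rules absent on the VR."""
    on_vr = json_rules(json_text) | nat_rules(nat_text)
    return on_vr - set(expected), set(expected) - on_vr
```

With an empty expected set (the DB after deleting every rule) the stale set contains exactly the port-10 rule the report shows surviving; any non-empty stale set is the condition to alert on.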