Rohit Yadav commented on CLOUDSTACK-8945:

Disabling rp_filter would mean no source validation will be done on incoming 
packets on an interface, i.e. packets won't be dropped. This is used for all 
sorts of domR (VPC VRs, rVRs, normal VRs). On normal VRs, eth0 and eth1 are 
link-local and guest network NICs, however eth2 is the public network NIC. For 
VPC/redundant VPC VRs, eth0 is link-local, eth1 is public, eth2 is guest network 
-- based on actual env tests on KVM, VMware, XenServer.

> rp_filter=1 not set on VPC private gateway initially, but is set after 
> restart of VPC router
> --------------------------------------------------------------------------------------------
>                 Key: CLOUDSTACK-8945
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8945
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.4.4
>            Reporter: Anton Opgenoort
>            Assignee: Rohit Yadav
> (on ACS4.4.4 with XenServer as hypervisor)
> Steps to reproduce:
> -create VPC router
> -Create private gateway on VPC router
> -now log on to the rVM via the hypervisor's link-local address
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 0
> Restart the rVM via CloudStack (NOT restart VPC but restart the underlying 
> router via CloudStack)
> -log on again:
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 1
> The issue thus is that on initial creation it is not set, where it should be 
> set immediately.
> Note: when adding a regular network tier to the VPC config, that new 
> interface IS configured with rp_filter=1. So it is limited to the private 
> gateway NIC. 

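The per-interface `sysctl` check in the report, generalized to every NIC on a router, as an added example that is not part of the JIRA thread or of CloudStack's own code. It assumes the documented Linux behaviour that the kernel applies the higher of `conf/all/rp_filter` and `conf/<iface>/rp_filter`; the function names and the optional directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: list interfaces with no effective reverse-path filtering.
# Assumption (Linux ip-sysctl documentation): source validation on an
# interface uses max(conf/all/rp_filter, conf/<iface>/rp_filter), so an
# interface reading 0 is only unfiltered when "all" is 0 as well.

# effective_rp_filter CONF_DIR IFACE -> prints the value the kernel applies
effective_rp_filter() {
    conf_dir=$1
    iface=$2
    # A missing or unreadable entry is treated as 0 (no filtering).
    all=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$conf_dir/$iface/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# unfiltered_ifaces [CONF_DIR] -> prints one interface name per line
# CONF_DIR defaults to the live kernel tree; pass a copy to audit offline.
unfiltered_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for d in "$conf_dir"/*; do
        [ -f "$d/rp_filter" ] || continue
        iface=$(basename "$d")
        # "all" and "default" are templates, "lo" is not a routed NIC.
        case $iface in
            all|default|lo) continue ;;
        esac
        if [ "$(effective_rp_filter "$conf_dir" "$iface")" -eq 0 ]; then
            echo "$iface"
        fi
    done
    return 0
}

# Run against the live system (or a directory given as first argument).
unfiltered_ifaces "$@"
```

Running this right after a private gateway is created and again after a router restart shows whether the new NIC came up without filtering, which is the difference the report observed on eth2.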