[ https://issues.apache.org/jira/browse/CLOUDSTACK-10379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16495145#comment-16495145 ]
Sean Lair commented on CLOUDSTACK-10379: ---------------------------------------- [~weizhou] I just found out we have moved Issues to GitHub and away from JIRA. Here is the link to the Issue, i'll be closing this i JIRA. [https://github.com/apache/cloudstack/issues/2680] Maybe you misunderstood my comments and the problem? The problem with how the below SNAT is created: pkts bytes target prot opt in out source destination 0 0 SNAT all -- any eth3 10.101.141.0/30 anywhere to:10.101.141.2 See how the SOURCE is 10.101.141.0/30? Since the VM's actual IP is in the 10.0.0.0/24 subnet, the VMs traffic across the Private Gateway connection, it doesn't match that SNAT entry - thus the SNAT does not happen. My code suggestion is to make the SOURCE of the SNAT entry ANYWHERE, thus, when a VM in the 10.0.0.0/24 subnet talks across the private gateway, it matches the SNAT rule and gets NAT'd to 10.101.141.2 as it should. If we used the self.get_vpccidr() as you showed, the SOURCE in the SNAT rule would still say 10.101.141.0/30, and thus not match any traffic and not work. The default route looks good, private gateway functionality works with static routes. That is the 192.168.10.0/24 static route pointing across the the private gateway connection - which looks good. Hopefully that makes more sense. Thanks! > Using Source NAT option on Private Gateway does not work > -------------------------------------------------------- > > Key: CLOUDSTACK-10379 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10379 > Project: CloudStack > Issue Type: Improvement > Security Level: Public(Anyone can view this level - this is the > default.) > Components: VPC > Affects Versions: 4.9.0, 4.10.0.0 > Environment: KVM > Reporter: Sean Lair > Priority: Minor > Labels: patch > Original Estimate: 24h > Remaining Estimate: 24h > > There is a bug in the Private Gateway functionality, when Source NAT is > enabled for the Private Gateway. When the SNAT is added to iptables, it has > the source CIDR of the private gateway subnet. Since no VMs live in that > private gateway subnet, the SNAT doesn’t work. Below is an example: > > * VMs have IP addresses in the 10.0.0.0/24 subnet. > * The Private Gateway address is 10.101.141.2/30 > > See the outputs below, see how the SOURCE field for the new SNAT (eth3) only > matches if the source is 10.101.141.0/30? Since the VM has an IP address in > 10.0.0.0/24, the VMs don’t get SNAT’d as they should when talking across the > private gateway. The SOURCE should be set to ANYWHERE. > > BEFORE ADDING PRIVATE GATEWAY > ----------------------------------------------- > {code:java} > Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes) > pkts bytes target prot opt in out source destination > 2 736 SNAT all -- any eth2 10.0.0.0/24 anywhere > to:10.0.0.1 > 16 1039 SNAT all -- any eth1 anywhere anywhere > to:46.99.52.18{code} > > AFTER ADDING PRIVATE GATEWAY W/ SNAT > ----------------------------------------------- > {code:java} > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 0 0 SNAT all -- any eth3 10.101.141.0/30 anywhere > to:10.101.141.2 > 2 736 SNAT all -- any eth2 10.0.0.0/24 anywhere > to:10.0.0.1 > 23 1515 SNAT all -- any eth1 anywhere anywhere > to:46.99.52.18 > {code} > > It looks like CsAddress.py treats the creation of the Private Gateway SNAT > as if it is a GUEST network, which works fine, except for the SNAT problem > shown above. Here is the code from MASTER (line 479 is SNAT rule): > > {code:java} > if self.get_type() in ["guest"]: > ... > ... > self.fw.append(["nat", "front", > "-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" % > (guestNetworkCidr, self.dev, self.address['public_ip'])]) > {code} > > I am thinking we just change that to the following. I can’t think of any > reason we need the source/guest CIDR specified: > > {code:java} > if self.get_type() in ["guest"]: > ... > ... > self.fw.append(["nat", "front", > "-A POSTROUTING -o %s -j SNAT --to-source %s" % > (self.dev, self.address['public_ip'])]) > {code} > > THE NAT TABLE IF THE ABOVE CODE CHANGE IS MADE > ----------------------------------------------- > {code:java} > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source destination > 0 0 SNAT all -- any eth3 anywhere anywhere > to:10.101.141.2 > 2 736 SNAT all -- any eth2 anywhere anywhere > to:10.0.0.1 > 23 1515 SNAT all -- any eth1 anywhere anywhere > to:46.99.52.18 > {code} > -- This message was sent by Atlassian JIRA (v7.6.3#76005)