[jira] [Updated] (CLOUDSTACK-9968) VR iptables rules are not properly processed due to this rule config is failing.

2017-07-06 Thread Rajani Karuturi (JIRA)

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Rajani Karuturi updated CLOUDSTACK-9968:

Fix Version/s: (was: 4.10.0.0)
   4.10.1.0

> VR iptables rules are not properly processed due to this rule config is 
> failing.
> 
>
> Key: CLOUDSTACK-9968
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9968
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.9.0
>Reporter: Jayapal Reddy
> Fix For: 4.10.1.0
>
>
> 1. enable and disable the static nat you will observe the below issue.
> In CsNetfilter.py to_str method is inefficient, it can't handle CONNMARK 
> target  iptables rules option. It receives a dictionary which contains 
> iptables value (hex) as key.
> 1. iptables mangle rule when iptables-save is run.
> -A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK --save-mark 
> --nfmask 0x --ctmask 0x
> 2. To_str method received the following dictionary in which only one 
> 0x and it is a key.
> 2017-06-20 08:40:37,682  CsNetfilter.py to_str:287 Before to_str rule: : 
> {u'--save-mark': u'--nfmask', u'-A': u'PREROUTING', u'-s': u'10.1.1.68/32', 
> u'-j': u'CONNMARK', u'0x': u'--ctmask', u'--state': u'NEW', u'-m2': 
> u'state'}
> 3. Based on the above the below incorrect rule is framed.
> 2017-06-20 08:40:37,682  CsNetfilter.py to_str:303 After str rule: : -D 
> PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
> 4. Rule execution fails because of the missing options.
> 2017-06-20 08:40:37,682  CsNetfilter.py get_unseen:129 unseen cmd:  iptables 
> -t mangle -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
> 2017-06-20 08:40:37,688  CsHelper.py execute:188 Executed: iptables -t mangle 
> -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK -* 
> exitstatus=2*



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
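
The failure described in the report, as an added example that is not CloudStack's CsNetfilter.py or the reporter's code: pairing rule tokens two by two reproduces the logged dictionary, and a serializer that emits only known keys then drops the CONNMARK options. The names pairwise_dict, rebuild_from_dict, delete_argv, dropped_tokens and KNOWN_ORDER are hypothetical; the mask values are kept as the bare "0x" shown on the page.

```python
import shlex

# Constructed sample: the iptables-save line quoted in the report. The mask
# values appear only as "0x" on the page and are kept that way here.
SAVED = ("-A PREROUTING -s 10.1.1.68/32 -m state --state NEW "
         "-j CONNMARK --save-mark --nfmask 0x --ctmask 0x")

# Hypothetical fixed emission order for the dict-based rebuild (assumption).
KNOWN_ORDER = ["-s", "-d", "-p", "-m", "--state", "-j"]


def pairwise_dict(rule):
    """Pair tokens two by two, as the logged dictionary suggests was done."""
    tokens = shlex.split(rule)
    return dict(zip(tokens[0::2], tokens[1::2]))


def rebuild_from_dict(parsed, action="-D"):
    """Re-emit only the options the serializer knows about."""
    parts = [action, parsed["-A"]]
    for key in KNOWN_ORDER:
        if key in parsed:
            parts += [key, parsed[key]]
    return " ".join(parts)


def delete_argv(rule, table):
    """Token-preserving alternative: swap -A for -D, keep everything else."""
    tokens = shlex.split(rule)
    if len(tokens) < 2 or tokens[0] != "-A":
        raise ValueError("expected an '-A <chain> ...' line from iptables-save")
    return ["iptables", "-t", table, "-D"] + tokens[1:]


def dropped_tokens(rule, rebuilt):
    """Round-trip check: tokens of the saved rule missing from the rebuilt one."""
    remaining = shlex.split(rebuilt)[2:]  # skip action and chain
    missing = []
    for tok in shlex.split(rule)[2:]:
        if tok in remaining:
            remaining.remove(tok)
        else:
            missing.append(tok)
    return missing


if __name__ == "__main__":
    broken = rebuild_from_dict(pairwise_dict(SAVED))
    print(broken, "| dropped:", dropped_tokens(SAVED, broken))
    print(delete_argv(SAVED, "mangle"))
```

Running dropped_tokens on every rebuilt rule before it is executed turns a silent mismatch between the saved rule and the delete command into an explicit error.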


[jira] [Updated] (CLOUDSTACK-9968) VR iptables rules are not properly processed due to this rule config is failing.

2017-06-20 Thread Jayapal Reddy (JIRA)

 [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-9968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jayapal Reddy updated CLOUDSTACK-9968:
--
Description: 
1. enable and disable the static nat you will observe the below issue.
In CsNetfilter.py to_str method is inefficient, it can't handle CONNMARK target 
 iptables rules option. It receives a dictionary which contains iptables value 
(hex) as key.

1. iptables mangle rule when iptables-save is run.
-A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK --save-mark 
--nfmask 0x --ctmask 0x

2. To_str method received the following dictionary in which only one 0x 
and it is a key.
2017-06-20 08:40:37,682  CsNetfilter.py to_str:287 Before to_str rule: : 
{u'--save-mark': u'--nfmask', u'-A': u'PREROUTING', u'-s': u'10.1.1.68/32', 
u'-j': u'CONNMARK', u'0x': u'--ctmask', u'--state': u'NEW', u'-m2': 
u'state'}

3. Based on the above the below incorrect rule is framed.
2017-06-20 08:40:37,682  CsNetfilter.py to_str:303 After str rule: : -D 
PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK

4. Rule execution fails because of the missing options.
2017-06-20 08:40:37,682  CsNetfilter.py get_unseen:129 unseen cmd:  iptables -t 
mangle -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
2017-06-20 08:40:37,688  CsHelper.py execute:188 Executed: iptables -t mangle 
-D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK -* exitstatus=2*

  was:
In CsNetfilter.py to_str method is inefficient, it can't handle CONNMARK target 
 iptables rules option. It receives a dictionary which contains iptables value 
(hex) as key.

1. iptables mangle rule when iptables-save is run.
-A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK --save-mark 
--nfmask 0x --ctmask 0x

2. To_str method received the following dictionary in which only one 0x 
and it is a key.
2017-06-20 08:40:37,682  CsNetfilter.py to_str:287 Before to_str rule: : 
{u'--save-mark': u'--nfmask', u'-A': u'PREROUTING', u'-s': u'10.1.1.68/32', 
u'-j': u'CONNMARK', u'0x': u'--ctmask', u'--state': u'NEW', u'-m2': 
u'state'}

3. Based on the above the below incorrect rule is framed.
2017-06-20 08:40:37,682  CsNetfilter.py to_str:303 After str rule: : -D 
PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK

4. Rule execution fails because of the missing options.
2017-06-20 08:40:37,682  CsNetfilter.py get_unseen:129 unseen cmd:  iptables -t 
mangle -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
2017-06-20 08:40:37,688  CsHelper.py execute:188 Executed: iptables -t mangle 
-D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK -* exitstatus=2*


> VR iptables rules are not properly processed due to this rule config is 
> failing.
> 
>
> Key: CLOUDSTACK-9968
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9968
> Project: CloudStack
>  Issue Type: Bug
>  Security Level: Public(Anyone can view this level - this is the 
> default.) 
>Affects Versions: 4.9.0
>Reporter: Jayapal Reddy
> Fix For: 4.10.0.0
>
>
> 1. enable and disable the static nat you will observe the below issue.
> In CsNetfilter.py to_str method is inefficient, it can't handle CONNMARK 
> target  iptables rules option. It receives a dictionary which contains 
> iptables value (hex) as key.
> 1. iptables mangle rule when iptables-save is run.
> -A PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK --save-mark 
> --nfmask 0x --ctmask 0x
> 2. To_str method received the following dictionary in which only one 
> 0x and it is a key.
> 2017-06-20 08:40:37,682  CsNetfilter.py to_str:287 Before to_str rule: : 
> {u'--save-mark': u'--nfmask', u'-A': u'PREROUTING', u'-s': u'10.1.1.68/32', 
> u'-j': u'CONNMARK', u'0x': u'--ctmask', u'--state': u'NEW', u'-m2': 
> u'state'}
> 3. Based on the above the below incorrect rule is framed.
> 2017-06-20 08:40:37,682  CsNetfilter.py to_str:303 After str rule: : -D 
> PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
> 4. Rule execution fails because of the missing options.
> 2017-06-20 08:40:37,682  CsNetfilter.py get_unseen:129 unseen cmd:  iptables 
> -t mangle -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK
> 2017-06-20 08:40:37,688  CsHelper.py execute:188 Executed: iptables -t mangle 
> -D PREROUTING -s 10.1.1.68/32 -m state --state NEW -j CONNMARK -* 
> exitstatus=2*


