[ https://issues.apache.org/jira/browse/CLOUDSTACK-9930?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajani Karuturi updated CLOUDSTACK-9930:
----------------------------------------
    Fix Version/s:     (was: 4.10.0.0)
                   4.10.1.0

> SNAT rule is incorrectly added on for PF rule
> ---------------------------------------------
>
>                 Key: CLOUDSTACK-9930
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9930
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>            Reporter: Jayapal Reddy
>             Fix For: 4.10.1.0
>
>
> 1. Acquire an ip from the additional public subnet.
> 2. Configure a port forwarding rule on the isolated network.
> 3. Check the SNAT rule added in the nat table. It is added on the default source NAT interface instead of the additional public subnet interface.
> eth3 - additional public subnet interface.
> {noformat}
> root@r-133-QA:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 CONNMARK   tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 state NEW CONNMARK save
>     0     0 DNAT       tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22
>     0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22
>     0     0 MARK       tcp  --  eth3   *       0.0.0.0/0            10.147.52.100        tcp dpt:22 MARK set 0x3
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.52.100        tcp dpt:22 to:10.1.1.182:22
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    10   500 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.46.107
>     0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.100
>     0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.182           tcp dpt:22 to:10.1.1.1
> root@r-133-QA:~# 
> root@r-133-QA:~# 
> root@r-133-QA:~# 
> root@r-133-QA:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 02:00:24:c6:00:07 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 0e:00:a9:fe:02:b7 brd ff:ff:ff:ff:ff:ff
>     inet 169.254.2.183/16 brd 169.254.255.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:1e:00:00:13 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.46.107/24 brd 10.147.46.255 scope global eth2
> 7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 1e:00:e0:00:00:33 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.52.100/24 brd 10.147.52.255 scope global eth3
> root@r-133-QA:~# 
> root@r-133-QA:~# ip route show table Table_eth3
> default via 10.147.52.1 dev eth3  proto static 
> throw 10.1.1.0/24  proto static 
> throw 169.254.0.0/16  proto static 
> root@r-133-QA:~# ip route show table Table_eth2
> default via 10.147.46.1 dev eth2  proto static 
> throw 10.1.1.0/24  proto static 
> throw 169.254.0.0/16  proto static 
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
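
The mismatch visible in the quoted router output can be checked mechanically. The following is an added example, not code from the report or from CloudStack: it cross-references `ip a` with the nat table listing and flags any POSTROUTING SNAT rule whose `to:` address is configured on a different interface than the rule's `out` interface. The function names and the abridged sample strings are assumptions made for illustration.

```python
import re

# Constructed sample input: lines re-joined and abridged from the output quoted in the report.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.147.46.107/24 brd 10.147.46.255 scope global eth2
7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.147.52.100/24 brd 10.147.52.255 scope global eth3
"""
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   500 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.46.107
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.100
    0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.182           tcp dpt:22 to:10.1.1.1
"""

def interface_addresses(ip_a_output):
    """Map interface name -> set of IPv4 addresses parsed from `ip a` output."""
    addrs, current = {}, None
    for line in ip_a_output.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)
        inet = re.match(r"\s+inet\s+(\d+\.\d+\.\d+\.\d+)/", line)
        if head:
            current = head.group(1)
            addrs.setdefault(current, set())
        elif inet and current:
            addrs[current].add(inet.group(1))
    return addrs

def misplaced_snat(nat_listing, addrs):
    """Return (out_iface, snat_ip, owning_iface) for SNAT rules bound to the wrong interface."""
    owner = {ip: dev for dev, ips in addrs.items() for ip in ips}
    findings, in_postrouting = [], False
    for line in nat_listing.splitlines():
        if line.startswith("Chain "):
            in_postrouting = line.startswith("Chain POSTROUTING")
            continue
        cols = line.split()  # pkts bytes target prot opt in out source destination ...
        if not in_postrouting or len(cols) < 10 or cols[2] != "SNAT":
            continue
        out_if, target = cols[6], re.search(r"to:(\d+\.\d+\.\d+\.\d+)", line)
        # Skip rules without an out interface or whose SNAT address is not local.
        if target and out_if != "*" and owner.get(target.group(1)) not in (None, out_if):
            findings.append((out_if, target.group(1), owner[target.group(1)]))
    return findings
```

On the sample above it reports the rule that translates to 10.147.52.100 on eth2 while that address is configured on eth3.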
