[jira] [Commented] (CLOUDSTACK-8945) rp_filter=1 not set on VPC private gateway initially, but is set after restart of VPC router

2017-08-08 Thread Rohit Yadav (JIRA)

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118216#comment-16118216 ]

Rohit Yadav commented on CLOUDSTACK-8945:

Disabling rp_filter would mean no source validation will be done on incoming
packets on an interface, i.e. packets won't be dropped. This is used for all
sorts of domR (VPC VRs, rVRs, normal VRs). On normal VRs, eth0 and eth1 are the
link-local and guest network NICs; however, eth2 is the public network NIC. For
VPC/redundantVPC VRs, eth0 is link-local, eth1 is public, eth2 is guest network
-- based on actual env tests on KVM, VMware, XenServer.

> rp_filter=1 not set on VPC private gateway initially, but is set after
> restart of VPC router
>
> Key: CLOUDSTACK-8945
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8945
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.4.4
> Reporter: Anton Opgenoort
> Assignee: Rohit Yadav
>
> (on ACS4.4.4 with XenServer as hypervisor)
> Steps to reproduce:
> - Create VPC router
> - Create private gateway on VPC router
> - Now log on to the rVM via the hypervisor's link-local address
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 0
> - Restart the rVM via CloudStack (NOT restart VPC but restart the underlying
> router via CloudStack)
> - Log on again:
> root@r-46771-VM:~# sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 1
> The issue thus is that on initial creation it is not set, where it should be
> set immediately.
> Note: when adding a regular network tier to the VPC config, that new
> interface IS configured with rp_filter=1. So it is limited to the private
> gateway NIC.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
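
Added example, not part of the JIRA thread or of CloudStack's code: a shell check for the condition in the report, listing interfaces on which the kernel does no reverse-path validation. The kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter; the function names, the optional CONF_ROOT argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit reverse-path filtering per interface (added example).
# CONF_ROOT is a hypothetical override so the check can run against a
# constructed tree; on a router it defaults to /proc/sys/net/ipv4/conf.

# effective_rp_filter IFACE [CONF_ROOT]
# Prints the value the kernel applies: max(conf/all, conf/IFACE).
effective_rp_filter() {
    iface=$1
    root=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$root/all/rp_filter")
    own=$(cat "$root/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# unfiltered_ifaces [CONF_ROOT]
# Prints, space-separated, each interface whose effective value is 0.
# The pseudo-entries all/default and the loopback are skipped.
unfiltered_ifaces() {
    root=${1:-/proc/sys/net/ipv4/conf}
    out=""
    for dir in "$root"/*; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        [ -r "$dir/rp_filter" ] || continue
        if [ "$(effective_rp_filter "$iface" "$root")" -eq 0 ]; then
            out="${out:+$out }$iface"
        fi
    done
    echo "$out"
}

# make_sample_tree DIR
# Constructed data: eth2 left at 0, as the report shows before the restart.
make_sample_tree() {
    for pair in all:0 default:0 lo:0 eth0:1 eth1:1 eth2:0; do
        mkdir -p "$1/${pair%%:*}"
        echo "${pair##*:}" > "$1/${pair%%:*}/rp_filter"
    done
}

# Demo against the constructed tree; drop the argument to audit the live host.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
echo "interfaces without source validation: $(unfiltered_ifaces "$tmp")"
rm -rf "$tmp"
```

Running the check right after a NIC is plugged, rather than only after a router restart, is what would catch the state described in the report.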


[jira] [Commented] (CLOUDSTACK-8945) rp_filter=1 not set on VPC private gateway initially, but is set after restart of VPC router

2017-07-17 Thread Boris Stoyanov (JIRA)

[ https://issues.apache.org/jira/browse/CLOUDSTACK-8945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16089745#comment-16089745 ]

Boris Stoyanov commented on CLOUDSTACK-8945:


This one is failing the test_privategw_acl test in the smoketest suite.

{code}
Boriss-MacBook-Pro:~ bstoyanov$ ssh root@10.1.34.66
root@10.1.34.66's password:
Last login: Mon Jul 17 08:07:34 2017 from 10.1.0.1
[root@VM-ba2a91c8-af1c-41d1-8cb3-18f599cdc673 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:00:08:91:00:01
          inet addr:10.0.2.92  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::8ff:fe91:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:228782 (223.4 KiB)  TX bytes:44853 (43.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
{code}
Ping Failed
{code}
[root@VM-ba2a91c8-af1c-41d1-8cb3-18f599cdc673 ~]# ping -c 3 10.0.1.166
PING 10.0.1.166 (10.0.1.166) 56(84) bytes of data.

--- 10.0.1.166 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
{code}
Restarted both the redundant routers where VM 10.0.1.166 is and was able to 
ping the machine from VM 10.0.2.92
{code}
[root@VM-ba2a91c8-af1c-41d1-8cb3-18f599cdc673 ~]# ping -c 3 10.0.1.166
PING 10.0.1.166 (10.0.1.166) 56(84) bytes of data.
64 bytes from 10.0.1.166: icmp_seq=1 ttl=62 time=3.03 ms
64 bytes from 10.0.1.166: icmp_seq=2 ttl=62 time=2.22 ms
64 bytes from 10.0.1.166: icmp_seq=3 ttl=62 time=1.67 ms

--- 10.0.1.166 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 1.673/2.310/3.030/0.557 ms
[root@VM-ba2a91c8-af1c-41d1-8cb3-18f599cdc673 ~]#
{code}

