After some more investigation, I think I’ve identified the problem. It was
indeed the last chain containing the wrong rules:
Chain NETWORK_STATS_eth1 (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * eth1 0.0.0.0/0
10.188.218.0/24
275K 718M all -- * eth1 10.188.218.0/24 0.0.0.0/0
Should be:
Chain NETWORK_STATS_eth1 (1 references)
pkts bytes target prot opt in out source destination
373K 828M all -- * eth1 10.188.218.0/24 0.0.0.0/0
81528 848M all -- eth1 * 0.0.0.0/0
10.188.218.0/24
The order of the rules is important since it will be interpreted by CloudStack
to be Bytes sent first and Bytes received second. The in and out were also
reversed.
--
Simon
> On Jul 13, 2016, at 09:28, Simon Godard <[email protected]> wrote:
>
> Hi,
>
> After upgrading to ACS 4.7 and VRs to 4.6 we are noticing a regression in the
> Network usage stats. The Network out (bytes sent) is now 0 and the Network
> received (bytes received) appears to hold the stats of bytes sent. This is
> using VPCs without redundant VRs.
>
> Here are the output of the iptables -L -v command:
>
> ~# iptables -L -v -n
> Chain INPUT (policy DROP 36031 packets, 3454K bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0
> 10.188.218.1 tcp dpt:80 state NEW
> 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0
> 10.188.218.1 tcp dpt:53
> 8988 655K ACCEPT udp -- eth2 * 0.0.0.0/0
> 10.188.218.1 udp dpt:53
> 91565 11M NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0
> udp dpt:67
> 0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0
> udp dpt:53
> 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:53
> 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:80 state NEW
> 0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:8080 state NEW
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 2936 244K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 52597 7459K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> tcp dpt:3922 state NEW,ESTABLISHED
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 560K 1307M NETWORK_STATS_eth1 all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 560K 1307M NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 286K 589M ACL_INBOUND_eth2 all -- * eth2 0.0.0.0/0
> 10.188.218.0/24
> 275K 718M ACCEPT all -- * * 10.188.216.0/22
> !10.188.216.0/22
>
> Chain OUTPUT (policy ACCEPT 71914 packets, 10M bytes)
> pkts bytes target prot opt in out source
> destination
> 71955 10M NETWORK_STATS all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
> Chain ACL_INBOUND_eth2 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 225.0.0.50
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> 224.0.0.18
> 286K 589M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
>
> Chain NETWORK_STATS (3 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 tcp -- eth0 eth2 0.0.0.0/0 0.0.0.0/0
>
> 0 0 tcp -- eth2 eth0 0.0.0.0/0 0.0.0.0/0
>
> 275K 588M tcp -- !eth0 eth2 0.0.0.0/0 0.0.0.0/0
>
> 264K 717M tcp -- eth2 !eth0 0.0.0.0/0 0.0.0.0/0
>
>
> Chain NETWORK_STATS_eth1 (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 all -- * eth1 0.0.0.0/0
> 10.188.218.0/24
> 275K 718M all -- * eth1 10.188.218.0/24 0.0.0.0/0
>
>
> The last Chain (NETWORK_STATS_eth1 appears to be wrong since both rules have
> ‘in’ as * and ‘out’ as eth1.
>
> Do you have an idea of what is going on?
>
> Thanks
> --
> Simon Godard
>
