Slair1 commented on issue #2680: Using Source NAT option on Private Gateway does not work
URL: https://github.com/apache/cloudstack/issues/2680#issuecomment-396743659
 
 
   @rhtyd /cc @ustcweizhou 
   
   It looks like that old SNAT in `CsAddress.py` (before this PR) was allowing the static NATs hair-pinning to work. However, that seems to only be because the actual static NAT hairpin code in `configure.py` wasn't working correctly because it had `eth0` hard-coded in it instead of dynamically determining the guest network interface. So, I left our `CsAddress.py` as is (see current PR #2681) and modified `configure.py` to fix the hairpin SNAT. Please see the following and let me know your thoughts. It may need some others to do some additional testing also.
   
   ## Before Changes to `configure.py`
   #### IP Address and Interfaces
   ```
   root@r-336-VM:~# ip add
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 0e:00:a9:fe:01:dd brd ff:ff:ff:ff:ff:ff
       inet 169.254.1.221/16 brd 169.254.255.255 scope global eth0
   3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 06:18:90:00:00:30 brd ff:ff:ff:ff:ff:ff
       inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
       inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
       inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
   4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 06:1d:54:00:02:6b brd ff:ff:ff:ff:ff:ff
       inet 10.101.41.10/24 brd 10.101.41.255 scope global eth2
   5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 02:00:6d:75:00:0a brd ff:ff:ff:ff:ff:ff
       inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
   ```
   #### OUTPUT DNAT (looks good)
   ```
   root@r-336-VM:~# iptables -L OUTPUT -t nat -vn
   Chain OUTPUT (policy ACCEPT 28 packets, 1871 bytes)
    pkts bytes target     prot opt in     out     source               destination
       0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20        to:10.0.0.154
       0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19        to:10.0.0.209
   ```
   #### PREROUTING DNAT (1st and 3rd line are not needed)
   ```
   root@r-336-VM:~# iptables -L PREROUTING -t nat -vn
   Chain PREROUTING (policy ACCEPT 551 packets, 51744 bytes)
    pkts bytes target     prot opt in     out     source               destination
       0     0 DNAT       all  --  eth0   *       0.0.0.0/0            46.99.52.20        to:10.0.0.154
       6   240 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20        to:10.0.0.154
       0     0 DNAT       all  --  eth0   *       0.0.0.0/0            46.99.52.19        to:10.0.0.209
      11   492 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19        to:10.0.0.209
   ```
   #### POSTROUTING SNAT (1st and 3rd line are incorrect. Last line isn't needed)
   The 1st and 3rd line are close to getting hair-pinning with a static NAT working, but the interface is wrong. If you look above, eth0 was our 169.254.0.0/16 network...
   ```
   root@r-336-VM:~# iptables -L POSTROUTING -t nat -vn
   Chain POSTROUTING (policy ACCEPT 26 packets, 1100 bytes)
    pkts bytes target     prot opt in     out     source               destination
       0     0 SNAT       all  --  *      eth0    10.0.0.0/24          10.0.0.154           to:10.0.0.1
      34  2584 SNAT       all  --  *      eth1    10.0.0.154           0.0.0.0/0            to:46.99.52.20
       0     0 SNAT       all  --  *      eth0    10.0.0.0/24          10.0.0.209           to:10.0.0.1
      28  1456 SNAT       all  --  *      eth1    10.0.0.209           0.0.0.0/0            to:46.99.52.19
     243 14660 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.101.41.10
     222 14854 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.18
       0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.19
   ```
   ## After Changes to `configure.py`
   #### IP Address and Interfaces
   ```
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 0e:00:a9:fe:01:c9 brd ff:ff:ff:ff:ff:ff
       inet 169.254.1.201/16 brd 169.254.255.255 scope global eth0
   3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 06:c7:80:00:00:30 brd ff:ff:ff:ff:ff:ff
       inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
       inet 46.99.52.20/26 brd 46.99.52.63 scope global secondary eth1
       inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
   4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 06:5a:34:00:02:6b brd ff:ff:ff:ff:ff:ff
       inet 10.101.41.10/24 brd 10.101.41.255 scope global eth2
   5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
       link/ether 02:00:6c:02:00:16 brd ff:ff:ff:ff:ff:ff
       inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
   ```
   #### OUTPUT DNAT
   ```
   root@r-342-VM:~# iptables -L OUTPUT -t nat -vn
   Chain OUTPUT (policy ACCEPT 104 packets, 8128 bytes)
    pkts bytes target     prot opt in     out     source               destination
       0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19        to:10.0.0.209
       0     0 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20        to:10.0.0.154
   ```
   #### PREROUTING DNAT
   ```
   root@r-342-VM:~# iptables -L PREROUTING -t nat -vn
   Chain PREROUTING (policy ACCEPT 19526 packets, 1424K bytes)
    pkts bytes target     prot opt in     out     source               destination
     160  8277 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.19        to:10.0.0.209
     181  9086 DNAT       all  --  *      *       0.0.0.0/0            46.99.52.20        to:10.0.0.154
   ```
   #### POSTROUTING SNAT
   That last line is still not needed, but not sure how/why that is there.
   ```
   root@r-342-VM:~# iptables -L POSTROUTING -t nat -vn
   Chain POSTROUTING (policy ACCEPT 339 packets, 17781 bytes)
    pkts bytes target     prot opt in     out     source               destination
       4   240 SNAT       all  --  *      eth3    10.0.0.0/24          10.0.0.209           to:10.0.0.1
      34  1768 SNAT       all  --  *      eth1    10.0.0.209           0.0.0.0/0            to:46.99.52.19
       2   405 SNAT       all  --  *      eth3    10.0.0.0/24          10.0.0.154           to:10.0.0.1
   13800  830K SNAT       all  --  *      eth1    10.0.0.154           0.0.0.0/0            to:46.99.52.20
       0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.101.41.10
     154 10809 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.18
       0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:46.99.52.20
   ```
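As an added example (not code from this comment or from CloudStack), a Python check for the misconfiguration the comment describes: it pairs `ip addr` output with `iptables -L POSTROUTING -t nat -vn` output and flags SNAT rules whose outgoing interface does not own the `to:` address, which is exactly how the hard-coded `eth0` hairpin rules show up (to:10.0.0.1 lives on eth3, not eth0). The sample listings are constructed and trimmed from the "before" output above.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample, trimmed from the "before" listings in the comment
IP_ADDR_SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 169.254.1.221/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 46.99.52.18/26 brd 46.99.52.63 scope global eth1
    inet 46.99.52.19/26 brd 46.99.52.63 scope global secondary eth1
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth3
"""

POSTROUTING_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 26 packets, 1100 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    10.0.0.0/24          10.0.0.154           to:10.0.0.1
   28  1456 SNAT       all  --  *      eth1    10.0.0.209           0.0.0.0/0            to:46.99.52.19
"""

def parse_ip_addr(text):
    """Map each interface name to the IPv4 addresses it carries."""
    ifaces = {}
    for line in text.splitlines():
        m = re.match(r"\s+inet (\S+) .*?(\S+)$", line)
        if m:
            ifaces.setdefault(m.group(2), []).append(ip_interface(m.group(1)).ip)
    return ifaces

def parse_snat_rules(text):
    """Return (out_iface, source, destination, snat_to) for each SNAT rule."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and f[2] == "SNAT" and f[9].startswith("to:"):
            rules.append((f[6], f[7], f[8], f[9][3:]))
    return rules

def misrouted_snat(ip_addr_text, postrouting_text):
    """Flag SNAT rules whose out interface does not own the to: address."""
    ifaces = parse_ip_addr(ip_addr_text)
    bad = []
    for out, src, dst, to in parse_snat_rules(postrouting_text):
        owners = [n for n, addrs in ifaces.items() if ip_address(to) in addrs]
        if out != "*" and out not in owners:
            bad.append((out, src, dst, to, owners))
    return bad
```

Run against a live router by feeding it the real `ip addr` and `iptables` output; an empty result means every SNAT rule leaves via the interface that actually holds its translated address.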
