Sowmya Krishnan created CLOUDSTACK-5403:
-------------------------------------------

Summary: Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
Key: CLOUDSTACK-5403
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server, Network Controller
Affects Versions: 4.3.0
Environment: Advanced zone, shared network on Hyper-V
Reporter: Sowmya Krishnan
Priority: Critical
Fix For: 4.3.0
Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log

None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone.

Steps:
1. Create a shared network in advanced zone
2. Acquire IP
3. Create PF and corresponding Firewall rule
4. Acquire another IP
5. Create LB and corresponding Firewall rule
6. Ensure all the rules work
7. Restart router
8. Check all rules

Result:
None of PF or LB rules work after router restart.

I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.

The following rules are dropped from the iptables FORWARD chain after restart:

    ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
    ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */

So also the firewall rules corresponding to the LB rule source IP.

The rules themselves exist in DB though:

    mysql> select * from firewall_rules;
    +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
    | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
    +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
    |  1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d |             5 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
    |  2 | 5b657e22-649a-4cd4-b23c-2416243f48ba |             5 |        888 |      888 | Active | tcp      | PortForwarding |          4 |         2 |        205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
    | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 |             6 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
    | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 |             6 |        888 |      888 | Active | tcp      | LoadBalancing  |          4 |         2 |        205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
    +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
    4 rows in set (0.00 sec)

    mysql> select * from load_balancing_rules;
    +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
    | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
    +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
    | 14 | lbshared | NULL        |                 80 |               80 | roundrobin | NULL              |                         NULL | Public | NULL        |
    +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
    1 row in set (0.00 sec)

    mysql> select * from port_forwarding_rules;
    +----+-------------+-----------------+-----------------+---------------+
    | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
    +----+-------------+-----------------+-----------------+---------------+
    |  2 |           5 | 10.102.198.2    |              80 |            80 |
    +----+-------------+-----------------+-----------------+---------------+
    1 row in set (0.00 sec)

-- 
This message was sent by Atlassian JIRA (v6.1#6144)
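A reconciliation check for exactly this regression, added here as an example (not CloudStack's own code): it parses the `/* ip:start:end */` comment tags CloudStack leaves on the virtual router's iptables entries and reports every Active firewall_rules row that has no tagged entry left after the restart. The listings and the address for ip_address_id 6 are constructed; only 10.102.196.239 and the DB rows come from the report.

```python
import re

# CloudStack marks every rule it programs on the virtual router with an iptables
# comment of the form /* <public-ip>:<start-port>:<end-port> */, as in the FORWARD
# entries quoted in the report. A tag is the tuple (public_ip, start_port, end_port).
TAG_RE = re.compile(r"/\*\s*(\d+(?:\.\d+){3}):(\d+):(\d+)\s*\*/")

def rule_tags(listing):
    """Collect the rule tags present in an `iptables -L` style listing."""
    tags = set()
    for line in listing.splitlines():
        m = TAG_RE.search(line)
        if m:
            tags.add((m.group(1), int(m.group(2)), int(m.group(3))))
    return tags

def expected_tags(rows, ip_by_id):
    """Tags the router should carry: one per Active firewall_rules row, keyed by public IP."""
    return {(ip_by_id[r["ip_address_id"]], r["start_port"], r["end_port"])
            for r in rows if r["state"] == "Active"}

def missing_rules(rows, ip_by_id, listing):
    """Active DB rules with no matching tagged iptables entry, sorted for stable reporting."""
    return sorted(expected_tags(rows, ip_by_id) - rule_tags(listing))

# Constructed sample data: the firewall_rules rows quoted in the report, reduced to the
# columns this check needs. ip_address_id 5 is 10.102.196.239 per the FORWARD comment;
# the address for id 6 is an assumed placeholder, not taken from the report.
DB_ROWS = [
    {"id": 1, "ip_address_id": 5, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "Firewall"},
    {"id": 2, "ip_address_id": 5, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "PortForwarding"},
    {"id": 13, "ip_address_id": 6, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "Firewall"},
    {"id": 14, "ip_address_id": 6, "start_port": 888, "end_port": 888, "state": "Active", "purpose": "LoadBalancing"},
]
IP_BY_ID = {5: "10.102.196.239", 6: "10.102.196.240"}

# Constructed FORWARD-chain listings modelled on the report: before the restart both
# public IPs carry tagged entries; after it only an untagged default entry remains.
BEFORE = """Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             shareduser1vm1  state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm1  tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm2  tcp dpt:http state NEW /* 10.102.196.240:888:888 */
"""
AFTER = """Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere        state RELATED,ESTABLISHED
"""
```

Feed it the `iptables -L FORWARD` captures taken before and after the restart (as in the attached listings) together with the Active rows from firewall_rules; a non-empty result from missing_rules is the rule set that did not survive the restart.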