[ https://issues.apache.org/jira/browse/CLOUDSTACK-5403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abhinandan Prateek updated CLOUDSTACK-5403:
-------------------------------------------

    Assignee: Rajesh Battala

> Shared network - None of PF, LB rules work after router restart, firewall rules dropped from iptables post restart
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5403
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5403
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Management Server, Network Controller
>    Affects Versions: 4.3.0
>         Environment: Advanced zone, shared network on Hyper-V
>            Reporter: Sowmya Krishnan
>            Assignee: Rajesh Battala
>            Priority: Critical
>             Fix For: 4.3.0
>
>         Attachments: iptables_after_restart.gz, iptables_before_restart.gz, restart_vr.log.gz, restart_vr_agent.log.log
>
>
> None of PF, LB or firewall rules work after router is restarted in shared network, advanced zone
>
> Steps:
> Create a shared network in advanced zone
> Acquire IP
> Create PF and corresponding Firewall rule
> Acquire another IP
> Create LB and corresponding Firewall rule
> Ensure all the rules work
> Restart router
> Check all rules
>
> Result:
> None of PF or LB rules work after router restart
>
> I've tested this only in Hyper-V so far. I'll update the bug in case I am able to test in any other hypervisor as well.
>
> The following rules are dropped from iptables FORWARD chain after restart:
>
> ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
> ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
>
> So also the firewall rules corresponding to the LB rule source ip
>
> The rules themselves exist in DB though:
>
> mysql> select * from firewall_rules;
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> | id | uuid                                 | ip_address_id | start_port | end_port | state  | protocol | purpose        | account_id | domain_id | network_id | xid                                  | created             | icmp_code | icmp_type | related | type | vpc_id | traffic_type |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> |  1 | b9082345-8a3d-4f6d-9b64-3d2d98e65d2d |             5 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 5cf27b56-4d37-4ec1-bdf8-ede0407f0115 | 2013-12-06 06:51:40 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> |  2 | 5b657e22-649a-4cd4-b23c-2416243f48ba |             5 |        888 |      888 | Active | tcp      | PortForwarding |          4 |         2 |        205 | aad0e89d-f0df-4ee2-949d-39f129a1383a | 2013-12-06 06:52:13 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> | 13 | 42f795f9-45e6-471f-9b17-4ce631a09531 |             6 |        888 |      888 | Active | tcp      | Firewall       |          4 |         2 |        205 | 0802945b-23b8-4b95-9441-f6b89e66d806 | 2013-12-06 11:27:08 |      NULL |      NULL |    NULL | User |   NULL | Ingress      |
> | 14 | 9f5aa3dd-b8e9-4193-b635-c5fd7e188f35 |             6 |        888 |      888 | Active | tcp      | LoadBalancing  |          4 |         2 |        205 | ef7067b9-38b3-4d42-b8ee-5bfe44a817fa | 2013-12-06 11:27:53 |      NULL |      NULL |    NULL | User |   NULL | NULL         |
> +----+--------------------------------------+---------------+------------+----------+--------+----------+----------------+------------+-----------+------------+--------------------------------------+---------------------+-----------+-----------+---------+------+--------+--------------+
> 4 rows in set (0.00 sec)
>
> mysql> select * from load_balancing_rules;
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | id | name     | description | default_port_start | default_port_end | algorithm  | source_ip_address | source_ip_address_network_id | scheme | lb_protocol |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> | 14 | lbshared | NULL        |                 80 |               80 | roundrobin | NULL              | NULL                         | Public | NULL        |
> +----+----------+-------------+--------------------+------------------+------------+-------------------+------------------------------+--------+-------------+
> 1 row in set (0.00 sec)
>
> mysql> select * from port_forwarding_rules;
> +----+-------------+-----------------+-----------------+---------------+
> | id | instance_id | dest_ip_address | dest_port_start | dest_port_end |
> +----+-------------+-----------------+-----------------+---------------+
> |  2 |           5 | 10.102.198.2    |              80 |            80 |
> +----+-------------+-----------------+-----------------+---------------+
> 1 row in set (0.00 sec)

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
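The report pairs two observations: FORWARD-chain rules that vanish from the virtual router after a restart, and firewall_rules rows that stay Active in the management-server database. The script below is an added example for reproducing that comparison and is not CloudStack code; it does not talk to the CloudStack API or to MySQL. It parses two `iptables -L FORWARD` dumps (the shape of the attached before/after captures) and reports rules missing after the restart, then cross-checks the surviving chain against Active DB rows using the `<ip>:<start_port>:<end_port>` comment CloudStack tags its rules with. The dumps and DB rows are constructed to mirror the rules quoted in the report; the public IP of ip_address_id 6 (the LB source IP) is not shown in the report and is an assumption here.

```python
"""Diff two `iptables -L FORWARD` dumps taken before and after a virtual
router restart, and cross-check the surviving chain against the Active rows
of the management-server firewall_rules table.

Added example for this bug report; not CloudStack code. The dumps and DB rows
below are constructed to mirror the rules quoted in the report. The public IP
for ip_address_id 6 (the LB source IP) is an assumption, not a value from the
report.
"""
import re

# Constructed sample: FORWARD chain before the restart (all rules present).
# The 10.102.196.240 rule stands in for the LB-side firewall rule; that IP
# is an assumption.
BEFORE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             shareduser1vm1       state RELATED,ESTABLISHED /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             shareduser1vm1       tcp dpt:http state NEW /* 10.102.196.239:888:888 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:888 state NEW /* 10.102.196.240:888:888 */
"""

# Constructed sample: FORWARD chain after the restart; only the generic
# RELATED,ESTABLISHED rule survives, as the report describes.
AFTER = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
"""

# Constructed to mirror the Active "Firewall" rows (ids 1 and 13) quoted in
# the report; the IP for id 13 is assumed.
DB_FIREWALL_RULES = [
    {"id": 1, "ip": "10.102.196.239", "start_port": 888, "end_port": 888,
     "state": "Active", "purpose": "Firewall"},
    {"id": 13, "ip": "10.102.196.240", "start_port": 888, "end_port": 888,
     "state": "Active", "purpose": "Firewall"},
]

# One rule line of `iptables -L`: five fixed columns, then free-form match text.
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")


def parse_chain(dump):
    """Parse one chain listing into a list of rule dicts, in chain order."""
    rules = []
    for line in dump.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised iptables line: %r" % line)
        rule = m.groupdict()
        rule["extra"] = " ".join(rule["extra"].split())  # normalise whitespace
        c = COMMENT_RE.search(rule["extra"])
        rule["comment"] = c.group(1) if c else ""  # CloudStack tag: ip:start:end
        rules.append(rule)
    return rules


def rule_key(rule):
    """Identity of a rule for diffing: everything except its chain position."""
    return (rule["target"], rule["prot"], rule["src"], rule["dst"], rule["extra"])


def dropped_rules(before, after):
    """Rules present in `before` but absent from `after`, in original order."""
    after_keys = {rule_key(r) for r in parse_chain(after)}
    return [r for r in parse_chain(before) if rule_key(r) not in after_keys]


def active_rules_missing_from_chain(db_rows, dump):
    """ids of Active DB rules whose '<ip>:<start>:<end>' tag has no rule in
    the chain, i.e. the DB and the router disagree about what is applied."""
    tags = {r["comment"] for r in parse_chain(dump)}
    return [row["id"] for row in db_rows
            if row["state"] == "Active"
            and "%s:%d:%d" % (row["ip"], row["start_port"], row["end_port"]) not in tags]


if __name__ == "__main__":
    for r in dropped_rules(BEFORE, AFTER):
        print("dropped after restart:", r["target"], r["prot"], r["dst"], r["extra"])
    print("Active DB rules with no FORWARD rule:",
          active_rules_missing_from_chain(DB_FIREWALL_RULES, AFTER))
```

Against real captures, replace the two constants with the contents of the attached dumps (`zcat iptables_before_restart.gz`) and feed `active_rules_missing_from_chain` the Active rows from `select id, ... from firewall_rules`; a non-empty result after restart is the DB-versus-router inconsistency the report describes.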