[ https://issues.apache.org/jira/browse/CLOUDSTACK-5815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sanjeev N reopened CLOUDSTACK-5815:
-----------------------------------

Verified this bug on the latest build from 4.3 with commit 52f2af19c89b06826d5ee196eb3fc69f244177f9. I still see the issue and the behavior is the same as before.

Following is the IpAssocCommand for PF creation:

2014-02-13 06:10:51,890 DEBUG [c.c.a.t.Request] (Job-Executor-100:ctx-45781660 ctx-02373089) Seq 4-298790783: Executing: { Cmd , MgmtId: 6615759585382, via: 4(10.147.40.31), Ver: v1, Flags: 100001, [{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.48.5","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:a5:94:00:00:17","networkRate":200,"trafficType":"Public"},{"accountId":2,"publicIp":"10.147.48.10","sourceNat":false,"add":true,"oneToOneNat":false,"firstIP":false,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:81:61:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.228","router.name":"r-4-QA"},"wait":0}},{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.52.221","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://52","vlanGateway":"10.147.52.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:81:69:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.228","router.name":"r-4-QA"},"wait":0}}] }

root@r-4-QA:~# ip addr show eth2
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:81:60:00:00:17 brd ff:ff:ff:ff:ff:ff
    inet 10.147.48.5/24 brd 10.147.48.255 scope global eth2
    inet 10.147.52.221/24 brd 10.147.52.255 scope global eth2
    inet 10.147.48.10/24 brd 10.147.48.255 scope global secondary eth2
    inet6 fe80::481:60ff:fe00:17/64 scope link
       valid_lft forever preferred_lft forever

root@r-4-QA:~# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 85 packets, 6590 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            10.147.48.5          tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.48.5          tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            10.147.48.10         tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.48.10         tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            10.147.52.221        tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.52.221        tcp dpt:22 to:10.1.1.14:22

Chain INPUT (policy ACCEPT 22 packets, 1320 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 223 packets, 14928 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.48.5          tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.48.10         tcp dpt:22 to:10.1.1.14:22
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.52.221        tcp dpt:22 to:10.1.1.14:22

Chain POSTROUTING (policy ACCEPT 223 packets, 14928 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.48.5
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.221
    0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.14            tcp dpt:22 to:10.1.1.1

> [Hyper-v] Two SNAT rules for one isolated network if acquired ip is from different vlan
> ---------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5815
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5815
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Hypervisor Controller, Network Controller
>    Affects Versions: Future
>         Environment: Latest build from 4.3 branch with commit:6f309b8a87d3376950a60234d399c6e3749ad1c7
>            Reporter: Sanjeev N
>            Assignee: Rajesh Battala
>              Labels: hyper-V,, hyper-v, hyperv
>             Fix For: 4.4.0
>
>
> [Hyper-v] Two SNAT rules for one isolated network if acquired ip is from different vlan
>
> Steps to Reproduce:
> =================
> 1. Bring up CS in advanced zone with hyper-v cluster
> 2. Create isolated guest network and deploy a few vms in the network
> 3. Exhaust all the public IP addresses present in the zone (in user_ip_address table set the allocated=now())
> 4. Add new public IP range in new vlan and new subnet
> 5. Acquire one ip address from the new ip range and configure PF and assign one vm deployed at step2
>
> Expected Result:
> ==============
> In isolated network there is only one SNAT ip address for the entire network. So even if the acquired IP address is from a different vlan, a new SNAT rule should not be configured with the acquired ip address.
>
> Actual Result:
> ============
> Since the ip address acquired at step5 is from a new vlan and is the ip address from that vlan, an additional SNAT rule got configured on the VR with the acquired ip address.
>
> Following is the output from iptables on VR:
>
> root@r-4-VM:~# iptables -t nat -L -nv
> Chain PREROUTING (policy ACCEPT 279 packets, 28169 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            10.147.31.240        tcp dpt:22 to:10.1.1.26:22
>     0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            10.147.31.240        tcp dpt:22 to:10.1.1.26:22
>
> Chain INPUT (policy ACCEPT 4 packets, 240 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            10.147.31.240        tcp dpt:22 to:10.1.1.26:22
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.26            tcp dpt:22 to:10.1.1.1
>     4   304 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.48.5
>     0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.31.240
>
> ip address configuration on eth2 is as follows:
>
> root@r-4-VM:~# ip addr show eth2
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 06:78:3c:00:00:17 brd ff:ff:ff:ff:ff:ff
>     inet 10.147.48.5/24 brd 10.147.48.255 scope global eth2
>     inet 10.147.31.240/24 brd 10.147.31.255 scope global eth2
>     inet6 fe80::478:3cff:fe00:17/64 scope link
>        valid_lft forever preferred_lft forever
>
> Following is the IpAssocCmd that got executed after configuring PF rule on the acquired ip address:
>
> 2014-01-07 11:30:39,274 DEBUG [c.c.a.t.Request] (Job-Executor-31:ctx-26e587af ctx-d423299a) Seq 4-2034961238: Sending { Cmd , MgmtId: 132129494109518, via: 4(10.147.40.31), Ver: v1, Flags: 100001, [{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.48.5","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:88:76:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}},{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.31.240","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://31","vlanGateway":"10.147.31.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:78:3e:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}}]
> }
> 2014-01-07 11:30:39,275 DEBUG [c.c.a.t.Request] (Job-Executor-31:ctx-26e587af ctx-d423299a) Seq 4-2034961238: Executing: { Cmd , MgmtId: 132129494109518, via: 4(10.147.40.31), Ver: v1, Flags: 100001, [{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.48.5","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:88:76:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}},{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.31.240","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://31","vlanGateway":"10.147.31.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:78:3e:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}}]
> }
>
> In the above IpAssocCommand sourceNat is set to true even for the newly acquired ip address in the same network.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
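As an added example (not part of the report and not CloudStack's own code), a small Python check over the two artifacts the reporter attaches: the IpAssocCommand batch the management server sends, and the POSTROUTING chain on the VR. It tests the invariant the report states, one source NAT IP per isolated network, across the whole batch rather than per command, which is where the per-VLAN split hides the duplicate. The sample data is constructed from the values in the report and trimmed to the fields used; the public VIF is assumed to be eth2.

```python
import json
import re
from collections import defaultdict

# Constructed sample, trimmed to the fields used, from the IpAssocCommand batch
# above: one command per public VLAN for r-4-QA, each VLAN's first IP sourceNat=true.
SAMPLE_CMDS = json.loads("""[
 {"com.cloud.agent.api.routing.IpAssocCommand": {"ipAddresses": [
   {"publicIp": "10.147.48.5", "sourceNat": true, "add": true, "firstIP": true, "broadcastUri": "vlan://48"},
   {"publicIp": "10.147.48.10", "sourceNat": false, "add": true, "firstIP": false, "broadcastUri": "vlan://48"}],
  "accessDetails": {"router.name": "r-4-QA"}}},
 {"com.cloud.agent.api.routing.IpAssocCommand": {"ipAddresses": [
   {"publicIp": "10.147.52.221", "sourceNat": true, "add": true, "firstIP": true, "broadcastUri": "vlan://52"}],
  "accessDetails": {"router.name": "r-4-QA"}}}
]""")

# Constructed POSTROUTING rows in `iptables -t nat -L -nv` layout, as seen on the VR.
SAMPLE_POSTROUTING = """\
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.48.5
    0     0 SNAT       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0            to:10.147.52.221
    0     0 SNAT       tcp  --  *      eth0    10.1.1.0/24          10.1.1.14            tcp dpt:22 to:10.1.1.1
"""

# Catch-all SNAT rule: any source, any destination, leaving interface group(1).
SNAT_RE = re.compile(
    r"\sSNAT\s+all\s+--\s+\*\s+(\S+)\s+0\.0\.0\.0/0\s+0\.0\.0\.0/0\s+to:(\S+)")

def source_nat_ips(cmds):
    """Map router name -> [(publicIp, broadcastUri)] sent with sourceNat=true.
    The batch holds one command per VLAN, so the count must span all commands."""
    found = defaultdict(list)
    for wrapper in cmds:
        cmd = wrapper["com.cloud.agent.api.routing.IpAssocCommand"]
        router = cmd["accessDetails"]["router.name"]
        for ip in cmd["ipAddresses"]:
            if ip.get("add") and ip.get("sourceNat"):
                found[router].append((ip["publicIp"], ip["broadcastUri"]))
    return dict(found)

def catch_all_snat_targets(postrouting, public_if="eth2"):
    """SNAT targets of catch-all rules leaving the public interface (assumed
    eth2); an isolated network's VR should carry exactly one."""
    return [m.group(2) for m in SNAT_RE.finditer(postrouting)
            if m.group(1) == public_if]

def check(cmds, postrouting):
    """Routers with >1 source NAT IP in the batch, and extra SNAT targets on the VR."""
    bad = {r: ips for r, ips in source_nat_ips(cmds).items() if len(ips) > 1}
    return bad, catch_all_snat_targets(postrouting)[1:]
```

Run against the report's data, `check()` names r-4-QA with both 10.147.48.5 and 10.147.52.221 flagged sourceNat, and 10.147.52.221 as the surplus catch-all SNAT rule.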