[ https://issues.apache.org/jira/browse/CLOUDSTACK-5815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sanjeev N resolved CLOUDSTACK-5815. ----------------------------------- Resolution: Fixed > [Hyper-v] Two SNAT rules for one isolated network if acquired ip is from > different vlan > --------------------------------------------------------------------------------------- > > Key: CLOUDSTACK-5815 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5815 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Components: Hypervisor Controller, Network Controller > Affects Versions: Future > Environment: Latest build from 4.3 branch with > commit:6f309b8a87d3376950a60234d399c6e3749ad1c7 > Reporter: Sanjeev N > Assignee: Rajesh Battala > Labels: hyper-V,, hyper-v, hyperv > Fix For: 4.4.0 > > > [Hyper-v] Two SNAT rules for one isolated network if acquired ip is from > different vlan > Steps to Reproduce: > ================= > 1.Bring up CS in advanced zone with hyper-v cluster > 2.Create isolated guest network and deploy few vms in the network > 3.Exhaust all the public IP addresses present in the zone (in user_ip_address > table set the allocated=now()) > 4.Add new public IP range in new vlan and new subnet > 5.Acquire one ip address from the new ip range and configure PF and assign > one vm deployed at step2 > Expected Result: > ============== > In isolated network there is only one SNAT ip address for the entire network. > So even the acquired IP address is from different vlan, new SNAT rule should > not be configured with the acquired ip address. > Actual Result: > ============ > Since the ip address acquired at step5 is from new vlan and is the ip address > from that vlan additional SNAT rule got configured on VR with the acquired ip > address. > Following is the output from iptables on VR: > root@r-4-VM:~# iptables -t nat -L -nv > Chain PREROUTING (policy ACCEPT 279 packets, 28169 bytes) > pkts bytes target prot opt in out source > destination > 0 0 DNAT tcp -- eth2 * 0.0.0.0/0 > 10.147.31.240 tcp dpt:22 to:10.1.1.26:22 > 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 > 10.147.31.240 tcp dpt:22 to:10.1.1.26:22 > Chain INPUT (policy ACCEPT 4 packets, 240 bytes) > pkts bytes target prot opt in out source > destination > Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes) > pkts bytes target prot opt in out source > destination > 0 0 DNAT tcp -- * * 0.0.0.0/0 > 10.147.31.240 tcp dpt:22 to:10.1.1.26:22 > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) > pkts bytes target prot opt in out source > destination > 0 0 SNAT tcp -- * eth0 10.1.1.0/24 10.1.1.26 > tcp dpt:22 to:10.1.1.1 > 4 304 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 > to:10.147.48.5 > 0 0 SNAT all -- * eth2 0.0.0.0/0 0.0.0.0/0 > to:10.147.31.240 > ip address configuration on eth2 as follows: > root@r-4-VM:~# ip addr show eth2 > 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP > qlen 1000 > link/ether 06:78:3c:00:00:17 brd ff:ff:ff:ff:ff:ff > inet 10.147.48.5/24 brd 10.147.48.255 scope global eth2 > inet 10.147.31.240/24 brd 10.147.31.255 scope global eth2 > inet6 fe80::478:3cff:fe00:17/64 scope link > valid_lft forever preferred_lft forever > Following is the IpAssocCmd got executed after configuring PF rule on the > acquired ip address: > 2014-01-07 11:30:39,274 DEBUG [c.c.a.t.Request] (Job-Executor-31:ctx-26e587af > ctx-d423299a) Seq 4-2034961238: Sending { Cmd , MgmtId: 132129494109518, > via: 4(10.147.40.31), Ver: v1, Flags: 100001, > [{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.48.5","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:88:76:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}},{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.31.240","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://31","vlanGateway":"10.147.31.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:78:3e:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}}] > } > 2014-01-07 11:30:39,275 DEBUG [c.c.a.t.Request] (Job-Executor-31:ctx-26e587af > ctx-d423299a) Seq 4-2034961238: Executing: { Cmd , MgmtId: 132129494109518, > via: 4(10.147.40.31), Ver: v1, Flags: 100001, > [{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147.48.5","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://48","vlanGateway":"10.147.48.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:88:76:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}},{"com.cloud.agent.api.routing.IpAssocCommand":{"ipAddresses":[{"accountId":2,"publicIp":"10.147 > 31.240","sourceNat":true,"add":true,"oneToOneNat":false,"firstIP":true,"broadcastUri":"vlan://31","vlanGateway":"10.147.31.1","vlanNetmask":"255.255.255.0","vifMacAddress":"06:78:3e:00:00:17","networkRate":200,"trafficType":"Public"}],"accessDetails":{"router.guest.ip":"10.1.1.1","zone.network.type":"Advanced","router.ip":"10.147.40.230","router.name":"r-4-VM"},"wait":0}}] > } > In the above IpAssocCommand sourceNat is set to true even for the new > acquired ip address in the same netowrk. -- This message was sent by Atlassian JIRA (v6.1.5#6160)