[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-7027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14113635#comment-14113635
 ] 

Jayapal Reddy commented on CLOUDSTACK-7027:
-------------------------------------------

Problem:
------------
On an additional public subnet, removing a public IP is not deleting the SNAT rules.
It is reproduced when the IP is added as the first IP but, while removing, the IP is
removed as a non-first IP.

Root Cause Analysis:
----------------------------
For an additional public subnet (non-source-NAT network), the first IP is selected
from the list which is retrieved from the DB.
When you have a few IPs, delete/add operations on them change the order of the IPs.

Configure static NAT on the max IP first. Configure a few static NATs on smaller IPs.
While removing, remove the max IP first so that it is not selected as the first IP.
Due to this, the SNAT rules configured on it are untouched on the VR.

While adding, source NAT rules are added for the first IP.

Proposed solution:
-----------------------
To delete the SNAT rules, while disabling static NAT on an IP from the non-source-NAT
network, set the source NAT flag to true.
This is to make sure the SNAT rules get removed.

Verification steps:
------------------------
1. Add an additional public range.
2. Acquire public IPs.
3. Configure PF/firewall rules on a public IP.
4. Observe the SNAT rules for the public IP in 'iptables -t nat -L -nv'.
5. Remove the IP/rules on that IP (select the max IP from the acquired pool).
6. Repeat the acquire, configure rule, remove rules.
Make sure that there are SNAT rules for the removed IP.



> Leftover of SNAT rule was causing network down under L3 switch
> --------------------------------------------------------------
>
>                 Key: CLOUDSTACK-7027
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-7027
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Network Controller
>    Affects Versions: 4.0.0
>            Reporter: Jayapal Reddy
>            Assignee: Jayapal Reddy
>              Labels: AUTOMATION_REQ, DEV_REVIEWED
>             Fix For: 4.4.0
>
>
> Reproducing steps:
> 1. Add an additional public range.
> 2. Acquire public IPs.
> 3. Configure PF/firewall rules on a public IP.
> 4. Observe the SNAT rules for the public IP in 'iptables -t nat -L -nv'.
> 5. Remove the IP/rules on that IP (select the max IP from the acquired pool).
> 6. Repeat the acquire, configure rule, remove rules.
> You can observe SNAT rules for the removed IP on the router.



--
This message was sent by Atlassian JIRA
(v6.2#6252)