[jira] [Commented] (CLOUDSTACK-8905) [Blocker] Egress rules are not configured in VR

Sun, 27 Sep 2015 05:12:31 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14909705#comment-14909705
 ] 

ASF subversion and git services commented on CLOUDSTACK-8905:
-------------------------------------------------------------

Commit 3ded3e90007d08fa98465f2b8c68b7fb075557c0 in cloudstack's branch 
refs/heads/master from [~remibergsma]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3ded3e9 ]

Merge pull request #887 from schubergphilis/vr_fixes_combined

[BLOCKER] Combined PRs that fix VR issuesTonight I worked with @wilderrodrigues 
to figure out what is wrong with the virtual router. As we couldn't test single 
PRs any more (because of other issues with them causing tests to fail) we added 
all VR related PRs in a separate branch and started testing from there.

We combined the following PRs into this PR:
#836 #851 #867 #870 #881 #882 #842

After that, one issue remains: the VPC does not get a default gateway. Which is 
strange, because we already solved it in PR #738. When I look back, it was 
fixed again in PR #784. It could very well be that either one fixed one 
specific case, but also breaking the other. We need to investigate this, and 
make sure there will be a fix that works both for VPCs and VRs.

When we manually add the default gateway on the VPC, most tests pass and also 
spinning up two VPCs with one tier each, having a VM and them using s2s to VPN 
them together works fine. See for more details the report Wilder sent earlier.

Tomorrow we'll try to figure out how to fix the default gateway and merge this. 
Then we should have a base to work from again. Any PR that fixes another 
blocker, should at least then be rebased against the fixed master so we can run 
the tests against the PR branch. I'm not saying everything is fixed, I'm just 
saying that we can spin up a cloud that has working VMs.

When, in the mean time, someone has the time to checkout this branch and make 
the default route work for both VPC and VR that would be awesome. After that we 
should double check and verify the test results.

Pinging @karuturi to let her know the current status.

Regards,
Wilder / Remi

* pr/887:
  Fixing the index out of bounds error in the check_if_link_up() function
  small cleanups
  Fixing the defaut route for VPC routers
  Formatting the get_gateway() method in the CsDatabag.py file
  Fixing the dhcpsrvr iptables file
  Formatting the router_proxy.sh script
  CLOUDSTACK-8881: Fixed Static and PF configuration issue
  CLOUDSTACK-8905: Fixed hooking egress rules
  CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic
  Configured dnsmasq to listen on all interfaces so that vpn  client gets dns
  CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific 
ports
  CLOUDSTACK-8863: VM doesn't reconnect to internet post VR 
RESTART/STOP-START/RECREATE
  CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

Signed-off-by: Remi Bergsma <git...@remi.nl>


> [Blocker] Egress rules are not configured in VR
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-8905
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>    Affects Versions: 4.6.0
>            Reporter: Raja Pullela
>            Assignee: Jayapal Reddy
>            Priority: Blocker
>             Fix For: 4.6.0
>
>
> 1. Deployed CS Advanced zone.
>  2. Created an isolated network.
>  3. Navigate to Egress rule:
>  Observing a pop up message:
>  "Configure the rules to allow Traffic"
> Inside VR :
> root@r-9-VM:~# iptables-save
> 1.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *filter
>  :INPUT DROP [0:0]
>  :FORWARD DROP [0:0]
>  :OUTPUT ACCEPT [65:7867]
>  :FW_OUTBOUND - [0:0]
>  :NETWORK_STATS - [0:0]
>  -A INPUT -j NETWORK_STATS
>  -A INPUT -d 224.0.0.18/32 -j ACCEPT
>  -A INPUT -d 225.0.0.50/32 -j ACCEPT
>  -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A INPUT -p icmp -j ACCEPT
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED 
> -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED 
> -j ACCEPT
>  -A INPUT -d 224.0.0.18/32 -j ACCEPT
>  -A INPUT -d 225.0.0.50/32 -j ACCEPT
>  -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A INPUT -p icmp -j ACCEPT
>  -A INPUT -i lo -j ACCEPT
>  -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
>  -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
>  -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
>  -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED 
> -j ACCEPT
>  -A FORWARD -j NETWORK_STATS
>  -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
>  -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
>  -A OUTPUT -j NETWORK_STATS
>  -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A NETWORK_STATS -i eth0 -o eth2
>  -A NETWORK_STATS -i eth2 -o eth0
>  -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
>  -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
>  COMMIT
> 2.Completed on Wed Sep 23 10:46:46 2015
> 3.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *nat
>  :PREROUTING ACCEPT [21:1428]
>  :INPUT ACCEPT [21:1428]
>  :OUTPUT ACCEPT [2:152]
>  :POSTROUTING ACCEPT [0:0]
>  -A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9
>  COMMIT
> 4.Completed on Wed Sep 23 10:46:46 2015
> 5.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015
>  *mangle
>  :PREROUTING ACCEPT [331:33456]
>  :INPUT ACCEPT [352:35052]
>  :FORWARD ACCEPT [0:0]
>  :OUTPUT ACCEPT [331:44643]
>  :POSTROUTING ACCEPT [331:44643]
>  :FIREWALL_10.147.47.9 - [0:0]
>  :VPN_10.147.47.9 - [0:0]
>  -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK 
> --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
>  -A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9
>  -A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9
>  -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK 
> --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
>  -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark 
> 0x2/0xffffffff
>  -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark 
> 0x0/0xffffffff
>  -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
>  -A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A FIREWALL_10.147.47.9 -j DROP
>  -A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT
>  -A VPN_10.147.47.9 -j RETURN
>  COMMIT
> 6.Completed on Wed Sep 23 10:46:46 2015
>  root@r-9-VM:~#



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to