[ https://issues.apache.org/jira/browse/CLOUDSTACK-8905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14909705#comment-14909705 ]
ASF subversion and git services commented on CLOUDSTACK-8905: ------------------------------------------------------------- Commit 3ded3e90007d08fa98465f2b8c68b7fb075557c0 in cloudstack's branch refs/heads/master from [~remibergsma] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3ded3e9 ] Merge pull request #887 from schubergphilis/vr_fixes_combined [BLOCKER] Combined PRs that fix VR issuesTonight I worked with @wilderrodrigues to figure out what is wrong with the virtual router. As we couldn't test single PRs any more (because of other issues with them causing tests to fail) we added all VR related PRs in a separate branch and started testing from there. We combined the following PRs into this PR: #836 #851 #867 #870 #881 #882 #842 After that, one issue remains: the VPC does not get a default gateway. Which is strange, because we already solved it in PR #738. When I look back, it was fixed again in PR #784. It could very well be that either one fixed one specific case, but also breaking the other. We need to investigate this, and make sure there will be a fix that works both for VPCs and VRs. When we manually add the default gateway on the VPC, most tests pass and also spinning up two VPCs with one tier each, having a VM and them using s2s to VPN them together works fine. See for more details the report Wilder sent earlier. Tomorrow we'll try to figure out how to fix the default gateway and merge this. Then we should have a base to work from again. Any PR that fixes another blocker, should at least then be rebased against the fixed master so we can run the tests against the PR branch. I'm not saying everything is fixed, I'm just saying that we can spin up a cloud that has working VMs. When, in the mean time, someone has the time to checkout this branch and make the default route work for both VPC and VR that would be awesome. After that we should double check and verify the test results. Pinging @karuturi to let her know the current status. Regards, Wilder / Remi * pr/887: Fixing the index out of bounds error in the check_if_link_up() function small cleanups Fixing the defaut route for VPC routers Formatting the get_gateway() method in the CsDatabag.py file Fixing the dhcpsrvr iptables file Formatting the router_proxy.sh script CLOUDSTACK-8881: Fixed Static and PF configuration issue CLOUDSTACK-8905: Fixed hooking egress rules CLOUDSTACK-8891: Fixed default iptables rules on VR for guest traffic Configured dnsmasq to listen on all interfaces so that vpn client gets dns CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR Signed-off-by: Remi Bergsma <git...@remi.nl> > [Blocker] Egress rules are not configured in VR > ----------------------------------------------- > > Key: CLOUDSTACK-8905 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8905 > Project: CloudStack > Issue Type: Bug > Security Level: Public(Anyone can view this level - this is the > default.) > Affects Versions: 4.6.0 > Reporter: Raja Pullela > Assignee: Jayapal Reddy > Priority: Blocker > Fix For: 4.6.0 > > > 1. Deployed CS Advanced zone. > 2. Created an isolated network. > 3. Navigate to Egress rule: > Observing a pop up message: > "Configure the rules to allow Traffic" > Inside VR : > root@r-9-VM:~# iptables-save > 1.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015 > *filter > :INPUT DROP [0:0] > :FORWARD DROP [0:0] > :OUTPUT ACCEPT [65:7867] > :FW_OUTBOUND - [0:0] > :NETWORK_STATS - [0:0] > -A INPUT -j NETWORK_STATS > -A INPUT -d 224.0.0.18/32 -j ACCEPT > -A INPUT -d 225.0.0.50/32 -j ACCEPT > -A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p icmp -j ACCEPT > -A INPUT -i lo -j ACCEPT > -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED > -j ACCEPT > -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED > -j ACCEPT > -A INPUT -d 224.0.0.18/32 -j ACCEPT > -A INPUT -d 225.0.0.50/32 -j ACCEPT > -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p icmp -j ACCEPT > -A INPUT -i lo -j ACCEPT > -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT > -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT > -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT > -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED > -j ACCEPT > -A FORWARD -j NETWORK_STATS > -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT > -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND > -A OUTPUT -j NETWORK_STATS > -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT > -A NETWORK_STATS -i eth0 -o eth2 > -A NETWORK_STATS -i eth2 -o eth0 > -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp > -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp > COMMIT > 2.Completed on Wed Sep 23 10:46:46 2015 > 3.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015 > *nat > :PREROUTING ACCEPT [21:1428] > :INPUT ACCEPT [21:1428] > :OUTPUT ACCEPT [2:152] > :POSTROUTING ACCEPT [0:0] > -A POSTROUTING -o eth2 -j SNAT --to-source 10.147.47.9 > COMMIT > 4.Completed on Wed Sep 23 10:46:46 2015 > 5.Generated by iptables-save v1.4.14 on Wed Sep 23 10:46:46 2015 > *mangle > :PREROUTING ACCEPT [331:33456] > :INPUT ACCEPT [352:35052] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [331:44643] > :POSTROUTING ACCEPT [331:44643] > :FIREWALL_10.147.47.9 - [0:0] > :VPN_10.147.47.9 - [0:0] > -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK > --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff > -A PREROUTING -d 10.147.47.9/32 -j FIREWALL_10.147.47.9 > -A PREROUTING -d 10.147.47.9/32 -j VPN_10.147.47.9 > -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK > --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff > -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-xmark > 0x2/0xffffffff > -A PREROUTING -i eth0 -m state --state NEW -j CONNMARK --set-xmark > 0x0/0xffffffff > -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill > -A FIREWALL_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A FIREWALL_10.147.47.9 -j DROP > -A VPN_10.147.47.9 -m state --state RELATED,ESTABLISHED -j ACCEPT > -A VPN_10.147.47.9 -j RETURN > COMMIT > 6.Completed on Wed Sep 23 10:46:46 2015 > root@r-9-VM:~# -- This message was sent by Atlassian JIRA (v6.3.4#6332)