[ https://issues.apache.org/jira/browse/CLOUDSTACK-9838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15960742#comment-15960742 ]

ASF GitHub Bot commented on CLOUDSTACK-9838:
--------------------------------------------

GitHub user rhtyd reopened a pull request:

    https://github.com/apache/cloudstack/pull/2034

    [4.9+][network blocker] CLOUDSTACK-9838: Allow ingress traffic between guest VMs via snat IPs

    This enables the firewall/mangle tables rules to ACCEPT instead of RETURN, which
    is the same behaviour as observed in ACS 4.5. By accepting the traffic, guest
    VMs will be able to communicate tcp traffic between each other over snat public
    IPs.
    
    This is a regression from ACS 4.5, observed in ACS 4.9.2.0.
    Pinging for review - @PaulAngus @borisstoyanov @DagSonsteboSB 
@abhinandanprateek @DaanHoogland and others
    
    @blueorangutan package

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shapeblue/cloudstack CLOUDSTACK-9838

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/2034.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2034
    
----
commit f4835294869f01def94618f2c206160ccb3b719f
Author: Rohit Yadav <rohit.ya...@shapeblue.com>
Date:   2017-04-07T11:44:18Z

    CLOUDSTACK-9838: Allow ingress traffic between guest VMs via snat IPs
    
    This enables the firewall/mangle tables rules to ACCEPT instead of RETURN, which
    is the same behaviour as observed in ACS 4.5. By accepting the traffic, guest
    VMs will be able to communicate tcp traffic between each other over snat public
    IPs.
    
    Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com>

----


> When 2 VMs have SNAT IPs assigned, they cannot communicate with each other via the SNAP IPs (normal VR)
> -------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-9838
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-9838
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>          Components: Virtual Router
>    Affects Versions: 4.6.2, 4.7.1, 4.10.0.0, 4.9.2.0, 4.8.1.1
>            Reporter: Paul Angus
>            Assignee: Rohit Yadav
>            Priority: Minor
>
> When 2 VMs have SNAT IPs (on different public subnets) assigned, they cannot communicate with each other via the SNAT IPs.
> Traffic flows over the SNAT IPs successfully to/from external networks/IPs.
>
> using iptables -t mangle -vL
>
> from ACS 4.5
> established connections are ACCEPTed and are at the top of the order. RETURN happens later.
>
> Chain FIREWALL_10.1.35.23 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>     0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
>     0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
>     0     0 DROP       all  --  any    any     anywhere             anywhere
>
> using ACS 4.9
> the ACCEPT of established connections is at the END after the RETURN and so inspections don't get as far as the ACCEPT.
>
> Chain FIREWALL_10.1.64.9 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
>    39  3002 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
>  4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>   397 40700 DROP       all  --  any    any     anywhere             anywhere
>
> moving
>  4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
> to the top of this section resolves the issues and traffic can flow over the SNAT IPs.
>
> I believe that this only affects 'hairpin nat' traffic as it is in the mangle table.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
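The issue text above comes down to rule ordering inside the VR's mangle `FIREWALL_<public-ip>` chain: a reply packet of a hairpin (SNAT-to-SNAT) flow must hit the `state RELATED,ESTABLISHED` ACCEPT before any RETURN rule, otherwise it is returned to the caller chain and later dropped. The following is an added example, not code from the CloudStack project or from the pull request: a small audit that parses `iptables -t mangle -vL` output for one chain and reports whether the ESTABLISHED accept is shadowed by an earlier RETURN. The two chain dumps embedded in it are constructed from the output quoted in the issue (the 4.5 ordering and the 4.9 ordering); the function and field names are my own.

```python
"""Audit an `iptables -t mangle -vL` chain dump for the rule-order regression
described in CLOUDSTACK-9838. Added example; the chain dumps are constructed
from the output quoted in the issue, not captured from a live router."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    index: int      # position in the chain, 0-based
    target: str     # ACCEPT / RETURN / DROP ...
    proto: str      # all / tcp / icmp ...
    matches: str    # trailing match text, e.g. "state RELATED,ESTABLISHED"


def parse_chain(dump: str) -> Tuple[str, List[Rule]]:
    """Parse a single chain from verbose `iptables -vL` output."""
    chain: Optional[str] = None
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        if line.startswith("pkts"):
            continue  # column header row
        # columns: pkts bytes target prot opt in out source destination [matches...]
        fields = line.split(None, 9)
        if len(fields) < 9:
            raise ValueError(f"unparseable rule line: {line!r}")
        matches = fields[9] if len(fields) > 9 else ""
        rules.append(Rule(len(rules), fields[2], fields[3], matches))
    if chain is None:
        raise ValueError("no 'Chain' header found in dump")
    return chain, rules


def audit_chain(dump: str) -> dict:
    """Report whether RETURN rules precede the RELATED,ESTABLISHED ACCEPT."""
    chain, rules = parse_chain(dump)
    established = [r for r in rules
                   if r.target == "ACCEPT" and "ESTABLISHED" in r.matches]
    est_index = established[0].index if established else None
    # Any RETURN placed before the ESTABLISHED accept (or with no such accept
    # at all) diverts reply packets before they can be accepted.
    shadowing = [r.index for r in rules
                 if r.target == "RETURN" and (est_index is None or r.index < est_index)]
    return {
        "chain": chain,
        "rule_count": len(rules),
        "established_accept_index": est_index,
        "return_rules_before_it": shadowing,
        "ok": est_index is not None and not shadowing,
    }


# Constructed from the ACS 4.5 chain quoted in the issue (ESTABLISHED accept first).
ACS45_CHAIN = """Chain FIREWALL_10.1.35.23 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 RETURN     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
    0     0 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""

# Constructed from the ACS 4.9 chain quoted in the issue (ESTABLISHED accept after a RETURN).
ACS49_CHAIN = """Chain FIREWALL_10.1.64.9 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmptype 8 code 0
   39  3002 RETURN     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
 4921 4906K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  397 40700 DROP       all  --  any    any     anywhere             anywhere
"""

if __name__ == "__main__":
    for dump in (ACS45_CHAIN, ACS49_CHAIN):
        print(audit_chain(dump))
```

On a running VR the same check applies to `iptables -t mangle -vL FIREWALL_<ip>` captured for each public IP; `"ok": False` with a non-empty `return_rules_before_it` is the 4.9 ordering from the issue. The pull request's approach (emitting ACCEPT instead of RETURN for the per-rule matches) also satisfies this check, because a chain with no RETURN rule ahead of the ESTABLISHED accept has nothing to shadow it.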
