sadhu suresh created CLOUDSTACK-99:
--------------------------------------

             Summary: disable staticNat deletes the firewall rule
                 Key: CLOUDSTACK-99
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-99
             Project: CloudStack
          Issue Type: Bug
          Components: Network Controller
         Environment: Git Revision: 03df2fa9dd45c938f72cd1866044b09d1b0cc978
                      Git URL: https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.gi
            Reporter: sadhu suresh
             Fix For: pre-4.0.0

Steps:

1. Create an advanced zone with the hypervisor as Xen.
2. Deploy a VM.
3. Acquire a public IP and configure a firewall rule for port 22.
4. Enable static NAT.
5. Disable static NAT.
6. Observe the behavior.

Actual result:

Disabling static NAT was successful, but it deletes the firewall rule as well.

Earlier, in 2.2.x, when we defined any service the corresponding firewall rule was created, and when we deleted the policy (PF/static NAT) the corresponding firewall rule was deleted in the background. But in 3.0.x the firewall is separated from services/policies like PF/StaticNat; we need to explicitly define a firewall rule for these policies/services.

Expected result:

It should not delete the firewall rule when we disable the static NAT rule. If the customer wants to use the same public IP for other services like PF, then he has to define the firewall rule again to open port 22 for SSH. If it is working as per design, then it needs to be documented clearly.

Before disabling the firewall:

root@r-11-VM:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore
MARK       all  --  anywhere             10.147.49.24        state NEW MARK set 0x2
CONNMARK   all  --  anywhere             10.147.49.24        state NEW CONNMARK save
MARK       all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW MARK set 0x2
CONNMARK   all  --  8d1a831e-0eb3-46d8-8347-c7920e1e7cd2  anywhere            state NEW CONNMARK save

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_10.147.49.24 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

After disabling the static NAT:

root@r-11-VM:~# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VPN_10.147.49.33  all  --  anywhere             10.147.49.33
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
CONNMARK   all  --  anywhere             anywhere            state RELATED,ESTABLISHED CONNMARK restore

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
CHECKSUM   udp  --  anywhere             anywhere            udp dpt:bootpc CHECKSUM fill

Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain VPN_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     all  --  anywhere             anywhere
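As an added example, not part of this report or of CloudStack itself, a small Python script that parses two `iptables -L -t mangle` snapshots taken before and after a policy change and reports which FIREWALL_<ip> chains or rules disappeared between them; the embedded snapshots are abbreviated from the two listings in this report, so running it reproduces the lost port-22 rule.

```python
import re

# Snapshots abbreviated from the two listings in this report: only the chains
# relevant to the lost SSH rule are kept.
BEFORE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FIREWALL_10.147.49.24  all  --  anywhere             10.147.49.24
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
Chain FIREWALL_10.147.49.24 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere
Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""
AFTER = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FIREWALL_10.147.49.33  all  --  anywhere             10.147.49.33
Chain FIREWALL_10.147.49.33 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
"""

def parse_chains(listing):
    """Map each chain name to its rule lines (whitespace-normalised, header rows dropped)."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        match = re.match(r"Chain (\S+) \(", line)
        if match:
            current = match.group(1)
            chains[current] = []
        elif line and current and not line.startswith("target "):
            chains[current].append(re.sub(r"\s+", " ", line))
    return chains

def lost_firewall_rules(before, after):
    """Return {chain: [rules]} for FIREWALL_<ip> rules present before but absent after."""
    old, new = parse_chains(before), parse_chains(after)
    lost = {}
    for name, rules in old.items():
        if name.startswith("FIREWALL_"):
            # A chain removed wholesale reports all of its rules as lost.
            missing = [r for r in rules if r not in new.get(name, [])]
            if missing:
                lost[name] = missing
    return lost
```

Feed it the full output of `iptables -L -t mangle` captured before and after disabling static NAT on the router VM; an empty result means no firewall rule was dropped by the operation.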