Hi Marcus,

I didn't realize the rp_filter issue when I worked on the VPC feature; thanks for
the fix.

With the fix, the guest NIC has rp_filter on and the public NIC has rp_filter
off; that's correct. But it seems eth0 (link local) has rp_filter off, which
is supposed to be on; this is very trivial.

I'm wondering if we can fix this in the opposite way in the VPC router?
By default, rp_filter is on.
When a public IP is associated to a VM, rp_filter is turned off explicitly for
this NIC in vpc_ipassoc.sh.

In the VPC router, only eth0 is passed by kernel argument; further NICs are hot
plugged into the VPC router, so even eth1 (public NIC) is hot plugged into the VPC
router and programmed by vpc_ipassoc.sh.


Thanks,
Anthony



> -----Original Message-----
> From: mlsoren...@apache.org [mailto:mlsoren...@apache.org]
> Sent: Thursday, January 17, 2013 11:51 AM
> To: cloudstack-comm...@incubator.apache.org
> Subject: git commit: Summary: Fix rp_filter for VPC router
> 
> Updated Branches:
>   refs/heads/master 0b60c0d3c -> e37a82375
> 
> 
> Summary: Fix rp_filter for VPC router
> 
> Detail: VPC router was being treated like normal VR, which was an issue because
> normally the VR has an eth0,1,2 which are isolated, linklocal, and public
> networks respectively. rp_filter is turned on for eth0,1 and off for 2
> (hardcoded). VPC however comes up with eth0,1 as public, linklocal, and no other
> interfaces until new isolated networks are added, so the process doesn't work.
> This change turns on rp_filter as new isolated networks are added to the VR.
> 
> BUG-ID: CLOUDSTACK-938
> Bugfix-for: 4.0.2
> Signed-off-by: Marcus Sorensen <mar...@betterservers.com> 1358451991 -0700
> 
> 
> Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
> Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/e37a8237
> Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/e37a8237
> Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/e37a8237
> 
> Branch: refs/heads/master
> Commit: e37a82375c1dd7631f37de1ed1b336f524d08c62
> Parents: 0b60c0d
> Author: Marcus Sorensen <mar...@betterservers.com>
> Authored: Thu Jan 17 12:46:31 2013 -0700
> Committer: Marcus Sorensen <mar...@betterservers.com>
> Committed: Thu Jan 17 12:51:38 2013 -0700
> 
> ----------------------------------------------------------------------
>  .../debian/config/etc/init.d/cloud-early-config    |    2 +-
>  .../debian/config/opt/cloud/bin/vpc_guestnw.sh     |    1 +
>  2 files changed, 2 insertions(+), 1 deletions(-)
> ----------------------------------------------------------------------
> 
> 
> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/e37a8237/patches/systemvm/debian/config/etc/init.d/cloud-early-config
> ----------------------------------------------------------------------
> diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-early-
> config b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
> index fe536cb..285a92f 100755
> --- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config
> +++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config
> @@ -660,7 +660,7 @@ EOF
>    enable_svc dnsmasq 1
>    enable_svc haproxy 1
>    enable_svc cloud 0
> -  disable_rpfilter_domR
> +  disable_rpfilter
>    enable_fwding 1
>    cp /etc/iptables/iptables-vpcrouter /etc/iptables/rules
>    setup_sshd $ETH0_IP "eth0"
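
Review bot: at the changed call in the VPC router setup (`disable_rpfilter` replacing `disable_rpfilter_domR`), nothing says which interfaces the new function leaves with rp_filter off, and neither function body is part of this patch. Since the reply above reports eth0 (link local) ending up with rp_filter off, please confirm what `disable_rpfilter` touches at boot and add a short comment at the call naming the interface(s) it is meant to exempt, so that only the public NIC runs without reverse-path filtering.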
> 
> http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/e37a8237/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
> ----------------------------------------------------------------------
> diff --git
> a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
> b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
> index d20ed5a..c909cf7 100755
> --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
> +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
> @@ -134,6 +134,7 @@ create_guest_network() {
>    sudo ip addr add dev $dev $ip/$mask brd +
>    sudo ip link set $dev up
>    sudo arping -c 3 -I $dev -A -U -s $ip $ip
> +  echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
>    # restore mark from  connection mark
>    local tableName="Table_$dev"
>    sudo ip route add $subnet/$mask dev $dev table $tableName proto
> static
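
Review bot: the added `echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter` in create_guest_network() is the only command in this block not run through `sudo`, and its result is not checked, so if the script runs unprivileged the write fails and the new guest NIC keeps whatever rp_filter value it came up with while setup continues. Suggest `sudo sysctl -w net.ipv4.conf.$dev.rp_filter=1` (a plain `sudo echo 1 > file` would not help, because the redirect is opened by the calling shell), with `$dev` quoted and a failure logged. It would also be tighter to set it before `ip link set $dev up`, so the interface never carries traffic with the filter off.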

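An added example, not part of the original thread or of CloudStack's scripts: a shell audit of the per-interface policy discussed above (public NIC off, link-local and guest NICs on), using the kernel's rule that the effective value is the higher of conf/all and conf/<dev>. The function names, the constructed sample tree and the choice of eth1 as the public NIC are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit rp_filter per interface against the policy in this thread.
# The tree layout mirrors /proc/sys/net/ipv4/conf; the sample tree is constructed.

# Effective setting = max(conf/all, conf/<dev>), which is what the kernel applies.
effective_rp_filter() {
  root=$1; dev=$2
  all=$(cat "$root/all/rp_filter")
  own=$(cat "$root/$dev/rp_filter")
  if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Print one line per deviating interface: the public NIC is expected to be 0,
# every other NIC (link-local, guest) 1 (strict). Returns 1 on any deviation.
audit_rp_filter() {
  root=$1; public_dev=$2; rc=0
  for dir in "$root"/*/; do
    dev=$(basename "$dir")
    case $dev in all|default|lo) continue ;; esac   # not per-NIC policy targets
    want=1
    [ "$dev" = "$public_dev" ] && want=0
    got=$(effective_rp_filter "$root" "$dev")
    if [ "$got" -ne "$want" ]; then
      echo "$dev effective=$got expected=$want"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: first argument is conf/all, the rest are dev=value pairs.
make_sample_tree() {
  root=$(mktemp -d)
  all=$1; shift
  mkdir -p "$root/all" && echo "$all" > "$root/all/rp_filter"
  for pair in "$@"; do
    mkdir -p "$root/${pair%%=*}"
    echo "${pair#*=}" > "$root/${pair%%=*}/rp_filter"
  done
  echo "$root"
}

# State described in the reply: eth0 (link local) off, eth1 (public) off, eth2 (guest) on.
tree=$(make_sample_tree 0 eth0=0 eth1=0 eth2=1)
audit_rp_filter "$tree" eth1 || echo "policy deviations found"
rm -rf "$tree"
```

On a live router the first argument would be /proc/sys/net/ipv4/conf. Note that a non-zero conf/all overrides a per-interface 0, so the public NIC is flagged in that case even though its own file reads 0.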