fix nat table by getting the fitting device for an address #9552
base: 4.19
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files:
@@            Coverage Diff             @@
##              4.19    #9552      +/-   ##
============================================
- Coverage     15.08%   15.08%   -0.01%
- Complexity    11184    11185       +1
============================================
  Files          5406     5406
  Lines        472889   472915      +26
  Branches      57738    57661      -77
============================================
+ Hits          71352    71354       +2
- Misses       393593   393617      +24
  Partials       7944     7944
@DaanHoogland Assume there are two public IPs in the VPC VR (and isolated network VR):
I think the expected behaviour should be
currently the rules are
seems better to change to
or
to be discussed
@@ -554,7 +554,7 @@ def fw_vpcrouter(self): | |||
if self.address["source_nat"]: | |||
self.fw.append(["nat", "front", | |||
"-A POSTROUTING -o %s -j SNAT --to-source %s" % | |||
(self.dev, self.address['public_ip'])]) | |||
(self.address['device'], self.address['public_ip'])]) |
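Review bot: the last line swaps `self.dev` for `self.address['device']` in the `-o` argument of the SNAT rule, but this branch only runs when `self.address["source_nat"]` is set, and the discussion below asks whether `self.address['device']` is actually populated and equal to `self.dev` for a private gateway. Guard that `self.address['device']` is present before building the rule, otherwise `-o None` lands in the nat table via the `%s` formatting; a short comment on why the address's own device rather than the current interface is needed here would also help the next reader.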
This line applies only when the private gateway is source NAT.
It seems we need to change lines 698-700.
OK, I'll try and find out if we have data on the second IF at that point.
@DaanHoogland
Have you checked the new iptables rules? Do they look good?
Try the changes on lines 698-700, @DaanHoogland.
Have a look at those, @weizhouapache; they work in my test.
It looks like this code snippet (lines 554 to 557) can be removed.
It has been covered by lines 696-697 (new code).
Please ignore my previous comment.
Need to check: for a private gateway, is self.dev the same as self.address['device']?
elif cmdline.get_source_nat_ip() and not self.is_private_gateway(): | ||
self.fw.append( | ||
["nat", "", "-A POSTROUTING -j SNAT -o %s --to-source %s" % (self.dev, cmdline.get_source_nat_ip())]) | ||
self.fw.append( |
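Review bot: the `elif` branch on the first line appends a SNAT rule for `self.dev` every time it is evaluated, so, as far as the visible lines show, a NIC carrying several public IPs gets several `-A POSTROUTING -j SNAT -o ethX` rules for the same interface; SNAT is a terminating target, so only the first rule for an interface is ever hit and the rest are dead entries. Emit the rule once per device instead (tracking devices already handled). The `--to-source` is also always `cmdline.get_source_nat_ip()` regardless of which interface `self.dev` names, so an additional public NIC would be translated to an IP that lives on the source-NAT interface; the expected rule set in the thread uses the first public IP on that NIC.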
If there are multiple public IPs (in multiple ranges), will there be the same number of rules?
I am not sure I understand the question. I checked this in a lab env and the resulting nat table was exactly as described in the issue, with only the last line being different. Are you considering another configuration here, @weizhouapache?
For each public IP (and private gateway), there will be a rule like the one below, right?
-A POSTROUTING -j SNAT -o ethX --to-source xx.yy.zz.xx
@DaanHoogland
To be clear, we need a rule for each public NIC, for example:
-A POSTROUTING -j SNAT -o eth1 --to-source <source nat IP> # this is for source nat NIC
-A POSTROUTING -j SNAT -o eth5 --to-source <first public IP on eth5> # this is for additional public NIC
If I understand correctly, with the current changes the rules are, for example:
-A POSTROUTING -j SNAT -o eth1 --to-source <source nat IP> # this is for source nat NIC
-A POSTROUTING -j SNAT -o eth1 --to-source <second IP on source nat NIC> # this is for source nat NIC
-A POSTROUTING -j SNAT -o eth1 --to-source <third IP on source nat NIC> # this is for source nat NIC
-A POSTROUTING -j SNAT -o eth5 --to-source <first public IP on eth5> # this is for additional public NIC
-A POSTROUTING -j SNAT -o eth5 --to-source <second public IP on eth5> # this is for additional public NIC
-A POSTROUTING -j SNAT -o eth5 --to-source <third public IP on eth5> # this is for additional public NIC
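The two rule sets laid out above, as an added Python example that is not CloudStack's VR code: it builds the current one-rule-per-IP output and the expected one-rule-per-NIC output from constructed address records whose field names (`device`, `public_ip`, `source_nat`) follow the `self.address` dict in the diff, and flags interfaces that end up with more than one SNAT rule.

```python
# Added example (not CloudStack code). Address records are constructed;
# field names mirror the self.address dict used in the VR firewall script.
SAMPLE_ADDRESSES = [
    {"device": "eth1", "public_ip": "203.0.113.10",  "source_nat": True},
    {"device": "eth1", "public_ip": "203.0.113.11",  "source_nat": False},
    {"device": "eth1", "public_ip": "203.0.113.12",  "source_nat": False},
    {"device": "eth5", "public_ip": "198.51.100.20", "source_nat": False},
    {"device": "eth5", "public_ip": "198.51.100.21", "source_nat": False},
    {"device": "eth5", "public_ip": "198.51.100.22", "source_nat": False},
]

RULE = "-A POSTROUTING -j SNAT -o %s --to-source %s"


def snat_rules_per_address(addresses):
    """Behaviour described for the current changes: one rule per public IP."""
    return [RULE % (a["device"], a["public_ip"]) for a in addresses]


def snat_rules_per_nic(addresses):
    """Expected behaviour: one rule per NIC. The source-NAT NIC uses the
    source-NAT IP; every other NIC uses the first public IP seen on it."""
    chosen = {}  # device -> ip; dict keeps insertion order (Python 3.7+)
    for a in addresses:
        dev = a["device"]
        if a.get("source_nat"):
            chosen[dev] = a["public_ip"]   # source-NAT IP wins even if seen later
        elif dev not in chosen:
            chosen[dev] = a["public_ip"]   # first public IP on an additional NIC
    return [RULE % (dev, ip) for dev, ip in chosen.items()]


def duplicate_devices(rules):
    """Interfaces named by more than one SNAT rule. SNAT is a terminating
    target, so only the first rule per interface is ever hit; a non-empty
    result means the nat table carries dead entries."""
    seen, dups = set(), set()
    for rule in rules:
        dev = rule.split(" -o ")[1].split()[0]
        if dev in seen:
            dups.add(dev)
        seen.add(dev)
    return sorted(dups)
```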
I'll verify that. Do you happen to know what condition to test for? I don't think the self.address object contains information on whether it is the first IP, does it?
I think the original issue does not exist in our lab (I can verify with infra).
We can only verify the iptables rules in the VR:
- create 2 public IP ranges with different VLANs
- acquire 3 public IPs on each public IP and use them for static NAT/PF/LB
OK, I'll give it a try.
@blueorangutan package
@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 11482
Description
This PR...
Fixes: #9473