2010-11-16 18:23:27 | Kiall Mac Innes | description
On EC2, this ping succeeds as would be expected:
# ping `curl --silent http://169.254.169.254/2008-02-01/meta-data/public-ipv4`
On UEC, the same ping command fails. Additionally on UEC, an instance pinging another instance's public IP receives echo replies from the second instance's private IP, rather than from the public IP pinged.
The offending firewall rule (as seen by "iptables -L -t nat -n") is:
MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16
When changed to:
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0
Pings work as expected (both pings to your "local" public IP and to other instances' public IPs).
The bug appears to be in net/vnetwork.c L200:
snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE", network, slashnet, network, slashnet);
should be changed to:
snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network, slashnet);
Hope this makes sense ;) It's been a *long* 2 days.
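The order of operations behind the symptom, as an added model that is not part of the report or of the Eucalyptus code: the public IP is DNAT'd to a private address in PREROUTING before POSTROUTING evaluates the MASQUERADE rule, so the destination exclusion in the buggy rule matches every packet aimed at another instance's (or the sender's own) public IP. The 198.51.100.x addresses and the DNAT table are constructed sample values.

```python
import ipaddress

# The instance network from the report; the public addresses and the
# public -> private DNAT table are constructed sample values.
PRIVATE_NET = ipaddress.ip_network("172.19.0.0/16")
NAT_HOST_PUBLIC = ipaddress.ip_address("198.51.100.1")
DNAT = {
    ipaddress.ip_address("198.51.100.10"): ipaddress.ip_address("172.19.1.10"),
    ipaddress.ip_address("198.51.100.11"): ipaddress.ip_address("172.19.1.11"),
}


def masquerade_matches(src, dst, exclude_local_dst):
    """POSTROUTING predicate for the two rules in the report.

    exclude_local_dst=True  models '-d ! 172.19.0.0/16 -s 172.19.0.0/16 -j MASQUERADE'
    exclude_local_dst=False models '-s 172.19.0.0/16 -j MASQUERADE'
    """
    if src not in PRIVATE_NET:
        return False
    if exclude_local_dst and dst in PRIVATE_NET:
        return False
    return True


def forward(src, dst, exclude_local_dst):
    """Carry one packet from an instance through the nat table.

    Returns the (src, dst) pair the destination instance receives. An echo
    reply is addressed to that src: if it is still a private address the
    reply comes straight from the peer's private IP, which is the symptom
    described above; if it is the NAT host, conntrack reverses both
    translations and the reply appears to come from the public IP pinged.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # PREROUTING runs first: a public instance IP becomes its private IP.
    dst = DNAT.get(dst, dst)
    # POSTROUTING runs after routing, so it already sees the DNAT'd dst.
    if masquerade_matches(src, dst, exclude_local_dst):
        src = NAT_HOST_PUBLIC
    return str(src), str(dst)


if __name__ == "__main__":
    for buggy in (True, False):
        rule = "buggy" if buggy else "fixed"
        # Instance 172.19.1.10 pings instance 172.19.1.11's public IP ...
        print(rule, "peer public IP ->", forward("172.19.1.10", "198.51.100.11", buggy))
        # ... and its own public IP, the metadata-service ping from the report.
        print(rule, "own public IP  ->", forward("172.19.1.10", "198.51.100.10", buggy))
```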
----
Impact statement: This bug causes several issues warranting a fix in maverick/lucid:
A) Prevents correct communication between instances (e.g. ICMP reply from the private IP when the public IP was pinged)
B) Blocks communication to the local instance via its public IP
C) Breaks compatibility with EC2
----