Hairpin NAT on CC disabled - EC2 inconsistency

Bug #676167 reported by Kiall Mac Innes on 2010-11-16
This bug affects 3 people
Affects              Status        Importance  Assigned to    Milestone
Eucalyptus           Fix Released  Undecided   Daniel Nurmi
eucalyptus (Ubuntu)                Undecided   Unassigned

Bug Description

----
Impact statement: This bug causes several issues warranting a fix in maverick/lucid:

A) Prevents correct communication between instances (e.g. ICMP echo reply from the private IP when the public IP was pinged)
B) Blocks communication to the local instance via its public IP
C) Breaks compatibility with EC2

----

On EC2, this ping succeeds, as would be expected:

# ping `curl -s http://169.254.169.254/2008-02-01/meta-data/public-ipv4`

On UEC, the same ping command fails. Additionally, on UEC an instance pinging another instance's public IP receives echo replies from the second instance's private IP rather than from the public IP that was pinged.

The offending firewall rule (as seen by "iptables -L -t nat -n") is:
MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16

When changed to:
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0

Pings work as expected (both pings to your "local" public IP and to other instances' public IPs).

The bug appears to be in net/vnetwork.c L200:

snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE", network, slashnet, network, slashnet);

should be changed to:

snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network, slashnet);

Hope this makes sense ;) It's been a *long* 2 days.
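The two rule shapes compared in the report, modelled as an added example so the symptom can be reproduced without a cloud. This is not Eucalyptus code: the cloud-controller address, the instance addresses and the public-to-private mappings are constructed, and only the source-address behaviour of PREROUTING DNAT plus POSTROUTING MASQUERADE is imitated.

```python
"""Toy model of the cloud-controller (CC) NAT path from the bug report.

Added example, not Eucalyptus code. It imitates what the two POSTROUTING
MASQUERADE rules do to a ping between instances, so that the reported
symptoms (echo replies from the private IP, pings to your own public IP
failing) fall out of the model. All addresses are constructed.
"""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("172.19.0.0/16")  # network/slashnet from the report
CC_NAT_IP = "172.19.0.1"  # assumed: CC address on the private side, chosen by MASQUERADE

# Assumed public -> private mappings applied by DNAT in PREROUTING (constructed).
DNAT = {
    "192.0.2.10": "172.19.1.5",
    "192.0.2.11": "172.19.1.6",
}


def masquerade_rule(network, slashnet, exclude_private_dst):
    """Rule text in the shape of the two snprintf() calls quoted in the report."""
    if exclude_private_dst:  # the original rule: skip destinations inside the private net
        return "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE" % (
            network, slashnet, network, slashnet)
    return "-A POSTROUTING -s %s/%d -j MASQUERADE" % (network, slashnet)  # proposed fix


def postrouting(src, dst, exclude_private_dst):
    """Source address of a packet after POSTROUTING under either rule."""
    src_in_private = ipaddress.ip_address(src) in PRIVATE_NET
    dst_in_private = ipaddress.ip_address(dst) in PRIVATE_NET
    if not src_in_private:
        return src  # neither rule matches packets that do not come from the private net
    if exclude_private_dst and dst_in_private:
        return src  # original rule does not match: packet keeps its private source
    return CC_NAT_IP  # masqueraded behind the CC


def ping_reply_source(src_private, dst_public, exclude_private_dst):
    """Source address of the echo reply as seen by the pinging instance.

    PREROUTING rewrites the public IP to the private one, POSTROUTING may
    masquerade the source, and the target replies to whatever source it saw.
    """
    dst_private = DNAT[dst_public]  # hairpin: public IP is DNATed back into the private net
    src_seen_by_target = postrouting(src_private, dst_private, exclude_private_dst)
    if src_seen_by_target == CC_NAT_IP:
        # Reply is addressed to the CC, so it crosses the NAT table again and
        # conntrack reverses both translations: the sender sees the public IP.
        return dst_public
    # Reply is addressed straight to the sender's private IP on the same private
    # network and never crosses the CC, so its source is the target's private IP,
    # which is not the address that was pinged.
    return dst_private


def ping_succeeds(src_private, dst_public, exclude_private_dst):
    """A ping counts as working when the reply comes from the address pinged."""
    return ping_reply_source(src_private, dst_public, exclude_private_dst) == dst_public


if __name__ == "__main__":
    for exclude in (True, False):
        print(masquerade_rule("172.19.0.0", 16, exclude))
        for target in ("192.0.2.10", "192.0.2.11"):  # own public IP, then the other instance
            print("  172.19.1.5 -> %s: reply from %s, ping %s" % (
                target,
                ping_reply_source("172.19.1.5", target, exclude),
                "ok" if ping_succeeds("172.19.1.5", target, exclude) else "fails"))
```

One caveat worth keeping in mind when applying the fix: masquerading hairpin traffic means the target instance sees the CC's address as the source rather than the originating instance's private IP, so anything on the target that logs or filters by source address (host firewall rules, application logs) will attribute the traffic to the CC. That is the same trade-off EC2 makes, and it is what makes the public-IP path consistent, but it is not free.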

Kiall Mac Innes (kiall) on 2010-11-16
description: updated
Dave Walker (davewalker) on 2010-11-18
Changed in eucalyptus (Ubuntu):
status: New → Confirmed
assignee: nobody → Dave Walker (davewalker)
Changed in eucalyptus:
assignee: nobody → Daniel Nurmi (nurmi)
Dave Walker (davewalker) on 2012-02-15
Changed in eucalyptus (Ubuntu):
assignee: Dave Walker (davewalker) → nobody

I believe this issue is fixed in 2.0.3.

Changed in eucalyptus:
status: New → Fix Released