Hairpin NAT on CC disabled - EC2 inconsistency

Bug #676167 reported by Kiall Mac Innes
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Fix Released
Daniel Nurmi
eucalyptus (Ubuntu)

Bug Description

Impact statement: This bug causes several issues warranting a fix in maverick/lucid

A) Prevents correct communication between instances (eg icmp-reply from priv IP when pub IP was ping'd)
B) Blocks communication to the local instance via its public ip
C) Breaks compatibility with EC2


On EC2, this ping succeeds as would be expected:

# ping `curl --quite`

On UEC, the same ping command fails. Additionally on UEC, an instance pinging another instance's public IP receives echo-replies from the second instance's private IP, rather than the public IP ping'd.

The offending firewall rule (as seen by "iptables -L -t nat -n") is:

When changed to:

Pings work as expected (both pings to your "local" public IP, and other instances' public IPs)

The bug appears to be in net/vnetwork.c L200:

snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE", network, slashnet, network, slashnet);

should be changed to:

snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network, slashnet);

Hope this makes sense ;) It's been a *long* 2 days.
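
An added example, not part of the original report or of the Eucalyptus code: a small C model of the two POSTROUTING match conditions quoted above, showing why a ping hairpinned through the CC escapes MASQUERADE under the reported rule. All addresses and function names are constructed for illustration, and the reply path is a modelling assumption stated in the comments.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Dotted-quad text to host-order IPv4; returns 0 if the text does not parse. */
uint32_t ip4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* True when addr lies inside net/prefix. */
int in_net(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* Reported rule: -A POSTROUTING -d ! net -s net -j MASQUERADE */
int masq_reported(uint32_t src, uint32_t dst, uint32_t net, int prefix) {
    return in_net(src, net, prefix) && !in_net(dst, net, prefix);
}

/* Proposed rule: -A POSTROUTING -s net -j MASQUERADE */
int masq_proposed(uint32_t src, uint32_t dst, uint32_t net, int prefix) {
    (void)dst; /* destination no longer restricts the match */
    return in_net(src, net, prefix);
}

/* Source address instance A sees on the echo-reply after pinging B's public IP.
 * Model assumption: without MASQUERADE, B answers A's private address directly,
 * so the CC never reverses the DNAT; with it, the reply returns through the CC. */
uint32_t reply_src(int masqueraded, uint32_t b_priv, uint32_t b_pub) {
    return masqueraded ? b_pub : b_priv;
}

int main(void) {
    /* Constructed addresses, not taken from the report. */
    uint32_t net = ip4("10.1.2.0"), a = ip4("10.1.2.2");
    uint32_t b_priv = ip4("10.1.2.3"), b_pub = ip4("192.0.2.10");
    /* POSTROUTING runs after DNAT, so dst is already B's private address. */
    int old_hit = masq_reported(a, b_priv, net, 24);
    int new_hit = masq_proposed(a, b_priv, net, 24);
    printf("reported rule: masq=%d, reply from %s IP\n", old_hit,
           reply_src(old_hit, b_priv, b_pub) == b_pub ? "public" : "private");
    printf("proposed rule: masq=%d, reply from %s IP\n", new_hit,
           reply_src(new_hit, b_priv, b_pub) == b_pub ? "public" : "private");
    return 0;
}
```
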

Kiall Mac Innes (kiall)
description: updated
Dave Walker (davewalker)
Changed in eucalyptus (Ubuntu):
status: New → Confirmed
assignee: nobody → Dave Walker (davewalker)
Changed in eucalyptus:
assignee: nobody → Daniel Nurmi (nurmi)
Dave Walker (davewalker)
Changed in eucalyptus (Ubuntu):
assignee: Dave Walker (davewalker) → nobody
graziano obertelli (graziano.obertelli) wrote :

I believe this issue is fixed in 2.0.3.

Changed in eucalyptus:
status: New → Fix Released