Hairpin NAT on CC disabled - EC2 inconsistency
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Eucalyptus | Fix Released | Undecided | Daniel Nurmi |
eucalyptus (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
----
Impact statement: This bug causes several issues warranting a fix in maverick/lucid
A) Prevents correct communication between instances (e.g. icmp-reply from the private IP when the public IP was pinged)
B) Blocks communication to the local instance via its public IP
C) Breaks compatibility with EC2
----
On EC2, this ping succeeds as would be expected:
# ping `curl --quite http://
On UEC, the same ping command fails. Additionally on UEC, an instance pinging another instance's public IP receives echo-replies from the second instance's private IP, rather than from the public IP that was pinged.
The offending firewall rule (as seen by "iptables -L -t nat -n") is:
MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16
When changed to:
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0
Pings work as expected (both pings to your "local" public IP and pings to other instances' public IPs).
The bug appears to be in net/vnetwork.c L200:
snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE", network, slashnet, network, slashnet);
should be changed to:
snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network, slashnet);
Hope this makes sense ;) It's been a *long* 2 days.
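To make the hairpin case concrete, here is a small added model (not code from Eucalyptus or from this report) of the CC's NAT path: a DNAT of public to private addresses followed by the POSTROUTING MASQUERADE rule, once with the `! -d` exclusion and once without. The 172.19.0.0/16 network is the one from the report; the public addresses, the address map and the CC address are constructed sample values.

```python
import ipaddress

PRIVATE_NET = ipaddress.ip_network("172.19.0.0/16")   # private network from the bug report
# Constructed sample mapping: public IP -> instance private IP (DNAT in PREROUTING)
DNAT_MAP = {"192.0.2.10": "172.19.1.10", "192.0.2.20": "172.19.1.20"}

# "-A POSTROUTING -d ! net -s net -j MASQUERADE" (current rule in net/vnetwork.c)
BUGGY_RULE = {"src": PRIVATE_NET, "dst_not": PRIVATE_NET}
# "-A POSTROUTING -s net -j MASQUERADE" (proposed fix)
FIXED_RULE = {"src": PRIVATE_NET, "dst_not": None}


def masquerade_matches(rule, src, dst):
    """Does the POSTROUTING MASQUERADE rule match this packet (after DNAT)?"""
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst_not"] is not None and ipaddress.ip_address(dst) in rule["dst_not"]:
        return False
    return True


def forward_packet_after_nat(rule, client_priv, target):
    """Return (src, dst, masqueraded) for client_priv -> target after both NAT hooks.
    Targets that are not a known public IP (e.g. Internet hosts) are left unchanged."""
    dst = DNAT_MAP.get(target, target)            # PREROUTING: public -> private
    masq = masquerade_matches(rule, client_priv, dst)
    return (client_priv, dst, masq)


def reply_source_seen_by_client(rule, client_priv, target):
    """Source address the client sees on the echo-reply for a ping to `target`."""
    _, dst, masq = forward_packet_after_nat(rule, client_priv, target)
    if masq:
        # Reply returns via the CC, which reverses both the SNAT and the DNAT,
        # so the client sees the address it actually pinged.
        return target
    # No SNAT: the target (or the instance itself, in the hairpin-to-self case)
    # answers straight from its private address and the reply bypasses the CC's
    # conntrack entry, so it is never rewritten back to the public IP.
    return dst
```

The buggy rule only masquerades traffic leaving the private network, so the DNAT'd hairpin packet is exempted and the reply arrives from the private address; the fixed rule masquerades it too, and Internet-bound traffic behaves identically under both.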
description: updated
Changed in eucalyptus (Ubuntu):
status: New → Confirmed
assignee: nobody → Dave Walker (davewalker)
Changed in eucalyptus:
assignee: nobody → Daniel Nurmi (nurmi)
Changed in eucalyptus (Ubuntu):
assignee: Dave Walker (davewalker) → nobody
I believe this issue is fixed in 2.0.3.