[Bug 676167] Re: Hairpin NAT on CC disabled - EC2 inconsistency

Kiall 676167 at bugs.launchpad.net
Tue Nov 16 18:23:27 GMT 2010


** Description changed:

+ ----
+ Impact statement: This bug causes several issues warranting a fix in maverick/lucid
+ 
+ A) Prevents correct communication between instances (eg icmp-reply from priv IP when pub IP was ping'd)
+ B) Blocks communication to the local instance via its public ip
+ C) Breaks compatibility with EC2
+ 
+ ----
+ 
  On EC2, This ping succeeds as would be expected:
  
  # ping `curl --quite http://169.254.169.254/2008-02-01/meta-data/public-
  ipv4`
  
  On UEC, The same ping command fails. Additionally on UEC, an instance
  pinging another instances public IP receives echo-reply's from the
  second instances private IP, rather than the public IP ping'd.
  
  The offending firewall rule (as seen by "iptables -L -t nat -n") is:
  MASQUERADE  all  --  172.19.0.0/16       !172.19.0.0/16
  
  When changed to:
  MASQUERADE  all  --  172.19.0.0/16        0.0.0.0/0
  
  Ping's work as expected (both pings to your "local" public IP, and other
  instances public IPs)
  
- 
  The bug appears to be in net/vnetwork.c L200:
  
  snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE",
  network, slashnet, network, slashnet);
  
  should be changed to:
  
  snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network,
- slashnet, network, slashnet);
+ slashnet);
  
  Hope this makes sense ;) Its been a *long* 2 days.
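Review bot: the replacement rule at the end of the hunk (`-A POSTROUTING -s %s/%d -j MASQUERADE`) drops the `-d ! %s/%d` exclusion entirely, so the CC will also masquerade packets from 172.19.0.0/16 whose destination is another private address and was never DNAT'd; any instance-to-instance traffic the CC forwards on private IPs would then arrive with the CC's address as its source. Consider keeping the existing rule and adding a second one limited to hairpin flows, e.g. `-A POSTROUTING -s %s/%d -m conntrack --ctstate DNAT -j MASQUERADE`, which addresses A) and B) of the impact statement without touching non-DNAT'd private traffic. The argument-list correction in the same lines is right: the earlier replacement passed four arguments (`network, slashnet, network, slashnet`) to a format string with only two conversions.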

-- 
Hairpin NAT on CC disabled - EC2 inconsistency
https://bugs.launchpad.net/bugs/676167
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to eucalyptus in ubuntu.
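The following is an added example, not code from the bug report or from Eucalyptus. It models the CC's NAT path in Python to show why the shipped MASQUERADE rule produces echo-replies from the private IP and why the proposed rule fixes that; it also goes one step beyond the report by modelling a narrower DNAT-only variant (as `-m conntrack --ctstate DNAT` would select) so the side effect of the broadened rule on private-to-private traffic is visible. The CC address 192.168.100.1, the public-to-private map, and the assumption that the CC forwards the private-to-private flow are all constructed for the example.

```python
"""Toy model of the Eucalyptus CC NAT path for the hairpin case (added example).

Models three things the CC does with iptables: PREROUTING DNAT of an instance's
public IP to its private IP, POSTROUTING MASQUERADE as selected by a candidate
rule, and conntrack's reverse translation of replies that come back through the
CC. Addresses and the public->private map are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

PRIVATE_NET = ipaddress.ip_network("172.19.0.0/16")   # network/slashnet from the bug
CC_ADDR = "192.168.100.1"                              # assumed CC public-side address
# Assumed public->private map, as the CC's DNAT rules would encode it (constructed).
PUBLIC_TO_PRIVATE = {
    "192.168.100.10": "172.19.1.10",   # instance A
    "192.168.100.20": "172.19.1.20",   # instance B
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def in_net(addr, net=PRIVATE_NET):
    return ipaddress.ip_address(addr) in net


# --- candidate POSTROUTING rules; each returns True when MASQUERADE applies ----
def masq_old(pkt, dnatted):
    """MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16 (vnetwork.c as shipped)."""
    return in_net(pkt.src) and not in_net(pkt.dst)


def masq_proposed(pkt, dnatted):
    """MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0 (the fix proposed in the bug)."""
    return in_net(pkt.src)


def masq_dnat_only(pkt, dnatted):
    """Narrower alternative (assumed, not from the bug): keep the shipped rule and
    add one that hairpins only flows PREROUTING already DNAT'd, which is what
    '-m conntrack --ctstate DNAT' selects."""
    return masq_old(pkt, dnatted) or (in_net(pkt.src) and dnatted)


def forward_through_cc(pkt, rule):
    """Run one request through PREROUTING (DNAT) then POSTROUTING (rule).
    Returns the packet as delivered to the destination. Assumes the CC forwards
    the flow, which holds for DNAT'd and external traffic."""
    dnatted = pkt.dst in PUBLIC_TO_PRIVATE
    if dnatted:
        pkt = Packet(pkt.src, PUBLIC_TO_PRIVATE[pkt.dst])
    if rule(pkt, dnatted):
        pkt = Packet(CC_ADDR, pkt.dst)
    return pkt


def reply_source_seen_by(client, target, rule):
    """Source address the client sees on the echo-reply when it pings target."""
    request = Packet(client, target)
    delivered = forward_through_cc(request, rule)
    reply = Packet(delivered.dst, delivered.src)   # the target swaps the tuple
    if reply.dst == CC_ADDR:
        # Reply is addressed to the CC, so conntrack reverses both translations
        # and the client sees the public IP it actually pinged.
        return request.dst
    # Otherwise the reply goes to the client without touching the CC's NAT state,
    # carrying the target's private address as its source.
    return reply.src


if __name__ == "__main__":
    rules = [("shipped", masq_old), ("proposed", masq_proposed), ("dnat-only", masq_dnat_only)]
    cases = [("A pings B's public IP", "172.19.1.10", "192.168.100.20"),
             ("A pings its own public IP", "172.19.1.10", "192.168.100.10"),
             ("A pings an external host", "172.19.1.10", "8.8.8.8")]
    for label, client, target in cases:
        for name, rule in rules:
            print(f"{label:28s} [{name:9s}] reply from {reply_source_seen_by(client, target, rule)}")
    # Side effect of the broadened rule on a private-to-private flow the CC forwards:
    for name, rule in rules:
        seen = forward_through_cc(Packet("172.19.1.10", "172.19.1.20"), rule).src
        print(f"B sees A's private ping from  [{name:9s}] {seen}")
```

With the shipped rule both hairpin cases reply from a 172.19.x.x address, matching the report; with the proposed rule they reply from the public IP pinged. The last loop shows the trade-off the proposed rule carries: a private-to-private packet the CC forwards leaves with the CC's address as source, which the DNAT-only variant avoids.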



More information about the Ubuntu-server-bugs mailing list