[Bug 676167] Re: Hairpin NAT on CC disabled - EC2 inconsistency
Kiall
676167 at bugs.launchpad.net
Tue Nov 16 18:23:27 GMT 2010
** Description changed:
+ ----
+ Impact statement: This bug causes several issues warranting a fix in maverick/lucid
+
+ A) Prevents correct communication between instances (eg icmp-reply from priv IP when pub IP was ping'd)
+ B) Blocks communication to the local instance via its public ip
+ C) Breaks compatibility with EC2
+
+ ----
+
On EC2, this ping succeeds as would be expected:
# ping `curl --quite http://169.254.169.254/2008-02-01/meta-data/public-ipv4`
On UEC, the same ping command fails. Additionally on UEC, an instance
pinging another instance's public IP receives echo-replies from the
second instance's private IP, rather than the public IP pinged.
The offending firewall rule (as seen by "iptables -L -t nat -n") is:
MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16
When changed to:
MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0
Pings work as expected (both pings to your "local" public IP, and other
instances' public IPs)
-
The bug appears to be in net/vnetwork.c L200:
snprintf(cmd, 256, "-A POSTROUTING -d ! %s/%d -s %s/%d -j MASQUERADE", network, slashnet, network, slashnet);
should be changed to:
snprintf(cmd, 256, "-A POSTROUTING -s %s/%d -j MASQUERADE", network,
- slashnet, network, slashnet);
+ slashnet);
Hope this makes sense ;) It's been a *long* 2 days.
--
Hairpin NAT on CC disabled - EC2 inconsistency
https://bugs.launchpad.net/bugs/676167
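The hairpin behaviour described in the report, as an added model that is not part of the bug thread or of the Eucalyptus code: it walks one ICMP echo through the CC's DNAT and POSTROUTING steps under the old and the proposed MASQUERADE rule and reports which source address the pinging instance sees on the reply. The subnet, the public-to-private mapping and the CC address are constructed sample values.

```python
import ipaddress

# Constructed topology: the CC NATs a private instance subnet to public IPs.
PRIVATE_NET = ipaddress.ip_network("172.19.0.0/16")
# Public IP -> private IP of each instance (constructed sample values).
DNAT_MAP = {"203.0.113.10": "172.19.1.10", "203.0.113.20": "172.19.1.20"}
# Address the CC uses when it masquerades (assumed, constructed value).
CC_ADDR = ipaddress.ip_address("172.19.0.1")


def masquerade_old(src, dst):
    """Rule from the report: MASQUERADE all -- 172.19.0.0/16 !172.19.0.0/16."""
    return src in PRIVATE_NET and dst not in PRIVATE_NET


def masquerade_new(src, dst):
    """Proposed rule: MASQUERADE all -- 172.19.0.0/16 0.0.0.0/0."""
    return src in PRIVATE_NET


def echo_reply_source(src_priv, dst_pub, rule):
    """Return the source address the pinging instance sees on the echo-reply.

    src_priv: private IP of the instance running ping.
    dst_pub:  public IP it pings (may be its own).
    rule:     POSTROUTING masquerade predicate applied by the CC.
    """
    src = ipaddress.ip_address(src_priv)
    # PREROUTING on the CC: DNAT the instance's public IP to its private IP.
    dst_priv = ipaddress.ip_address(DNAT_MAP[dst_pub])
    # POSTROUTING on the CC: rewrite the request source only if the rule matches.
    # After DNAT the destination is inside PRIVATE_NET, so the old rule never
    # fires for instance-to-instance traffic, and the request keeps src_priv.
    req_src = CC_ADDR if rule(src, dst_priv) else src
    # The target answers whoever it saw as the source. If that is the CC, the
    # reply passes back through the CC and conntrack reverses both translations,
    # so the reply appears to come from the public IP that was pinged. If the
    # target saw the private source, it replies to it directly on the private
    # network, bypassing the CC, and the reply carries the private IP. A reply
    # from an address other than the one pinged is the failure in the report.
    if req_src == CC_ADDR:
        return dst_pub
    return str(dst_priv)
```

Running `echo_reply_source("172.19.1.10", "203.0.113.20", masquerade_old)` yields the private address, while the same call with `masquerade_new` yields the public address that was pinged.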