From deb92d32bbf743208472113874fac98960099d99 Mon Sep 17 00:00:00 2001
From: Syed Mushtaq Ahmed
Date: Tue, 22 Aug 2017 02:50:25 -0400
Subject: [PATCH] CLOUDSTACK-10030: Make sure that public IPs assigned to VPC are reacheable from inside the VPC (#2221)

If a public IP is assigned to a VPC, a VM running inside that VPC cannot ping that public IP. This is due to the IPtables Nat rules set in such a way that drop any requests to the public IP from internal interfaces. I am fixing this so that internal hosts can also reach the public IP.

Reproduction:
Create a VPC
Create a network inside the VPC
Allocate a public IP
Create a VM in the network
Create a port forwarding rule enabling ICMP
ping the public IP inside the VM (this will fail)
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 252bd2cecba..f1113098137 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -892,7 +892,7 @@ class CsForwardingRules(CsDataBag):
         self.fw.append(["filter", "", fw7])
 
     def forward_vpc(self, rule):
-        fw_prerout_rule = "-A PREROUTING -d %s/32 -i %s" % (rule["public_ip"], self.getDeviceByIp(rule['public_ip']))
+        fw_prerout_rule = "-A PREROUTING -d %s/32 " % (rule["public_ip"])
         if not rule["protocol"] == "any":
             fw_prerout_rule += " -m %s -p %s" % (rule["protocol"], rule["protocol"])
         if not rule["public_ports"] == "any":
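Review bot: Dropping the `-i` match makes this PREROUTING DNAT rule apply to packets arriving on every interface of the router rather than only the public device, and nothing in the hunk records that this widening is deliberate; add a comment on the new line such as `# no "-i <public dev>" match: hairpin traffic from inside the VPC to its public IP must also be DNATed (CLOUDSTACK-10030)`. Because the rule is no longer tied to the public interface, it is worth confirming that the tier ACL/filter rules, not this NAT rule, remain what restricts who can reach the forwarded port. For a source on the same subnet as the forwarded VM the reply may bypass the router and so never be un-DNATed; whether a matching SNAT for that case is added elsewhere is not visible here. Minor: the new format string keeps a trailing space before `" -m %s -p %s"` is appended, producing a double space, and `% (rule["public_ip"])` is not a tuple — `fw_prerout_rule = "-A PREROUTING -d %s/32" % (rule["public_ip"],)` would be cleaner. forward_vpc continues past the end of the hunk.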