Static Routes with nexthop non-functional for private gateways#12859
Static Routes with nexthop non-functional for private gateways#12859bhouse-nexthop wants to merge 3 commits intoapache:4.22from
Conversation
|
Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
|
boring-cyborg
bot
added
component:networking
component:virtual-router
Python
bhouse-nexthop
changed the title
bhouse-nexthop
force-pushed
the
fix-static-route-pbr
branch
2 times, most recently
from
f51b1ab to
1141a7a
Compare
Static routes were only being added to the main routing table, but policy-based routing (PBR) is active on VPC routers. This caused traffic coming in from specific interfaces to not find the static routes, as they use interface-specific routing tables (Table_ethX). This fix: - Adds a helper method to find which interface a gateway belongs to by matching the gateway IP against configured interface subnets - Modifies route add/delete operations to update both the main table and the appropriate interface-specific PBR table - Uses existing CsAddress databag metadata to avoid OS queries - Handles both add and revoke operations for proper cleanup - Adds comprehensive logging for troubleshooting Fixes apache#12857
bhouse-nexthop
force-pushed
the
fix-static-route-pbr
branch
from
1141a7a to
8a60b80
Compare
bhouse-nexthop
force-pushed
the
fix-static-route-pbr
branch
3 times, most recently
from
4dc4ac3 to
e102b98
Compare
|
@weizhouapache can you approve the workflow runs and review this. I've just confirmed this fixes both of my issues. |
bhouse-nexthop
force-pushed
the
fix-static-route-pbr
branch
from
e102b98 to
16228ff
Compare
|
@blueorangutan package |
|
@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17284 |
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
weizhouapache
left a comment
weizhouapache
left a comment
There was a problem hiding this comment.
@bhouse-nexthop
overall lgtm, not tested tet
left two minor comments
|
@blueorangutan package |
|
@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
|
@blueorangutan package |
|
@sureshanaparti a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress. |
weizhouapache
left a comment
weizhouapache
left a comment
There was a problem hiding this comment.
code lgtm
not tested yet
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" % | ||
| (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)]) | ||
|
|
||
| # Process static routes for this interface |
There was a problem hiding this comment.
@bhouse-nexthop , can we make the follwing code a method? i.e process_static_routes_for_Interface(…)
There was a problem hiding this comment.
a vast majority of this block was just moved up outside of the if self.is_private_gateway():, I don't think it warrants a helper function tbh. Plus, the code as it is right now has been well tested, so we'd have to go through the validation process again.
If you feel really strongly about it I'll do it, but I'd rather not :)
There was a problem hiding this comment.
I feel strongly but that is not absolute. I don’t think you should force yourself or that it is a requirement for merging (at all) or that you should do it if you feel it is a risk. I do think that such extractions make code more readable and maintainable, hence my question.
|
code looks good generally, what can we do in terms of testing, other than trusting @bhouse-nexthop ? @sureshanaparti @rajujith (cc @weizhouapache @winterhazel ) |
|
btw, seems we have merged lint-errors. the errors in https://github.com/apache/cloudstack/actions/runs/24455968567/job/71456964714?pr=12859 refer files not touched in this PR! |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17505 |
|
@blueorangutan test |
|
@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests |
|
[SF] Trillian test result (tid-15888)
|
Description
Static routes were only being added to the main routing table, but policy-based routing (PBR) is active on VPC routers. This caused traffic coming in from specific interfaces to not find the static routes, as they use interface-specific routing tables (Table_ethX).
This fix:
Fixes #12857
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
See #12857 for the tested scenario
How did you try to break this feature and the system with this change?