SRX Plugin Cannot add Port Forwarding Rule #3379

Closed
richardlawley opened this issue Jun 5, 2019 · 4 comments · Fixed by #3393
@richardlawley
Contributor

ISSUE TYPE
  • Bug Report
COMPONENT NAME
SRX Plugin
CLOUDSTACK VERSION
4.11.2
CONFIGURATION

Advanced Networking

OS / ENVIRONMENT

Model: srx345-dual-ac
Junos: 15.1X49-D110.4
JUNOS Software Release [15.1X49-D110.4]

SUMMARY

When trying to add a port forwarding rule, it fails with a syntax error. If this ever worked, then I suspect the syntax of the API command has changed since JunOS 10, which from the hardware compatibility list may be what worked.

STEPS TO REPRODUCE

Add a port forwarding rule

EXPECTED RESULTS

Port Forwarding rule should be added, creating a destination nat rule on the SRX

ACTUAL RESULTS
2019-06-05 16:44:44,452 DEBUG [c.c.n.r.JuniperSrxResource] (DirectAgent-287:ctx-8a4e6665) (logid:be9407ed) Sending request:
<rpc>
    <load-configuration>
    <configuration>
        <security>
            <nat>
                <destination>
                    <rule-set>
                    <name>untrust</name>
                    <from>
                        <zone>untrust</zone>
                    </from>
                    <rule>
                        <name>destnatrule-1798423542</name>
                        <dest-nat-rule-match><destination-address><dst-addr>XX.XX.XX.XX (XX-XX-XX-XX.XXXXXXXX.net)</dst-addr></destination-address><destination-port><dst-port>80</dst-port></destination-port></dest-nat-rule-match>
                        <then>
                            <destination-nat>
                            <pool><pool-name>10-9-160-193-80</pool-name></pool>
                            </destination-nat></then>
                    </rule>
                    </rule-set></destination>
            </nat>
        </security>
    </configuration>
    </load-configuration></rpc>

2019-06-05 16:44:44,495 DEBUG [c.c.n.r.JuniperSrxResource] (DirectAgent-287:ctx-8a4e6665) (logid:be9407ed)
Checking response: <rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos"><load-configuration-results>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    <token>dst-port</token>
    <message>syntax error</message>
</xnm:error>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
    <token>dst-port</token>
    <message>syntax error</message>
</xnm:error>
<load-error-count>2</load-error-count></load-configuration-results></rpc-reply>
@richardlawley
Contributor Author

I will attempt to fix this, hopefully in time for 4.11.3

@richardlawley
Contributor Author

This was fixable by changing the script template at scripts/network/juniper/dest-nat-rule-add.xml - replacing <dst-port> with <low>.

Before submitting this as a PR, I would welcome thoughts on whether this is ever likely to have worked in the past - if so it may turn out that the fix for more modern JunOS breaks older versions. However, the version on the supported hardware list (JunOS 10) went EOL in 2014.

@rohityadavcloud
Member

@richardlawley can you start a discussion on dev and users ML. I don't think most of us have srx/infra to test your fix.

@richardlawley
Contributor Author

@rhtyd I've submitted a fix which makes the plugin usable on later versions with one manual change to the script XML file - this was to not break compatibility for anyone still using the very old versions.

Need to work out how to address it going forward in the next version though.

@rohityadavcloud rohityadavcloud added this to the 4.13.0.0 milestone Jun 20, 2019
rohityadavcloud pushed a commit that referenced this issue Jul 8, 2019
…ogic (#3393)

This PR partially fixes the logic around port forwarding rules on the Juniper SRX plugin. The code in the plugin is based on JunOS 10, which is very old. The changes here should not break compatibility, but should enable the plugin to be used on newer devices. Note that an additional change to a script file is required to be able to add port forwarding rules, but as this PR was targeted for 4.11.3, I thought it best not to include this change as it might break compatibility for anyone still using JunOS 10.

I've made the logic better and consistent for adding/removing static nat and port forwarding rules - these were multi-step processes which did not check each individual step. This would aid in manually fixing rules in case of further problems.

I've also improved the logging for communication with the SRX by stripping out the Apache header before sending it, and indicating the name of the template filename in use.

To be able to add port forwarding rules, the <dst-port> tags in dest-nat-rule-add.xml must be changed to <low>.

Fixes: #3379
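As an added illustration (not CloudStack's or the SRX plugin's own code), the two things this thread turns on in a few lines of Python: pulling the `<xnm:error>` entries out of a `load-configuration` reply, the per-step check the multi-step flow was missing, and rewriting `<dst-port>` to `<low>` under `<destination-port>` in the request template. The request and reply below are constructed from the log in the issue, with an RFC 5737 placeholder address in place of the redacted one.

```python
import xml.etree.ElementTree as ET

XNM_NS = "http://xml.juniper.net/xnm/1.1/xnm"

# Constructed sample: the request the plugin sent, per the issue log,
# with a placeholder destination address.
SAMPLE_REQUEST = """<rpc><load-configuration><configuration><security><nat>
<destination><rule-set><name>untrust</name><from><zone>untrust</zone></from>
<rule><name>destnatrule-1798423542</name>
<dest-nat-rule-match><destination-address><dst-addr>198.51.100.10</dst-addr></destination-address>
<destination-port><dst-port>80</dst-port></destination-port></dest-nat-rule-match>
<then><destination-nat><pool><pool-name>10-9-160-193-80</pool-name></pool></destination-nat></then>
</rule></rule-set></destination></nat></security></configuration></load-configuration></rpc>"""

# Constructed sample: the reply shape the SRX returned (two syntax errors on dst-port).
SAMPLE_ERROR_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/15.1X49/junos">
<load-configuration-results>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<token>dst-port</token><message>syntax error</message></xnm:error>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<token>dst-port</token><message>syntax error</message></xnm:error>
<load-error-count>2</load-error-count></load-configuration-results></rpc-reply>"""

# Constructed sample: a reply with no errors (no load-error-count element at all).
SAMPLE_OK_REPLY = "<rpc-reply><load-configuration-results><load-success/></load-configuration-results></rpc-reply>"


def load_configuration_errors(reply_xml):
    """Return (error_count, [(token, message), ...]) from a load-configuration rpc-reply.

    <token> and <message> sit in the xnm default namespace declared on <xnm:error>;
    <load-error-count> does not. When the device omits the count, fall back to the
    number of error elements seen, so a caller can abort a multi-step change early."""
    root = ET.fromstring(reply_xml)
    errors = []
    for err in root.iter(f"{{{XNM_NS}}}error"):
        token = err.findtext(f"{{{XNM_NS}}}token", default="").strip()
        message = err.findtext(f"{{{XNM_NS}}}message", default="").strip()
        errors.append((token, message))
    count_text = root.findtext(".//load-error-count")
    count = int(count_text) if count_text is not None else len(errors)
    return count, errors


def migrate_dest_port(template_xml):
    """Rename <dst-port> to <low> under every <destination-port> (the manual template
    change described in the issue). Returns (rewritten_xml, number_of_renames)."""
    root = ET.fromstring(template_xml)
    renamed = 0
    for dest_port in root.iter("destination-port"):
        for child in dest_port:
            if child.tag == "dst-port":
                child.tag = "low"
                renamed += 1
    return ET.tostring(root, encoding="unicode"), renamed
```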