From anthon...@apache.org
Subject git commit: updated refs/heads/4.2 to 2d87e64
Date Wed, 31 Jul 2013 00:35:08 GMT
Updated Branches:
  refs/heads/4.2 20831d00f -> 2d87e6437


CLOUDSTACK-3963:

in security group, CS put a rule in ebtables filter table FORWARD chain to prevent user from
changing VM mac address
util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j', 'DROP'])

If the user changes the VM MAC address, all egress packets from the VM are dropped, but those egress packets still contaminate the bridge cache with the fake MAC.

This patch moves the rule to ebtables nat table PREROUTING chain, then the egress packet with
modified MAC will not contaminate the bridge cache.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/2d87e643
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/2d87e643
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/2d87e643

Branch: refs/heads/4.2
Commit: 2d87e643710d63c2a6dad90bf4f596e86b4eaf56
Parents: 20831d0
Author: Anthony Xu <anthony.xu@citrix.com>
Authored: Tue Jul 30 17:04:21 2013 -0700
Committer: Anthony Xu <anthony.xu@citrix.com>
Committed: Tue Jul 30 17:34:44 2013 -0700

----------------------------------------------------------------------
 .../vm/hypervisor/xenserver/ovs-vif-flows.py    | 23 ++++++++++++++++----
 scripts/vm/hypervisor/xenserver/vmops           | 11 +++++++++-
 2 files changed, 29 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2d87e643/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py b/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
index 46aedc8..8452dae 100644
--- a/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
+++ b/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
@@ -52,20 +52,35 @@ def apply_flows(bridge, this_vif_ofport, vif_ofports):
     pluginlib.add_flow(bridge, priority=1100,
                        nw_dst='224.0.0.0/24', actions=action)
 
+def clear_rules(vif):
+    try:
+        delcmd = "/sbin/ebtables -t nat -L PREROUTING | grep " + vif
+        delcmds = pluginlib.do_cmd(['/bin/bash', '-c', delcmd]).split('\n')
+        for cmd in delcmds:
+            try:
+                cmd = '/sbin/ebtables -t nat -D PREROUTING ' + cmd
+                pluginlib.do_cmd(['/bin/bash', '-c', cmd])
+            except:
+                pass
+    except:
+        pass
+
 
 def main(command, vif_raw):
     if command not in ('online', 'offline'):
         return
+
+    vif_name, dom_id, vif_index = vif_raw.split('-')
+    # validate vif and dom-id
+    this_vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
     # Make sure the networking stack is not linux bridge!
     net_stack = pluginlib.do_cmd(['cat', '/etc/xensource/network.conf'])
     if net_stack.lower() == "bridge":
+        if command == 'offline':
+            clear_rules(this_vif)
         # Nothing to do here!
         return
 
-    vif_name, dom_id, vif_index = vif_raw.split('-')
-    # validate vif and dom-id
-    this_vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
-
     bridge = pluginlib.do_cmd([pluginlib.VSCTL_PATH, 'iface-to-br', this_vif])
     
 	# find xs network for this bridge, verify is used for ovs tunnel network
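Review bot: In clear_rules the PREROUTING listing is filtered with a substring grep on the VIF name, so for `vif1.1` the lines for `vif1.10`, `vif1.11`, … match as well and their rules are deleted too (the unescaped `.` in the pattern widens the match further); the VIF name is also spliced into a `/bin/bash -c` string instead of being passed as an argument. Filtering the listing in Python by exact token and calling ebtables with an argument list, as below, removes both problems; the rewrite keeps the best-effort bare excepts the file already uses, though a log line in them would make a stale-rule leak diagnosable. Separately, main compares `net_stack.lower() == "bridge"` without `.strip()`, while the vmops hunk in this commit strips the same file's content — if the file ends with a newline the new offline `clear_rules(this_vif)` call is never reached. main continues past the end of the hunk.
```python
def clear_rules(vif):
    try:
        listing = pluginlib.do_cmd(['/sbin/ebtables', '-t', 'nat', '-L', 'PREROUTING'])
    except:
        return
    for line in listing.splitlines():
        rule = line.split()
        # exact token match: a substring grep for "vif1.1" also hits "vif1.10"
        if vif not in rule:
            continue
        try:
            pluginlib.do_cmd(['/sbin/ebtables', '-t', 'nat', '-D', 'PREROUTING'] + rule)
        except:
            pass
```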

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2d87e643/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 3b6ff3c..ff33c2d 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -486,6 +486,11 @@ def can_bridge_firewall(session, args):
     try:
         util.pread2(['ebtables', '-V'])
         util.pread2(['ipset', '-V'])
+        cmd = ['cat', '/etc/xensource/network.conf']
+        result = util.pread2(cmd)
+        if result.lower().strip() != "bridge":
+            return 'false'
+
     except:
         return 'false'
 
@@ -749,7 +754,11 @@ def default_ebtables_antispoof_rules(vm_chain, vifs, vm_ip, vm_mac):
     try:
         for vif in vifs:
             # only allow source mac that belongs to the vm
-	    util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j', 'DROP'])
+            try:
+                util.pread2(['ebtables', '-t', 'nat', '-I', 'PREROUTING', '-i', vif, '-s',
'!' , vm_mac, '-j', 'DROP'])
+            except:
+                util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j',
'DROP'])
+
             # do not allow fake dhcp responses
             util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-p', 'IPv4', '--ip-proto',
'udp', '--ip-dport', '68', '-j', 'DROP'])
             # do not allow snooping of dhcp requests
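Review bot: The new `except:` around the nat-table insert falls back to the per-VM chain silently, so a host where the PREROUTING insert fails for any reason (not only a missing nat table) keeps running with the weaker rule that the commit message says still pollutes the bridge cache, and nothing records that this happened. Log before falling back, e.g. `util.SMlog("nat PREROUTING antispoof insert failed for %s, falling back to %s" % (vif, vm_chain))` if that is the logging helper vmops uses elsewhere. Note also that `-I PREROUTING` prepends a fresh rule each time this function runs; if it is re-run for the same VIF without the offline-time cleanup added in ovs-vif-flows.py, duplicates accumulate in the shared chain, whereas the old per-VM chain was presumably flushed as a unit — worth confirming against the chain-teardown path, which is outside this hunk. default_ebtables_antispoof_rules starts and ends outside the hunk.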

