From h...@apache.org
Subject [03/19] Move the system vm to a separate maven project.
Date Fri, 20 Sep 2013 10:32:55 GMT
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_func.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_func.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_func.sh
new file mode 100755
index 0000000..2f88351
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_func.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# @VERSION@
+
+getEthByIp (){
+  local ip=$1
+  for dev in `ls -1 /sys/class/net | grep eth`
+  do
+    sudo ip addr show dev $dev | grep $ip\/ > /dev/null
+    if [ $? -eq 0 ]
+    then
+      echo $dev
+      return 0
+    fi
+  done
+  return 1
+}    
+
+getVPCcidr () {
+  CMDLINE=$(cat /var/cache/cloud/cmdline)
+  for i in $CMDLINE
+  do
+    # search for foo=bar pattern and cut out foo
+    KEY=$(echo $i | cut -d= -f1)
+    VALUE=$(echo $i | cut -d= -f2)
+    if [ "$KEY" == "vpccidr" ]
+    then
+      echo "$VALUE"
+      return 0
+    fi
+  done
+  return 1
+}
+
+removeRulesForIp() {
+  local ip=$1
+  iptables-save -t mangle | grep $ip | grep "\-A"  | while read rule
+  do
+    rule=$(echo $rule | sed 's/\-A/\-D/')
+    sudo iptables -t mangle $rule
+  done
+  iptables-save -t nat | grep $ip | grep "\-A"  | while read rule
+  do
+    rule=$(echo $rule | sed 's/\-A/\-D/')
+    sudo iptables -t nat $rule
+  done
+  iptables-save -t filter | grep $ip | grep "\-A"  | while read rule
+  do
+    rule=$(echo $rule | sed 's/\-A/\-D/')
+    sudo iptables -t filter $rule
+  done
+}
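Review bot: `removeRulesForIp` selects rules with `grep $ip` as an unquoted, unanchored regex, so for 10.1.1.1 it also matches iptables-save lines for 10.1.1.10, 10.1.1.100 and 110.1.1.1 (`.` is a wildcard here) and deletes NAT, mangle and filter rules that belong to other addresses. Use a fixed-string whole-word match on each of the three pipelines, e.g. `iptables-save -t mangle | grep -Fw -- "$ip" | grep -- '^-A' | while IFS= read -r rule`; `getEthByIp` needs the same treatment, `sudo ip addr show dev "$dev" | grep -Fwq -- "$ip"`, since its `grep $ip\/` still lets 110.1.1.1 match 10.1.1.1. The same unanchored substring test recurs in `desetup_passwdsvcs` in vpc_guestnw.sh (which then `kill -9`s every socat whose command line contains the prefix), in `create_usage_rules` in vpc_netusage.sh (`NETWORK_STATS_eth1` is found inside `NETWORK_STATS_eth10`, so the eth1 chain is never created) and in the restart loop of vpc_passwd_server (`ip addr show | grep $ip`).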

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
new file mode 100755
index 0000000..e5da2e0
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -0,0 +1,294 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# guestnw.sh -- create/destroy guest network 
+# @VERSION@
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage:\n %s -A  -d <dev> -i <ip address> -g <gateway> -m <network mask> -s <dns ip> -e < domain> [-f] \n" $(basename $0) >&2
+  printf " %s -D -d <dev> -i <ip address> \n" $(basename $0) >&2
+}
+
+
+destroy_acl_chain() {
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev  2>/dev/null
+  sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+
+}
+
+create_acl_chain() {
+  destroy_acl_chain
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev  2>/dev/null
+}
+
+
+setup_apache2() {
+  logger -t cloud "Setting up apache web server for $dev"
+  cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
+  sed -i -e "s/<VirtualHost.*:80>/<VirtualHost $ip:80>/" /etc/apache2/conf.d/vhost$dev.conf
+  sed -i -e "s/<VirtualHost.*:443>/<VirtualHost $ip:443>/" /etc/apache2/conf.d/vhost$dev.conf
+  sed -i -e "s/\tServerName.*/\tServerName vhost$dev.cloudinternal.com/" /etc/apache2/conf.d/vhost$dev.conf
+  sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
+  sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
+  service apache2 restart
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
+}
+
+desetup_apache2() {
+  logger -t cloud "Desetting up apache web server for $dev"
+  rm -f /etc/apache2/conf.d/vhost$dev.conf
+  service apache2 restart
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
+}
+
+
+setup_dnsmasq() {
+  logger -t cloud "Setting up dnsmasq for network $ip/$mask "
+  # setup rules to allow dhcp/dns request
+  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
+  # setup static 
+  sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
+  echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
+  # setup DOMAIN
+  [ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
+
+  sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,15.*$/d" /etc/dnsmasq.d/cloud.conf
+  echo "dhcp-option=tag:interface-$dev,15,$DOMAIN" >> /etc/dnsmasq.d/cloud.conf
+  service dnsmasq restart
+  sleep 1
+} 
+
+desetup_dnsmasq() {
+  logger -t cloud "Desetting up dnsmasq for network $ip/$mask "
+  # remove rules to allow dhcp/dns request
+  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+  sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
+  sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
+  sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
+  service dnsmasq restart
+  sleep 1
+}
+
+setup_passwdsvcs() {
+  logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
+}
+
+desetup_passwdsvcs() {
+  logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  pid=`ps -ef | grep socat | grep $ip | grep -v grep | awk '{print $2}'`
+  if [ -n "$pid" ]
+  then
+    kill -9 $pid
+  fi 
+}
+
+create_guest_network() {
+  # need to wait for eth device to appear before configuring it
+  timer=0
+  while ! `grep -q $dev /proc/net/dev` ; do
+    logger -t cloud "$(basename $0):Waiting for interface $dev to appear, $timer seconds"
+    sleep 1;
+    if [ $timer -gt 15 ]; then
+      logger -t cloud "$(basename $0):interface $dev never appeared"
+      break
+    fi
+    timer=$[timer + 1]
+  done
+
+  logger -t cloud " $(basename $0): Create network on interface $dev,  gateway $gw, network $ip/$mask "
+  # setup ip configuration
+  sudo ip addr add dev $dev $ip/$mask brd +
+  sudo ip link set $dev up
+  sudo arping -c 3 -I $dev -A -U -s $ip $ip
+  echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
+  # restore mark from  connection mark
+  local tableName="Table_$dev"
+  sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+  # set up hairpin
+  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  create_acl_chain
+  setup_dnsmasq
+  setup_apache2
+  setup_passwdsvcs
+
+  #enable rps, rfs
+  enable_rpsrfs $dev
+}
+
+enable_rpsrfs() {
+
+    if [  -f /etc/rpsrfsenable ]
+    then
+        enable=$(cat /etc/rpsrfsenable)
+        if [ $enable -eq 0 ]
+        then
+            return 0
+        fi
+    else
+        return 0
+    fi
+
+    proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+    if [ $proc -le 1 ]
+    then
+        return 0
+    fi
+    dev=$1
+
+    num=1
+    num=$(($num<<$proc))
+    num=$(($num-1));
+    echo $num;
+    hex=$(printf "%x\n" $num)
+    echo $hex;
+    #enable rps
+    echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
+
+    #enble rfs
+    rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
+
+    if [ $rps_flow_entries -eq 0 ]
+    then
+        echo 256 > /proc/sys/net/core/rps_sock_flow_entries
+    fi
+
+    echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
+
+}
+
+destroy_guest_network() {
+  logger -t cloud " $(basename $0): Create network on interface $dev,  gateway $gw, network $ip/$mask "
+
+  sudo ip addr del dev $dev $ip/$mask
+  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  destroy_acl_chain
+  desetup_dnsmasq
+  desetup_apache2
+  desetup_passwdsvcs
+}
+
+#set -x
+iflag=0
+mflag=0
+nflag=0
+dflag=
+gflag=
+Cflag=
+Dflag=
+
+op=""
+
+
+while getopts 'CDn:m:d:i:g:s:e:' OPTION
+do
+  case $OPTION in
+  C)	Cflag=1
+		op="-C"
+		;;
+  D)	Dflag=1
+		op="-D"
+		;;
+  n)	nflag=1
+		subnet="$OPTARG"
+		;;
+  m)	mflag=1
+		mask="$OPTARG"
+		;;
+  d)	dflag=1
+  		dev="$OPTARG"
+  		;;
+  i)	iflag=1
+		ip="$OPTARG"
+  		;;
+  g)	gflag=1
+  		gw="$OPTARG"
+                ;;
+  s)    sflag=1
+                DNS="$OPTARG"
+                ;;
+  e)    eflag=1
+		DOMAIN="$OPTARG"
+  		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+vpccidr=$(getVPCcidr)
+
+if [ "$Cflag$Dflag$dflag" != "11" ]
+then
+    usage
+    unlock_exit 2 $lock $locked
+fi
+
+if [ "$Cflag" == "1" ] && [ "$iflag$gflag$mflag" != "111" ]
+then
+    usage
+    unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$Cflag" == "1" ]
+then  
+  create_guest_network 
+fi
+
+
+if [ "$Dflag" == "1" ]
+then
+  destroy_guest_network
+fi
+
+unlock_exit 0 $lock $locked
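Review bot: `create_guest_network` logs `interface $dev never appeared` after the 15-second wait but then falls through and runs `ip addr add`, `ip route add`, the iptables/ACL chain setup and dnsmasq/apache configuration against a device that is not present, so a failed hot-plug leaves half-applied state and the script still ends in `unlock_exit 0`. Replace the `break` with `unlock_exit 1 $lock $locked`, which is what the rest of this script uses on error paths, and anchor the wait with `grep -q "^ *$dev:" /proc/net/dev` so that eth1 is not satisfied by eth10; `add_an_ip` in vpc_ipassoc.sh has the identical loop and fallthrough. Separately, the log line in `destroy_guest_network` still reads `Create network on interface`, so a teardown is logged as a setup; it should say `Destroy network on interface`.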

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
new file mode 100755
index 0000000..8c5e0e4
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_ipassoc.sh
@@ -0,0 +1,223 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+ 
+
+# ipassoc.sh -- associate/disassociate a public ip with an instance
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+  exit 1
+fi
+
+usage() {
+  printf "Usage:\n %s -A -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
+  printf " %s -D -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
+}
+
+add_routing() {
+  logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
+
+  local tableName="Table_$ethDev"
+  sudo ip route add $subnet/$mask dev $ethDev table $tableName proto static
+  sudo ip route add default via $defaultGwIP table $tableName proto static
+  sudo ip route flush cache
+  sudo ip route | grep default
+  if [ $? -gt 0 ]
+  then
+    sudo ip route add default via $defaultGwIP
+  fi
+  return 0
+}
+
+
+remove_routing() {
+  return 0
+}
+
+add_an_ip () {
+  # need to wait for eth device to appear before configuring it
+  timer=0
+  while ! `grep -q $ethDev /proc/net/dev` ; do
+    logger -t cloud "$(basename $0):Waiting for interface $ethDev to appear, $timer seconds"
+    sleep 1;
+    if [ $timer -gt 15 ]; then
+      logger -t cloud "$(basename $0):interface $ethDev never appeared"
+      break
+    fi
+    timer=$[timer + 1]
+  done
+
+  logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
+  sudo ip link show $ethDev | grep "state DOWN" > /dev/null
+  local old_state=$?
+
+  sudo ip addr add dev $ethDev $pubIp/$mask brd +
+  if [ $old_state -eq 0 ]
+  then
+    sudo ip link set $ethDev up
+  fi
+  sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
+  sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
+  local tableNo=${ethDev:3} 
+  sudo iptables-save -t mangle | grep  "PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-xmark" 2>/dev/null
+  if [ $? -gt 0 ]
+  then
+    sudo iptables -t mangle -A PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-mark $tableNo 2>/dev/null
+  fi
+
+  enable_rpsrfs $ethDev
+  add_routing 
+  return $?
+}
+
+enable_rpsrfs() {
+
+    if [  -f /etc/rpsrfsenable ]
+    then
+        enable=$(cat /etc/rpsrfsenable)
+        if [ $enable -eq 0 ]
+        then
+            return 0
+        fi
+    else
+        return 0
+    fi
+
+    proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
+    if [ $proc -le 1 ]
+    then
+        return 0
+    fi
+    dev=$1
+
+    num=1
+    num=$(($num<<$proc))
+    num=$(($num-1));
+    echo $num;
+    hex=$(printf "%x\n" $num)
+    echo $hex;
+    #enable rps
+    echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
+
+    #enble rfs
+    rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
+
+    if [ $rps_flow_entries -eq 0 ]
+    then
+        echo 256 > /proc/sys/net/core/rps_sock_flow_entries
+    fi
+
+    if [ $(cat /sys/class/net/$dev/queues/rx-0/rps_flow_cnt) -eq 0 ]
+    then
+        echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
+    fi
+}
+
+remove_an_ip () {
+  logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
+  local existingIpMask=$(sudo ip addr show dev $ethDev | grep -v "inet6" | grep "inet " | awk '{print $2}')
+
+  sudo ip addr del dev $ethDev $pubIp/$mask
+  # reapply IPs in this interface
+  for ipMask in $existingIpMask
+  do
+    if [ "$ipMask" == "$pubIp/$mask" ]
+    then
+      continue
+    fi
+    sudo ip addr add dev $ethDev $ipMask brd +
+  done
+
+  remove_routing
+  return 0
+}
+
+#set -x
+lflag=0
+cflag=0
+gflag=0
+mflag=0
+nflag=0
+op=""
+
+
+while getopts 'ADl:c:g:m:n:' OPTION
+do
+  case $OPTION in
+  A)	Aflag=1
+		op="-A"
+		;;
+  D)	Dflag=1
+		op="-D"
+		;;
+  l)	lflag=1
+		pubIp="$OPTARG"
+		;;
+  c)	cflag=1
+  		ethDev="$OPTARG"
+  		;;
+  g)	gflag=1
+  		defaultGwIP="$OPTARG"
+  		;;
+  m)	mflag=1
+  		mask="$OPTARG"
+  		;;
+  n)	nflag=1
+  		subnet="$OPTARG"
+  		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+
+if [ "$Aflag$Dflag" != "1" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ "$lflag$cflag$gflag$mflag$nflag" != "11111" ] 
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$Aflag" == "1" ]
+then
+  add_an_ip
+  unlock_exit $? $lock $locked
+fi
+
+
+if [ "$Dflag" == "1" ]
+then
+  remove_an_ip
+  unlock_exit $? $lock $locked
+fi
+
+
+unlock_exit 1 $lock $locked
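Review bot: `remove_routing` is a stub that returns 0, so the `-D` path in `remove_an_ip` deletes the address but leaves the `Table_$ethDev` routes, the default route and the `CONNMARK --set-mark $tableNo` PREROUTING rule that `add_an_ip`/`add_routing` installed. If that is deliberate because other IPs on the device still use them it deserves a comment at the stub, such as `# routes in Table_$ethDev and the CONNMARK rule are shared by all IPs on $ethDev and are kept on purpose — TODO confirm`; otherwise the cleanup belongs here. `enable_rpsrfs` is also a verbatim copy of the function in vpc_guestnw.sh, and both versions print `$num` and `$hex` to stdout (`echo $num;`, `echo $hex;`), which looks like leftover debugging that callers reading the script's output will see; move the function into vpc_func.sh and drop the two echo lines.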

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
new file mode 100755
index 0000000..36a2347
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
@@ -0,0 +1,224 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# @VERSION@
+
+do_ilb_if_ilb () {
+  local typ=""
+  local pattern="type=(.*)"
+
+  for keyval in $(cat /var/cache/cloud/cmdline)
+  do    
+     if [[ $keyval =~ $pattern ]]; then      
+        typ=${BASH_REMATCH[1]}; 
+     fi 
+  done
+  if [ "$typ" == "ilbvm" ]
+  then
+     logger -t cloud "$(basename $0): Detected that we are running in an internal load balancer vm"
+     $(dirname $0)/ilb.sh "$@"
+     exit $?
+  fi
+
+}
+
+logger -t cloud "$(basename $0): Entering $(dirname $0)/$(basename $0)"
+
+do_ilb_if_ilb "$@"
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -i <domR eth1 ip>  -a <added public ip address ip:port> -d <removed ip:port> -f <load balancer config> -s <stats ip ip:port:cidr>  \n" $(basename $0) >&2
+}
+
+# set -x
+
+fw_remove_backup() {
+  sudo iptables -F back_load_balancer 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j back_load_balancer 2> /dev/null
+  sudo iptables -X back_load_balancer 2> /dev/null
+  sudo iptables -F back_lb_stats 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j back_lb_stats 2> /dev/null
+  sudo iptables -X back_lb_stats 2> /dev/null
+}
+
+fw_remove() {
+  sudo iptables -F load_balancer 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j load_balancer 2> /dev/null
+  sudo iptables -X load_balancer 2> /dev/null
+  sudo iptables -F lb_stats 2> /dev/null
+  sudo iptables -D INPUT -p tcp  -j lb_stats 2> /dev/null
+  sudo iptables -X lb_stats 2> /dev/null
+}
+
+fw_backup() {
+  fw_remove_backup
+  sudo iptables -E load_balancer back_load_balancer 2> /dev/null
+  sudo iptables -E lb_stats back_lb_stats 2> /dev/null
+}
+
+fw_restore() {
+  fw_remove
+  sudo iptables -E back_load_balancer load_balancer 2> /dev/null
+  sudo iptables -E back_lb_stats lb_stats 2> /dev/null
+}
+
+fw_chain_create () {
+  fw_backup
+  sudo iptables -N load_balancer 2> /dev/null
+  sudo iptables -A INPUT -p tcp  -j load_balancer 2> /dev/null
+  sudo iptables -N lb_stats 2> /dev/null
+  sudo iptables -A INPUT -p tcp  -j lb_stats 2> /dev/null
+}
+
+# firewall entry to ensure that haproxy can receive on specified port
+fw_entry() {
+  local added=$1
+  local removed=$2
+  local stats=$3
+  if [ "$added" == "none" ]
+  then
+  	added=""
+  fi
+  if [ "$removed" == "none" ]
+  then
+  	removed=""
+  fi
+  local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
+  local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
+  fw_chain_create
+  success=0
+  while [ 1 ]
+  do
+    for i in $a
+    do
+      local pubIp=$(echo $i | cut -d: -f1)
+      local dport=$(echo $i | cut -d: -f2)    
+      sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACL_INBOUND_$dev 2>/dev/null
+      success=$?
+      if [ $success -gt 0 ]
+      then
+        break
+      fi
+    done
+    if [ "$stats" != "none" ]
+    then
+      local pubIp=$(echo $stats | cut -d: -f1)
+      local dport=$(echo $stats | cut -d: -f2)    
+      local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
+      sudo iptables -A lb_stats -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
+      success=$?
+    fi
+    break
+  done
+  if [ $success -gt 0 ]
+  then
+    fw_restore
+  else
+    fw_remove_backup
+  fi  
+  return $success
+}
+
+#Hot reconfigure HA Proxy in the routing domain
+reconfig_lb() {
+  /root/reconfigLB.sh
+  return $?
+}
+
+# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
+restore_lb() {
+  logger -t cloud "Restoring HA Proxy to previous state"
+  # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
+  cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
+   
+  if [ $? -eq 0 ]
+  then
+    # Run reconfigLB.sh again
+    /root/reconfigLB.sh
+  fi
+}
+
+iflag=
+aflag=
+dflag=
+sflag=
+
+while getopts 'i:a:d:s:' OPTION
+do
+  case $OPTION in
+  i)	iflag=1
+		ip="$OPTARG"
+		;;
+  a)	aflag=1
+		addedIps="$OPTARG"
+		;;
+  d)	dflag=1
+		removedIps="$OPTARG"
+		;;
+  s)	sflag=1
+		statsIp="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+
+dev=$(getEthByIp $ip)
+
+if [ "$addedIps" == "" ]
+then
+  addedIps="none"
+fi
+
+if [ "$removedIps" == "" ]
+then
+  removedIps="none"
+fi
+
+# hot reconfigure haproxy
+reconfig_lb
+
+if [ $? -gt 0 ]
+then
+  logger -t cloud "Reconfiguring loadbalancer failed"
+  unlock_exit 1 $lock $locked
+fi
+
+# iptables entry to ensure that haproxy receives traffic
+fw_entry $addedIps $removedIps $statsIp
+result=$?  	
+if [ $result -gt 0 ]
+then
+  logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
+  # Restore the LB
+  restore_lb
+fi
+ 
+unlock_exit $result $lock $locked
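Review bot: In `fw_entry` the stats cidr list is rewritten with `sed 's/-/,/'`, which replaces only the first `-`, so if the caller can pass more than two cidrs the `-s` argument becomes `cidr1,cidr2-cidr3`, `iptables -A lb_stats` fails, and the whole update is rolled back through `restore_lb` for an input that is otherwise valid; `sed 's/-/,/g'` fixes it. The `removed` list is split into `$r` but never read, so nothing deletes removed ip:port entries from `load_balancer`; that is fine if the caller always sends the full current set as `added` (the chain is rebuilt via `fw_backup`/`fw_chain_create`), and a bug otherwise, so the intent should be stated in a comment or the dead code removed. `dev=$(getEthByIp $ip)` is also never checked, so when no interface carries `$ip` the jump target becomes `ACL_INBOUND_` and every rule append fails; `dev=$(getEthByIp $ip) || { logger -t cloud "$(basename $0): no interface for $ip"; unlock_exit 1 $lock $locked; }` would fail early with a useful message.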

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
new file mode 100755
index 0000000..4f32a46
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+
+vpnoutmark="0x525"
+vpninmark="0x524"
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s -[c|g|r|n|d] [-l <public gateway>] [-v <vpc cidr>] \n" $(basename $0)  >&2
+}
+
+create_usage_rules () {
+  iptables-save|grep "NETWORK_STATS_$ethDev" > /dev/null
+  if [ $? -gt 0 ]
+  then 
+    iptables -N NETWORK_STATS_$ethDev > /dev/null;
+    iptables -I FORWARD -j NETWORK_STATS_$ethDev > /dev/null;
+    iptables -A NETWORK_STATS_$ethDev -o $ethDev -s $vcidr > /dev/null;
+    iptables -A NETWORK_STATS_$ethDev -i $ethDev -d $vcidr > /dev/null;
+  fi  
+  return $?
+}
+
+create_vpn_usage_rules () {
+  iptables-save|grep "VPN_STATS_$ethDev" > /dev/null
+  if [ $? -gt 0 ]
+  then 
+    iptables -t mangle -N VPN_STATS_$ethDev > /dev/null;
+    iptables -t mangle -I FORWARD -j VPN_STATS_$ethDev > /dev/null;
+    iptables -t mangle -A VPN_STATS_$ethDev -o $ethDev -m mark --mark $vpnoutmark > /dev/null;
+    iptables -t mangle -A VPN_STATS_$ethDev -i $ethDev -m mark --mark $vpninmark > /dev/null;
+  fi
+  return $?
+}
+
+remove_usage_rules () {
+  return 0
+}
+
+get_usage () {
+  iptables -L NETWORK_STATS_$ethDev -n -v -x 2> /dev/null | awk '$1 ~ /^[0-9]+$/ { printf "%s:", $2}'; > /dev/null
+  return 0
+}
+
+get_vpn_usage () {
+  iptables -t mangle -L VPN_STATS_$ethDev -n -v -x | awk '$1 ~ /^[0-9]+$/ { printf "%s:", $2}'; > /dev/null
+  if [ $? -gt 0 ]
+  then
+     printf $?
+     return 1
+  fi
+}
+
+reset_usage () {
+  iptables -Z NETWORK_STATS_$ethDev > /dev/null
+  if [ $? -gt 0  -a $? -ne 2 ]
+  then
+     return 1
+  fi
+}
+
+#set -x
+
+cflag=
+gflag=
+rflag=
+lflag=
+vflag=
+nflag=
+dflag=
+
+while getopts 'cgndrl:v:' OPTION
+do
+  case $OPTION in
+  c)	cflag=1
+	;;
+  g)	gflag=1
+	;;
+  r)	rflag=1
+	;;
+  l)    lflag=1
+        publicIp="$OPTARG"
+        ;;
+  v)    vflag=1
+        vcidr="$OPTARG"
+        ;;
+  n)	nflag=1
+	;;
+  d)	dflag=1
+	;;	        
+  i)    #Do nothing, since it's parameter for host script
+        ;;
+  ?)	usage
+        unlock_exit 2 $lock $locked
+	;;
+  esac
+done
+
+ethDev=$(getEthByIp $publicIp)
+if [ "$cflag" == "1" ] 
+then
+  if [ "$ethDev" != "" ]
+  then
+    create_usage_rules
+    create_vpn_usage_rules
+    unlock_exit 0 $lock $locked
+   fi 
+fi
+
+if [ "$gflag" == "1" ] 
+then
+  get_usage 
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$nflag" == "1" ] 
+then
+  get_vpn_usage 
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$dflag" == "1" ] 
+then
+  remove_usage_rules
+  unlock_exit 0 $lock $locked
+fi
+
+if [ "$rflag" == "1" ] 
+then
+  reset_usage  
+  unlock_exit $? $lock $locked
+fi
+
+
+unlock_exit 0 $lock $locked
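Review bot: `get_vpn_usage` inspects `$?` after a pipeline whose last stage is `awk` and there is no `pipefail`, so a failing `iptables -t mangle -L` is never detected, and inside the `if` the `printf $?` prints the status of the `[` test (always 0) rather than the error, using it as a format string besides. Capture the status of the command that matters first, `out=$(iptables -t mangle -L VPN_STATS_$ethDev -n -v -x) || return 1`, and then run the awk over `$out`. In both `get_usage` and `get_vpn_usage` the trailing `; > /dev/null` is a separate empty command, so it redirects nothing and should be deleted.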

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_passwd_server
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_passwd_server b/systemvm/patches/debian/config/opt/cloud/bin/vpc_passwd_server
new file mode 100755
index 0000000..6488bec
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_passwd_server
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ip=$1
+result=$ip
+while [ -n "$result" ]
+do
+    socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=$ip SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
+    rc=$?
+    if [ $rc -ne 0 ]
+    then
+        logger -t cloud "Password server failed with error code $rc. Restarting socat..."
+        sleep 3
+    fi
+    result=`ip addr show | grep $ip`
+done

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
new file mode 100755
index 0000000..5aeaa70
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
@@ -0,0 +1,126 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
+}
+
+#set -x
+
+#Port (address translation) forwarding for tcp or udp
+tcp_or_udp_nat() {
+  local op=$1
+  local proto=$2
+  local publicIp=$3
+  local ports=$4
+  local instIp=$5
+  local dports=$6
+
+  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && tcp_or_udp_nat "-D" $proto $publicIp $ports $instIp $dports
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  local PROTO=""
+  if [ "$proto" != "any" ]
+  then
+    PROTO="--proto $proto"
+  fi
+
+  local DEST_PORT=""
+  if [ "$ports" != "any" ]
+  then
+    DEST_PORT="--destination-port $ports"
+  fi
+  
+  local TO_DEST="--to-destination $instIp"
+  if [ "$dports" != "any" ]
+  then
+    TO_DEST="--to-destination $instIp:$dports"
+  fi
+
+  sudo iptables -t nat $op PREROUTING $PROTO -d $publicIp  $DEST_PORT -j DNAT  \
+           $TO_DEST &>> $OUTFILE 
+        
+  local result=$?
+  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+  # the rule may not exist
+  if [ "$op" == "-D" ]
+  then
+    return 0
+  fi
+  return $result
+}
+
+
+rflag=
+Pflag=
+pflag=
+lflag=
+dflag=
+op=""
+protocal="any"
+ports="any"
+dports="any"
+while getopts 'ADr:P:p:l:d:' OPTION
+do
+  case $OPTION in
+  A)    op="-A"
+        ;;
+  D)    op="-D"
+        ;;
+  r)    rflag=1
+        instanceIp="$OPTARG"
+        ;;
+  P)    Pflag=1
+        protocol="$OPTARG"
+        ;;
+  p)    pflag=1
+        ports="$OPTARG"
+        ;;
+  l)    lflag=1
+        publicIp="$OPTARG"
+        ;;
+  d)    dflag=1
+        dports="$OPTARG"
+        ;;
+  ?)    usage
+        unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+OUTFILE=$(mktemp)
+
+tcp_or_udp_nat $op $protocol $publicIp $ports $instanceIp $dports
+result=$?
+unlock_exit $result $lock $locked
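Review bot: The default `protocal="any"` is a typo for `protocol`, so when `-P` is omitted `$protocol` is empty and the unquoted call `tcp_or_udp_nat $op $protocol $publicIp $ports $instanceIp $dports` shifts every following positional argument by one (the public IP becomes the protocol, the port range becomes the public IP). The fix is `protocol="any"`; quoting the arguments in that call would additionally turn a missing value into a visible error instead of a silent shift. The log line in tcp_or_udp_nat also references `$port` and `$dport`, which are never set, where the locals are `$ports` and `$dports`. The usage text advertises `-t`, `-s` and `-G`, none of which `getopts 'ADr:P:p:l:d:'` accepts, and the `mktemp` file in `OUTFILE` is never removed.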

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
new file mode 100755
index 0000000..3635e1c
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+  exit 1
+fi
+
+usage() {
+  printf "Usage:\n %s -A -l <public-ip-address>\n" $(basename $0) >&2
+  printf " %s -D -l <public-ip-address>\n" $(basename $0) >&2
+}
+
+
+add_snat() {
+  logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  sudo iptables -t nat -A POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  return $?
+}
+remove_snat() {
+  logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  return $?
+}
+
+#set -x
+lflag=0
+cflag=0
+op=""
+
+while getopts 'ADl:c:' OPTION
+do
+  case $OPTION in
+  A)	Aflag=1
+		op="-A"
+		;;
+  D)	Dflag=1
+		op="-D"
+		;;
+  l)	lflag=1
+		pubIp="$OPTARG"
+		;;
+  c)	cflag=1
+		ethDev="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$Aflag$Dflag" != "1" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ "$lflag$cflag" != "11" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ "$Aflag" == "1" ]
+then
+  add_snat  $publicIp
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$Dflag" == "1" ]
+then
+  remove_snat  $publicIp
+  unlock_exit $? $lock $locked
+fi
+
+unlock_exit 1 $lock $locked
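Review bot: `add_snat  $publicIp` and `remove_snat  $publicIp` pass a variable that is never assigned anywhere in the script; the `-l` value is stored in `pubIp`, and both functions ignore their argument and read the globals `pubIp` and `ethDev` directly. It works today only by accident; either pass `"$pubIp"` and have the functions read `$1`, or drop the argument so the coupling through globals is explicit. add_snat also logs "Added SourceNAT" before the rule is installed and returns only the status of the final `-A`, so the log can report an addition that failed.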

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
new file mode 100755
index 0000000..d4e3eba
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
@@ -0,0 +1,224 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# vpc_privategw_acl.sh_rule.sh -- allow/block some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+
+acl_switch_to_new() {
+  sudo iptables -D FORWARD -o $dev  -j _ACL_INBOUND_$dev  2>/dev/null
+  sudo iptables-save  | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
+  do
+    rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
+    sudo iptables $rule1
+    rule2=$(echo $rule | sed 's/\-A/\-D/')
+    sudo iptables $rule2
+  done
+  sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev  -j _ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_remove_backup() {
+  sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -D FORWARD -o $dev  -j _ACL_INBOUND_$dev  2>/dev/null
+  sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev  -j _ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_remove() {
+  sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -D FORWARD -o $dev  -j ACL_INBOUND_$dev  2>/dev/null
+  sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev  -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_restore() {
+  acl_remove
+  sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_save() {
+  acl_remove_backup
+  sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_chain_for_guest_network () {
+  acl_save
+  # inbound
+  sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -A FORWARD -o $dev  -j ACL_INBOUND_$dev  2>/dev/null
+  # outbound
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev  -j ACL_OUTBOUND_$dev  2>/dev/null
+}
+
+
+
+acl_entry_for_guest_network() {
+  local rule=$1
+
+  local ttype=$(echo $rule | cut -d: -f1)
+  local prot=$(echo $rule | cut -d: -f2)
+  local sport=$(echo $rule | cut -d: -f3)
+  local eport=$(echo $rule | cut -d: -f4)
+  local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+  local action=$(echo $rule | cut -d: -f6)
+  if [ "$sport" == "0" -a "$eport" == "0" ]
+  then
+      DPORT=""
+  else
+      DPORT="--dport $sport:$eport"
+  fi
+  logger -t cloud "$(basename $0): enter apply acl rules on private gateway interface : $dev, inbound:$inbound:$prot:$sport:$eport:$cidrs"
+
+  # note that rules are inserted after the RELATED,ESTABLISHED rule
+  # but before the DROP rule
+  for lcidr in $cidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      if [ "$ttype" == "Ingress" ]
+      then
+        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr  \
+                    --icmp-type $typecode  -j $action
+      else
+        let egress++
+        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
+                    --icmp-type $typecode  -j $action
+      fi
+    else
+      if [ "$ttype" == "Ingress" ]
+      then
+        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
+                    $DPORT -j $action
+      else
+        let egress++
+        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+                    $DPORT -j $action
+      fi
+    fi
+    result=$?
+    [ $result -gt 0 ] &&
+       logger -t cloud "Error adding iptables entry for private gateway interface : $dev,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
+       break
+  done
+
+  logger -t cloud "$(basename $0): exit apply acl rules for private gw interface : $dev"
+  return $result
+}
+
+
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+dev=""
+while getopts 'd:a:' OPTION
+do
+  case $OPTION in
+  d)    dflag=1
+                dev="$OPTARG"
+                ;;
+  a)    aflag=1
+        rules="$OPTARG"
+        ;;
+  ?)    usage
+                unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+if [ "$dflag$aflag" != "11" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ -n "$rules" ]
+then
+  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
+
+success=0
+
+acl_chain_for_guest_network
+egress=0
+for r in $rules_list
+do
+  acl_entry_for_guest_network $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "$(basename $0): failure to apply acl rules on private gateway interface : $dev"
+    break
+  else
+    logger -t cloud "$(basename $0): successful in applying acl rules on private gateway interface : $dev"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+  logger -t cloud "$(basename $0): restoring from backup on private gateway interface : $dev"
+  acl_restore
+else
+  logger -t cloud "$(basename $0): deleting backup on private gateway interface : $dev"
+  if [ $egress -eq 0 ]
+  then
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
+  else
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  fi
+  acl_switch_to_new
+fi
+unlock_exit $success $lock $locked
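Review bot: The logger calls in acl_entry_for_guest_network interpolate `$inbound` (`inbound:$inbound:$prot:...` on the enter line and again in the error line), but `inbound` is never assigned in this script; the direction is held in `$ttype`, so that log field is always empty and should read `$ttype`. Separately, the sixth field of each rule goes straight to `-j $action`; since the rule string arrives via `-a` from outside the script, a check such as `case "$action" in ACCEPT|DROP) ;; *) return 1 ;; esac` before the loop keeps a malformed rule from becoming an arbitrary jump target, assuming nothing upstream already validates it. `DPORT` and `result` are also globals written from inside the function, and the second usage line prints to stdout rather than stderr like the first.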

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_snat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_snat.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_snat.sh
new file mode 100755
index 0000000..aa33e08
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_snat.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# @VERSION@
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+  exit 1
+fi
+
+usage() {
+  printf "Usage:\n %s -A -l <public-ip-address>\n" $(basename $0) >&2
+  printf " %s -D -l <public-ip-address>\n" $(basename $0) >&2
+}
+
+
+add_snat() {
+  logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
+  vpccidr=$(getVPCcidr)
+  sudo iptables -D FORWARD -s $vpccidr ! -d $vpccidr -j ACCEPT
+  sudo iptables -A FORWARD -s $vpccidr ! -d $vpccidr -j ACCEPT
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  sudo iptables -t nat -A POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  return $?
+}
+remove_snat() {
+  logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $pubIp
+  return $?
+}
+
+#set -x
+lflag=0
+cflag=0
+op=""
+
+while getopts 'ADl:c:' OPTION
+do
+  case $OPTION in
+  A)	Aflag=1
+		op="-A"
+		;;
+  D)	Dflag=1
+		op="-D"
+		;;
+  l)	lflag=1
+		pubIp="$OPTARG"
+		;;
+  c)	cflag=1
+		ethDev="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$Aflag$Dflag" != "1" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ "$lflag$cflag" != "11" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ "$Aflag" == "1" ]
+then
+  add_snat  $publicIp
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$Dflag" == "1" ]
+then
+  remove_sat  $publicIp
+  unlock_exit $? $lock $locked
+fi
+
+unlock_exit 1 $lock $locked
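Review bot: The `-D` path calls `remove_sat  $publicIp`, which does not exist (the function defined above is `remove_snat`), so bash reports "command not found", `$?` is 127 and `unlock_exit` runs without the SNAT rule ever being removed. Change the call to `remove_snat "$pubIp"`; note that `publicIp` is never assigned (the `-l` value is stored in `pubIp`) and both functions read the globals rather than `$1`, the same pattern as in vpc_privateGateway.sh. add_snat returns only the status of the last `-A POSTROUTING`, so a failure to install the FORWARD accept rule for `$vpccidr` is lost.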

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
new file mode 100755
index 0000000..a98a262
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# @VERSION@
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s: (-A|-D)   -r <target-instance-ip>  -l <public ip address> -d < eth device>  \n" $(basename $0) >&2
+}
+
+#set -x
+
+vpnoutmark="0x525"
+
+static_nat() {
+  local op=$1
+  local publicIp=$2
+  local instIp=$3
+  local op2="-D"
+  local tableNo=${ethDev:3}
+
+  logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
+  instance ip=$instIp  op=$op"
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op  PREROUTING -d $publicIp -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  # add mark to force the package go out through the eth the public IP is on
+  #(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
+  #         --set-mark $tableNo &> $OUTFILE ||  [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
+           --to-source $publicIp &>> $OUTFILE )
+  result=$?
+  logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
+  if [ "$op" == "-D" ]
+  then
+    return 0
+  fi
+  return $result
+}
+
+
+
+rflag=
+lflag=
+dflag=
+op=""
+while getopts 'ADr:l:' OPTION
+
+do
+  case $OPTION in
+  A)    op="-A"
+        ;;
+  D)    op="-D"
+        ;;
+  r)    rflag=1
+        instanceIp="$OPTARG"
+        ;;
+  l)    lflag=1
+        publicIp="$OPTARG"
+        ;;
+  ?)    usage
+        unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+ethDev=$(getEthByIp $publicIp)
+result=$?
+if [ $result -gt 0 ]
+then
+  if [ "$op" == "-D" ]
+  then 
+    removeRulesForIp $publicIp
+    unlock_exit 0 $lock $locked
+  else
+    unlock_exit $result $lock $locked
+  fi
+fi
+OUTFILE=$(mktemp)
+
+static_nat $op $publicIp $instanceIp
+result=$?
+unlock_exit $result $lock $locked
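Review bot: `iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark` in static_nat runs without `sudo`, unlike every other iptables invocation in the file. If the script is not running as root, iptables-save fails (its stderr is not redirected), the grep finds nothing, `rulenum` becomes 1 and the SNAT rule is inserted ahead of the VPN no-NAT rule the comment says it must stay behind. Prefix it as on the surrounding lines, `sudo iptables-save -t nat | grep POSTROUTING | grep -q -- "$vpnoutmark"`. `local tableNo=${ethDev:3}` is unused now that the mangle MARK rule is commented out, and the `mktemp` file in `OUTFILE` is never removed.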

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticroute.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticroute.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticroute.sh
new file mode 100755
index 0000000..2a9f50a
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticroute.sh
@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# @VERSION@
+
+source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -a < routes > \n" $(basename $0) >&2
+}
+
+#set -x
+
+flush_table_backup() {
+  flush_table "static_route_back"
+}
+
+flush_table() {
+  local tab=$1
+  sudo ip route flush table $tab
+}
+
+copy_table() {
+  local from=$1
+  local to=$2
+  sudo ip route show table $from | while read route
+  do
+    sudo ip route add table $to $route
+  done
+}
+
+backup_table() {
+  flush_table "static_route_back"
+  copy_table "static_route" "static_route_back"
+  flush_table "static_route"
+}
+
+restore_table() {
+  flush_table "static_route"
+  copy_table "static_route_back" "static_route"
+  flush_table "static_route_back"
+}
+
+static_route() {
+  local rule=$1
+  local ip=$(echo $rule | cut -d: -f1)
+  if [ $ip == "Revoke" ]
+  then
+    return 0
+  fi
+  local gateway=$(echo $rule | cut -d: -f2)
+  local cidr=$(echo $rule | cut -d: -f3)
+  logger -t cloud "$(basename $0): static route: public ip=$ip \
+  	gateway=$gateway cidr=$cidr"
+  local dev=$(getEthByIp $ip)
+  if [ $? -gt 0 ]
+  then
+    return 1
+  fi
+  sudo ip route add $cidr dev $dev via $gateway table static_route &>/dev/null
+  result=$?
+  logger -t cloud "$(basename $0): done static route: public ip=$ip \
+  	gateway=$gateway cidr=$cidr"
+  return $result
+}
+
+gflag=
+aflag=
+while getopts 'a:' OPTION
+
+do
+  case $OPTION in
+  a)    aflag=1
+        rules="$OPTARG"
+        ;;
+  ?)    usage
+        unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+if [ -n "$rules" ]
+then
+  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+success=0
+
+backup_table
+
+for r in $rules_list
+do
+  static_route $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+    break
+  else
+    logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+  logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+  restore_table
+else
+  logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+  flush_table_backup
+fi
+unlock_exit $success $lock $locked
+
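Review bot: In static_route the failure check after `local dev=$(getEthByIp $ip)` tests the exit status of the `local` builtin, which is 0 regardless of what getEthByIp returned, so the `return 1` branch is unreachable and a rule whose IP is on no interface proceeds to `ip route add ... dev  via ...` with an empty device. Split the declaration from the assignment: `local dev` then `dev=$(getEthByIp "$ip") || return 1`. The four logger messages at the bottom mention `guest network: $gcidr`, but `gcidr` is never set in this script; the wording looks copied from a firewall script and should describe the static-route operation. `if [ $ip == "Revoke" ]` also needs quoting, since an empty first field makes `[` fail with a syntax error instead of returning cleanly.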

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/.ssh/authorized_keys
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/.ssh/authorized_keys b/systemvm/patches/debian/config/root/.ssh/authorized_keys
new file mode 100644
index 0000000..7286760
--- /dev/null
+++ b/systemvm/patches/debian/config/root/.ssh/authorized_keys
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFu3MLSPphFRBR1yM7nBukXWS9gPdAXfqq9cfC8ZqQN9ybi531aj44CybZ4BVT4kLfzbAs7+7nJeSIpPHxjv9XFqbxjIxoFeGYkj7s0RrJgtsEmvAAubZ3mYboUAYUivMgnJFLnv4VqyAbpjix6CfECUiU4ygwo24F3F6bAmhl4Vo1R5TSUdDIX876YePJTFtuVkLl4lu/+xw1QRWrgaSFosGICT37IKY7RjE79Ozb0GjNHyJPPgVAGkUVO4LawroL9dYOBlzdHpmqqA9Kc44oQBpvcU7s1+ezRTt7fZNnP7TG9ninZtrvnP4qmwAc4iUJ7N1bwh0mCblnoTfZ28hw== anthony@mobl-ant
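Review bot: This commits a developer's personal public key (comment `anthony@mobl-ant`) as root's `authorized_keys` in the system VM template, which means whoever holds the matching private key can log in as root on every system VM built from this tree. The neighbouring scripts reference `/root/.ssh/id_rsa.cloud`, which suggests the key material is meant to be provisioned at runtime by the management server, so this file should ship empty or not at all, and the stray key should be treated as revoked. If a build-time key is genuinely required, it belongs in a documented, overridable build parameter rather than a checked-in file.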

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/bumpup_priority.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/bumpup_priority.sh b/systemvm/patches/debian/config/root/bumpup_priority.sh
new file mode 100755
index 0000000..2b8d8c3
--- /dev/null
+++ b/systemvm/patches/debian/config/root/bumpup_priority.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+touch /tmp/rrouter_bumped
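Review bot: `touch /tmp/rrouter_bumped` uses a fixed, predictable path in the world-writable /tmp as a signal file, so any local user can pre-create it and spoof the signal before this script ever runs, and a stale file persists until /tmp is cleaned. If the consumer of the flag is root-only, a root-owned location such as `/var/run` is the safer home. At minimum a comment naming who reads the file and when it is removed would help, since nothing in this commit shows that.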

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/clearUsageRules.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/clearUsageRules.sh b/systemvm/patches/debian/config/root/clearUsageRules.sh
new file mode 100755
index 0000000..061688b
--- /dev/null
+++ b/systemvm/patches/debian/config/root/clearUsageRules.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+ 
+
+# clearUsageRules.sh - remove iptable rules for removed public interfaces
+# @VERSION@
+
+if [ -f /root/removedVifs ]
+then
+    var=`cat /root/removedVifs`
+    # loop through even vif to be cleared
+    for i in $var; do
+        # Make sure vif doesn't exist
+        if [ ! -f /sys/class/net/$i ]
+        then
+            # remove rules
+            iptables -D NETWORK_STATS -i eth0 -o $i > /dev/null;
+            iptables -D NETWORK_STATS -i $i -o eth0 > /dev/null;
+            iptables -D NETWORK_STATS -o $i ! -i eth0 -p tcp > /dev/null;
+            iptables -D NETWORK_STATS -i $i ! -o eth0 -p tcp > /dev/null;
+        fi
+    done
+rm /root/removedVifs
+fi
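Review bot: The guard `if [ ! -f /sys/class/net/$i ]` is always true, because entries under /sys/class/net are directories (symlinks to directories), never regular files, so the NETWORK_STATS rules are deleted even for an interface that still exists. Use `if [ ! -e /sys/class/net/$i ]` (or `-d`). The loop body also discards only stdout with `> /dev/null`; iptables reports a missing rule on stderr, so those errors are neither suppressed nor logged, and this script runs `iptables` without the `sudo` the rest of the tree uses.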

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/createIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/createIpAlias.sh b/systemvm/patches/debian/config/root/createIpAlias.sh
new file mode 100755
index 0000000..cd273f6
--- /dev/null
+++ b/systemvm/patches/debian/config/root/createIpAlias.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+usage() {
+  printf " %s   <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
+}
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+PORTS_CONF=/etc/apache2/ports.conf
+PORTS_CONF_BAK=/etc/ports.conf.bak
+FAIL_DIR=/etc/failure_config
+CMDLINE=$(cat /var/cache/cloud/cmdline | tr '\n' ' ')
+
+if [ ! -d "$FAIL_DIR" ]
+  then
+      mkdir "$FAIL_DIR"
+fi
+#bakup ports.conf
+cp "$PORTS_CONF" "$PORTS_CONF_BAK"
+
+domain=$(echo "$CMDLINE" | grep -o " domain=.* " | sed -e 's/domain=//' | awk '{print $1}')
+
+setup_apache2() {
+  local ip=$1
+  logger -t cloud "Setting up apache web server for $ip"
+  cp /etc/apache2/sites-available/default  /etc/apache2/sites-available/ipAlias.${ip}.meta-data
+  cp /etc/apache2/sites-available/default-ssl  /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
+  cp /etc/apache2/ports.conf /etc/apache2/conf.d/ports.${ip}.meta-data.conf
+  sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:80>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}.meta-data
+  sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:443>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
+  sed -i -e "/NameVirtualHost .*:80/d" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
+  sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
+  sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
+  ln -s /etc/apache2/sites-available/ipAlias.${ip}.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}.meta-data
+  ln -s /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data
+}
+
+var="$1"
+cert="/root/.ssh/id_rsa.cloud"
+config_ips=""
+
+while [ -n "$var" ]
+do
+ var1=$(echo $var | cut -f1 -d "-")
+ alias_count=$( echo $var1 | cut -f1 -d ":" )
+ routerip=$(echo $var1 | cut -f2 -d ":")
+ netmask=$(echo $var1 | cut -f3 -d ":")
+ ifconfig eth0:$alias_count $routerip netmask $netmask up
+ setup_apache2 "$routerip"
+ config_ips="${config_ips}"$routerip":"
+ var=$( echo $var | sed "s/${var1}-//" )
+done
+
+#restarting the apache server for the config to take effect.
+service apache2 restart
+result=$?
+if [ "$result" -ne "0" ]
+then
+   logger -t cloud "createIpAlias.sh: could not configure apache2 server"
+   logger -t cloud "createIpAlias.sh: reverting to the old config"
+   logger -t cloud "createIpAlias.sh: moving out the failure config to $FAIL_DIR"
+   while [ -n "$config_ips" ]
+   do
+      ip=$( echo $config_ips | cut -f1 -d ":" )
+      mv  "/etc/apache2/sites-available/ipAlias.${ip}.meta-data" "$FAIL_DIR/ipAlias.${ip}.meta-data"
+      mv  "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data" "$FAIL_DIR/ipAlias.${ip}-ssl.meta-data"
+      mv  "/etc/apache2/conf.d/ports.${ip}.meta-data.conf"       "$FAIL_DIR/ports.${ip}.meta-data.conf"
+      rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
+      rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
+      config_ips=$( echo $config_ips | sed "s/${ip}://" )
+   done
+   service apache2 restart
+   unlock_exit $result $lock $locked
+fi
+
+#restaring the password service to enable it on the ip aliases
+/etc/init.d/cloud-passwd-srvr restart
+unlock_exit $? $lock $locked
\ No newline at end of file
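Review bot: The argument loop `while [ -n "$var" ]` runs one extra, empty pass: with entries terminated by `-` (the format deleteIpAlias.sh stops on), the final iteration has `var1` empty, so `ifconfig eth0:  netmask  up` and `setup_apache2 ""` run with blank values and an `ipAlias..meta-data` site is created; without a trailing `-` the `sed "s/${var1}-//"` never matches and the loop spins forever. Change the condition to `while [ -n "$var" ] && [ "$var" != "-" ]` and the advance to `var=$( echo "$var" | sed "s/^${var1}-*//" )`, which terminates in both cases; deleteIpAlias.sh's loop has the same dependence on the terminator and the same fix applies. `usage` is defined but never called, so a `[ -n "$1" ] || { usage; unlock_exit 2 $lock $locked; }` before the loop is worth adding. The rollback branch removes the Apache files but leaves the `ifconfig eth0:$alias_count` aliases up and never restores `$PORTS_CONF_BAK`, so a failed run still changes the router's addressing.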

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/deleteIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/deleteIpAlias.sh b/systemvm/patches/debian/config/root/deleteIpAlias.sh
new file mode 100755
index 0000000..47edb92
--- /dev/null
+++ b/systemvm/patches/debian/config/root/deleteIpAlias.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+usage() {
+  printf " %s   <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
+}
+
+source /root/func.sh
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+remove_apache_config() {
+local ip=$1
+ logger -t cloud "removing apache web server config for $ip"
+ rm -f "/etc/apache2/sites-available/ipAlias.${ip}.meta-data"
+ rm -f "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data"
+ rm -f "/etc/apache2/conf.d/ports.${ip}.meta-data.conf"
+ rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
+ rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
+}
+
+var="$1"
+cert="/root/.ssh/id_rsa.cloud"
+
+while [[ !( "$var" == "-" ) ]]
+do
+ var1=$(echo $var | cut -f1 -d "-")
+ alias_count=$( echo $var1 | cut -f1 -d ":" )
+ routerip=$( echo $var1 | cut -f2 -d ":" )
+ ifconfig eth0:$alias_count  down
+ remove_apache_config "$routerip"
+ var=$( echo $var | sed "s/${var1}-//" )
+done
+#restarting the apache server for the config to take effect.
+service apache2 restart
+
+releaseLockFile $lock $locked
+
+#recreating the active ip aliases
+/root/createIpAlias.sh $2
+unlock_exit $? $lock $locked
\ No newline at end of file
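Review bot: The loop guard `while [[ !( "$var" == "-" ) ]]` only terminates once the remaining argument is exactly `-`; when the last element carries no trailing `-`, `var=$( echo $var | sed "s/${var1}-//" )` strips nothing and the loop repeats the same `ifconfig eth0:$alias_count down` forever, and an empty `$1` spins on `ifconfig eth0: down`. createIpAlias.sh in the same commit walks the identical format with `while [ -n "$var" ]`, so `while [ -n "$var" ]` here would be consistent and would stop on the empty remainder. The lock also looks like it is released twice: `releaseLockFile $lock $locked` runs before `/root/createIpAlias.sh $2` (which presumably takes and releases `biglock` itself), and `unlock_exit $? $lock $locked` then releases with a stale handle; the final line should just propagate the status without the second release. `cert="/root/.ssh/id_rsa.cloud"` is never used, and the usage text describes `;`-separated entries while the code splits on `-`.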

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/dnsmasq.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/dnsmasq.sh b/systemvm/patches/debian/config/root/dnsmasq.sh
new file mode 100755
index 0000000..8fae25c
--- /dev/null
+++ b/systemvm/patches/debian/config/root/dnsmasq.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+usage() {
+  printf "Usage: %s:  <routerAliasIp:gateway:netmask:start_ip_of_subnet:-routerAlisIp:gateway:....>\n" $(basename $0) >&2
+}
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+#set -x
+#backup the old config file
+DHCP_CONFIG=/etc/dnsmasq.d/multiple_ranges.conf
+DHCP_CONFIG_BAK=/etc/dnsmasq.d/multiple_ranges.conf.bak
+DHCP_CONFIG_MAIN=/etc/dnsmasq.conf
+DHCP_CONFIG_MAIN_BAK=/etc/dnsmasq.conf.bak
+DHCP_FAILURE_CONFIG=/etc/multiple_ranges.conf.failure
+DHCP_FAILURE_CONFIG_MAIN=/etc/dnsmasq.conf.failure
+CMDLINE=$(cat /var/cache/cloud/cmdline | tr '\n' ' ')
+
+#take a backup copy of the dnsmasq file.
+cp "$DHCP_CONFIG_MAIN"  "$DHCP_CONFIG_MAIN_BAK"
+cp "$DHCP_CONFIG" "$DHCP_CONFIG_BAK"
+
+#empty the config file
+echo > $DHCP_CONFIG
+
+var="$1"
+dhcp_range=""
+dhcp_gateway=""
+dhcp_netmask=""
+dns_option=""
+dns_servers=""
+count=0
+
+
+# fetching the dns Ips from the command line.
+dns1=$(echo "$CMDLINE" | grep -o " dns1=[[:digit:]].* " | sed -e 's/dns1=//' | awk '{print $1}')
+dns2=$(echo "$CMDLINE" | grep -o " dns2=[[:digit:]].* "  | sed -e 's/dns2=//' | awk '{print $1}')
+
+dns_servers="${dns1}"
+if [ -n "$dns2" ]
+then
+dns_servers="${dns1},${dns2}"
+fi
+
+
+# check if useextdns is true
+use_ext_dns=$(echo "$CMDLINE" | grep -o "useextdns=true")
+while [ -n "$var" ]
+do
+ var1=$(echo $var | cut -f1 -d "-")
+ routerip=$( echo $var1 | cut -f1 -d ":" )
+ gateway=$(echo $var1 | cut -f2 -d ":")
+ netmask=$(echo $var1 | cut -f3 -d ":")
+ start_ip_of_subnet=$(echo $var1 | cut -f4 -d ":")
+ dhcp_range="${dhcp_range}"'dhcp-range=set:range'$count","$start_ip_of_subnet",static \n"
+ dhcp_gateway="${dhcp_gateway}"'dhcp-option=tag:range'$count",3,"$gateway" \n"
+ dhcp_netmask="${dhcp_netmask}"'dhcp-option=tag:range'$count",1,"$netmask" \n"
+ if [ -n "$use_ext_dns" ]
+ then
+ dns_option="${dns_option}"'dhcp-option=tag:range'$count",6,"$dns_servers" \n"
+ else
+ dns_option="${dns_option}"'dhcp-option=tag:range'$count",6,$routerip"","$dns_servers" \n"
+ fi
+ var=$( echo $var | sed "s/${var1}-//" )
+ count=$[$count+1]
+done
+
+#logging the configuration being removed.
+log=""
+log="${log}"`grep "^dhcp-option=6" "$DHCP_CONFIG_MAIN"`"\n"
+log="${log}"`grep "^dhcp-option=option:router" "$DHCP_CONFIG_MAIN"`"\n"
+log="${log}"`grep "^dhcp-range=" "$DHCP_CONFIG_MAIN"`"\n"
+
+if [ "$log" != '\n\n\n' ]
+then
+ #Cleaning the existing dhcp confgiuration
+ logger -t cloud "dnsmasq.sh: remvoing the primaryip confg from dnsmasq.conf and adding it to /etc/dnsmaq.d/multiple_ranges.conf"
+ logger -t cloud "dnsmasq.sh: config removed from dnsmasq.conf is $log"
+ sed -i -e '/dhcp-option=6/d'  "$DHCP_CONFIG_MAIN"
+ sed -i -e '/dhcp-option=option:router/d' "$DHCP_CONFIG_MAIN"
+ sed -i -e '/^dhcp-range=/d' "$DHCP_CONFIG_MAIN"
+fi
+
+#wrting the new config into the config file.
+echo -e "$dhcp_range" >> "$DHCP_CONFIG"
+echo -e "$dhcp_gateway" >> "$DHCP_CONFIG"
+echo -e "$dhcp_netmask" >> "$DHCP_CONFIG"
+echo -e "$dns_option" >> "$DHCP_CONFIG"
+
+
+#restart the dnsmasq
+service dnsmasq restart
+result=$?
+if [ "$result" -ne "0" ]
+then
+   logger -t cloud "dnsmasq.sh: could not configure dnsmasq"
+   logger -t cloud "dnsmasq.sh: reverting to the old config"
+   logger -t cloud "dnsmasq.sh: copying the failure config to `$DHCP_FAILURE_CONFIG` and `$DHCP_FAILURE_CONFIG_MAIN`"
+   cp "$DHCP_CONFIG" "$DHCP_FAILURE_CONFIG"
+   cp "$DHCP_CONFIG_MAIN" "$DHCP_FAILURE_CONFIG_MAIN"
+   cp "$DHCP_CONFIG_BAK" "$DHCP_CONFIG"
+   cp "$DHCP_CONFIG_MAIN_BAK" "$DHCP_CONFIG_MAIN"
+   service dnsmasq restart
+   unlock_exit $result $lock $locked
+fi
+rm "$DHCP_CONFIG_BAK"
+rm "$DHCP_CONFIG_MAIN_BAK"
+unlock_exit $result $lock $locked
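Review bot: The failure-path log line `logger -t cloud "dnsmasq.sh: copying the failure config to `$DHCP_FAILURE_CONFIG` and `$DHCP_FAILURE_CONFIG_MAIN`"` uses backticks inside double quotes, which bash treats as command substitution: it attempts to execute `/etc/multiple_ranges.conf.failure` and `/etc/dnsmasq.conf.failure` as commands and logs their (empty) output instead of the paths. It should read `logger -t cloud "dnsmasq.sh: copying the failure config to $DHCP_FAILURE_CONFIG and $DHCP_FAILURE_CONFIG_MAIN"`. Separately, `count=$[$count+1]` is the deprecated arithmetic form; `count=$((count+1))` is the portable equivalent. The four colon-separated fields taken from `$1` are written verbatim into `dhcp-range=` and `dhcp-option=` lines with no check that they are IPv4 addresses, so a malformed field is only caught by the `service dnsmasq restart` status and the revert path; a short shape check before the loop would give a clearer failure.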

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/edithosts.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/edithosts.sh b/systemvm/patches/debian/config/root/edithosts.sh
new file mode 100755
index 0000000..b82fb8e
--- /dev/null
+++ b/systemvm/patches/debian/config/root/edithosts.sh
@@ -0,0 +1,234 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+ 
+# edithosts.sh -- edit the dhcphosts file on the routing domain
+
+usage() {
+  printf "Usage: %s: -m <MAC address> -4 <IPv4 address> -6 <IPv6 address> -h <hostname> -d <default router> -n <name server address> -s <Routes> -u <DUID> [-N]\n" $(basename $0) >&2
+}
+
+mac=
+ipv4=
+ipv6=
+host=
+dflt=
+dns=
+routes=
+duid=
+nondefault=
+
+while getopts 'm:4:h:d:n:s:6:u:N' OPTION
+do
+  case $OPTION in
+  m)    mac="$OPTARG"
+        ;;
+  4)    ipv4="$OPTARG"
+        ;;
+  6)    ipv6="$OPTARG"
+        ;;
+  u)    duid="$OPTARG"
+        ;;
+  h)    host="$OPTARG"
+        ;;
+  d)    dflt="$OPTARG"
+        ;;
+  n)    dns="$OPTARG"
+        ;;
+  s)    routes="$OPTARG"
+        ;;
+  N)    nondefault=1
+        ;;
+  ?)    usage
+        exit 2
+        ;;
+  esac
+done
+
+DHCP_HOSTS=/etc/dhcphosts.txt
+DHCP_OPTS=/etc/dhcpopts.txt
+DHCP_LEASES=/var/lib/misc/dnsmasq.leases
+HOSTS=/etc/hosts
+
+source /root/func.sh
+
+lock="biglock"
+#default timeout value is 30 mins as DhcpEntryCommand is not synchronized on agent side any more,
+#and multiple commands can be sent to the same VR at a time
+locked=$(getLockFile $lock 1800)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+grep "redundant_router=1" /var/cache/cloud/cmdline > /dev/null
+no_redundant=$?
+
+command -v dhcp_release > /dev/null 2>&1
+no_dhcp_release=$?
+
+wait_for_dnsmasq () {
+  local _pid=$(pidof dnsmasq)
+  for i in 0 1 2 3 4 5 6 7 8 9 10
+  do
+    sleep 1
+    _pid=$(pidof dnsmasq)
+    [ "$_pid" != "" ] && break;
+  done
+  [ "$_pid" != "" ] && return 0;
+  logger -t cloud "edithosts: timed out waiting for dnsmasq to start"
+  return 1
+}
+
+if [ $ipv6 ]
+then
+    no_dhcp_release=1
+fi
+
+if [ $no_dhcp_release -eq 0 ]
+then
+  #release previous dhcp lease if present
+  logger -t cloud "edithosts: releasing $ipv4"
+  dhcp_release eth0 $ipv4 $(grep "$ipv4 " $DHCP_LEASES | awk '{print $2}') > /dev/null 2>&1
+  logger -t cloud "edithosts: released $ipv4"
+fi
+
+logger -t cloud "edithosts: update $mac $ipv4 $ipv6 $host to hosts"
+
+[ ! -f $DHCP_HOSTS ] && touch $DHCP_HOSTS
+[ ! -f $DHCP_OPTS ] && touch $DHCP_OPTS
+[ ! -f $DHCP_LEASES ] && touch $DHCP_LEASES
+
+#delete any previous entries from the dhcp hosts file
+sed -i  /$mac/d $DHCP_HOSTS
+if [ $ipv4 ]
+then
+  sed -i  /$ipv4,/d $DHCP_HOSTS
+fi
+if [ $ipv6 ]
+then
+  #searching with [$ipv6], matching other ip so using $ipv6],
+  sed -i  /$ipv6],/d $DHCP_HOSTS
+fi
+# don't want to do this in the future, we can have same VM with multiple nics/entries
+#sed -i  /$host,/d $DHCP_HOSTS
+
+
+#put in the new entry
+if [ $ipv4 ]
+then
+  echo "$mac,$ipv4,$host,infinite" >>$DHCP_HOSTS
+fi
+if [ $ipv6 ]
+then
+  if [ $nondefault ]
+  then
+    echo "id:$duid,set:nondefault6,[$ipv6],$host,infinite" >>$DHCP_HOSTS
+  else
+    echo "id:$duid,[$ipv6],$host,infinite" >>$DHCP_HOSTS
+  fi
+fi
+
+#delete leases to supplied mac and ip addresses
+if [ $ipv4 ]
+then
+  sed -i  /$mac/d $DHCP_LEASES 
+  sed -i  /"$ipv4 "/d $DHCP_LEASES 
+fi
+if [ $ipv6 ]
+then
+  sed -i  /$duid/d $DHCP_LEASES 
+  sed -i  /"$ipv6 "/d $DHCP_LEASES 
+fi
+sed -i  /"$host "/d $DHCP_LEASES 
+
+#put in the new entry
+if [ $ipv4 ]
+then
+  echo "0 $mac $ipv4 $host *" >> $DHCP_LEASES
+fi
+if [ $ipv6 ]
+then
+  echo "0 $duid $ipv6 $host *" >> $DHCP_LEASES
+fi
+
+#edit hosts file as well
+if [ $ipv4 ]
+then
+  sed -i  /"$ipv4 "/d $HOSTS
+fi
+if [ $ipv6 ]
+then
+  sed -i  /"$ipv6 "/d $HOSTS
+fi
+sed -i  /" $host$"/d $HOSTS
+if [ $ipv4 ]
+then
+  echo "$ipv4 $host" >> $HOSTS
+fi
+if [ $ipv6 ]
+then
+  echo "$ipv6 $host" >> $HOSTS
+fi
+
+if [ "$dflt" != "" ]
+then
+  #make sure dnsmasq looks into options file
+  sed -i /dhcp-optsfile/d /etc/dnsmasq.conf
+  echo "dhcp-optsfile=$DHCP_OPTS" >> /etc/dnsmasq.conf
+
+  tag=$(echo $ipv4 | tr '.' '_')
+  sed -i /$tag/d $DHCP_OPTS
+  if [ "$dflt" == "0.0.0.0" ]
+  then
+    logger -t cloud "$0: unset default router for $ipv4"
+    logger -t cloud "$0: unset dns server for $ipv4"
+    echo "$tag,3" >> $DHCP_OPTS
+    echo "$tag,6" >> $DHCP_OPTS
+    echo "$tag,15" >> $DHCP_OPTS
+  fi
+  [ "$routes" != "" ] && echo "$tag,121,$routes" >> $DHCP_OPTS
+  #delete entry we just put in because we need a tag
+  sed -i  /$ipv4,/d $DHCP_HOSTS
+  #put it back with a tag
+  echo "$mac,set:$tag,$ipv4,$host,infinite" >>$DHCP_HOSTS
+fi
+
+# make dnsmasq re-read files
+pid=$(pidof dnsmasq)
+if [ "$pid" != "" ]
+then
+  # use SIGHUP to avoid service outage if dhcp_release is available.
+  if [ $no_dhcp_release -eq 0 ]
+  then
+    kill -HUP $pid
+  else
+    service dnsmasq restart
+  fi
+else
+  if [ $no_redundant -eq 1 ]
+  then
+      wait_for_dnsmasq
+  else
+      logger -t cloud "edithosts: skip wait dnsmasq due to redundant virtual router"
+  fi
+fi
+
+ret=$?
+unlock_exit $ret $lock $locked
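Review bot: The cleanup edits `sed -i  /$mac/d $DHCP_HOSTS`, `sed -i  /$ipv4,/d $DHCP_HOSTS`, `sed -i  /"$ipv4 "/d $DHCP_LEASES` and `sed -i /$tag/d $DHCP_OPTS` use the raw values as unescaped, unanchored regular expressions: each `.` matches any character and nothing pins the match to a field boundary, so removing the entry for 10.1.1.1 also deletes lines for 110.1.1.1 (and `10_1_1_1` in the opts file likewise matches `110_1_1_1`), dropping another VM's static lease. Escaping the dots and anchoring on the surrounding separators fixes this, e.g. `ipv4_re=${ipv4//./\\.}` followed by `sed -i "/,${ipv4_re},/d" "$DHCP_HOSTS"` and `sed -i "/ ${ipv4_re} /d" "$DHCP_LEASES"`; the `$host` and `$ipv6` deletes have the same shape. The values also come straight from the option parser, so a `/` in `$host` would terminate the sed address and make the command fail rather than silently misbehave; validating the MAC, addresses and hostname against the expected shapes before the edits would make both failure modes explicit.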

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6c261042/systemvm/patches/debian/config/root/firewall.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall.sh b/systemvm/patches/debian/config/root/firewall.sh
new file mode 100755
index 0000000..5615360
--- /dev/null
+++ b/systemvm/patches/debian/config/root/firewall.sh
@@ -0,0 +1,357 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
+# firewall.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+vpnoutmark="0x525"
+
+usage() {
+  printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
+}
+
+#set -x
+
+get_dev_list() {
+  ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
+  ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+}
+
+ip_to_dev() {
+  local ip=$1
+
+  for dev in $DEV_LIST; do
+    ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
+    [ $? -eq 0 ] && echo $dev && return 0
+  done
+  return 1
+}
+
+doHairpinNat () {
+  local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
+  local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
+
+  local publicIp=$1
+  local prot=$2
+  local port=$3
+  local guestVmIp=$4
+  local guestPort=$(echo $5 | sed 's/:/-/')
+  local op=$6
+  logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
+  instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
+
+  if [ "$prot" == "all" ]
+	then
+  		logger -t cloud "creating hairpin nat rules for static nat" 
+  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+	else
+  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $port -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+	fi
+}
+
+#Port (address translation) forwarding for tcp or udp
+tcp_or_udp_entry() {
+  local instIp=$1
+  local dport0=$2
+  local dport=$(echo $2 | sed 's/:/-/')
+  local publicIp=$3
+  local port=$4
+  local op=$5
+  local proto=$6
+  local cidrs=$7
+
+  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) && 
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
+  (sudo iptables -t nat $op OUTPUT  --proto $proto -d $publicIp  \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
+           --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp  \
+           --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE)
+      
+
+  local result=$?
+  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+#Forward icmp
+icmp_entry() {
+  local instIp=$1
+  local icmptype=$2
+  local publicIp=$3
+  local op=$4
+  
+  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
+       
+  sudo iptables -t nat $op OUTPUT  --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
+  sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT &>>  $OUTFILE
+      
+  result=$?
+  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+
+one_to_one_fw_entry() {
+  local publicIp=$1
+  local instIp=$2  
+  local proto=$3
+  local portRange=$4 
+  local op=$5
+  logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
+  instance ip=$instIp proto=$proto portRange=$portRange op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+
+  local dev=$(ip_to_dev $publicIp)
+  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp --proto $proto \
+           --destination-port $portRange -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
+  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+           --destination-port $portRange -m state \
+           --state NEW -j ACCEPT &>>  $OUTFILE )
+
+  result=$?
+  logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+fw_chain_for_ip() {
+  local pubIp=$1
+  if  iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
+    (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
+    (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
+    (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
+    return $?
+  fi
+  logger -t cloud "fw chain for $pubIp already exists"
+  return 0
+}
+
+static_nat() {
+  local publicIp=$1
+  local instIp=$2  
+  local op=$3
+  local op2="-D"
+  local rulenum=
+  local proto="all"
+
+  logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
+  instance ip=$instIp  op=$op"
+  
+  #TODO check error below
+  fw_chain_for_ip $publicIp
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && static_nat $publicIp $instIp  "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
+
+  local dev=$(ip_to_dev $publicIp)
+  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op  PREROUTING -s $instIp -i eth0  \
+           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0  \
+           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp  -m state \
+           --state NEW -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
+           -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
+
+  result=$?
+  logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+
+rflag=
+Pflag=
+pflag=
+tflag=
+lflag=
+dflag=
+sflag=
+Gflag=
+op=""
+
+while getopts 'ADr:P:p:t:l:d:s:G' OPTION
+do
+  case $OPTION in
+  A)    op="-A"
+        ;;
+  D)    op="-D"
+        ;;
+  r)    rflag=1
+        instanceIp="$OPTARG"
+        ;;
+  P)    Pflag=1
+        protocol="$OPTARG"
+        ;;
+  p)    pflag=1
+        ports="$OPTARG"
+        ;;
+  t)    tflag=1
+        icmptype="$OPTARG"
+        ;;
+  l)    lflag=1
+        publicIp="$OPTARG"
+        ;;
+  s)    sflag=1
+        cidrs="$OPTARG"
+        ;;
+  d)    dflag=1
+        dport="$OPTARG"
+        ;;
+  G)    Gflag=1
+        ;;
+  ?)    usage
+        unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+DEV_LIST=$(get_dev_list)
+OUTFILE=$(mktemp)
+
+#Firewall ports for one-to-one/static NAT
+if [ "$Gflag" == "1" ]
+then
+  if [ "$protocol" == "" ] 
+  then
+    static_nat $publicIp $instanceIp  $op
+  else
+    one_to_one_fw_entry $publicIp $instanceIp  $protocol $dport $op
+  fi
+  result=$?
+  if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
+      cat $OUTFILE >&2
+  fi
+  rm -f $OUTFILE
+  if [ "$op" == "-D" ];then
+     result=0
+  fi
+  unlock_exit $result $lock $locked
+fi
+
+if [ "$sflag" != "1" ]
+then
+    cidrs="0/0"
+fi
+
+case $protocol  in
+  tcp|udp)    
+        tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
+        result=$?
+        if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
+           cat $OUTFILE >&2
+        fi
+        rm -f $OUTFILE
+        if [ "$op" == "-D" ];then
+           result=0
+        fi
+        unlock_exit $result $lock $locked
+        ;;
+  "icmp")  
+  
+        icmp_entry $instanceIp $icmptype $publicIp $op 
+        if [ "$op" == "-D" ];then
+           result=0
+        fi
+        unlock_exit $? $lock $locked
+        ;;
+      *)
+        printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
+        unlock_exit 5 $lock $locked
+        ;;
+esac
+
+unlock_exit 0 $lock $locked
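Review bot: In icmp_entry the delete-before-add call `[ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"` uses `$icmpType`, but the local declared two lines earlier is `$icmptype`, so the recursive delete runs with an empty `--icmp-type` argument, iptables rejects it, and a repeated add leaves duplicate rules; the call should be `[ "$op" == "-A" ] && icmp_entry $instIp $icmptype $publicIp "-D"`. The icmp branch of the final case then exits with `unlock_exit $? $lock $locked`, where `$?` is the status of the preceding `if [ "$op" == "-D" ]` block rather than of icmp_entry, and the `result=0` it assigns is never read; capturing `result=$?` right after the icmp_entry call and ending with `unlock_exit $result $lock $locked` mirrors the tcp/udp branch. Smaller inconsistencies: doHairpinNat logs `proto=$proto` while its local is `$prot`, `fw_chain_for_ip` creates the chain with `iptables` while every other rule uses `sudo iptables`, and ip_to_dev's `grep $ip` is unanchored so 10.1.1.1 also matches an interface holding 10.1.1.10 (`grep "$ip/"` as vpc_func.sh's getEthByIp does avoids that).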

