cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mc...@apache.org
Subject [16/53] [abbrv] git commit: updated refs/heads/rbac to 33cd1ab
Date Wed, 22 Jan 2014 19:27:41 GMT
CLOUDSTACK-5779: Move firewall to use routerProxy


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/0ea1c7df
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/0ea1c7df
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/0ea1c7df

Branch: refs/heads/rbac
Commit: 0ea1c7dfc411db0d3710ac2c4fb238111cbec328
Parents: ce67e24
Author: Sheng Yang <sheng.yang@citrix.com>
Authored: Fri Jan 17 11:51:42 2014 -0800
Committer: Sheng Yang <sheng.yang@citrix.com>
Committed: Fri Jan 17 12:36:42 2014 -0800

----------------------------------------------------------------------
 .../virtualnetwork/VirtualRoutingResource.java  |  82 ++---
 .../vmware/resource/VmwareResource.java         |  16 +-
 .../xen/resource/CitrixResourceBase.java        |  16 +-
 scripts/network/domr/call_firewall.sh           |  70 ----
 scripts/vm/hypervisor/xenserver/vmops           |  19 +-
 .../config/opt/cloud/bin/firewall_egress.sh     | 187 ++++++++++
 .../config/opt/cloud/bin/firewall_ingress.sh    | 202 +++++++++++
 .../debian/config/opt/cloud/bin/firewall_nat.sh | 358 +++++++++++++++++++
 systemvm/patches/debian/config/root/firewall.sh | 358 -------------------
 .../debian/config/root/firewallRule_egress.sh   | 187 ----------
 .../patches/debian/config/root/firewall_rule.sh | 202 -----------
 11 files changed, 803 insertions(+), 894 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index 20cc0cc..c66b9cb 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -102,7 +102,6 @@ import java.util.Map;
 public class VirtualRoutingResource implements Manager {
     private static final Logger s_logger = Logger.getLogger(VirtualRoutingResource.class);
     private String _publicIpAddress;
-    private String _firewallPath;
     private String _loadbPath;
     private String _publicEthIf;
     private String _privateEthIf;
@@ -232,18 +231,16 @@ public class VirtualRoutingResource implements Manager {
         FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
 
         String[][] rules = cmd.generateFwRules();
-        final Script command = new Script(_firewallPath, _timeout, s_logger);
-        command.add(routerIp);
-        command.add("-F");
+        String args = " -F";
 
         if (trafficType == FirewallRule.TrafficType.Egress) {
-            command.add("-E");
+            args += "-E";
             if (egressDefault.equals("true")) {
-                command.add("-P ", "1");
+                args += " -P 1";
             } else if (egressDefault.equals("System")) {
-                command.add("-P ", "2");
+                args += " -P 2";
             } else {
-                command.add("-P ", "0");
+                args += " -P 0";
             }
         }
 
@@ -253,10 +250,17 @@ public class VirtualRoutingResource implements Manager {
             for (int i = 0; i < fwRules.length; i++) {
                 sb.append(fwRules[i]).append(',');
             }
-            command.add("-a", sb.toString());
+            args += " -a " + sb.toString();
+        }
+
+        String result = null;
+
+        if (trafficType == FirewallRule.TrafficType.Egress) {
+            result = routerProxy("firewall_egress.sh", routerIp, args);
+        } else {
+            result = routerProxy("firewall_ingress.sh", routerIp, args);
         }
 
-        String result = command.execute();
         if (result != null) {
             return new SetFirewallRulesAnswer(cmd, false, results);
         }
@@ -270,22 +274,21 @@ public class VirtualRoutingResource implements Manager {
         int i = 0;
         boolean endResult = true;
         for (PortForwardingRuleTO rule : cmd.getRules()) {
-            String result = null;
-            final Script command = new Script(_firewallPath, _timeout, s_logger);
-
-            command.add(routerIp);
-            command.add(rule.revoked() ? "-D" : "-A");
-            command.add("-P ", rule.getProtocol().toLowerCase());
-            command.add("-l ", rule.getSrcIp());
-            command.add("-p ", rule.getStringSrcPortRange());
-            command.add("-r ", rule.getDstIp());
-            command.add("-d ", rule.getStringDstPortRange());
-            result = command.execute();
-            if (result == null) {
-                results[i++] = null;
-            } else {
+            StringBuilder args = new StringBuilder();
+            args.append(rule.revoked() ? " -D " : " -A ");
+            args.append(" -P ").append(rule.getProtocol().toLowerCase());
+            args.append(" -l ").append(rule.getSrcIp());
+            args.append(" -p ").append(rule.getStringSrcPortRange());
+            args.append(" -r ").append(rule.getDstIp());
+            args.append(" -d ").append(rule.getStringDstPortRange());
+
+            String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+            if (result == null || result.isEmpty()) {
                 results[i++] = "Failed";
                 endResult = false;
+            } else {
+                results[i++] = null;
             }
         }
 
@@ -325,28 +328,26 @@ public class VirtualRoutingResource implements Manager {
         int i = 0;
         boolean endResult = true;
         for (StaticNatRuleTO rule : cmd.getRules()) {
-            String result = null;
-            final Script command = new Script(_firewallPath, _timeout, s_logger);
-            command.add(routerIp);
-            command.add(rule.revoked() ? "-D" : "-A");
-
             //1:1 NAT needs instanceip;publicip;domrip;op
-            command.add(" -l ", rule.getSrcIp());
-            command.add(" -r ", rule.getDstIp());
+            StringBuilder args = new StringBuilder();
+            args.append(rule.revoked() ? " -D " : " -A ");
+            args.append(" -l ").append(rule.getSrcIp());
+            args.append(" -r ").append(rule.getDstIp());
 
             if (rule.getProtocol() != null) {
-                command.add(" -P ", rule.getProtocol().toLowerCase());
+                args.append(" -P ").append(rule.getProtocol().toLowerCase());
             }
 
-            command.add(" -d ", rule.getStringSrcPortRange());
-            command.add(" -G ");
+            args.append(" -d ").append(rule.getStringSrcPortRange());
+            args.append(" -G ");
 
-            result = command.execute();
-            if (result == null) {
-                results[i++] = null;
-            } else {
+            String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+            if (result == null || result.isEmpty()) {
                 results[i++] = "Failed";
                 endResult = false;
+            } else {
+                results[i++] = null;
             }
         }
 
@@ -1105,11 +1106,6 @@ public class VirtualRoutingResource implements Manager {
             s_logger.warn("Incoming public ip address is overriden.  Will always be using the same ip address: " + _publicIpAddress);
         }
 
-        _firewallPath = findScript("call_firewall.sh");
-        if (_firewallPath == null) {
-            throw new ConfigurationException("Unable to find the call_firewall.sh");
-        }
-
         _loadbPath = findScript("call_loadbalancer.sh");
         if (_loadbPath == null) {
             throw new ConfigurationException("Unable to find the call_loadbalancer.sh");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
index 817fdec..1a0b97b 100755
--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -847,10 +847,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
 
             try {
                 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
-                Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+                Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 
                 if (s_logger.isDebugEnabled())
-                    s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+                    s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 
                 if (!result.first()) {
                     s_logger.error("SetPortForwardingRulesCommand failure on setting one rule. args: " + args);
@@ -905,16 +905,16 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
             Pair<Boolean, String> result = null;
 
             if (trafficType == FirewallRule.TrafficType.Egress) {
-                result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewallRule_egress.sh " + args);
+                result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_egress.sh " + args);
             } else {
-                result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall_rule.sh " + args);
+                result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_ingress.sh " + args);
             }
 
             if (s_logger.isDebugEnabled()) {
                 if (trafficType == FirewallRule.TrafficType.Egress) {
-                    s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewallRule_egress.sh " + args);
+                    s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_egress.sh " + args);
                 } else {
-                    s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall_rule.sh " + args);
+                    s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_ingress.sh " + args);
                 }
             }
 
@@ -1012,10 +1012,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
             try {
                 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
                 String controlIp = getRouterSshControlIp(cmd);
-                Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+                Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 
                 if (s_logger.isDebugEnabled())
-                    s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+                    s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 
                 if (!result.first()) {
                     s_logger.error("SetStaticNatRulesCommand failure on setting one rule. args: " + args);

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index ddb7912..e7e4ee3 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -2047,7 +2047,6 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         boolean endResult = true;
         for (PortForwardingRuleTO rule : cmd.getRules()) {
             StringBuilder args = new StringBuilder();
-            args.append(routerIp);
             args.append(rule.revoked() ? " -D " : " -A ");
             args.append(" -P ").append(rule.getProtocol().toLowerCase());
             args.append(" -l ").append(rule.getSrcIp());
@@ -2055,7 +2054,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
             args.append(" -r ").append(rule.getDstIp());
             args.append(" -d ").append(rule.getStringDstPortRange());
 
-            String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+            String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 
             if (result == null || result.isEmpty()) {
                 results[i++] = "Failed";
@@ -2096,14 +2095,12 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         Connection conn = getConnection();
 
         String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
-        //String args = routerIp;
         String[] results = new String[cmd.getRules().length];
         int i = 0;
         boolean endResult = true;
         for (StaticNatRuleTO rule : cmd.getRules()) {
             //1:1 NAT needs instanceip;publicip;domrip;op
             StringBuilder args = new StringBuilder();
-            args.append(routerIp);
             args.append(rule.revoked() ? " -D " : " -A ");
             args.append(" -l ").append(rule.getSrcIp());
             args.append(" -r ").append(rule.getDstIp());
@@ -2115,7 +2112,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
             args.append(" -d ").append(rule.getStringSrcPortRange());
             args.append(" -G ");
 
-            String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+            String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 
             if (result == null || result.isEmpty()) {
                 results[i++] = "Failed";
@@ -7606,8 +7603,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         }
 
         String[][] rules = cmd.generateFwRules();
-        String args = "";
-        args += routerIp + " -F";
+        String args = " -F";
         if (trafficType == FirewallRule.TrafficType.Egress) {
             args += " -E";
             if (egressDefault.equals("true")) {
@@ -7627,7 +7623,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
             args += " -a " + sb.toString();
         }
 
-        callResult = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args);
+        if (trafficType == FirewallRule.TrafficType.Egress) {
+            callResult = routerProxy("firewall_egress.sh", routerIp, args);
+        } else {
+            callResult = routerProxy("firewall_ingress.sh", routerIp, args);
+        }
 
         if (callResult == null || callResult.isEmpty()) {
             //FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/scripts/network/domr/call_firewall.sh
----------------------------------------------------------------------
diff --git a/scripts/network/domr/call_firewall.sh b/scripts/network/domr/call_firewall.sh
deleted file mode 100755
index f6ad0be..0000000
--- a/scripts/network/domr/call_firewall.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-# 
-#   http://www.apache.org/licenses/LICENSE-2.0
-# 
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# $Id: call_firewall.sh 9132 2010-06-04 20:17:43Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/branches/2.0.0/java/scripts/vm/hypervisor/xenserver/patch/call_firewall.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-usage() {
-  printf "Usage for Firewall rule  : %s: <domR eth1 ip> -F " $(basename $0) >&2
-  printf "Usage for other purposes : %s: <domR eth1 ip> (-A|-D) -i <domR eth1 ip>  -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
-}
-
-#set -x
-
-check_gw() {
-  ping -c 1 -n -q $1 > /dev/null
-  if [ $? -gt 0 ]
-  then
-    sleep 1
-    ping -c 1 -n -q $1 > /dev/null
-  fi
-  return $?;
-}
-
-cert="/root/.ssh/id_rsa.cloud"
-domRIp=$1
-shift
-
-check_gw "$domRIp"
-if [ $? -gt 0 ]
-then
-  exit 1
-fi
-fflag=
-eflag=
-while getopts ':FE' OPTION
-do
-  case $OPTION in 
-  F)    fflag=1
-      	  ;;
-  E) eflag=1
-	  ;;
-  \?)  ;;
-  esac
-done
-
-if [ -n "$eflag" ]
-then
-	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewallRule_egress.sh $*"
-elif [ -n "$fflag" ]
-then
-	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall_rule.sh $*"
-else
-	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*"
-fi
-exit $?

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 53a0002..82d4a9f 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -222,23 +222,6 @@ def setLinkLocalIP(session, args):
     txt = 'success'
     return txt
 
-
-    
-@echo
-def setFirewallRule(session, args):
-    sargs = args['args']
-    cmd = sargs.split(' ')
-    cmd.insert(0, "/opt/cloud/bin/call_firewall.sh")
-    cmd.insert(0, "/bin/bash")
-    try:
-        txt = util.pread2(cmd)
-        txt = 'success'
-    except:
-        logging.debug(" set firewall rule failed "  )
-        txt = '' 
-
-    return txt
-    
 @echo
 def routerProxy(session, args):
     sargs = args['args']
@@ -1556,7 +1539,7 @@ if __name__ == "__main__":
                             "getgateway": getgateway, "preparemigration": preparemigration, 
                             "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,  
                             "savePassword": savePassword, 
-                            "setFirewallRule": setFirewallRule, "routerProxy": routerProxy, 
+                            "routerProxy": routerProxy, 
                             "setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile, 
                             "network_rules":network_rules, 
                             "can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules,

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
new file mode 100755
index 0000000..b1e7a40
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
+# firewallRule_egress.sh -- allow some ports / protocols from vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+#set -x
+usage() {
+  printf "Usage: %s:  -a protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+
+fw_egress_remove_backup() {
+  sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES 
+  sudo iptables -F _FW_EGRESS_RULES 
+  sudo iptables -X _FW_EGRESS_RULES 
+}
+
+fw_egress_save() {
+  sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES 
+}
+
+fw_egress_chain () {
+#supress errors 2>/dev/null
+  fw_egress_remove_backup
+  fw_egress_save
+  sudo iptables -N FW_EGRESS_RULES 
+  sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+}
+
+fw_egress_backup_restore() {
+   sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+   sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES 
+   fw_egress_remove_backup
+}
+
+
+fw_entry_for_egress() {
+  local rule=$1
+
+  local prot=$(echo $rule | cut -d: -f2)
+  local sport=$(echo $rule | cut -d: -f3)
+  local eport=$(echo $rule | cut -d: -f4)
+  local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+  if [ "$sport" == "0" -a "$eport" == "0" ]
+  then
+      DPORT=""
+  else
+      DPORT="--dport $sport:$eport"
+  fi
+  logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"  
+  
+  for lcidr in $cidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
+                     -j $target
+      result=$?
+    elif [ "$prot" == "all" ]
+    then
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
+	    result=$?
+    else
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j $target
+	    result=$?
+    fi
+  
+    [ $result -gt 0 ] && 
+       logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
+       break
+  done
+
+  logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"  
+  return $result
+}
+
+
+aflag=0
+rules=""
+rules_list=""
+ip=""
+dev=""
+pflag=0
+shift
+shift
+while getopts 'a:P:' OPTION
+do
+  case $OPTION in
+  a)	aflag=1
+		rules="$OPTARG"
+		;;
+  P)   pflag=1
+       pvalue="$OPTARG"
+       ;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$aflag" != "1" ]
+then
+  usage
+  unlock_exit 2 $lock $locked
+fi
+
+if [ -n "$rules" ]
+then
+  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format reverted:0:0:0
+# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+
+success=0
+
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+  then
+     target="ACCEPT"
+  else
+     target="DROP"
+  fi
+
+fw_egress_chain
+for r in $rules_list
+do
+  fw_entry_for_egress $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "failure to apply fw egress rules "
+    break
+  else
+    logger -t cloud "successful in applying fw egress rules"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+  logger -t cloud "restoring from backup for guest network"
+  fw_egress_backup_restore
+else
+  logger -t cloud "deleting backup for guest network"
+    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+       then
+       #Adding default policy rule
+       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
+    fi
+
+fi
+
+fw_egress_remove_backup
+
+unlock_exit $success $lock $locked
+
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
new file mode 100755
index 0000000..9e459f0
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+fw_remove_backup() {
+  local pubIp=$1
+  sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -D PREROUTING  -d $pubIp -j _FIREWALL_$pubIp  2> /dev/null
+  sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_restore() {
+  local pubIp=$1
+  sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -D PREROUTING  -d $pubIp  -j FIREWALL_$pubIp  2> /dev/null
+  sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_chain_for_ip () {
+  local pubIp=$1
+  fw_remove_backup $1
+  sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
+  sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
+  # ensure outgoing connections are maintained (first rule in chain)
+  sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
+  #ensure that this table is after VPN chain
+  sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
+  success=$?
+  if [ $success -gt 0 ]
+  then
+  # if VPN chain is not present for various reasons, try to add in to the first slot */
+     sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
+  fi
+}
+
+fw_entry_for_public_ip() {
+  local rules=$1
+
+  local pubIp=$(echo $rules | cut -d: -f1)
+  local prot=$(echo $rules | cut -d: -f2)
+  local sport=$(echo $rules | cut -d: -f3)    
+  local eport=$(echo $rules | cut -d: -f4)    
+  local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+  
+  logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"  
+
+
+  # note that rules are inserted after the RELATED,ESTABLISHED rule 
+  # but before the DROP rule
+  for src in $scidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+                    --icmp-type $typecode  -j RETURN
+    else
+       sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+                    --dport $sport:$eport -j RETURN
+    fi
+    result=$?
+    [ $result -gt 0 ] && 
+       logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+       break
+  done
+      
+  logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"  
+  return $result
+}
+
+get_vif_list() {
+  local vif_list=""
+  for i in /sys/class/net/eth*; do 
+    vif=$(basename $i);
+    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+    then
+      vif_list="$vif_list $vif";
+    fi
+  done
+  if [ "$vif_list" == "" ]
+  then
+      vif_list="eth0"
+  fi
+  
+  logger -t cloud "FirewallRule public interfaces = $vif_list"
+  echo $vif_list
+}
+
+shift 
+rules=
+while getopts 'a:' OPTION
+do
+  case $OPTION in
+  a)	aflag=1
+		rules="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+VIF_LIST=$(get_vif_list)
+
+if [ "$rules" == "" ]
+then
+  rules="none"
+fi
+
+#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+# The reverted entries will fix the following partially 
+#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress  does not appear in the current execution when compare to old one 
+# example :  In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
+#  1)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
+#  2)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
+
+
+success=0
+publicIps=
+rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+for r in $rules_list
+do
+  pubIp=$(echo $r | cut -d: -f1)
+  publicIps="$pubIp $publicIps"
+done
+
+unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
+
+for u in $unique_ips
+do
+  fw_chain_for_ip $u
+done
+
+for r in $rules_list
+do
+  pubIp=$(echo $r | cut -d: -f1)
+  fw_entry_for_public_ip $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
+    break
+  else
+    logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+    for p in $unique_ips
+    do
+      logger -t cloud "$(basename $0): restoring from backup for ip: $p"
+      fw_restore $p
+    done
+fi 
+for p in $unique_ips
+do
+   logger -t cloud "$(basename $0): deleting backup for ip: $p"
+   fw_remove_backup $p
+done
+
+unlock_exit $success $lock $locked
+

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
new file mode 100755
index 0000000..8c0e0fc
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
@@ -0,0 +1,358 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
+# firewall.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+vpnoutmark="0x525"
+
+usage() {
+  printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
+}
+
+#set -x
+
+get_dev_list() {
+  ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
+  ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+}
+
+ip_to_dev() {
+  local ip=$1
+
+  for dev in $DEV_LIST; do
+    ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
+    [ $? -eq 0 ] && echo $dev && return 0
+  done
+  return 1
+}
+
+doHairpinNat () {
+  local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
+  local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
+
+  local publicIp=$1
+  local prot=$2
+  local port=$3
+  local guestVmIp=$4
+  local guestPort=$(echo $5 | sed 's/:/-/')
+  local op=$6
+  local destPort=$5
+  logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
+  instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
+
+  if [ "$prot" == "all" ]
+	then
+  		logger -t cloud "creating hairpin nat rules for static nat" 
+  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+	else
+  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+	fi
+}
+
+#Port (address translation) forwarding for tcp or udp
+tcp_or_udp_entry() {
+  local instIp=$1
+  local dport0=$2
+  local dport=$(echo $2 | sed 's/:/-/')
+  local publicIp=$3
+  local port=$4
+  local op=$5
+  local proto=$6
+  local cidrs=$7
+
+  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) && 
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
+  (sudo iptables -t nat $op OUTPUT  --proto $proto -d $publicIp  \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
+           --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp  \
+           --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE)
+      
+
+  local result=$?
+  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+#Forward icmp
+icmp_entry() {
+  local instIp=$1
+  local icmptype=$2
+  local publicIp=$3
+  local op=$4
+  
+  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
+       
+  sudo iptables -t nat $op OUTPUT  --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
+  sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT &>>  $OUTFILE
+      
+  result=$?
+  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+
+one_to_one_fw_entry() {
+  local publicIp=$1
+  local instIp=$2  
+  local proto=$3
+  local portRange=$4 
+  local op=$5
+  logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
+  instance ip=$instIp proto=$proto portRange=$portRange op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+
+  local dev=$(ip_to_dev $publicIp)
+  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp --proto $proto \
+           --destination-port $portRange -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
+  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+           --destination-port $portRange -m state \
+           --state NEW -j ACCEPT &>>  $OUTFILE )
+
+  result=$?
+  logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+fw_chain_for_ip() {
+  local pubIp=$1
+  if  iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
+    (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
+    (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
+    (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
+    return $?
+  fi
+  logger -t cloud "fw chain for $pubIp already exists"
+  return 0
+}
+
+static_nat() {
+  local publicIp=$1
+  local instIp=$2  
+  local op=$3
+  local op2="-D"
+  local rulenum=
+  local proto="all"
+
+  logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
+  instance ip=$instIp  op=$op"
+  
+  #TODO check error below
+  fw_chain_for_ip $publicIp
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && static_nat $publicIp $instIp  "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
+
+  local dev=$(ip_to_dev $publicIp)
+  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op  PREROUTING -s $instIp -i eth0  \
+           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0  \
+           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp  -m state \
+           --state NEW -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
+           -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
+
+  result=$?
+  logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
+  return $result
+}
+
+
+
+rflag=
+Pflag=
+pflag=
+tflag=
+lflag=
+dflag=
+sflag=
+Gflag=
+op=""
+
+while getopts 'ADr:P:p:t:l:d:s:G' OPTION
+do
+  case $OPTION in
+  A)    op="-A"
+        ;;
+  D)    op="-D"
+        ;;
+  r)    rflag=1
+        instanceIp="$OPTARG"
+        ;;
+  P)    Pflag=1
+        protocol="$OPTARG"
+        ;;
+  p)    pflag=1
+        ports="$OPTARG"
+        ;;
+  t)    tflag=1
+        icmptype="$OPTARG"
+        ;;
+  l)    lflag=1
+        publicIp="$OPTARG"
+        ;;
+  s)    sflag=1
+        cidrs="$OPTARG"
+        ;;
+  d)    dflag=1
+        dport="$OPTARG"
+        ;;
+  G)    Gflag=1
+        ;;
+  ?)    usage
+        unlock_exit 2 $lock $locked
+        ;;
+  esac
+done
+
+DEV_LIST=$(get_dev_list)
+OUTFILE=$(mktemp)
+
+#Firewall ports for one-to-one/static NAT
+if [ "$Gflag" == "1" ]
+then
+  if [ "$protocol" == "" ] 
+  then
+    static_nat $publicIp $instanceIp  $op
+  else
+    one_to_one_fw_entry $publicIp $instanceIp  $protocol $dport $op
+  fi
+  result=$?
+  if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
+      cat $OUTFILE >&2
+  fi
+  rm -f $OUTFILE
+  if [ "$op" == "-D" ];then
+     result=0
+  fi
+  unlock_exit $result $lock $locked
+fi
+
+if [ "$sflag" != "1" ]
+then
+    cidrs="0/0"
+fi
+
+case $protocol  in
+  tcp|udp)    
+        tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
+        result=$?
+        if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
+           cat $OUTFILE >&2
+        fi
+        rm -f $OUTFILE
+        if [ "$op" == "-D" ];then
+           result=0
+        fi
+        unlock_exit $result $lock $locked
+        ;;
+  "icmp")  
+  
+        icmp_entry $instanceIp $icmptype $publicIp $op 
+        if [ "$op" == "-D" ];then
+           result=0
+        fi
+        unlock_exit $? $lock $locked
+        ;;
+      *)
+        printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
+        unlock_exit 5 $lock $locked
+        ;;
+esac
+
+unlock_exit 0 $lock $locked

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewall.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall.sh b/systemvm/patches/debian/config/root/firewall.sh
deleted file mode 100755
index 8c0e0fc..0000000
--- a/systemvm/patches/debian/config/root/firewall.sh
+++ /dev/null
@@ -1,358 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
-    exit 1
-fi
-
-vpnoutmark="0x525"
-
-usage() {
-  printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
-}
-
-#set -x
-
-get_dev_list() {
-  ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
-  ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
-}
-
-ip_to_dev() {
-  local ip=$1
-
-  for dev in $DEV_LIST; do
-    ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
-    [ $? -eq 0 ] && echo $dev && return 0
-  done
-  return 1
-}
-
-doHairpinNat () {
-  local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
-  local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
-
-  local publicIp=$1
-  local prot=$2
-  local port=$3
-  local guestVmIp=$4
-  local guestPort=$(echo $5 | sed 's/:/-/')
-  local op=$6
-  local destPort=$5
-  logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
-  instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
-
-  if [ "$prot" == "all" ]
-	then
-  		logger -t cloud "creating hairpin nat rules for static nat" 
-  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
-	else
-  		(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  		(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
-	fi
-}
-
-#Port (address translation) forwarding for tcp or udp
-tcp_or_udp_entry() {
-  local instIp=$1
-  local dport0=$2
-  local dport=$(echo $2 | sed 's/:/-/')
-  local publicIp=$3
-  local port=$4
-  local op=$5
-  local proto=$6
-  local cidrs=$7
-
-  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
-  instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
-
-  #if adding, this might be a duplicate, so delete the old one first
-  [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
-  # the delete operation may have errored out but the only possible reason is 
-  # that the rules didn't exist in the first place
-  local dev=$(ip_to_dev $publicIp)
-  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
-  # shortcircuit the process if error and it is an append operation
-  # continue if it is delete
-  (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
-           --destination-port $port -j DNAT  \
-           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
-           --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) && 
-  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
-           --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
-  (sudo iptables -t nat $op OUTPUT  --proto $proto -d $publicIp  \
-           --destination-port $port -j DNAT  \
-           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
-           --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp  \
-           --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>>  $OUTFILE)
-      
-
-  local result=$?
-  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
-  return $result
-}
-
-
-#Forward icmp
-icmp_entry() {
-  local instIp=$1
-  local icmptype=$2
-  local publicIp=$3
-  local op=$4
-  
-  logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
-  instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
-  #if adding, this might be a duplicate, so delete the old one first
-  [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" 
-  # the delete operation may have errored out but the only possible reason is 
-  # that the rules didn't exist in the first place
-  local dev=$(ip_to_dev $publicIp)
-  sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
-       
-  sudo iptables -t nat $op OUTPUT  --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
-  sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT &>>  $OUTFILE
-      
-  result=$?
-  logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
-  return $result
-}
-
-
-
-one_to_one_fw_entry() {
-  local publicIp=$1
-  local instIp=$2  
-  local proto=$3
-  local portRange=$4 
-  local op=$5
-  logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
-  instance ip=$instIp proto=$proto portRange=$portRange op=$op"
-
-  #if adding, this might be a duplicate, so delete the old one first
-  [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D" 
-  # the delete operation may have errored out but the only possible reason is 
-  # that the rules didn't exist in the first place
-
-  local dev=$(ip_to_dev $publicIp)
-  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
-
-  # shortcircuit the process if error and it is an append operation
-  # continue if it is delete
-  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp --proto $proto \
-           --destination-port $portRange -j DNAT \
-           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
-  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
-           --destination-port $portRange -m state \
-           --state NEW -j ACCEPT &>>  $OUTFILE )
-
-  result=$?
-  logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
-  return $result
-}
-
-fw_chain_for_ip() {
-  local pubIp=$1
-  if  iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
-  then
-    logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
-    (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
-    (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
-    (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
-    return $?
-  fi
-  logger -t cloud "fw chain for $pubIp already exists"
-  return 0
-}
-
-static_nat() {
-  local publicIp=$1
-  local instIp=$2  
-  local op=$3
-  local op2="-D"
-  local rulenum=
-  local proto="all"
-
-  logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
-  instance ip=$instIp  op=$op"
-  
-  #TODO check error below
-  fw_chain_for_ip $publicIp
-
-  #if adding, this might be a duplicate, so delete the old one first
-  [ "$op" == "-A" ] && static_nat $publicIp $instIp  "-D" 
-  # the delete operation may have errored out but the only possible reason is 
-  # that the rules didn't exist in the first place
-  [ "$op" == "-A" ] && op2="-I"
-  if [ "$op" == "-A" ]
-  then
-    # put static nat rule one rule after VPN no-NAT rule
-    # rule chain can be used to improve it later
-    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
-    if [ $? -eq 0 ]
-    then
-      rulenum=2
-    else
-      rulenum=1
-    fi
-  fi
-
-  local dev=$(ip_to_dev $publicIp)
-  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
-  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
-
-  # shortcircuit the process if error and it is an append operation
-  # continue if it is delete
-  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
-           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
-           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t mangle $op  PREROUTING -s $instIp -i eth0  \
-           -j MARK -m state --state NEW --set-mark $tableNo &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0  \
-           -m state --state NEW -j CONNMARK --save-mark &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp -j DNAT \
-           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp  -m state \
-           --state NEW -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
-  (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
-           -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
-  (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
-
-  result=$?
-  logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
-  return $result
-}
-
-
-
-rflag=
-Pflag=
-pflag=
-tflag=
-lflag=
-dflag=
-sflag=
-Gflag=
-op=""
-
-while getopts 'ADr:P:p:t:l:d:s:G' OPTION
-do
-  case $OPTION in
-  A)    op="-A"
-        ;;
-  D)    op="-D"
-        ;;
-  r)    rflag=1
-        instanceIp="$OPTARG"
-        ;;
-  P)    Pflag=1
-        protocol="$OPTARG"
-        ;;
-  p)    pflag=1
-        ports="$OPTARG"
-        ;;
-  t)    tflag=1
-        icmptype="$OPTARG"
-        ;;
-  l)    lflag=1
-        publicIp="$OPTARG"
-        ;;
-  s)    sflag=1
-        cidrs="$OPTARG"
-        ;;
-  d)    dflag=1
-        dport="$OPTARG"
-        ;;
-  G)    Gflag=1
-        ;;
-  ?)    usage
-        unlock_exit 2 $lock $locked
-        ;;
-  esac
-done
-
-DEV_LIST=$(get_dev_list)
-OUTFILE=$(mktemp)
-
-#Firewall ports for one-to-one/static NAT
-if [ "$Gflag" == "1" ]
-then
-  if [ "$protocol" == "" ] 
-  then
-    static_nat $publicIp $instanceIp  $op
-  else
-    one_to_one_fw_entry $publicIp $instanceIp  $protocol $dport $op
-  fi
-  result=$?
-  if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
-      cat $OUTFILE >&2
-  fi
-  rm -f $OUTFILE
-  if [ "$op" == "-D" ];then
-     result=0
-  fi
-  unlock_exit $result $lock $locked
-fi
-
-if [ "$sflag" != "1" ]
-then
-    cidrs="0/0"
-fi
-
-case $protocol  in
-  tcp|udp)    
-        tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
-        result=$?
-        if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
-           cat $OUTFILE >&2
-        fi
-        rm -f $OUTFILE
-        if [ "$op" == "-D" ];then
-           result=0
-        fi
-        unlock_exit $result $lock $locked
-        ;;
-  "icmp")  
-  
-        icmp_entry $instanceIp $icmptype $publicIp $op 
-        if [ "$op" == "-D" ];then
-           result=0
-        fi
-        unlock_exit $? $lock $locked
-        ;;
-      *)
-        printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
-        unlock_exit 5 $lock $locked
-        ;;
-esac
-
-unlock_exit 0 $lock $locked

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewallRule_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewallRule_egress.sh b/systemvm/patches/debian/config/root/firewallRule_egress.sh
deleted file mode 100755
index b1e7a40..0000000
--- a/systemvm/patches/debian/config/root/firewallRule_egress.sh
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
-# firewallRule_egress.sh -- allow some ports / protocols from vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
-    exit 1
-fi
-#set -x
-usage() {
-  printf "Usage: %s:  -a protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
-  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
-}
-
-fw_egress_remove_backup() {
-  sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES 
-  sudo iptables -F _FW_EGRESS_RULES 
-  sudo iptables -X _FW_EGRESS_RULES 
-}
-
-fw_egress_save() {
-  sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES 
-}
-
-fw_egress_chain () {
-#supress errors 2>/dev/null
-  fw_egress_remove_backup
-  fw_egress_save
-  sudo iptables -N FW_EGRESS_RULES 
-  sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
-}
-
-fw_egress_backup_restore() {
-   sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
-   sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES 
-   fw_egress_remove_backup
-}
-
-
-fw_entry_for_egress() {
-  local rule=$1
-
-  local prot=$(echo $rule | cut -d: -f2)
-  local sport=$(echo $rule | cut -d: -f3)
-  local eport=$(echo $rule | cut -d: -f4)
-  local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
-  if [ "$sport" == "0" -a "$eport" == "0" ]
-  then
-      DPORT=""
-  else
-      DPORT="--dport $sport:$eport"
-  fi
-  logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"  
-  
-  for lcidr in $cidrs
-  do
-    [ "$prot" == "reverted" ] && continue;
-    if [ "$prot" == "icmp" ]
-    then
-      typecode="$sport/$eport"
-      [ "$eport" == "-1" ] && typecode="$sport"
-      [ "$sport" == "-1" ] && typecode="any"
-      sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
-                     -j $target
-      result=$?
-    elif [ "$prot" == "all" ]
-    then
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
-	    result=$?
-    else
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j $target
-	    result=$?
-    fi
-  
-    [ $result -gt 0 ] && 
-       logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
-       break
-  done
-
-  logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"  
-  return $result
-}
-
-
-aflag=0
-rules=""
-rules_list=""
-ip=""
-dev=""
-pflag=0
-shift
-shift
-while getopts 'a:P:' OPTION
-do
-  case $OPTION in
-  a)	aflag=1
-		rules="$OPTARG"
-		;;
-  P)   pflag=1
-       pvalue="$OPTARG"
-       ;;
-  ?)	usage
-                unlock_exit 2 $lock $locked
-		;;
-  esac
-done
-
-if [ "$aflag" != "1" ]
-then
-  usage
-  unlock_exit 2 $lock $locked
-fi
-
-if [ -n "$rules" ]
-then
-  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-#    if any entry is reverted , entry will be in the format reverted:0:0:0
-# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
-
-success=0
-
-if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
-  then
-     target="ACCEPT"
-  else
-     target="DROP"
-  fi
-
-fw_egress_chain
-for r in $rules_list
-do
-  fw_entry_for_egress $r
-  success=$?
-  if [ $success -gt 0 ]
-  then
-    logger -t cloud "failure to apply fw egress rules "
-    break
-  else
-    logger -t cloud "successful in applying fw egress rules"
-  fi
-done
-
-if [ $success -gt 0 ]
-then
-  logger -t cloud "restoring from backup for guest network"
-  fw_egress_backup_restore
-else
-  logger -t cloud "deleting backup for guest network"
-    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
-       then
-       #Adding default policy rule
-       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
-    fi
-
-fi
-
-fw_egress_remove_backup
-
-unlock_exit $success $lock $locked
-
-

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewall_rule.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall_rule.sh b/systemvm/patches/debian/config/root/firewall_rule.sh
deleted file mode 100755
index 9e459f0..0000000
--- a/systemvm/patches/debian/config/root/firewall_rule.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
-    exit 1
-fi
-
-usage() {
-  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
-  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-fw_remove_backup() {
-  local pubIp=$1
-  sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
-  sudo iptables -t mangle -D PREROUTING  -d $pubIp -j _FIREWALL_$pubIp  2> /dev/null
-  sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_restore() {
-  local pubIp=$1
-  sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
-  sudo iptables -t mangle -D PREROUTING  -d $pubIp  -j FIREWALL_$pubIp  2> /dev/null
-  sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
-  sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_chain_for_ip () {
-  local pubIp=$1
-  fw_remove_backup $1
-  sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
-  sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
-  # drop if no rules match (this will be the last rule in the chain)
-  sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
-  # ensure outgoing connections are maintained (first rule in chain)
-  sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
-  #ensure that this table is after VPN chain
-  sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
-  success=$?
-  if [ $success -gt 0 ]
-  then
-  # if VPN chain is not present for various reasons, try to add in to the first slot */
-     sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
-  fi
-}
-
-fw_entry_for_public_ip() {
-  local rules=$1
-
-  local pubIp=$(echo $rules | cut -d: -f1)
-  local prot=$(echo $rules | cut -d: -f2)
-  local sport=$(echo $rules | cut -d: -f3)    
-  local eport=$(echo $rules | cut -d: -f4)    
-  local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
-  
-  logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"  
-
-
-  # note that rules are inserted after the RELATED,ESTABLISHED rule 
-  # but before the DROP rule
-  for src in $scidrs
-  do
-    [ "$prot" == "reverted" ] && continue;
-    if [ "$prot" == "icmp" ]
-    then
-      typecode="$sport/$eport"
-      [ "$eport" == "-1" ] && typecode="$sport"
-      [ "$sport" == "-1" ] && typecode="any"
-      sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
-                    --icmp-type $typecode  -j RETURN
-    else
-       sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
-                    --dport $sport:$eport -j RETURN
-    fi
-    result=$?
-    [ $result -gt 0 ] && 
-       logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
-       break
-  done
-      
-  logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"  
-  return $result
-}
-
-get_vif_list() {
-  local vif_list=""
-  for i in /sys/class/net/eth*; do 
-    vif=$(basename $i);
-    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
-    then
-      vif_list="$vif_list $vif";
-    fi
-  done
-  if [ "$vif_list" == "" ]
-  then
-      vif_list="eth0"
-  fi
-  
-  logger -t cloud "FirewallRule public interfaces = $vif_list"
-  echo $vif_list
-}
-
-shift 
-rules=
-while getopts 'a:' OPTION
-do
-  case $OPTION in
-  a)	aflag=1
-		rules="$OPTARG"
-		;;
-  ?)	usage
-                unlock_exit 2 $lock $locked
-		;;
-  esac
-done
-
-VIF_LIST=$(get_vif_list)
-
-if [ "$rules" == "" ]
-then
-  rules="none"
-fi
-
-#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
-# The reverted entries will fix the following partially 
-#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress  does not appear in the current execution when compare to old one 
-# example :  In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
-#  1)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
-#  2)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
-
-
-success=0
-publicIps=
-rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-for r in $rules_list
-do
-  pubIp=$(echo $r | cut -d: -f1)
-  publicIps="$pubIp $publicIps"
-done
-
-unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
-
-for u in $unique_ips
-do
-  fw_chain_for_ip $u
-done
-
-for r in $rules_list
-do
-  pubIp=$(echo $r | cut -d: -f1)
-  fw_entry_for_public_ip $r
-  success=$?
-  if [ $success -gt 0 ]
-  then
-    logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
-    break
-  else
-    logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
-  fi
-done
-
-if [ $success -gt 0 ]
-then
-    for p in $unique_ips
-    do
-      logger -t cloud "$(basename $0): restoring from backup for ip: $p"
-      fw_restore $p
-    done
-fi 
-for p in $unique_ips
-do
-   logger -t cloud "$(basename $0): deleting backup for ip: $p"
-   fw_remove_backup $p
-done
-
-unlock_exit $success $lock $locked
-


Mime
View raw message