From yas...@apache.org
Subject git commit: updated refs/heads/4.4 to 94a146a
Date Thu, 17 Apr 2014 02:13:13 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.4 d27c797ab -> 94a146a43


CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network

This covers only the DHCP-only network case, since in basic and shared networks the
private IP used by the VR and the network may be exposed to the outside.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/94a146a4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/94a146a4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/94a146a4

Branch: refs/heads/4.4
Commit: 94a146a43eeb08d5141458385b7c1f45acb2cfdf
Parents: d27c797
Author: Sheng Yang <sheng.yang@citrix.com>
Authored: Wed Apr 16 18:40:26 2014 -0700
Committer: Sheng Yang <sheng.yang@citrix.com>
Committed: Wed Apr 16 19:12:59 2014 -0700

----------------------------------------------------------------------
 .../router/VirtualNetworkApplianceManagerImpl.java       |  7 ++++++-
 .../patches/debian/config/etc/init.d/cloud-early-config  | 11 +++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94a146a4/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 3cd3e80..8e97793 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2347,10 +2347,12 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase
implements V
             buf.append(" domain=" + domain);
         }
 
+        long cidrSize = 0;
+
         //setup dhcp range
         if (dc.getNetworkType() == NetworkType.Basic) {
             if (guestNic.isDefaultNic()) {
-                final long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
+                cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
                 final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
                 if (cidr != null) {
                     dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
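Review bot: `cidrSize` is initialised to 0 in this hunk and, in the second hunk of this file, appended as `cidrsize=0` whenever `dhcpRange` is non-null but neither branch assigned it (the Basic branch on a non-default NIC, or any `dhcpRange` value set before this block — its declaration is outside the hunk, so I cannot tell whether that can happen). A `/0` suffix in the router's `-s $DHCP_RANGE/$CIDR_SIZE` rule matches every source, so the DNS restriction would silently degrade to the previous open rule instead of failing visibly. Guard the emit with `if (cidrSize > 0) { buf.append(" cidrsize=" + cidrSize); }` and log a warning otherwise; the `String.valueOf` inside a string concatenation is redundant. The method enclosing both hunks starts and ends outside them.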
@@ -2359,11 +2361,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase
implements V
         } else if (dc.getNetworkType() == NetworkType.Advanced) {
             final String cidr = guestNetwork.getCidr();
             if (cidr != null) {
+                cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
                 dhcpRange = NetUtils.getDhcpRange(cidr);
             }
         }
 
         if (dhcpRange != null) {
+            // To limit DNS to the cidr range
+            buf.append(" cidrsize=" + String.valueOf(cidrSize));
             buf.append(" dhcprange=" + dhcpRange);
         }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/94a146a4/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 3c47f13..f8ba8a1 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -1073,8 +1073,16 @@ setup_dhcpsrvr() {
   enable_svc cloud 0
   enable_fwding 0
   chkconfig nfs-common off
+
   cp /etc/iptables/iptables-router /etc/iptables/rules.v4
   cp /etc/iptables/iptables-router /etc/iptables/rules
+
+  #Only allow DNS service for current network
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m
udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m
udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m
tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m
tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+
   if [ "$SSHONGUEST" == "true" ]
   then
     setup_sshd $ETH0_IP "eth0"
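Review bot: The four `sed` substitutions that rewrite the port-53 rules interpolate `$DHCP_RANGE` and `$CIDR_SIZE` without checking that either is set, so a router booted with a cmdline that carries no `cidrsize` (or `cidrsize=0`) writes `-s <addr>/` or `-s <addr>/0` into rules.v4 and rules — the former is a malformed rule that iptables-restore will likely reject, leaving the table unloaded, the latter matches every source and restores the open rule. Wrap the block in `if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ] && [ "$CIDR_SIZE" -gt 0 ]` with an else branch that logs the skipped restriction, so the degraded state is visible rather than silent. The substitutions also match only the exact rule text from `iptables-router`; if that text ever differs, the `sed` is a silent no-op and DNS stays open, so a `grep -q "dport 53 -s " /etc/iptables/rules.v4` check after the rewrite (logging on failure) would surface that. The `cidrsize` cmdline value is consumed in the later hunk without numeric validation; the same guard covers it.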
@@ -1420,6 +1428,9 @@ for i in $CMDLINE
       vpccidr)
         VPCCIDR=$VALUE
         ;;
+      cidrsize)
+        CIDR_SIZE=$VALUE
+        ;;
     esac
 done
 

