From jaya...@apache.org
Subject git commit: updated refs/heads/4.5 to 8278d88
Date Wed, 10 Dec 2014 05:23:10 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.5 e22cc6e94 -> 8278d88f7


CLOUDSTACK-8030: Updated router to come up egress default ALLOW

    By default the iptables rules are updated to ACCEPT egress traffic.
    If the network egress default policy is false, CS removes ACCEPT and adds the DROP rule,
which
    is the egress default rule when there are no other egress rules.

    If the CS network egress default policy is true, CS won't configure any default rule for
egress because
    router already came up to accept egress traffic. If there are already egress rules for
network then the
    egress rules get applied on VR.

    For isolated network with out firewall service, VR default allows egress traffic (guestnetwork
--> public network)


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8278d88f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8278d88f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8278d88f

Branch: refs/heads/4.5
Commit: 8278d88f76ee129af75cd585b916bd6719e34e4c
Parents: e22cc6e
Author: Jayapal <jayapal@apache.org>
Authored: Wed Dec 3 16:49:24 2014 +0530
Committer: Jayapal <jayapal@apache.org>
Committed: Wed Dec 10 10:13:41 2014 +0530

----------------------------------------------------------------------
 .../orchestration/NetworkOrchestrator.java      | 30 +++++++++++---------
 .../xenserver/resource/CitrixResourceBase.java  |  1 +
 .../network/element/VirtualRouterElement.java   |  5 ++--
 .../VirtualNetworkApplianceManagerImpl.java     |  5 +++-
 .../debian/config/etc/iptables/iptables-router  |  3 ++
 .../config/opt/cloud/bin/firewall_egress.sh     |  8 +++---
 6 files changed, 31 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 17a2a9b..b28a26b 100755
--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -1147,6 +1147,22 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
     // This method re-programs the rules/ips for existing network
     protected boolean reprogramNetworkRules(long networkId, Account caller, Network network)
throws ResourceUnavailableException {
         boolean success = true;
+
+        //Apply egress rules first to effect the egress policy early on the guest traffic
+        List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId,
Purpose.Firewall, FirewallRule.TrafficType.Egress);
+        NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
+        DataCenter zone = _dcDao.findById(network.getDataCenterId());
+        if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
&& _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
+                && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType()
== Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
+            // add default egress rule to accept the traffic
+            _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(),
true);
+        }
+        if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller))
{
+            s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network
id=" + networkId + " restart");
+            success = false;
+        }
+
+
         // associate all ip addresses
         if (!_ipAddrMgr.applyIpAssociations(network, false)) {
             s_logger.warn("Failed to apply ip addresses as a part of network id" + networkId
+ " restart");
@@ -1166,20 +1182,6 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
             success = false;
         }
 
-        List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId,
Purpose.Firewall, FirewallRule.TrafficType.Egress);
-        NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-        //there are no egress rules then apply the default egress rule
-        DataCenter zone = _dcDao.findById(network.getDataCenterId());
-        if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
&& _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
-                && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType()
== Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
-            // add default egress rule to accept the traffic
-            _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(),
true);
-        }
-        if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller))
{
-            s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network
id=" + networkId + " restart");
-            success = false;
-        }
-
         // apply port forwarding rules
         if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) {
             s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network
id=" + networkId + " restart");

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
index 9b282d8..a090b11 100644
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
@@ -573,6 +573,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
     public ExecutionResult createFileInVR(String routerIp, String path, String filename,
String content) {
         Connection conn = getConnection();
         String rc = callHostPlugin(conn, "vmops", "createFileInDomr", "domrip", routerIp,
"filepath", path + filename, "filecontents", content);
+        s_logger.debug ("VR Config file " + filename + " got created in VR with ip " + routerIp
+ " with content \n" + content);
         // Fail case would be start with "fail#"
         return new ExecutionResult(rc.startsWith("succ#"), rc.substring(5));
     }
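Review bot: The debug line added after callHostPlugin logs `content`, the full body of whatever file is being written to the VR, together with the router IP, and it says the file "got created" before `rc` has been checked, so a `fail#` result is still logged as a success. createFileInVR is a generic file writer, so if any caller passes credentials or keys in `content` (not visible here) they land in the management-server log at debug level; logging the file name, size and plugin result after the call is enough for tracing: `s_logger.debug("createFileInVR " + filename + " on " + routerIp + " (" + content.length() + " bytes): " + rc);`. There is also a stray space in `s_logger.debug (`. The method is fully contained in the hunk.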

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/server/src/com/cloud/network/element/VirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VirtualRouterElement.java b/server/src/com/cloud/network/element/VirtualRouterElement.java
index dc6ffc8..ae4c933 100755
--- a/server/src/com/cloud/network/element/VirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VirtualRouterElement.java
@@ -251,9 +251,10 @@ NetworkMigrationResponder, AggregatedCommandExecutor {
             }
 
             if (rules != null && rules.size() == 1) {
-                // for VR no need to add default egress rule to DENY traffic
+                // for VR no need to add default egress rule to ALLOW traffic
+                //The default allow rule is added from the router defalut iptables rules
iptables-router
                 if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress &&
rules.get(0).getType() == FirewallRule.FirewallRuleType.System &&
-                        !_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
+                        _networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
                     return true;
             }
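Review bot: The added comment has a typo (`defalut`) and is split into two fragments, and it does not say why `return true` is safe here: the early return relies on the router's own iptables-router rules already accepting egress. Suggest `// Only the System egress rule and the egress default policy is ALLOW: push nothing, the router's default iptables-router rules already ACCEPT egress.` With the `!` dropped, a network whose default policy is false now falls through and pushes the System rule; this is inferred from the hunk and worth one sentence in the same comment. The multi-line `if` body is unbraced while the outer `if` on the line above is braced. The enclosing method starts and ends outside the hunk.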
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index fb39c0a..6c5ff9c 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2789,7 +2789,7 @@ VirtualMachineGuru, Listener, Configurable, StateListener<State,
VirtualMachine.
 
 
         // construct rule when egress policy is true. In true case for VR we default allow
rule need to be added
-        if (defaultEgressPolicy) {
+        if (!defaultEgressPolicy) {
             systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
 
             List<String> sourceCidr = new ArrayList<String>();
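Review bot: The comment at the top of the hunk still says the rule is constructed `when egress policy is true`, while the condition below it was inverted to `if (!defaultEgressPolicy)`, so the comment now contradicts the code it describes. Suggest replacing it with `// Only when the egress default policy is false does the VR need a System egress rule; when it is true the router's default iptables rules already ACCEPT egress.` The enclosing method starts before the hunk and ends in the next hunk.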
@@ -2799,6 +2799,9 @@ VirtualMachineGuru, Listener, Configurable, StateListener<State,
VirtualMachine.
                     null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
 
             rules.add(rule);
+        } else {
+            s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy
+ " So no need"+
+                    " of default rule is needed. ");
         }
     }
 
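Review bot: The new else-branch log message has a leading space and a duplicated phrase (`no need ... is needed`), and the string is concatenated unconditionally. A tighter form is `s_logger.debug("Egress default policy for network " + networkId + " is " + defaultEgressPolicy + "; no default system rule is needed.");`, guarded by `isDebugEnabled()` if the surrounding file follows that convention. The enclosing method starts before the previous hunk.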

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/systemvm/patches/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
index 3f5bc5f..f16b942 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -24,6 +24,7 @@ COMMIT
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
 :FW_OUTBOUND - [0:0]
 -A INPUT -d 224.0.0.18/32 -j ACCEPT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
@@ -42,7 +43,9 @@ COMMIT
 -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
 -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
 COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
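Review bot: `-A FW_EGRESS_RULES -j ACCEPT` together with the new jump from FW_OUTBOUND means guest-to-public forwarding (the `-i eth0 -o eth2` rule above) is accepted from the moment the router boots until firewall_egress.sh rewrites the chain; for a network whose egress default policy is false that is a window in which egress is open before the management server pushes the DROP rule, which follows from the commit description rather than from anything visible in this file. That intent deserves a comment in the ruleset, and iptables-restore skips `#` lines: `# Boot-time default: egress ACCEPT; firewall_egress.sh rewrites FW_EGRESS_RULES per the network's egress policy`. The ordering of the `-I FW_OUTBOUND ... RELATED,ESTABLISHED` line before the `-A FW_OUTBOUND -j FW_EGRESS_RULES` jump is correct as written.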

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
index b1e7a40..767f17e 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
@@ -145,11 +145,11 @@ fi
 
 success=0
 
-if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
   then
-     target="ACCEPT"
-  else
      target="DROP"
+  else
+     target="ACCEPT"
   fi
 
 fw_egress_chain
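Review bot: The meaning of `$pvalue` is the whole point of this hunk and of the one at line 172 below, yet neither says what 0, 1 and 2 stand for; after the change pvalue 1 or 2 sets `target="DROP"` here while the lower hunk appends `-j ACCEPT` only for pvalue 1, and how the two interact depends on where `target` is consumed, which is outside the hunk. A one-line comment above the test, `# pvalue: <meaning of 0/1/2 — fill in from the caller>`, would save the next reader re-deriving it. The `[ a == b -o c == d ]` form is bash-specific and `-o` is obsolescent; `if [ "$pvalue" = "1" ] || [ "$pvalue" = "2" ]` is the portable spelling. Both hunks sit inside control structures that begin outside the hunk.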
@@ -172,7 +172,7 @@ then
   fw_egress_backup_restore
 else
   logger -t cloud "deleting backup for guest network"
-    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+    if [ "$pvalue" == "1" ]
        then
        #Adding default policy rule
        sudo iptables -A FW_EGRESS_RULES  -j ACCEPT

