From: jayapal@apache.org To: commits@cloudstack.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: updated refs/heads/master to 8f8e311 Date: Mon, 8 Dec 2014 06:38:19 +0000 (UTC) Repository: cloudstack Updated Branches: refs/heads/master b1e4c6db0 -> 8f8e31111
CLOUDSTACK-8030: Updated router to come up with egress default ALLOW. By default the iptables rules are updated to ACCEPT egress traffic. If the network egress default policy is false, CS removes the ACCEPT rule and adds the DROP rule, which is the egress default rule when there are no other egress rules. If the CS network egress default policy is true, CS does not configure any default rule for egress, because the router already came up accepting egress traffic. If there are already egress rules for the network, then those egress rules get applied on the VR. For an isolated network without the firewall service, the VR by default allows egress traffic (guest network --> public network).
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8f8e3111 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8f8e3111 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8f8e3111 Branch: refs/heads/master Commit: 8f8e311110e5f5ee37db0e18cd5c9ed0021d44f4 Parents: b1e4c6d Author: Jayapal Authored: Wed Dec 3 16:49:24 2014 +0530 Committer: Jayapal Committed: Mon Dec 8 11:32:01 2014 +0530
----------------------------------------------------------------------
.../orchestration/NetworkOrchestrator.java | 30 +++++++++++---------
.../xenserver/resource/CitrixResourceBase.java | 1 +
.../network/element/VirtualRouterElement.java | 5 ++--
.../VirtualNetworkApplianceManagerImpl.java | 5 +++-
.../debian/config/etc/iptables/iptables-router | 3 ++
.../config/opt/cloud/bin/firewall_egress.sh | 8 +++---
6 files changed, 31 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
----------------------------------------------------------------------
diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 1993981..4e42750 100644
--- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -1147,6 +1147,22 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra // This method re-programs the rules/ips for existing network protected boolean reprogramNetworkRules(long networkId, Account caller, Network network) throws ResourceUnavailableException { boolean success = true; + + //Apply egress rules first to effect the egress policy early on the guest traffic + List firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress); + NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); + DataCenter zone = _dcDao.findById(network.getDataCenterId()); + if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) + && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) { + // add default egress rule to accept the traffic + _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true); + } + if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) { + s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart"); + success = false; + } + + // associate all ip addresses if (!_ipAddrMgr.applyIpAssociations(network, false)) { s_logger.warn("Failed to apply ip addresses as a part of network id" + networkId + " restart"); 
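Review bot: In the new guard before `applyDefaultEgressFirewallRule`, `_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)` is evaluated twice with identical arguments, so the second operand can never change the outcome; the duplication was carried over from the removed block, and one of the two was presumably meant to be a different check, so drop one or replace it with the intended condition. `offering` and `zone` both come from `findById` and are dereferenced (`offering.getEgressDefaultPolicy()`, `zone.getNetworkType()`) without a null check. Because the router now boots with egress accepted (see the iptables-router hunk), a failing `applyFirewallRules` here only logs a warning and the restart carries on; for an offering whose egress default policy is deny that would leave the VR passing guest-to-public traffic until a later reprogram succeeds, so at minimum the warning should record the policy in effect, e.g. `s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart; egress default policy=" + offering.getEgressDefaultPolicy());`, and returning early is worth considering. reprogramNetworkRules continues past the end of the hunk.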
@@ -1166,20 +1182,6 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
 success = false;
 }
 
- List firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
- NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
- //there are no egress rules then apply the default egress rule
- DataCenter zone = _dcDao.findById(network.getDataCenterId());
- if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
- && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
- // add default egress rule to accept the traffic
- _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true);
- }
- if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
- s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
- success = false;
- }
-
 // apply port forwarding rules
 if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) {
 s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network id=" + networkId + " restart");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
index 19919d7..f01153f 100644
--- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
@@ -572,6 +572,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 public ExecutionResult createFileInVR(String routerIp, String path, String filename, String content) {
 Connection conn = getConnection();
 String rc = callHostPlugin(conn, "vmops", "createFileInDomr", "domrip", routerIp, "filepath", path + filename, "filecontents", content);
+ s_logger.debug ("VR Config file " + filename + " got created in VR with ip " + routerIp + " with content \n" + content);
 // Fail case would be start with "fail#"
 return new ExecutionResult(rc.startsWith("succ#"), rc.substring(5));
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/server/src/com/cloud/network/element/VirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VirtualRouterElement.java b/server/src/com/cloud/network/element/VirtualRouterElement.java
index 546aab4..5d7f525 100644
--- a/server/src/com/cloud/network/element/VirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VirtualRouterElement.java
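Review bot: The added debug line writes the full `content` of every file pushed through `createFileInVR` into the management-server log; which callers pass credential-bearing configuration cannot be seen from this hunk, but any that do now have those values persisted in plain text wherever the log is shipped. Log the target and name rather than the payload, and guard the concatenation: `if (s_logger.isDebugEnabled()) { s_logger.debug("VR config file " + path + filename + " created in VR with ip " + routerIp); }`. As a point of style, `s_logger.debug (` carries a space before the parenthesis that the surrounding code does not use.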
@@ -260,9 +260,10 @@ public class VirtualRouterElement extends AdapterBase implements VirtualRouterEl
 }
 if (rules != null && rules.size() == 1) {
- // for VR no need to add default egress rule to DENY traffic
+ // for VR no need to add default egress rule to ALLOW traffic
+ //The default allow rule is added from the router defalut iptables rules iptables-router
 if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System
- && !_networkMdl.getNetworkEgressDefaultPolicy(network.getId())) {
+ && _networkMdl.getNetworkEgressDefaultPolicy(network.getId())) {
 return true;
 }
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index ba76e57..fb1e8b8 100644
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -1918,7 +1918,7 @@ Configurable, StateListener {
 // construct rule when egress policy is true. In true case for VR we default allow rule need to be added
- if (defaultEgressPolicy) {
+ if (!defaultEgressPolicy) {
 systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
 List sourceCidr = new ArrayList();
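Review bot: The new comment above the inverted condition misspells `defalut` and explains behaviour that lives in another file, so it should name the mechanism precisely, e.g. `// The VR's base iptables-router config already ACCEPTs egress, so a lone System egress rule needs no programming when the network's egress default policy is allow`. The early `return true` now keys off a live `getNetworkEgressDefaultPolicy` lookup while the System rule in `rules` was presumably built earlier from the offering; if the policy can change between those two points the stale System rule is skipped silently, which may be intended but deserves a sentence in the same comment. The enclosing method starts and ends outside the hunk.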
@@ -1928,6 +1928,9 @@ Configurable, StateListener {
 null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
 rules.add(rule);
+ } else {
+ s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy + " So no need"+
+ " of default rule is needed. ");
 }
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/systemvm/patches/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
index 3f5bc5f..f16b942 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -24,6 +24,7 @@ COMMIT
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
 :FW_OUTBOUND - [0:0]
 -A INPUT -d 224.0.0.18/32 -j ACCEPT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
@@ -42,7 +43,9 @@ COMMIT
 -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
 -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
 COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8f8e3111/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
index b1e7a40..767f17e 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
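Review bot: The new `-A FW_EGRESS_RULES -j ACCEPT` means every freshly booted router forwards guest-to-public egress until the management server runs firewall_egress.sh for the network; for an offering whose egress default policy is deny that is a window of exposure which nothing in this file records, and the choice is deliberate per the commit message, so it should be stated next to the rule. iptables-restore accepts `#` lines, so add above it `# Egress is accepted at boot; firewall_egress.sh replaces this chain with the network's egress policy (DROP default when the offering denies egress)`. It would also help to note that `-A FW_OUTBOUND -j FW_EGRESS_RULES` is appended after the `-I` state rule and is expected to stay the last rule of FW_OUTBOUND, so that whoever appends to that chain next does not place rules behind the jump.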
@@ -145,11 +145,11 @@ fi
 success=0
-if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
 then
- target="ACCEPT"
- else
 target="DROP"
+ else
+ target="ACCEPT"
 fi
 fw_egress_chain
@@ -172,7 +172,7 @@ then
 fw_egress_backup_restore
 else
 logger -t cloud "deleting backup for guest network"
- if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+ if [ "$pvalue" == "1" ]
 then
 #Adding default policy rule
 sudo iptables -A FW_EGRESS_RULES -j ACCEPT
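Review bot: The meaning of `$pvalue` 0/1/2 is stated nowhere near this `if`, and the commit inverts which values yield `target="DROP"`, so a reader cannot tell from the script whether `1` stands for "egress default allow" without consulting the management-server side; add a comment above the test such as `# -P value: 1 or 2 -> explicit rules are DROP exceptions (default allow); anything else -> explicit rules ACCEPT (default deny)`, after confirming the mapping against the caller. `[ "$pvalue" == "1" -o "$pvalue" == "2" ]` relies on bash's `==` and the obsolescent `-o`; `[ "$pvalue" = "1" ] || [ "$pvalue" = "2" ]` is the portable spelling if the script is ever run under a plain POSIX shell.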
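Review bot: For `pvalue` 1 this branch appends `-A FW_EGRESS_RULES -j ACCEPT`, which is the same rule the router's base iptables-router config now installs at boot; unless `fw_egress_chain` (outside this hunk) flushes the chain first, the chain ends with two ACCEPT rules, harmless but misleading when the chain is inspected during an incident. Make the assumption explicit with a comment here, e.g. `# FW_EGRESS_RULES was rebuilt above; re-add the terminal default-allow rule`, or guard it with `sudo iptables -C FW_EGRESS_RULES -j ACCEPT || sudo iptables -A FW_EGRESS_RULES -j ACCEPT`. The if/else this hunk belongs to continues past the end of the hunk.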