cloudstack-commits mailing list archives

From bhais...@apache.org
Subject git commit: updated refs/heads/4.3 to aa3b615
Date Fri, 06 Feb 2015 10:03:03 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.3 66027f43b -> aa3b61503


CLOUDSTACK-5494: Fixed dns is open to public in VR

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 81994cf443ca64aead822ed1b3cf1c22d10bd9fe)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/aa3b6150
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/aa3b6150
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/aa3b6150

Branch: refs/heads/4.3
Commit: aa3b61503771ad2f92feb0226eb177534847e9f8
Parents: 66027f4
Author: Jayapal <jayapal@apache.org>
Authored: Tue Jan 27 16:33:03 2015 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Fri Feb 6 15:32:46 2015 +0530

----------------------------------------------------------------------
 .../debian/config/etc/init.d/cloud-early-config |  6 ++++
 .../patches/debian/config/root/createIpAlias.sh | 29 ++++++++++++++++++++
 .../patches/debian/config/root/deleteIpAlias.sh |  2 ++
 3 files changed, 37 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aa3b6150/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 1ccc7a3..89fecff 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -966,6 +966,12 @@ setup_router() {
   cp /etc/iptables/iptables-router /etc/iptables/rules
   setup_sshd $ETH1_IP "eth1"
   load_modules
+
+  #Only allow DNS service for current network
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m
udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m
udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m
tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m
tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
 }
 
 
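Review bot: The four `sed` rewrites interpolate `$DHCP_RANGE` and `$CIDR_SIZE` without checking that either is set, so an empty value would write `-s / -j ACCEPT` into both rules files, which is not a valid source match and would probably stop the rule set from loading. A guard ahead of the block, e.g. `if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ]; then ... fi` with a logged message in the other case, would make that failure visible instead of silent. The substitution also only fires when the file text matches the pattern character for character, so a differently formatted port 53 rule would stay open to all sources without any error. `/etc/iptables/rules.v4` is edited in place while only `/etc/iptables/rules` is re-copied on the context line above, so whether `rules.v4` is refreshed when the range changes cannot be seen from here. The body of `setup_router` starts outside the hunk.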

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aa3b6150/systemvm/patches/debian/config/root/createIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/createIpAlias.sh b/systemvm/patches/debian/config/root/createIpAlias.sh
index cd273f6..160bc5e 100755
--- a/systemvm/patches/debian/config/root/createIpAlias.sh
+++ b/systemvm/patches/debian/config/root/createIpAlias.sh
@@ -60,6 +60,7 @@ setup_apache2() {
 var="$1"
 cert="/root/.ssh/id_rsa.cloud"
 config_ips=""
+setDnsRules=0
 
 while [ -n "$var" ]
 do
@@ -71,6 +72,7 @@ do
  setup_apache2 "$routerip"
  config_ips="${config_ips}"$routerip":"
  var=$( echo $var | sed "s/${var1}-//" )
+ setDnsRules=1
 done
 
 #restarting the apache server for the config to take effect.
@@ -95,6 +97,33 @@ then
    unlock_exit $result $lock $locked
 fi
 
+if [ "$setDnsRules" -eq 1 ]
+then
+    //check wether chain exist
+    iptables-save -t filter | grep 'dnsIpAlias_allow'
+
+    if [ $? -eq  0 ]
+    then
+      iptables -F dnsIpAlias_allow
+    else
+        //if not exist create it
+        iptables -N dnsIpAlias_allow
+        iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
+        iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
+    fi
+
+    for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+    do
+        iptables -A dnsIpAlias_allow  -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
+        iptables -A dnsIpAlias_allow  -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
+    done
+else
+        iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
+        iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
+        iptables -X dnsIpAlias_allow
+fi
+
+
 #restaring the password service to enable it on the ip aliases
 /etc/init.d/cloud-passwd-srvr restart
 unlock_exit $? $lock $locked
\ No newline at end of file
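Review bot: The two `//` lines (`//check wether chain exist` and `//if not exist create it`) are not comments in shell; each is executed as a command and fails with an error on stderr, so they should read `# check whether the chain exists` and `# create it if it does not exist`. The existence test `iptables-save -t filter | grep 'dnsIpAlias_allow'` prints every matching line to stdout and matches the name anywhere in the dump, whereas `iptables -n -L dnsIpAlias_allow >/dev/null 2>&1` tests the chain itself. In the `else` branch `iptables -X dnsIpAlias_allow` is run without flushing first, so it relies on the caller having emptied the chain (deleteIpAlias.sh does so in this commit); adding `iptables -F dnsIpAlias_allow` before it would make the teardown self-contained. The two jumps are appended with `-A INPUT`, so whether they are reached depends on rules earlier in INPUT that are not visible in this hunk.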

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aa3b6150/systemvm/patches/debian/config/root/deleteIpAlias.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/deleteIpAlias.sh b/systemvm/patches/debian/config/root/deleteIpAlias.sh
index 47edb92..c6b1cce 100755
--- a/systemvm/patches/debian/config/root/deleteIpAlias.sh
+++ b/systemvm/patches/debian/config/root/deleteIpAlias.sh
@@ -55,6 +55,8 @@ service apache2 restart
 
 releaseLockFile $lock $locked
 
+iptables -F dnsIpAlias_allow
+
 #recreating the active ip aliases
 /root/createIpAlias.sh $2
 unlock_exit $? $lock $locked
\ No newline at end of file
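Review bot: The added `iptables -F dnsIpAlias_allow` runs after `releaseLockFile $lock $locked` on the context line above it, so the flush happens outside the lock. If that lock is what serialises alias changes (its acquisition is outside the hunk), a concurrent createIpAlias.sh run could have its freshly added DNS allow rules flushed. The command also fails with an error when the chain was never created. Consider moving the flush into createIpAlias.sh next to its `iptables -X`, or guarding it here: `iptables -n -L dnsIpAlias_allow >/dev/null 2>&1 && iptables -F dnsIpAlias_allow`.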

