cloudstack-commits mailing list archives

From bhais...@apache.org
Subject [1/2] git commit: updated refs/heads/4.9 to 6f609e6
Date Tue, 08 Nov 2016 09:36:17 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.9 f19a1631a -> 6f609e694


CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking

Allow DNS queries over TCP when egress filtering is configured.

When using DNSSEC more and more queries are done over TCP and this
requires 53/TCP to be allowed.

Signed-off-by: Wido den Hollander <wido@widodh.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8ea75f1a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8ea75f1a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8ea75f1a

Branch: refs/heads/4.9
Commit: 8ea75f1a85b53908f97a6397637ecb346b821387
Parents: fcee71f
Author: Wido den Hollander <wido@widodh.nl>
Authored: Thu Oct 20 10:14:36 2016 +0200
Committer: Wido den Hollander <wido@widodh.nl>
Committed: Mon Oct 31 09:57:25 2016 +0100

----------------------------------------------------------------------
 scripts/vm/network/security_group.py | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8ea75f1a/scripts/vm/network/security_group.py
----------------------------------------------------------------------
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index e459a29..8283256 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -493,6 +493,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname,
sec_ips):
         if vm_ip is not None:
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged
--physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged
--physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN
")
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged
--physdev-in " + vif + " -m set --set " + vmipsetName + " src -p tcp --dport 53  -j RETURN
")
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged
--physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
         execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out
" + vif + " -j " + vmchain)
         execute("iptables -A " + vmchain + " -j DROP")
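
Review bot: the added "-p tcp --dport 53 -j RETURN" rule carries no destination match, so TCP traffic from the VM to port 53 on any host returns from vmchain_default before the jump to vmchain_egress and is never evaluated against the configured egress rules. That mirrors the existing UDP rule above it, but a TCP exemption is a wider one, since any stream protocol can be run over port 53. If the resolver addresses are available at this point in default_network_rules, consider adding a -d match so only DNS to those resolvers is exempt. Otherwise add a comment above both rules stating that 53/udp and 53/tcp are deliberately exempt from egress filtering, so operators reading the script know the exemption exists. A smaller point on the same line: it is a copy of the UDP line with only the protocol changed, so a short loop over ("udp", "tcp") would keep the two rules from drifting apart.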

