incubator-cloudstack-commits mailing list archives

From anthon...@apache.org
Subject [1/2] git commit: CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only open for targeting to this VR ip
Date Wed, 03 Oct 2012 17:06:56 GMT
Updated Branches:
  refs/heads/4.0 95df352e8 -> a51343508


CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only
open for targeting to this VR ip


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/a5134350
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/a5134350
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/a5134350

Branch: refs/heads/4.0
Commit: a5134350898448cae8a1259a92345e479febdf5e
Parents: ed09444
Author: Anthony Xu <anthony@cloud.com>
Authored: Thu Sep 27 14:28:06 2012 -0700
Committer: Anthony Xu <anthony@cloud.com>
Committed: Wed Oct 3 10:06:55 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/vpc_guestnw.sh     |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a5134350/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index ae966ec..faf62c6 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -66,6 +66,7 @@ setup_apache2() {
   sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
   sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
   service apache2 restart
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
   sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
 }
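Review bot: The added `iptables -D` in setup_apache2 removes at most one copy of the rule, so a router that already stacked duplicate port-80 ACCEPT rules from earlier runs keeps the extras, and on a first run the delete fails and prints an error because nothing matches yet. The same delete-then-append pattern appears in setup_passwdsvcs and create_guest_network, and the single `-D` calls in desetup_passwdsvcs and destroy_guest_network share the one-copy limit, which can leave an ACCEPT or SNAT rule behind after teardown. A drain loop with quoted variables would cover both cases: `while sudo iptables -D INPUT -i "$dev" -d "$ip" -p tcp -m state --state NEW --dport 80 -j ACCEPT 2>/dev/null; do :; done`. setup_apache2 starts above this hunk, so whether `$dev` and `$ip` are validated earlier is not visible here.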
 
@@ -110,11 +111,14 @@ desetup_dnsmasq() {
 
 setup_passwdsvcs() {
   logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
 }
 
 desetup_passwdsvcs() {
   logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   pid=`ps -ef | grep socat | grep $ip | grep -v grep | awk '{print $2}'`
   if [ -n "$pid" ]
   then
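Review bot: The new port-8080 ACCEPT in setup_passwdsvcs is added before the password server is launched, and the launch on the following line discards all output and is never checked, so the port stays open in the firewall even if `vpc_passwd_server` fails to start. The rule also matches any source address arriving on `$dev`; if `$subnet` and `$mask` are set at this point (they are used in create_guest_network), adding `-s "$subnet/$mask"` would limit the password service to the tier's own addresses. A short comment such as `# open 8080 only on this tier's gateway IP; removed again in desetup_passwdsvcs` would tie the setup/desetup pair together. desetup_passwdsvcs continues past the end of this hunk.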
@@ -131,6 +135,8 @@ create_guest_network() {
   # restore mark from  connection mark
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK
--restore-mark
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK
--restore-mark
   # set up hairpin
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
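Review bot: The two added `-D` lines in create_guest_network carry no comment, and the existing `# restore mark from connection mark` comment now sits four statements above the `-A PREROUTING` rule it describes. A line such as `# drop any earlier copy first so re-running create_guest_network does not stack duplicate mangle/SNAT rules` above the deletes would explain why a create function starts by deleting, and moving the restore-mark comment directly above its `-A` line would keep it attached to the right rule. The function starts and ends outside this hunk.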
@@ -145,7 +151,7 @@ destroy_guest_network() {
 
   sudo ip addr del dev $dev $ip/$mask
   sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK
--restore-mark
-  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   destroy_acl_chain
   desetup_dnsmasq
   desetup_apache2

