Return-Path: X-Original-To: apmail-incubator-cloudstack-commits-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 92B1CD6DB for ; Wed, 3 Oct 2012 17:06:57 +0000 (UTC) Received: (qmail 30533 invoked by uid 500); 3 Oct 2012 17:06:57 -0000 Delivered-To: apmail-incubator-cloudstack-commits-archive@incubator.apache.org Received: (qmail 30494 invoked by uid 500); 3 Oct 2012 17:06:57 -0000 Mailing-List: contact cloudstack-commits-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-commits@incubator.apache.org Received: (qmail 30474 invoked by uid 99); 3 Oct 2012 17:06:57 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Oct 2012 17:06:57 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id F419637B1B; Wed, 3 Oct 2012 17:06:56 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: anthonyxu@apache.org To: cloudstack-commits@incubator.apache.org X-Mailer: ASF-Git Admin Mailer Subject: [1/2] git commit: CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only open for targeting to this VR ip Message-Id: <20121003170656.F419637B1B@tyr.zones.apache.org> Date: Wed, 3 Oct 2012 17:06:56 +0000 (UTC) Updated Branches: refs/heads/4.0 95df352e8 -> a51343508 CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only open for targeting to this VR ip Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/a5134350 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/a5134350 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/a5134350 Branch: refs/heads/4.0 Commit: a5134350898448cae8a1259a92345e479febdf5e Parents: ed09444 Author: Anthony Xu Authored: Thu Sep 27 14:28:06 2012 -0700 Committer: Anthony Xu Committed: Wed Oct 3 10:06:55 2012 -0700
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/vpc_guestnw.sh | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a5134350/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index ae966ec..faf62c6 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -66,6 +66,7 @@ setup_apache2() {
 sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
 sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
 service apache2 restart
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
 sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
 }
@@ -110,11 +111,14 @@ desetup_dnsmasq() {
 setup_passwdsvcs() {
 logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+ sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
 nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
 }
 desetup_passwdsvcs() {
 logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
 pid=`ps -ef | grep socat | grep $ip | grep -v grep | awk '{print $2}'`
 if [ -n "$pid" ]
 then
@@ -131,6 +135,8 @@ create_guest_network() {
 # restore mark from connection mark
 local tableName="Table_$dev"
 sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+ sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+ sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
 sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
 # set up hairpin
 sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
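Review bot: The `iptables -D` added ahead of the `-A` in setup_apache2 (and the same pattern in setup_passwdsvcs and create_guest_network in the next two hunks) deletes only the first matching rule, so a router whose INPUT chain already carries several copies of the port-80 ACCEPT from earlier runs of this script still ends up with duplicates, and on a fresh router the delete fails with a "Bad rule" error on stderr. Deleting until no match remains makes each setup path converge on exactly one rule: `while sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT 2>/dev/null; do :; done` before the `-A`, with the equivalent loop for the 8080, CONNMARK and SNAT rules. Whether the script runs under `set -e`, which would turn the failing `-D` into an abort of the whole setup, is not visible here; setup_apache2 begins before this hunk.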
@@ -145,7 +151,7 @@ destroy_guest_network() {
 sudo ip addr del dev $dev $ip/$mask
 sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
- sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+ sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
 destroy_acl_chain
 desetup_dnsmasq
 desetup_apache2