Return-Path: X-Original-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-cloudstack-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B727090AD for ; Mon, 21 May 2012 13:05:12 +0000 (UTC) Received: (qmail 58031 invoked by uid 500); 21 May 2012 13:05:12 -0000 Delivered-To: apmail-incubator-cloudstack-dev-archive@incubator.apache.org Received: (qmail 58001 invoked by uid 500); 21 May 2012 13:05:12 -0000 Mailing-List: contact cloudstack-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: cloudstack-dev@incubator.apache.org Delivered-To: mailing list cloudstack-dev@incubator.apache.org Received: (qmail 57993 invoked by uid 99); 21 May 2012 13:05:12 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 May 2012 13:05:12 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [109.72.87.137] (HELO smtp01.mail.pcextreme.nl) (109.72.87.137) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 May 2012 13:05:06 +0000 Received: from gateway.ceph.widodh.nl (gateway.ceph.widodh.nl [31.25.100.163]) by smtp01.mail.pcextreme.nl (Postfix) with ESMTPA id 2C63438D659; Mon, 21 May 2012 15:03:29 +0200 (CEST) From: Wido den Hollander To: cloudstack-dev@incubator.apache.org Cc: Wido den Hollander Subject: [PATCH] Create iptable rules for all bridges assigned to a system VM Date: Mon, 21 May 2012 15:03:20 +0200 Message-Id: <1337605401-26892-4-git-send-email-wido@widodh.nl> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1337605401-26892-1-git-send-email-wido@widodh.nl> References: <1337605401-26892-1-git-send-email-wido@widodh.nl> X-Virus-Checked: Checked by ClamAV on apache.org The default_network_rules_systemvm method in security_group.py only created the appropriate rules for just one bridge. This however leads to traffic not being forwarded to the virtual machine in the case of the system VMs both (console & storage) having different bridges in basic networking. This patch makes sure rules are generated for all target devices based on their source device/bridge It however excludes the LinkLocalBridge since no filtering is needed on that bridge. Signed-off-by: Wido den Hollander --- .../computing/LibvirtComputingResource.java | 15 +---- scripts/vm/network/security_group.py | 66 +++++++++++++++----- 2 files changed, 51 insertions(+), 30 deletions(-) diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java index 659306e..01a3709 100755 --- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java +++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java @@ -3946,24 +3946,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements if (!_can_bridge_firewall) { return false; } - List intfs = getInterfaces(conn, vmName); - if (intfs.size() < 1) { - return false; - } - /* FIX ME: */ - String brname = null; - if (vmName.startsWith("r-")) { - InterfaceDef intf = intfs.get(0); - brname = intf.getBrName(); - } else { - InterfaceDef intf = intfs.get(intfs.size() - 1); - brname = intf.getBrName(); - } Script cmd = new Script(_securityGroupPath, _timeout, s_logger); cmd.add("default_network_rules_systemvm"); cmd.add("--vmname", vmName); - cmd.add("--brname", brname); + cmd.add("--localbrname", _linkLocalBridgeName); String result = cmd.execute(); if (result != null) { return false; diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py index a5c2087..f753d7d 100755 --- a/scripts/vm/network/security_group.py +++ b/scripts/vm/network/security_group.py @@ -215,14 +215,10 @@ def default_ebtables_rules(vm_name, vm_ip, vm_mac, vif): return 'false' -def default_network_rules_systemvm(vm_name, brname): - if not addFWFramework(brname): - return False - - vifs = getVifs(vm_name) +def default_network_rules_systemvm(vm_name, localbrname): + bridges = getBridges(vm_name) domid = getvmId(vm_name) vmchain = vm_name - brfw = "BF-" + brname delete_rules_for_vm_in_bridge_firewall_chain(vm_name) @@ -231,14 +227,20 @@ def default_network_rules_systemvm(vm_name, brname): except: execute("iptables -F " + vmchain) - for vif in vifs: - try: - execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain) - execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain) - execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN") - except: - logging.debug("Failed to program default rules") - return 'false' + for bridge in bridges: + if bridge != localbrname: + if not addFWFramework(bridge): + return False + brfw = "BF-" + bridge + vifs = getVifsForBridge(vm_name, bridge) + for vif in vifs: + try: + execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain) + execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain) + execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN") + except: + logging.debug("Failed to program default rules") + return 'false' execute("iptables -A " + vmchain + " -j ACCEPT") @@ -678,12 +680,43 @@ def getVifs(vmName): return vifs dom = xml.dom.minidom.parseString(xmlfile) - vifs = [] for network in dom.getElementsByTagName("interface"): target = network.getElementsByTagName('target')[0] nicdev = target.getAttribute("dev").strip() vifs.append(nicdev) return vifs + +def getVifsForBridge(vmName, brname): + vifs = [] + try: + xmlfile = virsh("dumpxml", vmName).stdout + except: + return vifs + + dom = xml.dom.minidom.parseString(xmlfile) + for network in dom.getElementsByTagName("interface"): + source = network.getElementsByTagName('source')[0] + bridge = source.getAttribute("bridge").strip() + if bridge == brname: + target = network.getElementsByTagName('target')[0] + nicdev = target.getAttribute("dev").strip() + vifs.append(nicdev) + return vifs + +def getBridges(vmName): + bridges = [] + try: + xmlfile = virsh("dumpxml", vmName).stdout + except: + return bridges + + dom = xml.dom.minidom.parseString(xmlfile) + for network in dom.getElementsByTagName("interface"): + for source in network.getElementsByTagName('source'): + bridge = source.getAttribute("bridge").strip() + bridges.append(bridge) + return bridges + def getvmId(vmName): cmd = "virsh list |grep " + vmName + " | awk '{print $1}'" return bash("-c", cmd).stdout.strip() @@ -753,6 +786,7 @@ if __name__ == '__main__': parser.add_option("--seq", dest="seq") parser.add_option("--rules", dest="rules") parser.add_option("--brname", dest="brname") + parser.add_option("--localbrname", dest="localbrname") parser.add_option("--dhcpSvr", dest="dhcpSvr") parser.add_option("--hostIp", dest="hostIp") parser.add_option("--hostMacAddr", dest="hostMacAddr") @@ -765,7 +799,7 @@ if __name__ == '__main__': elif cmd == "destroy_network_rules_for_vm": destroy_network_rules_for_vm(option.vmName, option.vif) elif cmd == "default_network_rules_systemvm": - default_network_rules_systemvm(option.vmName, option.brname) + default_network_rules_systemvm(option.vmName, option.localbrname) elif cmd == "get_rule_logs_for_vms": get_rule_logs_for_vms() elif cmd == "add_network_rules": -- 1.7.5.4