Date: Tue, 5 Apr 2016 08:29:30 +0100 (BST)
From: Nux!
To: dev@cloudstack.apache.org
Subject: Re: Hooking into the SecurityGroups

Thanks Jayapal!

I won't propose this change as a pull request since this is a pretty custom job.

Myipset (with a different name) will include all our data centre (AS) subnets, the end result being that with a simple "iptables-save -c" I can now know what traffic was done against our data centre as well as global traffic; then with simple arithmetic I can calculate exactly the amount of traffic done outside our networks.

e.g.
iptables-save -c |grep -i vnet0
[542306:28257982] -A BF-breth0-109-IN -m physdev --physdev-in vnet0 --physdev-is-bridged -m set --match-set myipset dst
[719558:37497155] -A BF-breth0-109-IN -m physdev --physdev-in vnet0 --physdev-is-bridged -j i-2-38-def
[562386:3982131066] -A BF-breth0-109-OUT -m physdev --physdev-out vnet0 --physdev-is-bridged -m set --match-set myipset src
[765296:5230761832] -A BF-breth0-109-OUT -m physdev --physdev-out vnet0 --physdev-is-bridged -j i-2-38-def
...

Logging and graphing this is another adventure, but I'm glad I got the Cloudstack bit done, unless anyone else wants to point to some horrible mistake. :)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Jayapal Uradi"
> To: dev@cloudstack.apache.org
> Sent: Tuesday, 5 April, 2016 06:00:19
> Subject: Re: Hooking into the SecurityGroups

> Hi Nux,
>
> I think ipset ‘myipset’ changes might be there in other commits. If you do not
> have special requirement then you can use the existing ipset which is with the
> vmname ex: i-2-3-VM. Except this it looks good to me.
>
>
> Thanks,
> Jayapal
>
>
>> On 04-Apr-2016, at 10:17 pm, Nux! wrote:
>>
>> Well, this is what we got working in the end. If someone has any suggestions on
>> how to improve it, that'd be great.
>>
>> https://github.com/NuxRo/cloudstack/commit/de6f97367fc2dc02378f367c462eaaec8f92e234
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>>
>> ----- Original Message -----
>>> From: "Nux!"
>>> To: "dev"
>>> Sent: Friday, 1 April, 2016 11:42:10
>>> Subject: Hooking into the SecurityGroups
>>
>>> Hi,
>>>
>>> I want to hook into the SGs and add a few iptables rules every time a VM is
>>> spawned and delete them when the VM is moved/deleted.
>>> Has anyone done this before? Any pointers before I go and butcher it? :-)
>>>
>>> Lucian
>>>
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>>
>>> Nux!
>>> www.nux.ro
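
The "simple arithmetic" on the counters shown in the message, as an added example that is not part of the original thread or of CloudStack. It assumes, as the listing suggests, that the `--match-set` rule has no target and only counts, so the following `-j` rule in the same chain sees all traffic for that interface; `external_traffic` is a hypothetical name.

```python
import re

# Constructed sample: the four counter lines quoted in the message above.
SAMPLE = """\
[542306:28257982] -A BF-breth0-109-IN -m physdev --physdev-in vnet0 --physdev-is-bridged -m set --match-set myipset dst
[719558:37497155] -A BF-breth0-109-IN -m physdev --physdev-in vnet0 --physdev-is-bridged -j i-2-38-def
[562386:3982131066] -A BF-breth0-109-OUT -m physdev --physdev-out vnet0 --physdev-is-bridged -m set --match-set myipset src
[765296:5230761832] -A BF-breth0-109-OUT -m physdev --physdev-out vnet0 --physdev-is-bridged -j i-2-38-def
"""

# "[packets:bytes] -A <chain> <rest of rule>" as printed by iptables-save -c
RULE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def external_traffic(dump, ipset="myipset"):
    """Return {(chain, iface): (packets, bytes)} for traffic NOT matching `ipset`."""
    inside, total = {}, {}
    for line in dump.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # table names, chain policies, COMMIT, comments
        counters = (int(m[1]), int(m[2]))
        args = m[4].split()
        iface = next((args[i + 1] for i, a in enumerate(args[:-1])
                      if a in ("--physdev-in", "--physdev-out")), None)
        if iface is None:
            continue  # not a per-interface bridge rule
        key = (m[3], iface)
        if "--match-set" in args:
            # Count-only rule: traffic to or from the data-centre subnets.
            if args[args.index("--match-set") + 1] == ipset:
                inside[key] = counters
        elif "-j" in args:
            # Assumed to be the catch-all jump that counts everything.
            total[key] = counters
    result = {}
    for key, (tot_pkts, tot_bytes) in total.items():
        if key not in inside:
            continue  # no ipset rule for this interface: nothing to subtract
        in_pkts, in_bytes = inside[key]
        if in_pkts > tot_pkts or in_bytes > tot_bytes:
            # The two rules were not installed or reset together.
            raise ValueError(f"counters out of step for {key}")
        result[key] = (tot_pkts - in_pkts, tot_bytes - in_bytes)
    return result
```

Counters restart from zero whenever the rules are rewritten, so anything that graphs these values has to treat a drop between two samples as a reset rather than negative traffic.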