diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 4eed8ecd92b..720ecffaf05 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -45,9 +45,9 @@ from cs.CsProcess import CsProcess
 class CsPassword(CsDataBag):
-
+
 TOKEN_FILE="/tmp/passwdsrvrtoken"
-
+
 def process(self):
 for item in self.dbag:
 if item == "id":
@@ -75,7 +75,7 @@ class CsPassword(CsDataBag):
 class CsStaticRoutes(CsDataBag):
-
+
 def process(self):
 logging.debug("Processing CsStaticRoutes file ==> %s" % self.dbag)
 for item in self.dbag:
@@ -119,7 +119,7 @@ class CsAcl(CsDataBag):
 self.rule['allowed'] = True
 self.rule['action'] = "ACCEPT"
-
+
 if self.rule['type'] == 'all' and not obj['source_cidr_list']:
 self.rule['cidr'] = ['0.0.0.0/0']
 else:
@@ -887,6 +887,12 @@ class CsForwardingRules(CsDataBag):
 device = self.getDeviceByIp(rule["public_ip"])
 if device is None:
 raise Exception("Ip address %s has no device in the ips databag" % rule["public_ip"])
+ self.fw.append(["mangle", "",
+ "-A PREROUTING -s %s/32 -m state --state NEW -j MARK --set-xmark 0x%s/0xffffffff" % \
+ (rule["internal_ip"], device[len("eth"):])])
+ self.fw.append(["mangle", "",
+ "-A PREROUTING -s %s/32 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" % \
+ rule["internal_ip"]])
 self.fw.append(["nat", "front",
 "-A PREROUTING -d %s/32 -j DNAT --to-destination %s" % (rule["public_ip"], rule["internal_ip"])])
 self.fw.append(["nat", "front",
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index 24d75e55e85..b2cc26e8879 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
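Review bot: The return-path mark written on the new mangle line is formatted as `0x%s` from `device[len("eth"):]`, while the interface mark that CsAddress.set_mark writes in the same commit is a bare `%s` of `self.dnum`; if dnum is the plain interface number, the two encodings diverge once that number reaches 10 (`0x10` is read as 16, `10` as 10), and forwarded connections would then carry a mark no device rule matches. Slicing the interface name also assumes getDeviceByIp always returns an `ethN` name; any other name produces a malformed `--set-xmark` value that only fails when the rule is loaded. I would validate before building the rule, e.g. `if not device.startswith("eth") or not device[len("eth"):].isdigit(): raise Exception("Unexpected device name %s for ip %s" % (device, rule["public_ip"]))`, and use one mark encoding in both files. The MARK line must stay ahead of the CONNMARK line, which is worth a comment such as `# MARK first, then CONNMARK --save-mark copies the mark onto the conntrack entry`. The enclosing loop of CsForwardingRules starts outside the hunk.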
@@ -282,19 +282,20 @@ class CsIP:
 route = CsRoute()
 if not self.get_type() in ["control"]:
 route.add_table(self.dev)
-
+
 CsRule(self.dev).addMark()
 self.check_is_up()
- self.set_mark()
+ if self.dnum != '0':
+ self.set_mark()
 self.arpPing()
-
+
 CsRpsrfs(self.dev).enable()
 self.post_config_change("add")
 '''For isolated/redundant and dhcpsrvr routers, call this method after the post_config is complete '''
 if not self.config.is_vpc():
 self.setup_router_control()
-
+
 if self.config.is_vpc() or self.cl.is_redundant():
 # The code looks redundant here, but we actually have to cater for routers and
 # VPC routers in a different manner. Please do not remove this block otherwise
@@ -324,9 +325,10 @@ class CsIP:
 CsHelper.execute(cmd2)
 def set_mark(self):
- cmd = "-A PREROUTING -i %s -m state --state NEW -j CONNMARK --set-xmark %s/0xffffffff" % \
- (self.getDevice(), self.dnum)
- self.fw.append(["mangle", "", cmd])
+ if self.get_type() in ['public']:
+ cmd = "-A PREROUTING -i %s -m state --state NEW -j CONNMARK --set-xmark %s/0xffffffff" % \
+ (self.getDevice(), self.dnum)
+ self.fw.append(["mangle", "", cmd])
 def get_type(self):
 """ Return the type of the IP
@@ -349,16 +351,16 @@ class CsIP:
 def setup_router_control(self):
 if self.config.is_vpc():
 return
-
+
 self.fw.append(
 ["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"])
 self.fw.append(
 ["filter", "", "-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"])
-
+
 self.fw.append(["filter", "", "-P INPUT DROP"])
 self.fw.append(["filter", "", "-P FORWARD DROP"])
-
+
 def fw_router(self):
 if self.config.is_vpc():
 return
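Review bot: The new guard `if self.dnum != '0':` compares against the string `'0'`, so it skips device 0 only while dnum is kept as a string; set_mark formats dnum with `%s`, which would hide an int/str mismatch, and an int 0 would pass the guard and be marked. The hunk also gives no reason for excluding device 0; a comment such as `# dev 0 gets no connection mark; set_mark() further limits marking to public interfaces` would record the intent. If dnum can ever be an int, `if str(self.dnum) != '0':` is the safer comparison. The enclosing method starts before the hunk.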
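Review bot: set_mark now returns silently for every interface type other than public, and the condition `self.get_type() in ['public']` is a one-element membership test standing in for `self.get_type() == 'public'`. The narrowed contract belongs in a docstring, e.g. `"""Mark NEW connections arriving on a public interface with this device's number; other interface types are left unmarked."""`, since the caller in the -282 hunk adds its own dnum check and the two conditions can otherwise drift apart unnoticed. The method lies entirely within the hunk.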
@@ -392,6 +394,10 @@ class CsIP:
 "-j CONNMARK --set-xmark %s/0xffffffff" % self.dnum])
 self.fw.append(
 ["mangle", "", "-A FIREWALL_%s -j DROP" % self.address['public_ip']])
+ self.fw.append(["filter", "",
+ "-A FORWARD -i %s -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
+ self.fw.append(["filter", "",
+ "-A FORWARD -i eth0 -o %s -j FW_OUTBOUND" % self.dev])
 self.fw.append(["filter", "", "-A INPUT -d 224.0.0.18/32 -j ACCEPT"])
 self.fw.append(["filter", "", "-A INPUT -d 225.0.0.50/32 -j ACCEPT"])
@@ -415,15 +421,8 @@ class CsIP:
 ["filter", "", "-A FORWARD -i %s -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
 self.fw.append(
 ["filter", "", "-A FORWARD -i %s -o %s -m state --state NEW -j ACCEPT" % (self.dev, self.dev)])
- self.fw.append(
- ["filter", "", "-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"])
 self.fw.append(
 ["filter", "", "-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"])
- self.fw.append(
- ["filter", "", "-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND"])
- self.fw.append(["mangle", "",
- "-A PREROUTING -i %s -m state --state NEW " % self.dev +
- "-j CONNMARK --set-xmark %s/0xffffffff" % self.dnum])
 self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS'])
 self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS'])
@@ -432,7 +431,7 @@ class CsIP:
 self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0'])
 self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp'])
 self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp'])
-
+
 def fw_vpcrouter(self):
 if not self.config.is_vpc():
 return
@@ -550,7 +549,7 @@ class CsIP:
 for i in CsHelper.execute(cmd):
 vals = i.lstrip().split()
 if (vals[0] == 'inet'):
-
+
 cidr = vals[1]
 for ip, device in self.iplist.iteritems():
 logging.info(
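Review bot: The two FORWARD rules added here, `-A FORWARD -i %s -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT` and `-A FORWARD -i eth0 -o %s -j FW_OUTBOUND` with `self.dev`, are emitted for every device that reaches this point, whereas the mark rule in set_mark is now restricted to public interfaces; if fw_router can run for a non-public device (not visible in the hunk), the second rule opens a forwarding path from eth0 to that device that the hard-coded eth2 rules removed in the -415 hunk did not. Either a guard mirroring set_mark or a comment stating why every device gets these rules would settle it, e.g. `# eth0 is presumably the guest-facing side of a non-VPC router (confirm); its new connections toward self.dev go through FW_OUTBOUND`. The statement at the top of the hunk starts outside it, and fw_router continues past the hunk's last line.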