CLOUDSTACK-5779: Move firewall to use routerProxy

Sheng Yang 2014-01-17 11:51:42 -08:00
parent ce67e24d0a
commit 0ea1c7dfc4
8 changed files with 55 additions and 146 deletions


@ -102,7 +102,6 @@ import java.util.Map;
public class VirtualRoutingResource implements Manager {
private static final Logger s_logger = Logger.getLogger(VirtualRoutingResource.class);
private String _publicIpAddress;
private String _firewallPath;
private String _loadbPath;
private String _publicEthIf;
private String _privateEthIf;
@ -232,18 +231,16 @@ public class VirtualRoutingResource implements Manager {
FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
String[][] rules = cmd.generateFwRules();
final Script command = new Script(_firewallPath, _timeout, s_logger);
command.add(routerIp);
command.add("-F");
String args = " -F";
if (trafficType == FirewallRule.TrafficType.Egress) {
command.add("-E");
args += "-E";
if (egressDefault.equals("true")) {
command.add("-P ", "1");
args += " -P 1";
} else if (egressDefault.equals("System")) {
command.add("-P ", "2");
args += " -P 2";
} else {
command.add("-P ", "0");
args += " -P 0";
}
}
@ -253,10 +250,17 @@ public class VirtualRoutingResource implements Manager {
for (int i = 0; i < fwRules.length; i++) {
sb.append(fwRules[i]).append(',');
}
command.add("-a", sb.toString());
args += " -a " + sb.toString();
}
String result = null;
if (trafficType == FirewallRule.TrafficType.Egress) {
result = routerProxy("firewall_egress.sh", routerIp, args);
} else {
result = routerProxy("firewall_ingress.sh", routerIp, args);
}
String result = command.execute();
if (result != null) {
return new SetFirewallRulesAnswer(cmd, false, results);
}
@ -270,22 +274,21 @@ public class VirtualRoutingResource implements Manager {
int i = 0;
boolean endResult = true;
for (PortForwardingRuleTO rule : cmd.getRules()) {
String result = null;
final Script command = new Script(_firewallPath, _timeout, s_logger);
StringBuilder args = new StringBuilder();
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -P ").append(rule.getProtocol().toLowerCase());
args.append(" -l ").append(rule.getSrcIp());
args.append(" -p ").append(rule.getStringSrcPortRange());
args.append(" -r ").append(rule.getDstIp());
args.append(" -d ").append(rule.getStringDstPortRange());
command.add(routerIp);
command.add(rule.revoked() ? "-D" : "-A");
command.add("-P ", rule.getProtocol().toLowerCase());
command.add("-l ", rule.getSrcIp());
command.add("-p ", rule.getStringSrcPortRange());
command.add("-r ", rule.getDstIp());
command.add("-d ", rule.getStringDstPortRange());
result = command.execute();
if (result == null) {
results[i++] = null;
} else {
String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
endResult = false;
} else {
results[i++] = null;
}
}
@ -325,28 +328,26 @@ public class VirtualRoutingResource implements Manager {
int i = 0;
boolean endResult = true;
for (StaticNatRuleTO rule : cmd.getRules()) {
String result = null;
final Script command = new Script(_firewallPath, _timeout, s_logger);
command.add(routerIp);
command.add(rule.revoked() ? "-D" : "-A");
//1:1 NAT needs instanceip;publicip;domrip;op
command.add(" -l ", rule.getSrcIp());
command.add(" -r ", rule.getDstIp());
StringBuilder args = new StringBuilder();
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -l ").append(rule.getSrcIp());
args.append(" -r ").append(rule.getDstIp());
if (rule.getProtocol() != null) {
command.add(" -P ", rule.getProtocol().toLowerCase());
args.append(" -P ").append(rule.getProtocol().toLowerCase());
}
command.add(" -d ", rule.getStringSrcPortRange());
command.add(" -G ");
args.append(" -d ").append(rule.getStringSrcPortRange());
args.append(" -G ");
result = command.execute();
if (result == null) {
results[i++] = null;
} else {
String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
endResult = false;
} else {
results[i++] = null;
}
}
@ -1105,11 +1106,6 @@ public class VirtualRoutingResource implements Manager {
s_logger.warn("Incoming public ip address is overriden. Will always be using the same ip address: " + _publicIpAddress);
}
_firewallPath = findScript("call_firewall.sh");
if (_firewallPath == null) {
throw new ConfigurationException("Unable to find the call_firewall.sh");
}
_loadbPath = findScript("call_loadbalancer.sh");
if (_loadbPath == null) {
throw new ConfigurationException("Unable to find the call_loadbalancer.sh");
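Review bot: The failure test in the firewall-rules hunk stays `if (result != null)` after the switch to `routerProxy(...)`, while the port-forwarding and static-NAT hunks in this same file treat `result == null || result.isEmpty()` as failure; if routerProxy here follows that convention (it does in the CitrixResourceBase hunks of this commit), a successful egress/ingress call is reported as a failed SetFirewallRulesAnswer and a failed one as success. The line should become `if (result == null || result.isEmpty()) {`. In the same hunk `args += "-E";` is appended directly after `" -F"`, yielding `-F-E` as a single token, whereas the CitrixResourceBase version uses `" -E"`; this line should be `args += " -E";`. The enclosing method bodies start and end outside these hunks, so the rest of their result handling is not visible here.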


@ -847,10 +847,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
try {
VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
if (s_logger.isDebugEnabled())
s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
if (!result.first()) {
s_logger.error("SetPortForwardingRulesCommand failure on setting one rule. args: " + args);
@ -905,16 +905,16 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
Pair<Boolean, String> result = null;
if (trafficType == FirewallRule.TrafficType.Egress) {
result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewallRule_egress.sh " + args);
result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_egress.sh " + args);
} else {
result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall_rule.sh " + args);
result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_ingress.sh " + args);
}
if (s_logger.isDebugEnabled()) {
if (trafficType == FirewallRule.TrafficType.Egress) {
s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewallRule_egress.sh " + args);
s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_egress.sh " + args);
} else {
s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall_rule.sh " + args);
s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_ingress.sh " + args);
}
}
@ -1012,10 +1012,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
try {
VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
String controlIp = getRouterSshControlIp(cmd);
Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
if (s_logger.isDebugEnabled())
s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
if (!result.first()) {
s_logger.error("SetStaticNatRulesCommand failure on setting one rule. args: " + args);
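Review bot: Each of the new `/opt/cloud/bin/...` script paths is spelled out twice in every hunk, once in the sshExecute call and once in the "Executing script on domain router" debug message, and the nat path is repeated again across the port-forwarding and static-NAT methods, so the executed and logged commands can drift apart on the next rename. Hoisting them into constants such as `private static final String FIREWALL_NAT_SCRIPT = "/opt/cloud/bin/firewall_nat.sh";` (and the same for the egress and ingress scripts) and building the command once, e.g. `String command = FIREWALL_NAT_SCRIPT + " " + args;`, used by both the call and the log line would remove the duplication. The enclosing methods start and end outside these hunks.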


@ -2047,7 +2047,6 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
boolean endResult = true;
for (PortForwardingRuleTO rule : cmd.getRules()) {
StringBuilder args = new StringBuilder();
args.append(routerIp);
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -P ").append(rule.getProtocol().toLowerCase());
args.append(" -l ").append(rule.getSrcIp());
@ -2055,7 +2054,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args.append(" -r ").append(rule.getDstIp());
args.append(" -d ").append(rule.getStringDstPortRange());
String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
@ -2096,14 +2095,12 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
Connection conn = getConnection();
String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
//String args = routerIp;
String[] results = new String[cmd.getRules().length];
int i = 0;
boolean endResult = true;
for (StaticNatRuleTO rule : cmd.getRules()) {
//1:1 NAT needs instanceip;publicip;domrip;op
StringBuilder args = new StringBuilder();
args.append(routerIp);
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -l ").append(rule.getSrcIp());
args.append(" -r ").append(rule.getDstIp());
@ -2115,7 +2112,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args.append(" -d ").append(rule.getStringSrcPortRange());
args.append(" -G ");
String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
@ -7606,8 +7603,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
}
String[][] rules = cmd.generateFwRules();
String args = "";
args += routerIp + " -F";
String args = " -F";
if (trafficType == FirewallRule.TrafficType.Egress) {
args += " -E";
if (egressDefault.equals("true")) {
@ -7627,7 +7623,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args += " -a " + sb.toString();
}
callResult = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args);
if (trafficType == FirewallRule.TrafficType.Egress) {
callResult = routerProxy("firewall_egress.sh", routerIp, args);
} else {
callResult = routerProxy("firewall_ingress.sh", routerIp, args);
}
if (callResult == null || callResult.isEmpty()) {
//FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails
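Review bot: `Connection conn = getConnection();` remains in the static-NAT hunk although its only visible consumer, `callHostPlugin(conn, "vmops", "setFirewallRule", ...)`, is replaced by `routerProxy("firewall_nat.sh", routerIp, args.toString())`; if nothing else in that method uses `conn` (its body runs past the hunk), the call is now dead and should be removed, and the same check applies to the port-forwarding and firewall-rules hunks where the other two callHostPlugin calls were replaced. The stale `//String args = routerIp;` comment in the same hunk documents the pre-routerProxy argument layout and should go with this change. The enclosing methods start and end outside these hunks.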


@ -1,70 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# $Id: call_firewall.sh 9132 2010-06-04 20:17:43Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/branches/2.0.0/java/scripts/vm/hypervisor/xenserver/patch/call_firewall.sh $
# firewall.sh -- allow some ports / protocols to vm instances
usage() {
printf "Usage for Firewall rule : %s: <domR eth1 ip> -F " $(basename $0) >&2
printf "Usage for other purposes : %s: <domR eth1 ip> (-A|-D) -i <domR eth1 ip> -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
}
#set -x
check_gw() {
ping -c 1 -n -q $1 > /dev/null
if [ $? -gt 0 ]
then
sleep 1
ping -c 1 -n -q $1 > /dev/null
fi
return $?;
}
cert="/root/.ssh/id_rsa.cloud"
domRIp=$1
shift
check_gw "$domRIp"
if [ $? -gt 0 ]
then
exit 1
fi
fflag=
eflag=
while getopts ':FE' OPTION
do
case $OPTION in
F) fflag=1
;;
E) eflag=1
;;
\?) ;;
esac
done
if [ -n "$eflag" ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewallRule_egress.sh $*"
elif [ -n "$fflag" ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall_rule.sh $*"
else
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*"
fi
exit $?


@ -222,23 +222,6 @@ def setLinkLocalIP(session, args):
txt = 'success'
return txt
@echo
def setFirewallRule(session, args):
sargs = args['args']
cmd = sargs.split(' ')
cmd.insert(0, "/opt/cloud/bin/call_firewall.sh")
cmd.insert(0, "/bin/bash")
try:
txt = util.pread2(cmd)
txt = 'success'
except:
logging.debug(" set firewall rule failed " )
txt = ''
return txt
@echo
def routerProxy(session, args):
sargs = args['args']
@ -1556,7 +1539,7 @@ if __name__ == "__main__":
"getgateway": getgateway, "preparemigration": preparemigration,
"setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,
"savePassword": savePassword,
"setFirewallRule": setFirewallRule, "routerProxy": routerProxy,
"routerProxy": routerProxy,
"setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile,
"network_rules":network_rules,
"can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules,