diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index 20cc0ccdc4b..c66b9cbd811 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -102,7 +102,6 @@ import java.util.Map;
 public class VirtualRoutingResource implements Manager {
 private static final Logger s_logger = Logger.getLogger(VirtualRoutingResource.class);
 private String _publicIpAddress;
- private String _firewallPath;
 private String _loadbPath;
 private String _publicEthIf;
 private String _privateEthIf;
@@ -232,18 +231,16 @@ public class VirtualRoutingResource implements Manager {
 FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
 String[][] rules = cmd.generateFwRules();
- final Script command = new Script(_firewallPath, _timeout, s_logger);
- command.add(routerIp);
- command.add("-F");
+ String args = " -F";
 if (trafficType == FirewallRule.TrafficType.Egress) {
- command.add("-E");
+ args += "-E";
 if (egressDefault.equals("true")) {
- command.add("-P ", "1");
+ args += " -P 1";
 } else if (egressDefault.equals("System")) {
- command.add("-P ", "2");
+ args += " -P 2";
 } else {
- command.add("-P ", "0");
+ args += " -P 0";
 }
 }
@@ -253,10 +250,17 @@ public class VirtualRoutingResource implements Manager {
 for (int i = 0; i < fwRules.length; i++) {
 sb.append(fwRules[i]).append(',');
 }
- command.add("-a", sb.toString());
+ args += " -a " + sb.toString();
+ }
+
+ String result = null;
+
+ if (trafficType == FirewallRule.TrafficType.Egress) {
+ result = routerProxy("firewall_egress.sh", routerIp, args);
+ } else {
+ result = routerProxy("firewall_ingress.sh", routerIp, args);
 }
- String result = command.execute();
 if (result != null) {
 return new SetFirewallRulesAnswer(cmd, false, results);
 }
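Review bot: In the egress branch the new code appends `"-E"` with no leading space, so `args` becomes ` -F-E` rather than ` -F -E`; the removed `command.add("-E")` passed it as its own argument, and the equivalent CitrixResourceBase hunk at @@ -7606 writes `args += " -E";`. As written the egress script presumably receives a single `-F-E` token, which a getopts-style parser would not read as `-F` followed by `-E`. Change the line to `args += " -E";`. The enclosing method starts before this hunk.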
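Review bot: The success test after the new `routerProxy` calls still follows the old `Script.execute()` convention, where `if (result != null)` means failure, but every other site converted in this commit — the port-forwarding hunk at @@ -270 and the static-NAT hunk at @@ -325 — treats `result == null || result.isEmpty()` as the failure case. If `routerProxy` in this class returns a non-empty string on success, as those hunks assume, a successful firewall update is reported here as `SetFirewallRulesAnswer(cmd, false, results)`. Suggest `if (result == null || result.isEmpty()) {`. The traffic-type to script-name mapping (`firewall_egress.sh` / `firewall_ingress.sh`) is now spelled out in this hunk, in CitrixResourceBase @@ -7627 and in VmwareResource @@ -905; one helper keyed on `FirewallRule.TrafficType` would keep the three from drifting. The enclosing method continues outside the hunk.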
@@ -270,22 +274,21 @@ public class VirtualRoutingResource implements Manager {
 int i = 0;
 boolean endResult = true;
 for (PortForwardingRuleTO rule : cmd.getRules()) {
- String result = null;
- final Script command = new Script(_firewallPath, _timeout, s_logger);
+ StringBuilder args = new StringBuilder();
+ args.append(rule.revoked() ? " -D " : " -A ");
+ args.append(" -P ").append(rule.getProtocol().toLowerCase());
+ args.append(" -l ").append(rule.getSrcIp());
+ args.append(" -p ").append(rule.getStringSrcPortRange());
+ args.append(" -r ").append(rule.getDstIp());
+ args.append(" -d ").append(rule.getStringDstPortRange());
- command.add(routerIp);
- command.add(rule.revoked() ? "-D" : "-A");
- command.add("-P ", rule.getProtocol().toLowerCase());
- command.add("-l ", rule.getSrcIp());
- command.add("-p ", rule.getStringSrcPortRange());
- command.add("-r ", rule.getDstIp());
- command.add("-d ", rule.getStringDstPortRange());
- result = command.execute();
- if (result == null) {
- results[i++] = null;
- } else {
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+ if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
 endResult = false;
+ } else {
+ results[i++] = null;
 }
 }
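Review bot: The rule fields (`getSrcIp()`, `getStringSrcPortRange()`, `getDstIp()`, `getStringDstPortRange()`, `getProtocol()`) are now concatenated into one `args` string handed to `routerProxy`, whereas the removed `command.add(...)` calls passed each value to `Script` as a separate argv element. How `routerProxy` treats that string (split on whitespace, or passed to a shell) is not visible here, so it is worth confirming that these values are validated against IP and port syntax before they reach this point, or that `routerProxy` quotes them; the static-NAT hunk at @@ -325 has the same shape. Minor: `" -D "` followed by `" -P "` produces double spaces, likely harmless but tidier as `" -D"` / `" -A"`. The enclosing method starts before and ends after this hunk.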
@@ -325,28 +328,26 @@ public class VirtualRoutingResource implements Manager {
 int i = 0;
 boolean endResult = true;
 for (StaticNatRuleTO rule : cmd.getRules()) {
- String result = null;
- final Script command = new Script(_firewallPath, _timeout, s_logger);
- command.add(routerIp);
- command.add(rule.revoked() ? "-D" : "-A");
- //1:1 NAT needs instanceip;publicip;domrip;op
- command.add(" -l ", rule.getSrcIp());
- command.add(" -r ", rule.getDstIp());
+ StringBuilder args = new StringBuilder();
+ args.append(rule.revoked() ? " -D " : " -A ");
+ args.append(" -l ").append(rule.getSrcIp());
+ args.append(" -r ").append(rule.getDstIp());
 if (rule.getProtocol() != null) {
- command.add(" -P ", rule.getProtocol().toLowerCase());
+ args.append(" -P ").append(rule.getProtocol().toLowerCase());
 }
- command.add(" -d ", rule.getStringSrcPortRange());
- command.add(" -G ");
+ args.append(" -d ").append(rule.getStringSrcPortRange());
+ args.append(" -G ");
- result = command.execute();
- if (result == null) {
- results[i++] = null;
- } else {
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+ if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
 endResult = false;
+ } else {
+ results[i++] = null;
 }
 }
@@ -1105,11 +1106,6 @@ public class VirtualRoutingResource implements Manager {
 s_logger.warn("Incoming public ip address is overriden. Will always be using the same ip address: " + _publicIpAddress);
 }
- _firewallPath = findScript("call_firewall.sh");
- if (_firewallPath == null) {
- throw new ConfigurationException("Unable to find the call_firewall.sh");
- }
-
 _loadbPath = findScript("call_loadbalancer.sh");
 if (_loadbPath == null) {
 throw new ConfigurationException("Unable to find the call_loadbalancer.sh");
diff --git a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
index 817fdec2a2f..1a0b97bf687 100755
--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -847,10 +847,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
 try {
 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
- Pair result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+ Pair result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 if (s_logger.isDebugEnabled())
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 if (!result.first()) {
 s_logger.error("SetPortForwardingRulesCommand failure on setting one rule. args: " + args);
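Review bot: The script path `/opt/cloud/bin/firewall_nat.sh` is spelled out twice in this hunk (the `sshExecute` argument and the debug message) and again in the @@ -1012 hunk, so the log can silently disagree with what is actually executed the next time the path moves — which is exactly the edit this commit makes. Suggest one class constant, e.g. `private static final String FIREWALL_NAT_SCRIPT = "/opt/cloud/bin/firewall_nat.sh";`, used for both the command string and the log line. The enclosing try block starts before this hunk and continues past it.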
@@ -905,16 +905,16 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
 Pair result = null;
 if (trafficType == FirewallRule.TrafficType.Egress) {
- result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewallRule_egress.sh " + args);
+ result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_egress.sh " + args);
 } else {
- result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall_rule.sh " + args);
+ result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_ingress.sh " + args);
 }
 if (s_logger.isDebugEnabled()) {
 if (trafficType == FirewallRule.TrafficType.Egress) {
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewallRule_egress.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_egress.sh " + args);
 } else {
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall_rule.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_ingress.sh " + args);
 }
 }
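Review bot: The egress/ingress decision is made twice — once to pick the `sshExecute` command and again inside the debug block — and the two branches differ only in the script path, so the four path literals have to be kept in sync by hand. Selecting the path once, `String script = trafficType == FirewallRule.TrafficType.Egress ? "/opt/cloud/bin/firewall_egress.sh" : "/opt/cloud/bin/firewall_ingress.sh";`, then a single `result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, script + " " + args);` and one `s_logger.debug("Executing script on domain router " + controlIp + ": " + script + " " + args);` removes the duplication and guarantees the log names the command that ran. The enclosing method starts before and continues after this hunk.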
@@ -1012,10 +1012,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
 try {
 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
 String controlIp = getRouterSshControlIp(cmd);
- Pair result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+ Pair result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 if (s_logger.isDebugEnabled())
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 if (!result.first()) {
 s_logger.error("SetStaticNatRulesCommand failure on setting one rule. args: " + args);
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index ddb7912d2b4..e7e4ee3f849 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -2047,7 +2047,6 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 boolean endResult = true;
 for (PortForwardingRuleTO rule : cmd.getRules()) {
 StringBuilder args = new StringBuilder();
- args.append(routerIp);
 args.append(rule.revoked() ? " -D " : " -A ");
 args.append(" -P ").append(rule.getProtocol().toLowerCase());
 args.append(" -l ").append(rule.getSrcIp());
@@ -2055,7 +2054,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 args.append(" -r ").append(rule.getDstIp());
 args.append(" -d ").append(rule.getStringDstPortRange());
- String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
@@ -2096,14 +2095,12 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 Connection conn = getConnection();
 String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
- //String args = routerIp;
 String[] results = new String[cmd.getRules().length];
 int i = 0;
 boolean endResult = true;
 for (StaticNatRuleTO rule : cmd.getRules()) {
 //1:1 NAT needs instanceip;publicip;domrip;op
 StringBuilder args = new StringBuilder();
- args.append(routerIp);
 args.append(rule.revoked() ? " -D " : " -A ");
 args.append(" -l ").append(rule.getSrcIp());
 args.append(" -r ").append(rule.getDstIp());
@@ -2115,7 +2112,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 args.append(" -d ").append(rule.getStringSrcPortRange());
 args.append(" -G ");
- String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
@@ -7606,8 +7603,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 }
 String[][] rules = cmd.generateFwRules();
- String args = "";
- args += routerIp + " -F";
+ String args = " -F";
 if (trafficType == FirewallRule.TrafficType.Egress) {
 args += " -E";
 if (egressDefault.equals("true")) {
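Review bot: `callHostPlugin(conn, ...)` is replaced by `routerProxy("firewall_nat.sh", routerIp, args.toString())`, which takes no `Connection`, yet the @@ -2096 hunk still shows `Connection conn = getConnection();` at the top of the static-NAT handler and the port-forwarding handler presumably has the same line above this hunk. If nothing else in those methods reads `conn` after this change (the @@ -2115 hunk makes the same replacement), the `getConnection()` call is dead and should be dropped; if `routerProxy` obtains its own connection internally, a one-line comment at the declaration saying so would stop the next reader from asking. Both enclosing methods start before their hunks and end after them.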
@@ -7627,7 +7623,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 args += " -a " + sb.toString();
 }
- callResult = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args);
+ if (trafficType == FirewallRule.TrafficType.Egress) {
+ callResult = routerProxy("firewall_egress.sh", routerIp, args);
+ } else {
+ callResult = routerProxy("firewall_ingress.sh", routerIp, args);
+ }
 if (callResult == null || callResult.isEmpty()) {
 //FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails
diff --git a/scripts/network/domr/call_firewall.sh b/scripts/network/domr/call_firewall.sh
deleted file mode 100755
index f6ad0be1316..00000000000
--- a/scripts/network/domr/call_firewall.sh
+++ /dev/null
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. - - -# $Id: call_firewall.sh 9132 2010-06-04 20:17:43Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/branches/2.0.0/java/scripts/vm/hypervisor/xenserver/patch/call_firewall.sh $ -# firewall.sh -- allow some ports / protocols to vm instances -usage() { - printf "Usage for Firewall rule : %s: -F " $(basename $0) >&2 - printf "Usage for other purposes : %s: (-A|-D) -i -r -P protocol (-p port_range | -t icmp_type_code) -l -d [-f -u -y -z ] \n" $(basename $0) >&2 -} - -#set -x - -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -cert="/root/.ssh/id_rsa.cloud" -domRIp=$1 -shift - -check_gw "$domRIp" -if [ $? -gt 0 ] -then - exit 1 -fi -fflag= -eflag= -while getopts ':FE' OPTION -do - case $OPTION in - F) fflag=1 - ;; - E) eflag=1 - ;; - \?) 
;; - esac -done - -if [ -n "$eflag" ] -then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewallRule_egress.sh $*" -elif [ -n "$fflag" ] -then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall_rule.sh $*" -else - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*" -fi -exit $? diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops index 53a00027be6..82d4a9f84c7 100755 --- a/scripts/vm/hypervisor/xenserver/vmops +++ b/scripts/vm/hypervisor/xenserver/vmops @@ -222,23 +222,6 @@ def setLinkLocalIP(session, args): txt = 'success' return txt - - -@echo -def setFirewallRule(session, args): - sargs = args['args'] - cmd = sargs.split(' ') - cmd.insert(0, "/opt/cloud/bin/call_firewall.sh") - cmd.insert(0, "/bin/bash") - try: - txt = util.pread2(cmd) - txt = 'success' - except: - logging.debug(" set firewall rule failed " ) - txt = '' - - return txt - @echo def routerProxy(session, args): sargs = args['args'] @@ -1556,7 +1539,7 @@ if __name__ == "__main__": "getgateway": getgateway, "preparemigration": preparemigration, "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver, "savePassword": savePassword, - "setFirewallRule": setFirewallRule, "routerProxy": routerProxy, + "routerProxy": routerProxy, "setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile, "network_rules":network_rules, "can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules, diff --git a/systemvm/patches/debian/config/root/firewallRule_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh similarity index 100% rename from systemvm/patches/debian/config/root/firewallRule_egress.sh rename to systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh 
diff --git a/systemvm/patches/debian/config/root/firewall_rule.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
similarity index 100%
rename from systemvm/patches/debian/config/root/firewall_rule.sh
rename to systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
diff --git a/systemvm/patches/debian/config/root/firewall.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
similarity index 100%
rename from systemvm/patches/debian/config/root/firewall.sh
rename to systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh