diff --git a/agent/bindir/cloudstack-agent-upgrade.in b/agent/bindir/cloudstack-agent-upgrade.in index 4972d3901fe..72b0fae5853 100644 --- a/agent/bindir/cloudstack-agent-upgrade.in +++ b/agent/bindir/cloudstack-agent-upgrade.in @@ -17,6 +17,8 @@ # under the License. from cloudutils.networkConfig import networkConfig from cloudutils.utilities import bash +import logging +import re def isOldStyleBridge(brName): if brName.find("cloudVirBr") == 0: return True @@ -33,6 +35,17 @@ def upgradeBridgeName(brName, enslavedDev): bash("ip link set %s down"%brName) bash("ip link set %s name %s"%(brName, newBrName)) bash("ip link set %s up" %newBrName) + cmd = "iptables-save | grep FORWARD | grep -w " + brName + rules = bash(cmd).stdout.split('\n') + rules.pop() + for rule in rules: + try: + delrule = re.sub("-A", "-D", rule) + newrule = re.sub(" " + brName + " ", " " + newBrName + " ", rule) + bash("iptables " + delrule) + bash("iptables " + newrule) + except: + logging.exception("Ignoring failure to update rules for rule " + rule + " on bridge " + brName) if __name__ == '__main__': netlib = networkConfig() bridges = netlib.listNetworks() diff --git a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java index 91f52275b61..9ebf92672ea 100644 --- a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java +++ b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/BridgeVifDriver.java @@ -45,7 +45,6 @@ public class BridgeVifDriver extends VifDriverBase { private static final Object _vnetBridgeMonitor = new Object(); private String _modifyVlanPath; - private String bridgeNameSchema; @Override public void configure(Map params) throws ConfigurationException { 
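Review bot: In upgradeBridgeName's new rule-migration loop, `re.sub("-A", "-D", rule)` replaces every `-A` in the saved rule rather than only the leading action, and `brName` is spliced into the second pattern unescaped, so a bridge name containing a regex metacharacter would not be matched literally. Anchor the first and escape the second: `delrule = re.sub(r"^-A", "-D", rule)` and `newrule = re.sub(" " + re.escape(brName) + " ", " " + newBrName + " ", rule)`. The bare `except:` also catches KeyboardInterrupt and SystemExit; since the failure is only logged and skipped, `except Exception:` is the right scope. `cmd` is a shell pipeline with brName concatenated unquoted — it appears to come from the host's own bridge list (outside this hunk), so the exposure is limited to malformed names, but quoting it would make that explicit. The function's header and `newBrName` are defined above the hunk.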
@@ -60,8 +59,6 @@ public class BridgeVifDriver extends VifDriverBase { networkScriptsDir = "scripts/vm/network/vnet"; } - bridgeNameSchema = (String) params.get("network.bridge.name.schema"); - String value = (String) params.get("scripts.timeout"); _timeout = NumbersUtil.parseInt(value, 30 * 60) * 1000; @@ -145,18 +142,7 @@ public class BridgeVifDriver extends VifDriverBase { } private String setVnetBrName(String pifName, String vnetId) { - String brName = null; - if (bridgeNameSchema != null) { - if (bridgeNameSchema.equalsIgnoreCase("3.0")) { - brName = "cloudVirBr" + vnetId; - } else if (bridgeNameSchema.equalsIgnoreCase("4.0")) { - brName = "br" + pifName + "-"+ vnetId; - } - } else { - brName = "br" + pifName + "-"+ vnetId; - } - - return brName; + return "br" + pifName + "-"+ vnetId; } private String createVlanBr(String vlanId, String nic) diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py index 0e0fafb5c9e..a7c64b0984e 100755 --- a/scripts/vm/network/security_group.py +++ b/scripts/vm/network/security_group.py @@ -322,8 +322,8 @@ def default_network_rules_systemvm(vm_name, localbrname): for bridge in bridges: if bridge != localbrname: if not addFWFramework(bridge): - return False - brfw = "BF-" + bridge + return False + brfw = getBrfw(bridge) vifs = getVifsForBridge(vm_name, bridge) for vif in vifs: try: @@ -429,7 +429,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips): return False vmName = vm_name - brfw = "BF-" + brname + brfw = getBrfw(brname) domID = getvmId(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vmName) vmchain = vm_name 
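Review bot: setVnetBrName no longer consults `network.bridge.name.schema`, but nothing in this change documents that the `cloudVirBr<vnet>` name is no longer produced or that an agent.properties entry for that key is now silently ignored. A short Javadoc on the method would save the next reader a trip through history, e.g. `/** Bridge name for a VLAN on pifName; always br<pif>-<vnet> — legacy cloudVirBr bridges are renamed by cloudstack-agent-upgrade. */`. The `"-"+ vnetId` spacing in the returned expression is also inconsistent with the surrounding code; `"-" + vnetId` reads better.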
@@ -619,7 +619,7 @@ def network_rules_for_rebooted_vm(vmName): if brName is None or brName is "": brName = "cloudbr0" else: - brName = re.sub("^BF-", "", brName) + brName = execute("iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' |awk '{print $4}' | head -1").strip() if 1 in [ vm_name.startswith(c) for c in ['r-', 's-', 'v-'] ]: @@ -632,8 +632,8 @@ def network_rules_for_rebooted_vm(vmName): vifs = getVifs(vmName) logging.debug(vifs, brName) for v in vifs: - execute("iptables -A " + "BF-" + brName + "-IN " + " -m physdev --physdev-is-bridged --physdev-in " + v + " -j "+ vmchain_default) - execute("iptables -A " + "BF-" + brName + "-OUT " + " -m physdev --physdev-is-bridged --physdev-out " + v + " -j "+ vmchain_default) + execute("iptables -A " + getBrfw(brName) + "-IN " + " -m physdev --physdev-is-bridged --physdev-in " + v + " -j "+ vmchain_default) + execute("iptables -A " + getBrfw(brName) + "-OUT " + " -m physdev --physdev-is-bridged --physdev-out " + v + " -j "+ vmchain_default) #change antispoof rule in vmchain try: @@ -939,6 +939,13 @@ def getvmId(vmName): return dom.ID() +def getBrfw(brname): + cmd = "iptables-save |grep physdev-is-bridged |grep FORWARD |grep BF |grep '\-o' | grep -w " + brname + "|awk '{print $9}' | head -1" + brfwname = bash("-c", cmd).stdout.strip() + if brfwname == "": + brfwname = "BF-" + brname + return brfwname + def addFWFramework(brname): try: cfo = configFileOps("/etc/sysctl.conf") @@ -952,7 +959,7 @@ def addFWFramework(brname): logging.debug("failed to turn on bridge netfilter") return False - brfw = "BF-" + brname + brfw = getBrfw(brname) try: execute("iptables -L " + brfw) except:
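Review bot: The new `brName = execute("iptables-save ... | head -1").strip()` in network_rules_for_rebooted_vm discards the previously computed brName and takes the first `-o` bridge found in the FORWARD chain regardless of which bridge the VM is on, so on a host with more than one bridge the rebooted VM's rules can be re-attached to an unrelated bridge. If the pipeline matches nothing, brName becomes "" and the `"cloudbr0"` fallback of the other branch is not applied; add `if not brName: brName = "cloudbr0"` after it. `'\-o'` is a non-raw Python string with an invalid escape sequence (a warning on Python 3.6+); write it `r'\-o'` — the same literal appears in getBrfw in the @@ -939 hunk. The `awk '{print $4}'` field index presumes a fixed iptables-save token order, so a comment stating the rule layout it expects would help. The enclosing function continues below the hunk.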
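Review bot: `getBrfw(brName)` is now called twice per vif inside the loop in network_rules_for_rebooted_vm, and each call runs an iptables-save pipeline; hoist it once before the loop, `brfw = getBrfw(brName)`, and use `brfw + "-IN "` and `brfw + "-OUT "` in the two execute() lines. The loop body is otherwise unchanged.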
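Review bot: getBrfw runs its lookup through `bash("-c", cmd)` while every other call site visible in this file goes through `execute(...)`; using `execute(cmd).strip()` keeps the command logged like the rest and avoids depending on bash()'s exact signature, which is not visible here (if it takes a single command string, `"-c"` would be bound to the wrong parameter). brname is concatenated into the pipeline unquoted, and the `awk '{print $9}'` field index presumes a fixed iptables-save token order, so a docstring stating the expected rule layout and the `BF-<bridge>` fallback when nothing matches would be worth adding.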