From 3cfc4cff80b5e6613bb503a9d2d44ee6f8236260 Mon Sep 17 00:00:00 2001
From: Wilder Rodrigues
Date: Fri, 25 Sep 2015 16:10:43 +0200
Subject: [PATCH] Fixing the dhcpsrvr iptables file
 - Instead of changing the router type in a local variable, lets have a dedicated file for the dhcpsrvr routers
 - The file is called iptables-dhcpsrvr, just like we have iptables-vpcrouter and iptables-router
---
 .../config/etc/iptables/iptables-dhcpsrvr | 58 +++++++++++++++++++
 .../config/opt/cloud/bin/cs/CsNetfilter.py | 2 -
 2 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
new file mode 100644
index 00000000000..b49b6b2f244
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index a72e53d5494..99c15018bba 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -177,8 +177,6 @@ class CsNetfilters(object):
         These standard firewall rules vary according to the device type
         """
         type = CsCmdLine("cmdline").get_type()
-        if type == 'dhcpsrvr':
-            type = 'router'
         try:
             table = ''
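Review bot: The new dhcpsrvr ruleset still lets guest traffic transit the VM even though the only services it opens are DHCP (67), DNS (53) and metadata (80) on eth0 and SSH (3922) on eth1: with `:FORWARD DROP` as the policy, `-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT` and `-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND` combined with the default `-A FW_EGRESS_RULES -j ACCEPT` forward any new eth0 flow, and since the CsNetfilter.py hunk stops aliasing dhcpsrvr to router this file presumably started as a copy of the router ruleset rather than one scoped to this role. Confirm whether a dhcpsrvr is meant to forward at all; if it is not, those FORWARD lines and the eth2 INPUT/FORWARD rules should go so the DROP policies actually apply. `-A INPUT -p icmp -j ACCEPT` is also not interface-scoped, unlike every other service rule in the chain, so it answers ICMP on whichever interface carries untrusted traffic; `-A INPUT -i eth0 -p icmp -j ACCEPT` (plus an eth1 rule if the control side needs it) would match the per-interface style. A header comment right after the license stating the intended exposure, e.g. `# dhcpsrvr role: DHCP(67)/DNS(53)/metadata(80) on eth0, SSH(3922) on eth1; no transit forwarding`, would keep later edits from silently widening it.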