diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 17e8a5cef00..0002b737cc7 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -1584,7 +1584,8 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 String[] statRules = rules[LoadBalancerConfigurator.STATS];
 String args = "vpc_loadbalancer.sh " + routerIp;
-
+ String ip = cmd.getNic().getIp();
+ args += " -i " + ip;
 StringBuilder sb = new StringBuilder();
 if (addRules.length > 0) {
 for (int i = 0; i < addRules.length; i++) {
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index 715c2e0424b..7b7935b76a0 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
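Review bot: `cmd.getNic()` is dereferenced without a null check at `String ip = cmd.getNic().getIp();`, so a command that arrives without a NIC escapes this handler as a NullPointerException rather than as a reported failure. The value is then spliced straight into the shell command line sent to the router (`args += " -i " + ip;`), so it should also be verified to be an IP literal before it is used; routerIp on the line above has the same shape, which the commit does not change. A minimal guard before the concatenation is `if (cmd.getNic() == null || cmd.getNic().getIp() == null) { /* report failure the way this method reports its other errors */ }`. The enclosing method starts and ends outside this hunk, so its return type and error convention are not visible here.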
@@ -31,17 +31,25 @@ usage() {
 }
-destroy_acl_outbound_chain() {
+destroy_acl_chain() {
 sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -D PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+
 }
-create_acl_outbound_chain() {
- destroy_acl_outbound_chain
+create_acl_chain() {
+ destroy_acl_chain
 sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
 sudo iptables -t mangle -A PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+ sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
 }
@@ -133,7 +141,7 @@ create_guest_network() {
 sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
 # set up hairpin
 sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
- create_acl_outbound_chain
+ create_acl_chain
 setup_usage
 setup_dnsmasq
 setup_apache2
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
index 18de1065992..ed854670300 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh
@@ -15,6 +15,7 @@
 # @VERSION@
 source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
 lock="biglock"
 locked=$(getLockFile $lock)
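Review bot: create_acl_chain discards stderr and the exit status of every iptables call, so if `-N ACL_INBOUND_$dev` or the `-A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev` jump fails, the guest subnet is left without the inbound default-deny this commit introduces while the function still returns success to create_guest_network. The existing outbound chain has the same shape, but the new inbound chain is the one under review. The two rules that matter should surface their failure, e.g. `sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev || { logger -t cloud "failed to attach ACL_INBOUND_$dev"; return 1; }`. Separately, the comment "this will be the last rule in the chain" only holds if every later rule is added with `-I` rather than `-A`; stating that in the comment would stop a future `-A` from landing after the DROP and never matching.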
@@ -90,7 +91,7 @@ fw_entry() {
 do
 local pubIp=$(echo $i | cut -d: -f1)
 local dport=$(echo $i | cut -d: -f2)
- sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
+ sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACL_INBOUND_$dev 2>/dev/null
 success=$?
 if [ $success -gt 0 ]
 then
@@ -135,18 +136,16 @@ restore_lb() {
 fi
 }
-mflag=
 iflag=
 aflag=
 dflag=
-fflag=
 sflag=
 while getopts 'i:a:d:s:' OPTION
 do
 case $OPTION in
 i) iflag=1
- domRIp="$OPTARG"
+ ip="$OPTARG"
 ;;
 a) aflag=1
 addedIps="$OPTARG"
@@ -163,6 +162,9 @@ do
 esac
 done
+
+dev=$(getEthByIp $ip)
+
 if [ "$addedIps" == "" ]
 then
 addedIps="none"
@@ -184,14 +186,12 @@ fi
 # iptables entry to ensure that haproxy receives traffic
 fw_entry $addedIps $removedIps $statsIp
-
-if [ $? -gt 0 ]
+result=$?
+if [ $result -gt 0 ]
 then
 logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
 # Restore the LB
 restore_lb
 fi
-unlock_exit 0 $lock $locked
-
-
+unlock_exit $result $lock $locked
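Review bot: The new `-j ACL_INBOUND_$dev` target relies on `$dev`, which the @@ -163 hunk sets at top level with `dev=$(getEthByIp $ip)` without checking that `-i` was supplied or that the lookup returned anything; with an empty `$dev` the target becomes `ACL_INBOUND_`, and the script only fails closed because iptables rejects the unknown chain. That failure is then reported as a generic firewall error and haproxy is reverted, which hides the actual cause. An explicit check right after the assignment would make it visible: `if [ -z "$ip" ] || [ -z "$dev" ]; then logger -t cloud "vpc_loadbalancer: no interface found for ip '$ip'"; unlock_exit 1 $lock $locked; fi`. fw_entry's body continues outside this hunk, and whether unlock_exit is safe to call at that point depends on where the lock is taken, which is also outside the hunk.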