diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 84cbab75d5f..201aa45ac74 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -126,12 +126,22 @@ one_to_one_fw_entry() {
 # shortcircuit the process if error and it is an append operation
 # continue if it is delete
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
+ if [ $proto == "icmp" ]
+ then
+ (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
+ -j DNAT \
+ --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+ -m state \
+ --state NEW -j ACCEPT &>> $OUTFILE )
+ else
+ (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
 --destination-port $portRange -j DNAT \
 --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+ (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
 --destination-port $portRange -m state \
 --state NEW -j ACCEPT &>> $OUTFILE )
+ fi
 result=$?
 logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index b7fed50a783..698894298fa 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
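Review bot: `$proto` is compared unquoted in the new `if [ $proto == "icmp" ]`, so an empty or missing protocol argument becomes `[ == icmp ]`, which `test` rejects with an error and the script then falls through to the port-based branch with `--proto` and `--destination-port` effectively unset; write it as `if [ "$proto" == "icmp" ]`, matching the quoted `"$op"` comparison two lines below. The icmp branch installs the DNAT and FORWARD rules with no `--icmp-type`, so every ICMP type addressed to the public IP is forwarded to the instance; that is presumably intended so the public IP answers ping, but it deserves a comment such as `# icmp has no ports: forward all ICMP types so the public IP answers ping`. The `-`/`+` pair on the FORWARD line of the else branch is only a re-indent, so no behavior changes there. `one_to_one_fw_entry` starts and ends outside the hunk.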
@@ -424,8 +424,28 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
 ipAddress.setOneToOneNat(true);
 ipAddress.setAssociatedWithVmId(vmId);
- return _ipAddressDao.update(ipAddress.getId(), ipAddress);
+ if ( _ipAddressDao.update(ipAddress.getId(), ipAddress))
+ {
+ List staticNatRules = new ArrayList();
+
+ FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
+ networkId,vm.getAccountId(), vm.getDomainId(), Purpose.StaticNat);
+ staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
+
+ try {
+ if (!applyRules(staticNatRules, true)) {
+ return false;
+ }
+
+ } catch (ResourceUnavailableException ex) {
+ s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
+ return false;
+ }
+ return true;
+
+ }
+ return false;
 }
 @DB
@@ -1101,7 +1121,29 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
 s_logger.warn("Unable to revoke all static nat rules for ip " + ipAddress);
 success = false;
 }
+ if (success)
+ {
+ long vmId = ipAddress.getAssociatedWithVmId();
+ Nic guestNic = _networkMgr.getNicInNetwork(vmId, ipAddress.getAssociatedWithNetworkId());
+ if (guestNic == null) {
+ throw new InvalidParameterValueException("Vm doesn't belong to the network " + ipAddress.getAssociatedWithNetworkId());
+ }
+ List staticNatRules = new ArrayList();
+ FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
+ ipAddress.getAssociatedWithNetworkId(),ipAddress.getAccountId(), ipAddress.getDomainId(), Purpose.StaticNat);
+ ruleVO.setState(State.Revoke);
+ staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
+
+ try {
+ if (!applyRules(staticNatRules, true)) {
+ return false;
+ }
+ } catch (ResourceUnavailableException ex) {
+ s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
+ return false;
+ }
+ }
 if (success) {
 ipAddress.setOneToOneNat(false);
 ipAddress.setAssociatedWithVmId(null);
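Review bot: The `_ipAddressDao.update` that records `setOneToOneNat(true)` / `setAssociatedWithVmId(vmId)` is committed before the icmp rule is pushed, and both failure paths inside the new `if` (`applyRules` returning false, and the `ResourceUnavailableException` catch) return false without undoing it, so the IP stays marked as static-NAT-enabled while the router has no rule; unless the enclosing method runs in a transaction that is rolled back on a false return, which is not visible here, the failure path should revert the two fields and update again. The `FirewallRuleVO` built here is never persisted, so anything that re-applies rules from the database will not know about the icmp rule — worth a comment stating that it is intentionally transient if so. `List staticNatRules = new ArrayList()` is a raw type; declare the element type. The enclosing method starts outside the hunk (`networkId`, `vm` and `guestNic` come from above).
```java
        if (!_ipAddressDao.update(ipAddress.getId(), ipAddress)) {
            return false;
        }
        // … unchanged: build the "icmp" FirewallRuleVO / StaticNatRuleImpl into staticNatRules …
        boolean applied = false;
        try {
            applied = applyRules(staticNatRules, true);
        } catch (ResourceUnavailableException ex) {
            s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
        }
        if (!applied) {
            // roll the association back so the DB does not advertise a static NAT the router never got
            ipAddress.setOneToOneNat(false);
            ipAddress.setAssociatedWithVmId(null);
            _ipAddressDao.update(ipAddress.getId(), ipAddress);
        }
        return applied;
```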
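Review bot: `long vmId = ipAddress.getAssociatedWithVmId();` in the second hunk (line 1121 onward) auto-unboxes, and the same hunk later calls `ipAddress.setAssociatedWithVmId(null)`, so the getter returns a nullable `Long` and this line throws `NullPointerException` for an IP that has no associated VM; change it to `Long vmId = ipAddress.getAssociatedWithVmId();` and guard the block with `if (success && vmId != null)` so the revoke path simply skips the icmp rule when there is nothing to revoke. Throwing `InvalidParameterValueException` from inside this block happens after the other static NAT rules have already been revoked, which leaves the IP partially torn down; logging and returning false, as the other failure paths do, would be more consistent. The rule-building lines duplicate the enable path at line 424 apart from `setState(State.Revoke)`, so a private helper that builds the icmp `StaticNatRuleImpl` for a given ip, network, account, domain and guest address would remove the copy, and `List staticNatRules = new ArrayList()` should carry an element type in both places.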