etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Revert "bug 10561: Allowing ICMP traffic through static NAT" 

This reverts commit 5e74e24bb359456967866cb2c6cc0f6f73570f97.

Conflicts:

	server/src/com/cloud/network/rules/RulesManagerImpl.java
This commit is contained in:
alena 2011-08-09 15:33:21 -07:00
parent d79fd2ca03
commit 56d5054e39
2 changed files with 4 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
patches/systemvm/debian/config/root/firewall.sh
View File

@ -126,22 +126,12 @@ one_to_one_fw_entry() {
# shortcircuit the process if error and it is an append operation
# continue if it is delete
if [ $proto == "icmp" ]
then
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
-j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
-m state \
--state NEW -j ACCEPT &>> $OUTFILE )
else
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
--destination-port $portRange -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
--destination-port $portRange -m state \
--state NEW -j ACCEPT &>> $OUTFILE )
fi
result=$?
logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"

2
server/src/com/cloud/network/rules/RulesManagerImpl.java
View File

@ -352,6 +352,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
ipAddress.setOneToOneNat(true);
ipAddress.setAssociatedWithVmId(vmId);
return _ipAddressDao.update(ipAddress.getId(), ipAddress);
}
@ -976,6 +977,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
s_logger.warn("Unable to revoke all static nat rules for ip " + ipAddress);
success = false;
}
if (success) {
ipAddress.setOneToOneNat(false);
ipAddress.setAssociatedWithVmId(null);