bug 8209,8370,8459: cleanup scripting

2011-02-08 00:05:33 -08:00 · 2011-02-08 00:05:33 -08:00 · 57a1160324
parent 36141ee48c
commit 57a1160324
11 changed files with 202 additions and 1776 deletions
--- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
+++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java
@ -20,6 +20,7 @@ package com.cloud.agent.api.to;
 import com.cloud.network.IpAddress;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.FirewallRule.State;
+import com.cloud.utils.net.NetUtils;

 /**
 * FirewallRuleTO transfers a port range for an ip to be opened.
@ -82,6 +83,10 @@ public class FirewallRuleTO {
    public int[] getSrcPortRange() {
        return srcPortRange;
    }
+    
+    public String getStringSrcPortRange() {
+        return NetUtils.portRangeToString(srcPortRange);
+    }

    public boolean revoked() {
        return revoked;
--- a/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java
+++ b/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java
@ -18,6 +18,7 @@
 package com.cloud.agent.api.to;

 import com.cloud.network.rules.PortForwardingRule;
+import com.cloud.utils.net.NetUtils;

 /**
 * PortForwardingRuleTO specifies one port forwarding rule.
@ -52,4 +53,8 @@ public class PortForwardingRuleTO extends FirewallRuleTO {
    public int[] getDstPortRange() {
        return dstPortRange;
    }
+
+    public String getStringDstPortRange() {
+        return NetUtils.portRangeToString(dstPortRange);
+    }
 }
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@ -1129,31 +1129,31 @@ public abstract class CitrixResourceBase implements ServerResource {

    protected SetPortForwardingRulesAnswer execute(SetPortForwardingRulesCommand cmd) {
        Connection conn = getConnection();
-        String args;
+        
        String routerName = cmd.getAccessDetail(NetworkElementCommand.ROUTER_NAME);
        String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
+        String args = routerIp;
        String[] results = new String[cmd.getRules().length];
        int i = 0;
        for (PortForwardingRuleTO rule : cmd.getRules()) {
            if (rule.isOneToOneNat()){
            	//1:1 NAT needs instanceip;publicip;domrip;op
-            	args = rule.revoked() ? "-D" : "-A";
+            	args += rule.revoked() ? " -D " : " -A ";
            	
    	        args += " -l " + rule.getSrcIp();
-    	        args += " -i " + routerIp;
    	        args += " -r " + rule.getDstIp();
-    	        args += " -G " + rule.getProtocol();
+    	        args += " -P " + rule.getProtocol().toLowerCase();
+                args += " -d " + rule.getStringDstPortRange();
+                args += " -G " ;
+
            } else {
-                args = rule.revoked() ? "-D" : "-A";
+                args += rule.revoked() ? " -D " : " -A ";
    
    	        args += " -P " + rule.getProtocol().toLowerCase();
    	        args += " -l " + rule.getSrcIp();
-    	        args += " -p " + rule.getSrcPortRange()[0];
-    	        args += " -n " + routerName;
-    	        args += " -i " + routerIp;
+    	        args += " -p " + rule.getStringSrcPortRange();
    	        args += " -r " + rule.getDstIp();
-    	        args += " -d " + rule.getDstPortRange()[0];
-    	        args += " -N " + rule.getVlanNetmask();
+    	        args += " -d " + rule.getStringDstPortRange();
    	
 //    	        String oldPrivateIP = rule.getOldPrivateIP();
 //    	        String oldPrivatePort = rule.getOldPrivatePort();
@ -1389,12 +1389,12 @@ public abstract class CitrixResourceBase implements ServerResource {
                throw new InternalErrorException("Failed to find DomR VIF to associate/disassociate IP with.");
            }

-            String args = null;
+            String args = privateIpAddress;
            
            if (add) {
-                args = "-A";
+                args += " -A ";
            } else {
-                args = "-D";
+                args += " -D ";
            }
            String cidrSize = Long.toString(NetUtils.getCidrSize(vlanNetmask));
            if (sourceNat) {
@ -1409,12 +1409,10 @@ public abstract class CitrixResourceBase implements ServerResource {
              	args += " -l ";
                args += publicIpAddress;
            }
-            args += " -i ";
-            args += privateIpAddress;
+            
            args += " -c ";
            args += "eth" + correctVif.getDevice(conn);
-            args += " -g ";
-            args += vlanGateway;
+            

            String result = callHostPlugin(conn, "vmops", "ipassoc", "args", args);
            if (result == null || result.isEmpty()) {
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@ -6,151 +6,130 @@
 # @VERSION@

 usage() {
-  printf "Usage: %s: (-A|-D) -i <domR eth1 ip>  -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
+  printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> [-G]   \n" $(basename $0) >&2
 }

-# set -x
+set -x

-get_dom0_ip () {
- eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')"
- return 0
+get_dev_list() {
+  ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
+  ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+}
+
+ip_to_dev() {
+  local ip=$1
+
+  for dev in $DEV_LIST; do
+    ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
+    [ $? -eq 0 ] && echo $dev && return 0
+  done
+  return 1
 }


-#Add the tcp firewall entries into iptables in the routing domain
-tcp_entry() {
+#Port (address translation) forwarding for tcp or udp
+tcp_or_udp_entry() {
  local instIp=$1
-  local dport=$2
-  local pubIp=$3
+  local dport=$(echo $2 | sed 's/:/-/')
+  local publicIp=$3
  local port=$4
  local op=$5
-  
-  for vif in $VIF_LIST; do 
-    iptables -t nat $op PREROUTING --proto tcp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-  done;
-    	
-  iptables -t nat $op OUTPUT  --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-  iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null;
-  iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null;
+  local proto=$6
+  logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp 
+  instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport $publicIp $port "-D" $proto 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t nat $op OUTPUT  --proto $proto -d $publicIp  \
+           --destination-port $port -j DNAT  \
+           --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp -m state \
+           --state ESTABLISHED,RELATED -j ACCEPT &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp  \
+           --destination-port $dport -m state --state NEW  -j ACCEPT &>>  $OUTFILE)
  	
  return $?
 }

-#Add the udp firewall entries into iptables in the routing domain
-udp_entry() {
-  local instIp=$1
-  local dport=$2
-  local pubIp=$3
-  local port=$4
-  local op=$5
-  
-  for vif in $VIF_LIST; do 
-    iptables -t nat $op PREROUTING --proto udp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-  done;
-   	
-  iptables -t nat $op OUTPUT  --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-  iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport  -j ACCEPT > /dev/null;
-  		
-  return $?
-}

-#Add the icmp firewall entries into iptables in the routing domain
+#Forward icmp
 icmp_entry() {
  local instIp=$1
  local icmptype=$2
-  local pubIp=$3
+  local publicIp=$3
  local op=$4
  
-  for vif in $VIF_LIST; do 
-    iptables -t nat $op PREROUTING --proto icmp -i $vif -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null;
-  done;
+  logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp \
+  instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+  local dev=$(ip_to_dev $publicIp)
+  sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
   	
-  iptables -t nat $op OUTPUT  --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null;
-  iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT > /dev/null;
+  sudo iptables -t nat $op OUTPUT  --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>>  $OUTFILE
+  sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT &>>  $OUTFILE
  	
  return $?
 }

-#Add 1:1 NAT entry
-add_one_to_one_nat_entry() {
-  local guestIp=$1
-  local publicIp=$2  
-  local dIp=$3
-  local op=$4 
-  if [ "$op" == "-D" ]
-  then
-  	iptables -t nat $op PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
-  	if [ $? -gt 0 ]
-  	then
-  	  return 0
-  	fi
-  else
-  	iptables -t nat $op PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
-  fi
-  iptables -t nat $op POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp
-  if [ "$op" == "-A" ]
-  then
-    iptables -P FORWARD DROP
-  fi
-  iptables $op FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-  iptables $op FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT
-  iptables $op FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT
-  
+
+
+one_to_one_fw_entry() {
+  local publicIp=$1
+  local instIp=$2  
+  local proto=$3
+  local portRange=$4 
+  local op=$5
+  logger -t cloud "$(basename $0): firewall entry for static nat: public ip=$publicIp \
+  instance ip=$instIp proto=$proto portRange=$portRange op=$op"
+
+  #if adding, this might be a duplicate, so delete the old one first
+  [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D" 
+  # the delete operation may have errored out but the only possible reason is 
+  # that the rules didn't exist in the first place
+
+  local dev=$(ip_to_dev $publicIp)
+  [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+
+  # shortcircuit the process if error and it is an append operation
+  # continue if it is delete
+  (sudo iptables -t nat $op  PREROUTING -i $dev -d $publicIp --proto $proto \
+           --destination-port $portRange -j DNAT \
+           --to-destination $instIp &>>  $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+           --destination-port $portRange -m state \
+           --state NEW -j ACCEPT &>>  $OUTFILE )
+
  return $?
 }

-get_vif_list() {
-  local vif_list=""
-  for i in /sys/class/net/eth*; do 
-    vif=$(basename $i);
-    if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
-    then
-      vif_list="$vif_list $vif";
-    fi
-  done
-  
-  echo $vif_list
-}

-reverse_op() {
-	local op=$1
-	
-	if [ "$op" == "-A" ]
-	then
-		echo "-D"
-	else
-		echo "-A"
-	fi
-}

 rflag=
-iflag=
 Pflag=
 pflag=
 tflag=
 lflag=
 dflag=
-oflag=
-wflag=
-xflag=
-nflag=
-Nflag=
 Gflag=
 op=""
-oldPrivateIP=""
-oldPrivatePort=""

-while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:G:' OPTION
+while getopts 'ADr:P:p:t:l:d:G' OPTION
 do
  case $OPTION in
-  A)	Aflag=1
-		op="-A"
+  A)	op="-A"
 		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
+  D)	op="-D"
 		;;
  r)	rflag=1
 		instanceIp="$OPTARG"
@ -170,20 +149,7 @@ do
  d)	dflag=1
 		dport="$OPTARG"
 		;;
-  w)	wflag=1
-  		oldPrivateIP="$OPTARG"
-  		;;
-  x)	xflag=1
-  		oldPrivatePort="$OPTARG"
-  		;;	
-  n)	nflag=1
-  		domRName="$OPTARG"
-  		;;
-  N)	Nflag=1
-  		netmask="$OPTARG"
-  		;;
  G)	Gflag=1
-		nat="$OPTARG"
 		;;
  ?)	usage
 		exit 2
@ -191,48 +157,30 @@ do
  esac
 done

-#1:1 NAT
+DEV_LIST=$(get_dev_list)
+OUTFILE=$(mktemp)
+
+#Firewall ports for one-to-one/static NAT
 if [ "$Gflag" == "1" ]
 then
-  add_one_to_one_nat_entry $instanceIp $publicIp $domRIp $op
-  exit $?
+  one_to_one_fw_entry $publicIp $instanceIp  $protocol $dport $op
+  result=$?
+  [ "$result" -ne 0 ] && cat $OUTFILE >&2
+  rm -f $OUTFILE
+  exit $result
 fi

-reverseOp=$(reverse_op $op)
-
-VIF_LIST=$(get_vif_list)

 case $protocol  in
-  "tcp")	
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			tcp_entry $oldPrivateIP $oldPrivatePort $publicIp $ports "-D"
-  		fi
-  		
-  		# Add/delete the new rule
-		tcp_entry $instanceIp $dport $publicIp $ports $op 
-		exit $?
+  tcp|udp)	
+		tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol
+                result=$?
+                [ "$result" -ne 0 ] && cat $OUTFILE >&2
+                rm -f $OUTFILE
+		exit $result
 		;;
-  "udp")  
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			udp_entry $oldPrivateIP $oldPrivatePort $publicIp $ports "-D"
-		fi
-  
-		# Add/delete the new rule
-		udp_entry $instanceIp $dport $publicIp $ports $op 
-		exit $?
-        ;;
  "icmp")  
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			icmp_entry $oldPrivateIp $icmptype $publicIp "-D"
-  		fi
  
-  		# Add/delete the new rule
 		icmp_entry $instanceIp $icmptype $publicIp $op 
 		exit $?
        ;;
--- a/patches/systemvm/debian/config/root/ipassoc.sh
+++ b/patches/systemvm/debian/config/root/ipassoc.sh
@ -5,90 +5,41 @@
 #
 # @VERSION@
 usage() {
-  printf "Usage:\n %s -A  -i <domR eth1 ip>  -l <public-ip-address>  -r <domr name> [-f] \n" $(basename $0) >&2
-  printf " %s -D -i <domR eth1 ip> -l <public-ip-address> -r <domr name> [-f] \n" $(basename $0) >&2
-}
-
-#verify if supplied ip is indeed in the public domain
-check_public_ip() {
- if [[ $(expr match $1 "10.") -gt 0 ]] 
-  then
-    echo "Public IP ($1) cannot be a private IP address!\n"
-    exit 1
-  fi
-}
-
-#ensure that dom0 is set up to do routing and proxy arp
-check_ip_fw () {
-  if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ];
-  then
-    printf "Warning. Dom0 not set up to do forwarding.\n" >&2
-    printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2
-    printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-  fi
-  #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ];
-  #then
-    #printf "Warning. Dom0 not set up to do proxy ARP.\n"
-    #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n"
-    #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n"
-    #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
-  #fi
+  printf "Usage:\n %s -A    -l <public-ip-address>   -c <dev> [-f] \n" $(basename $0) >&2
+  printf " %s -D  -l <public-ip-address>  -c <dev> [-f] \n" $(basename $0) >&2
 }


-# check if gateway domain is up and running
-check_gw() {
-  ping -c 1 -n -q $1 > /dev/null
-  if [ $? -gt 0 ]
-  then
-    sleep 1
-    ping -c 1 -n -q $1 > /dev/null
-  fi
-  return $?;
-}
-
-#Add 1:1 NAT entry
-add_one_to_one_nat_entry() {
-  local guestIp=$1
-  local publicIp=$2  
-  local dIp=$3
-  
-  iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
-  iptables -t nat -A POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp
-  iptables -P FORWARD DROP
-  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-  iptables -A FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT
-  iptables -A FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT
-  
-  return $?
-}
-
-#Add the NAT entries into iptables in the routing domain
 add_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-   
-  ip addr add dev $correctVif $pubIp
-  iptables -t nat -I POSTROUTING   -j SNAT -o $correctVif --to-source $pubIp
-  arping -c 3 -I $correctVif -A -U -s $pubIp $pubIp
-     
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Adding nat entry for ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  sudo ip link set $ethDev up
+  sudo ip addr add dev $ethDev $pubIp
+  sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+  sudo iptables -A FORWARD -i eth0 -o $ethDev  -j ACCEPT
+  sudo iptables -t nat -I POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
+  sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
  if [ $? -gt 0  -a $? -ne 2 ]
  then
     return 1
  fi

  return 0
+   
 }

-#remove the NAT entries into iptables in the routing domain
 del_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-   
-  iptables -t nat -D POSTROUTING   -j SNAT -o $correctVif --to-source $pubIp
-  ip addr del dev $correctVif $pubIp/32
-      
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Deleting nat entry for ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+  [ "$mask" == "" ] && mask="32"
+  sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+  sudo iptables -D FORWARD -i eth0 -o $ethDev  -j ACCEPT
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask;
+  sudo ip addr del dev $ethDev "$ipNoMask/$mask"
+ 
  if [ $? -gt 0  -a $? -ne 2 ]
  then
     return 1
@ -99,44 +50,58 @@ del_nat_entry() {


 add_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-   
-  ifconfig $correctVif up
-  ip addr add dev $correctVif $pubIp
-  arping -c 3 -I $correctVif -A -U -s $pubIp $pubIp
-     
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+
+  sudo ip link set $ethDev up
+  sudo ip addr add dev $ethDev $pubIp ;
+  sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
  return $?
+   
 }

 remove_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-   
-  ip addr del dev $correctVif $pubIp/32
-     
-  if [ $? -gt 0  -a $? -ne 2 ]
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+  local existingIpMask=$(sudo ip addr show dev $ethDev | grep inet | awk '{print $2}'  | grep -w $ipNoMask)
+  [ "$existingIpMask" == "" ] && return 0
+  local existingMask=$(echo $existingIpMask | awk -F'/' '{print $2}')
+  if [ "$existingMask" == "32" ] 
+  then
+    sudo ip addr del dev $ethDev $existingIpMask
+    result=$?
+  fi
+  if [ "$existingMask" != "32" ] 
+  then
+        replaceIpMask=`sudo ip addr show dev $ethDev | grep inet | grep -v $existingIpMask | awk '{print $2}' | sort -t/ -k2 -n|tail -1`
+        sudo ip addr del dev $ethDev $existingIpMask;
+        if [ -n "$replaceIpMask" ]; then
+          sudo ip addr del dev $ethDev $replaceIpMask;
+          replaceIp=`echo $replaceIpMask | awk -F/ '{print $1}'`;
+          sudo ip addr add dev $ethDev $replaceIp/$existingMask;
+          sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
+          sudo iptables -t nat -A POSTROUTING   -j SNAT -o $ethDev --to-source $replaceIp ;
+        fi
+    result=$?
+  fi
+  if [ $result -gt 0  -a $result -ne 2 ]
  then
     return 1
  fi
+  return 0
 }

 #set -x

-rflag=
-iflag=
 lflag=
-aflag=
-nflag=
 fflag=
-vflag=
-gflag=
-nflag=
 cflag=
-Gflag=
 op=""

-while getopts 'fADr:i:a:l:v:g:n:c:G:' OPTION
+while getopts 'fADa:l:c:' OPTION
 do
  case $OPTION in
  A)	Aflag=1
@ -147,49 +112,18 @@ do
 		;;
  f)	fflag=1
 		;;
-  r)	rflag=1
-		domRname="$OPTARG"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
  l)	lflag=1
 		publicIp="$OPTARG"
 		;;
-  a)	aflag=1
-		eth2mac="$OPTARG"
-		;;
-  v)	vflag=1
-  		vlanId="$OPTARG"
-  		;;
-  g)	gflag=1
-  		gateway="$OPTARG"
-  		;;
-  n)	nflag=1
-  		netmask="$OPTARG"
-  		;;
  c)	cflag=1
-  		correctVif="$OPTARG"
+  		ethDev="$OPTARG"
  		;;
-  G)    Gflag=1
-        guestIp="$OPTARG"
-        ;;
  ?)	usage
 		exit 2
 		;;
  esac
 done

-#1:1 NAT
-if [ "$Gflag" == "1" ]
-then
-  add_nat_entry $domRIp $publicIp 
-  if [ $? -eq 0 ]
-  then
-    add_one_to_one_nat_entry $guestIp $publicIp $domRIp
-  fi
-  exit $?
-fi

 #Either the A flag or the D flag but not both
 if [ "$Aflag$Dflag" != "1" ]
@ -198,39 +132,34 @@ then
 exit 2
 fi

-if [ "$Aflag$lflag$iflag$cflag" != "1111" ] && [ "$Dflag$lflag$iflag$cflag" != "1111" ]
+if [ "$lflag$cflag" != "11" ] 
 then
+   usage
   exit 2
 fi

-# check if gateway domain is up and running
-if ! check_gw "$domRIp"
-then
-   printf "Unable to ping the routing domain, exiting\n" >&2
-   exit 3
-fi

 if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
 then
-  add_nat_entry $domRIp $publicIp 
+  add_nat_entry  $publicIp 
  exit $?
 fi

 if [ "$Aflag" == "1" ]
 then  
-  add_an_ip $domRIp $publicIp 
+  add_an_ip  $publicIp 
  exit $?
 fi

 if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
 then
-  del_nat_entry $domRIp $publicIp 
+  del_nat_entry  $publicIp 
  exit $?
 fi

 if [ "$Dflag" == "1" ]
 then
-  remove_an_ip $domRIp $publicIp 
+  remove_an_ip  $publicIp 
  exit $?
 fi

--- a/scripts/network/domr/call_firewall.sh
+++ b/scripts/network/domr/call_firewall.sh
@ -21,75 +21,9 @@ check_gw() {
  return $?;
 }

-rflag=
-iflag=
-Pflag=
-pflag=
-tflag=
-lflag=
-dflag=
-oflag=
-wflag=
-xflag=
-nflag=
-Nflag=
-Gflag=
-op=""
-oldPrivateIP=""
-oldPrivatePort=""
-
-while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:G:' OPTION
-do
-  case $OPTION in
-  A)	Aflag=1
-		op="-A"
-		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
-  r)	rflag=1
-		instanceIp="$OPTARG"
-		;;
-  P)	Pflag=1
-		protocol="$OPTARG"
-		;;
-  p)	pflag=1
-		ports="$OPTARG"
-		;;
-  t)	tflag=1
-		icmptype="$OPTARG"
-		;;
-  l)	lflag=1
-		publicIp="$OPTARG"
-		;;
-  d)	dflag=1
-		dport="$OPTARG"
-		;;
-  w)	wflag=1
-  		oldPrivateIP="$OPTARG"
-  		;;
-  x)	xflag=1
-  		oldPrivatePort="$OPTARG"
-  		;;	
-  n)	nflag=1
-  		domRName="$OPTARG"
-  		;;
-  N)	Nflag=1
-  		netmask="$OPTARG"
-  		;;
-  G)    Gflag=1
-  		nat="OPTARG"
-  		;;
-  ?)	usage
-		exit 2
-		;;
-  esac
-done
-
 cert="/root/.ssh/id_rsa.cloud"
+domRIp=$1
+shift

 # Check if DomR is up and running. If not, exit with error code 1.
 check_gw "$domRIp"
@ -98,19 +32,6 @@ then
  exit 1
 fi

-#Either the A flag or the D flag but not both
-if [ "$Aflag$Dflag" != "1" ]
-then
-  usage
-  exit 2
-fi
-
-#Require -d with -p
-if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ]
-then
-  usage
-  exit 2
-fi

 ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*"
 exit $?
--- a/scripts/network/domr/firewall_vlan.sh
+++ b/scripts/network/domr/firewall_vlan.sh
@ -1,313 +0,0 @@
-#!/usr/bin/env bash
-# $Id: firewall_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/firewall_vlan.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-#
-#
-# @VERSION@
-
-usage() {
-  printf "Usage: %s: (-A|-D) -i <domR eth1 ip>  -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> -n <domr name> -N <VLAN netmask> ] \n" $(basename $0) >&2
-}
-
-# set -x
-cert="/root/.ssh/id_rsa.cloud"
-
-# check if gateway domain is up and running
-check_gw() {
-  ping -c 1 -n -q $1 > /dev/null
-  if [ $? -gt 0 ]
-  then
-    sleep 1
-    ping -c 1 -n -q $1 > /dev/null
-  fi
-  return $?;
-}
-
-get_dom0_ip () {
- eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')"
- return 0
-}
-
-get_value() {
-  local filename=$1
-  local keyname=$2
-  grep -i $keyname= $filename | cut -d= -f2
-}
-
-get_subnet() {
-	local ip=$1
-	local netmask=$2
-
-	local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}'))
-	local netmask1=($(echo $netmask | awk -F"." '{print $1,$2,$3,$4}'))
-	local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]}))
-
-	echo $subnet
-}
-
-get_vif_list() {
-        local domRIp=$1
-
-        local command=" vifListDomR=\"\"; \
-                                        for i in /sys/class/net/eth*; do \
-                                                vif=\$(basename \$i); \
-                                                vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \
-                                        done; \
-                                        echo \$vifListDomR;"
-
-        local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command)
-
-        echo $vifList
-}
-
-find_correct_vif() {
-	local domRIp=$1
-	local publicIp=$2
-	local vlanNetmask=$3
-	
-	local correctVif="none"
-	
-	local vlanSubnet=$(get_subnet $publicIp $vlanNetmask)
-	local vifList=$(get_vif_list $domRIp)
-
-	for i in $vifList
-	do
-		local vif=$(echo $i | cut -d: -f1)
-		local vifIp=$(echo $i | cut -d: -f2)
-		local vifNetmask=$(echo $i | cut -d: -f3)
-		local vifSubnet=$(get_subnet $vifIp $vifNetmask)
-		
-		if [ "$vlanSubnet" == "$vifSubnet" ]
-		then
-			correctVif="$vif"
-			break
-		fi
-	done
-	
-	echo $correctVif
-}
-
-#Add the tcp firewall entries into iptables in the routing domain
-tcp_entry() {
-  local dRIp=$1
-  local instIp=$2
-  local dport=$3
-  local pubIp=$4
-  local port=$5
-  local op=$6
-  local vif=$7
-  
-  ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-    	iptables -t nat $op PREROUTING --proto tcp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-    	iptables -t nat $op OUTPUT  --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-    	iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null;
-    	iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null;
-  "
-  	
-  return $?
-
-}
-
-#Add the udp firewall entries into iptables in the routing domain
-udp_entry() {
-  local dRIp=$1
-  local instIp=$2
-  local dport=$3
-  local pubIp=$4
-  local port=$5
-  local op=$6
-  local vif=$7
-  
-  ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-    	iptables -t nat $op PREROUTING --proto udp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-    	iptables -t nat $op OUTPUT  --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
-    	iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport  -j ACCEPT > /dev/null;
-  "
-  		
-  return $?
-
-}
-
-#Add the icmp firewall entries into iptables in the routing domain
-icmp_entry() {
-  local dRIp=$1
-  local instIp=$2
-  local icmptype=$3
-  local pubIp=$4
-  local op=$5
-  local vif=$6
-  
-  ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-    	iptables -t nat $op PREROUTING --proto icmp -i $vif -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null;
-    	iptables -t nat $op OUTPUT  --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null;
-    	iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype  -j ACCEPT > /dev/null;
-  "
-  	
-  return $?
-  		
-}
-
-reverse_op() {
-	local op=$1
-	
-	if [ "$op" == "-A" ]
-	then
-		echo "-D"
-	else
-		echo "-A"
-	fi
-}
-
-rflag=
-iflag=
-Pflag=
-pflag=
-tflag=
-lflag=
-dflag=
-oflag=
-wflag=
-xflag=
-nflag=
-Nflag=
-op=""
-oldPrivateIP=""
-oldPrivatePort=""
-
-while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:' OPTION
-do
-  case $OPTION in
-  A)	Aflag=1
-		op="-A"
-		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
-  r)	rflag=1
-		instanceIp="$OPTARG"
-		;;
-  P)	Pflag=1
-		protocol="$OPTARG"
-		;;
-  p)	pflag=1
-		ports="$OPTARG"
-		;;
-  t)	tflag=1
-		icmptype="$OPTARG"
-		;;
-  l)	lflag=1
-		publicIp="$OPTARG"
-		;;
-  d)	dflag=1
-		dport="$OPTARG"
-		;;
-  w)	wflag=1
-  		oldPrivateIP="$OPTARG"
-  		;;
-  x)	xflag=1
-  		oldPrivatePort="$OPTARG"
-  		;;	
-  n)	nflag=1
-  		domRName="$OPTARG"
-  		;;
-  N)	Nflag=1
-  		netmask="$OPTARG"
-  		;;
-  ?)	usage
-		exit 2
-		;;
-  esac
-done
-
-# domRIp is guaranteed to be present at this point
-
-# Check if DomR is up and running. If not, exit with error code 1.
-check_gw "$domRIp"
-if [ $? -gt 0 ]
-then
-	exit 1
-fi
-
-#Either the A flag or the D flag but not both
-if [ "$Aflag$Dflag" != "1" ]
-then
- usage
- exit 2
-fi
-
-#Either the tflag or the p flag but not both
-if [ "$rflag$iflag$Pflag$pflag$tflag$lflag" != "11111" ]
-then
- usage
- exit 2
-fi
-
-#Require -d with -p
-if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ]
-then
- usage
- exit 2
-fi
-
-# Router name must be passed in
-if [ "$nflag" != "1" ]
-then
-	usage
-	exit 2
-fi
-
-# The netmask of the public IP's VLAN must be passed in
-if [ "$Nflag" != "1" ]
-then
-	usage
-	exit 2
-fi
-
-reverseOp=$(reverse_op $op)
-
-# Find the VIF that we need to use on DomR
-correctVif=$(find_correct_vif $domRIp $publicIp $netmask)
-
-case $protocol  in
-  "tcp")	
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			tcp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" $correctVif
-  		fi
-  		
-  		# Add/delete the new rule
-		tcp_entry $domRIp $instanceIp $dport $publicIp $ports $op $correctVif
-		;;
-  "udp")  
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			udp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" $correctVif
-		fi
-  
-		# Add/delete the new rule
-		udp_entry $domRIp $instanceIp $dport $publicIp $ports $op $correctVif
-        ;;
-  "icmp")  
-  		# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
-  		if [ "$oldPrivateIP" != "" ]
-  		then
-  			icmp_entry $domRIp $oldPrivateIp $icmptype $publicIp "-D" $correctVif
-  		fi
-  
-  		# Add/delete the new rule
-		icmp_entry $domRIp $instanceIp $icmptype $publicIp $op $correctVif
-        ;;
-      *)
-        printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
-        exit 5
-        ;;
-esac
-
-exit 0
--- a/scripts/network/domr/ipassoc.sh
+++ b/scripts/network/domr/ipassoc.sh
@ -10,33 +10,8 @@ usage() {
 }

 cert="/root/.ssh/id_rsa.cloud"
-
-#verify if supplied ip is indeed in the public domain
-check_public_ip() {
- if [[ $(expr match $1 "10.") -gt 0 ]] 
-  then
-    echo "Public IP ($1) cannot be a private IP address!\n"
-    exit 1
-  fi
-}
-
-#ensure that dom0 is set up to do routing and proxy arp
-check_ip_fw () {
-  if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ];
-  then
-    printf "Warning. Dom0 not set up to do forwarding.\n" >&2
-    printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2
-    printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-  fi
-  #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ];
-  #then
-    #printf "Warning. Dom0 not set up to do proxy ARP.\n"
-    #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n"
-    #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n"
-    #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
-  #fi
-}
+domRIp=$1
+shift


 # check if gateway domain is up and running
@ -50,226 +25,15 @@ check_gw() {
  return $?;
 }

-#Add 1:1 NAT entry
-add_one_to_one_nat_entry() {
-  local guestIp=$1
-  local publicIp=$2  
-  local dIp=$3
-  ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dIp "\
-  iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
-  iptables -t nat -A POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp
-  iptables -P FORWARD DROP
-  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-  iptables -A FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT
-  iptables -A FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT
-  "
-  return $?
-}

-#Add the NAT entries into iptables in the routing domain
-add_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-  local ipNoMask=$(echo $2 | awk -F'/' '{print $1}')
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-      ip addr add dev $correctVif $pubIp
-      iptables -A FORWARD -i $correctVif -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-      iptables -A FORWARD -i eth0 -o $correctVif  -j ACCEPT
-      iptables -t nat -I POSTROUTING   -j SNAT -o $correctVif --to-source $ipNoMask ;
-      arping -c 3 -I $correctVif -A -U -s $ipNoMask $ipNoMask;
-     "
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     return 1
-  fi
-
-  return 0
-}
-
-#remove the NAT entries into iptables in the routing domain
-del_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-  local ipNoMask=$(echo $2 | awk -F'/' '{print $1}')
-  local mask=$(echo $2 | awk -F'/' '{print $2}')
-  [ "$mask" == "" ] && mask="32"
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-      iptables -D FORWARD -i $correctVif -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-      iptables -D FORWARD -i eth0 -o $correctVif  -j ACCEPT
-      iptables -t nat -D POSTROUTING   -j SNAT -o $correctVif --to-source $ipNoMask;
-      ip addr del dev $correctVif "$ipNoMask/$mask"
-     "
- 
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     return 1
-  fi
-
-  return $?
-}
-
-
-add_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-  local ipNoMask=$(echo $2 | awk -F'/' '{print $1}')
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-   	  ifconfig $correctVif up;
-      ip addr add dev $correctVif $pubIp ;
-      arping -c 3 -I $correctVif -A -U -s $ipNoMask $ipNoMask;
-     "
-   return $?
-}
-
-remove_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-  local ipNoMask=$(echo $2 | awk -F'/' '{print $1}')
-  local mask=$(echo $2 | awk -F'/' '{print $2}')
-  local existingIpMask=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "
-      ip addr show dev $correctVif | grep inet | awk '{print \$2}'  | grep -w $ipNoMask 
-     ")
-  [ "$existingIpMask" == "" ] && return 0
-  local existingMask=$(echo $existingIpMask | awk -F'/' '{print $2}')
-  if [ "$existingMask" == "32" ] 
-  then
-    ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "
-        ip addr del dev $correctVif $existingIpMask
-       "
-    result=$?
-  fi
-  if [ "$existingMask" != "32" ] 
-  then
-    ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "
-        replaceIpMask=\`ip addr show dev $correctVif | grep inet | grep -v $existingIpMask | awk '{print \$2}' | sort -t/ -k2 -n|tail -1\`
-        ip addr del dev $correctVif $existingIpMask;
-        if [ -n \"\$replaceIpMask\" ]; then
-          ip addr del dev $correctVif \$replaceIpMask;
-          replaceIp=\`echo \$replaceIpMask | awk -F/ '{print \$1}'\`;
-          ip addr add dev $correctVif \$replaceIp/$existingMask;
-          iptables -t nat -D POSTROUTING   -j SNAT -o $correctVif --to-source $ipNoMask ;
-          iptables -t nat -A POSTROUTING   -j SNAT -o $correctVif --to-source \$replaceIp ;
-        fi
-       "
-    result=$?
-  fi
-  if [ $result -gt 0  -a $result -ne 2 ]
-  then
-     return 1
-  fi
-}
-
-#set -x
-
-rflag=
-iflag=
-lflag=
-aflag=
-nflag=
-fflag=
-vflag=
-gflag=
-nflag=
-cflag=
-Gflag=
-op=""
-
-while getopts 'fADr:i:a:l:v:g:n:c:G:' OPTION
-do
-  case $OPTION in
-  A)	Aflag=1
-		op="-A"
-		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  f)	fflag=1
-		;;
-  r)	rflag=1
-		domRname="$OPTARG"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
-  l)	lflag=1
-		publicIp="$OPTARG"
-		;;
-  a)	aflag=1
-		eth2mac="$OPTARG"
-		;;
-  v)	vflag=1
-  		vlanId="$OPTARG"
-  		;;
-  g)	gflag=1
-  		gateway="$OPTARG"
-  		;;
-  n)	nflag=1
-  		netmask="$OPTARG"
-  		;;
-  c)	cflag=1
-  		correctVif="$OPTARG"
-  		;;
-  G)    Gflag=1
-        guestIp="$OPTARG"
-        ;;
-  ?)	usage
-		exit 2
-		;;
-  esac
-done
-
-#1:1 NAT
-if [ "$Gflag" == "1" ]
+# Check if DomR is up and running. If not, exit with error code 1.
+check_gw "$domRIp"
+if [ $? -gt 0 ]
 then
-  add_nat_entry $domRIp $publicIp 
-  if [ $? -eq 0 ]
-  then
-    add_one_to_one_nat_entry $guestIp $publicIp $domRIp
-  fi
-  exit $?
+  exit 1
 fi

-#Either the A flag or the D flag but not both
-if [ "$Aflag$Dflag" != "1" ]
-then
- usage
- exit 2
-fi

-if [ "$Aflag$lflag$iflag$cflag" != "1111" ] && [ "$Dflag$lflag$iflag$cflag" != "1111" ]
-then
-   exit 2
-fi
+ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/ipassoc.sh $*"
+exit $?

-# check if gateway domain is up and running
-if ! check_gw "$domRIp"
-then
-   printf "Unable to ping the routing domain, exiting\n" >&2
-   exit 3
-fi
-
-if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
-then
-  add_nat_entry $domRIp $publicIp 
-  exit $?
-fi
-
-if [ "$Aflag" == "1" ]
-then  
-  add_an_ip $domRIp $publicIp 
-  exit $?
-fi
-
-if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
-then
-  del_nat_entry $domRIp $publicIp 
-  exit $?
-fi
-
-if [ "$Dflag" == "1" ]
-then
-  remove_an_ip $domRIp $publicIp 
-  exit $?
-fi
-
-exit 0
--- a/scripts/network/domr/ipassoc_vlan.sh
+++ b/scripts/network/domr/ipassoc_vlan.sh
@ -1,560 +0,0 @@
-#!/usr/bin/env bash
-# $Id: ipassoc_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/ipassoc_vlan.sh $
-# ipassoc.sh -- associate/disassociate a public ip with an instance
-#
-#
-# @VERSION@
-
-# set -x
-usage() {
-  printf "Usage:\n %s -A  -i <domR eth1 ip>  -l <public-ip-address>  -r <domr name> [-f] \n" $(basename $0) >&2
-  printf " %s -D -i <domR eth1 ip> -l <public-ip-address> -r <domr name> [-f] \n" $(basename $0) >&2
-  printf "If associating first IP in vlan or disassociating last IP in vlan, the following are required: -v <vlan id> -g <vlan gateway> -n <vlan netmask> \n" $(basename $0) >&2
-}
-
-cert="/root/.ssh/id_rsa.cloud"
-
-get_value() {
-  local filename=$1
-  local keyname=$2
-  grep -i $keyname= $filename | cut -d= -f2
-}
-
-#verify if supplied ip is indeed in the public domain
-check_public_ip() {
- if [[ $(expr match $1 "10.") -gt 0 ]] 
-  then
-    echo "Public IP ($1) cannot be a private IP address!\n"
-    exit 1
-  fi
-}
-
-#ensure that dom0 is set up to do routing and proxy arp
-check_ip_fw () {
-  if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ];
-  then
-    printf "Warning. Dom0 not set up to do forwarding.\n" >&2
-    printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2
-    printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-  fi
-  #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ];
-  #then
-    #printf "Warning. Dom0 not set up to do proxy ARP.\n"
-    #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n"
-    #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n"
-    #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
-  #fi
-}
-
-
-# check if gateway domain is up and running
-check_gw() {
-  ping -c 1 -n -q $1 > /dev/null
-  if [ $? -gt 0 ]
-  then
-    sleep 1
-    ping -c 1 -n -q $1 > /dev/null
-  fi
-  return $?;
-}
-
-#Add the NAT entries into iptables in the routing domain
-add_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-      ip addr add dev eth2 $pubIp
-      iptables -t nat -I POSTROUTING   -j SNAT -o eth2 --to-source $pubIp ;
-      /sbin/arping -c 3 -I eth2 -A -U -s $pubIp $pubIp;
-     "
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     return 1
-  fi
-
-  return 0
-}
-
-#remove the NAT entries into iptables in the routing domain
-del_nat_entry() {
-  local dRIp=$1
-  local pubIp=$2
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-      iptables -t nat -D POSTROUTING   -j SNAT -o eth2 --to-source $pubIp;
-      ip addr del dev eth2 $pubIp/32
-     "
- 
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     return 1
-  fi
-
-  return $?
-}
-
-_vifname() {
- local vmname=$1
- local domid=$(xm domid $vmname)
- echo vif${domid}
-}
-
-add_acct_rule() {
-  local vmname=$1
-  local intf=$2
-  local dstip=$3
-
-  local vifname=$(_vifname $vmname)
-
-  iptables -A FORWARD -m physdev  --physdev-out $vifname.$intf -d $dstip -j ACCEPT
-
-  return $?
-}
-
-remove_acct_rule() {
-  local vmname=$1
-  local intf=$2
-  local dstip=$3
-
-  local vifname=$(_vifname $vmname)
-
-  iptables -D FORWARD -m physdev  --physdev-out $vifname.$intf -d $dstip -j ACCEPT
-
-  return $?
-}
-
-add_first_ip() {
-  local domRname=$1
-  local domRIp=$2
-  local publicIp=$3
-  local eth2mac=$4
-  local vifname=""
-  local domid=0
-
-  if  ! xm list $domRname  &>/dev/null
-  then
-    printf "Error: routing domain $domRname does not exist\n" >&2
-    exit 2
-  fi
-
-
-  #check_public_ip "$publicIp"
-
-    
-  # Ensure that dom0 is set up to do routing
-  #check_ip_fw
-   
-  
-  #program ip tables in domR and route in dom0
-  if  ! add_nat_entry $domRIp $publicIp 
-  then
-     printf  "Unable add nat entry on gateway, exiting\n" >&2
-     return 4
-  fi
-
-  return 0
-}
-
-check_if_ip_assigned_to_vif() {
-		local domRIp=$1
-        local vif=$2
-        local ip=$3
-
-        local vifIp=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-                                text=\$(ifconfig $vif | grep \"inet addr\" | cut -d: -f2); \
-                                ip="none"; \
-                                for i in \$text; do ip=\$i; break; done; \
-                                echo \$ip;")
-
-        if [ "$ip" == "$vifIp" ]
-        then
-            	return 0
-        else
-            	return 1
-        fi
-}
-
-
-add_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-  local vif=$3
-  local vflag=$4
-  local vlanNetmask=$5
-  
-   ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-      ip addr add dev $vif $pubIp; \
-      if [ "$vflag" == "1" ]; then ifconfig $vif netmask $vlanNetmask up; fi; \
-      /sbin/arping -c 3 -I $vif -A -U -s $pubIp $pubIp; \
-     "
-   return $?
-}
-
-number_of_bits() {
-        local decNum=$1
-
-        local bits=0
-        while [ $decNum -gt 0 ]
-        do
-          	local lastBit=$(expr $decNum % 2)
-                if [ "$lastBit" == "1" ]
-                then
-                    	let bits+=1
-                fi
-                let decNum=$decNum/2
-        done
-
-	echo $bits
-}
-
-netmask_to_cidr() {
-        local netmask=$1
-
-        local cidr=0
-        local IFS=.
-        for octet in $netmask
-        do
-                local octetBits=$(number_of_bits $octet)
-                let cidr+=$octetBits
-        done
-
-        echo $cidr
-}
-
-
-remove_an_ip () {
-  local dRIp=$1
-  local pubIp=$2
-  local vif=$3
-  local vlanNetmask=$4
-  
-  # Check if the public IP is assigned to the VIF itself
-  check_if_ip_assigned_to_vif $dRIp $vif $pubIp
-  
-  if [ $? -eq 0 ]
-  then
-	# Convert the VLAN netmask to a CIDR
-	local cidr=$(netmask_to_cidr $vlanNetmask)
-	
-	# Delete the IP address by providing the correct CIDR (not 32 in this case)
-	# Then, set the correct netmask on the VIF, since at this point it will have a netmask of 255.255.255.255
-	# Finally, detect what the new IP address on the VIF is, and correct the ifcfg-VIF file to reflect this
-	
-	ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-		ip addr del dev $vif $pubIp/$cidr; \
-		ifconfig $vif netmask $vlanNetmask up; \
-		text=\$(ifconfig $vif | grep \"inet addr\" | cut -d: -f2); \
-		ip="none"; \
-		for i in \$text; do ip=\$i; break; done; \
-		sed -i /IPADDR/d /etc/sysconfig/network-scripts/ifcfg-$vif; \
-		echo "IPADDR=\$ip" >> /etc/sysconfig/network-scripts/ifcfg-$vif; \
-	"
-  else
-	ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
-		ip addr del dev $vif $pubIp/32
-	"
-  fi
-  
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     return 1
-  fi
-}
-
-attach_bridge_to_domr() {
-	local domRName=$1
-	local domRIp=$2
-	local vlanId=$3
-	local vlanGateway=$4
-	local vlanNetmask=$5
-	local publicIp=$6
-	
-	local bridgeName=xenbr1.$vlanId
-	
-	xm network-attach $domRName bridge=$bridgeName 
-	
-	if [ $? -gt 0 ]
-	then
-		return 1
-	fi
-	
-	# Figure out what VIF we just added! It will be the only VIF that does not have an IP address assigned in ifcfg-eth*, since we haven't created any ifcfg-eth* file yet.
-	local newVif="none"
-	local vifList=$(get_vif_list $domRIp)
-	
-	for i in $vifList
-	do
-		local vif=$(echo $i | cut -d: -f1)
-		local vifIp=$(echo $i | cut -d: -f2)
-		
-		if [ "$vifIp" == "" ]
-		then
-			newVif="$vif"
-			break
-		fi
-	done
-	
-	if [ "$newVif" == "none" ]
-	then
-		echo "Could not detect newly added VIF"
-		exit 1
-	fi
-	
-	local ifcfgFilePath="/etc/sysconfig/network-scripts/ifcfg-$newVif"
-	
-	# Via SSH: Create ifcfg-eth* file and add vlanGateway to /etc/sysconfig/network
-	ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-		touch $ifcfgFilePath; \
-		echo "DEVICE=$newVif" >> $ifcfgFilePath; \
-		echo "ONBOOT=yes" >> $ifcfgFilePath; \
-		echo "TYPE=Ethernet" >> $ifcfgFilePath; \
-		echo "IPADDR=$publicIp" >> $ifcfgFilePath; \
-		echo "NETMASK=$vlanNetmask" >> $ifcfgFilePath; \
-		echo "GATEWAY=$vlanGateway" >> /etc/sysconfig/network; \
-	"
-	
-	if [ $? -gt 0 ]
-	then
-		echo "Could not create ifcfg-eth* file for newly added VIF"
-		exit 1
-	fi
-	
-	return $?
-}
-
-get_vif_id() {
-	local domRIp=$1
-	local domRName=$2
-	local vifName=$3
-
-	# First get the MAC address of the VIF from DomR
-	local command="\
-		macAddrOfVif=\"none\"; \
-		for i in \$(ifconfig $vifName | grep HWaddr); do macAddrOfVif=\$i; done; \
-		echo \$macAddrOfVif;"
-
-	local macAddr=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "$command")
-
-	if [ "$macAddr" == "none" ]
-	then
-		echo "none"
-		return
-	fi
-
-	# Do xm network-list and find the vif ID that corresponds to the MAC address
-	local vifId="none"
-	local networkList=$(xm network-list $domRName | grep -i "$macAddr")
-	for i in $networkList; do vifId=$i; break; done;
-
-	echo $vifId
-}
-
-detach_bridge_from_domr() {
-	local domRName=$1
-	local domRIp=$2
-	local vlanGateway=$3
-	local correctVif=$4
-
-	local vifId=$(get_vif_id $domRIp $domRName $correctVif)
-	
-	xm network-detach $domRName $vifId
-	
-	if [ $? -gt 0 ]
-	then
-		return 1
-	fi
-	
-	# Remove ifcfg-eth* file and vlanGateway from /etc/sysconfig/network via SSH
-	ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-		rm /etc/sysconfig/network-scripts/ifcfg-$correctVif;
-		sed -i /"GATEWAY=$vlanGateway"/d /etc/sysconfig/network;
-	"
-	
-	return $?
-}
-
-get_subnet() {
-	local ip=$1
-	local netmask=$2
-
-	local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}'))
-	local netmask1=($(echo $netmask | awk -F"." '{print $1,$2,$3,$4}'))
-	local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]}))
-
-	echo $subnet
-}
-
-get_vif_list() {
-        local domRIp=$1
-
-        local command=" vifListDomR=\"\"; \
-                                        for i in /sys/class/net/eth*; do \
-                                                vif=\$(basename \$i); \
-                                                vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \
-                                        done; \
-                                        echo \$vifListDomR;"
-
-        local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command)
-
-        echo $vifList
-}
-
-find_correct_vif() {
-	local domRIp=$1
-	local publicIp=$2
-	local vlanNetmask=$3
-	
-	local correctVif="none"
-	
-	local vlanSubnet=$(get_subnet $publicIp $vlanNetmask)
-	local vifList=$(get_vif_list $domRIp)
-
-	for i in $vifList
-	do
-		local vif=$(echo $i | cut -d: -f1)
-		local vifIp=$(echo $i | cut -d: -f2)
-		local vifNetmask=$(echo $i | cut -d: -f3)
-		local vifSubnet=$(get_subnet $vifIp $vifNetmask)
-		
-		if [ "$vlanSubnet" == "$vifSubnet" ]
-		then
-			correctVif="$vif"
-			break
-		fi
-	done
-	
-	echo $correctVif
-}
-
-#set -x
-
-fflag=
-Aflag=
-Dflag=
-rflag=
-iflag=
-aflag=
-lflag=
-vflag=0
-gflag=
-nflag=
-op=""
-
-while getopts 'fADr:i:a:l:v:g:n:' OPTION
-do
-  case $OPTION in
-  A)	Aflag=1
-		op="-A"
-		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  f)	fflag=1
-		;;
-  r)	rflag=1
-		domRname="$OPTARG"
-		;;
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
-  l)	lflag=1
-		publicIp="$OPTARG"
-		;;
-  a)	aflag=1
-		eth2mac="$OPTARG"
-		;;
-  v)	vflag=1
-  		vlanId="$OPTARG"
-  		;;
-  g)	gflag=1	
-  		gateway="$OPTARG"
-  		;;
-  n)	nflag=1
-  		netmask="$OPTARG"
-  		;;
-  ?)	usage
-		exit 2
-		;;
-  esac
-done
-
-#Either the A flag or the D flag but not both
-if [ "$Aflag$Dflag" != "1" ]
-then
- usage
- exit 2
-fi
-
-if [ "$Aflag$lflag$iflag$rflag$nflag" != "11111" ] && [ "$Dflag$lflag$iflag$rflag$nflag" != "11111" ]
-then
-   exit 2
-fi
-
-# If a vlanId is passed in, then a vlanGateway must be passed in
-if [ "$vflag" == "1" ] && [ "$gflag" != "1" ]
-then
-	usage
-	exit 2
-fi
-
-# check if gateway domain is up and running
-if ! check_gw "$domRIp"
-then
-   printf "Unable to ping the routing domain, exiting\n" >&2
-   exit 3
-fi
-
-# If this is an add and a vlanId was passed in, hotplug a new vif on DomR
-if [ "$Aflag" == "1" ] && [ "$vflag" == "1" ]
-then
-	attach_bridge_to_domr $domRname $domRIp $vlanId $gateway $netmask $publicIp
-  	
-	if [ $? -gt 0 ]
-	then
-		exit 1
-	fi
-fi
-
-# Find the VIF that we need to use on DomR
-correctVif=$(find_correct_vif $domRIp $publicIp $netmask)
-
-if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
-then
-  add_nat_entry $domRIp $publicIp 
-  exit $?
-fi
-
-if [ "$Aflag" == "1" ]
-then  
-  add_an_ip $domRIp $publicIp $correctVif $vflag $netmask
-  exit $?
-fi
-
-if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
-then
-  del_nat_entry $domRIp $publicIp 
-  exit $?
-fi
-
-if [ "$Dflag" == "1" ]
-then
-  remove_an_ip $domRIp $publicIp $correctVif $netmask
-  
-  # If a vlanId was passed in, remove the vlan's vif from DomR
-  if [ "$vflag" == "1" ]
-  then
-  	detach_bridge_from_domr $domRname $domRIp $gateway $correctVif
-  	
-	if [ $? -gt 0 ]
-	then
-		exit 1
-	fi
-  fi
-  
-  exit $?
-fi
-
-exit 0
-
--- a/scripts/network/domr/loadbalancer_vlan.sh
+++ b/scripts/network/domr/loadbalancer_vlan.sh
@ -1,275 +0,0 @@
-#!/usr/bin/env bash
-# $Id: loadbalancer_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/loadbalancer_vlan.sh $
-# loadbalancer.sh -- reconfigure loadbalancer rules
-#
-#
-# @VERSION@
-
-usage() {
-  printf "Usage: %s:  -i <domR eth1 ip>  -a <added public ip address> -d <removed> -f <load balancer config> \n" $(basename $0) >&2
-}
-
-# set -x
-cert="/root/.ssh/id_rsa.cloud"
-
-# check if gateway domain is up and running
-check_gw() {
-  ping -c 1 -n -q $1 > /dev/null
-  if [ $? -gt 0 ]
-  then
-    sleep 1
-    ping -c 1 -n -q $1 > /dev/null
-  fi
-  return $?;
-}
-
-get_value() {
-  local filename=$1
-  local keyname=$2
-  grep -i $keyname= $filename | cut -d= -f2
-}
-
-get_subnet() {
-	local ip=$1
-	local netmask=$2
-
-	local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}'))
-	local netmask1=($(echo $netmask | awk -F"." '{print $1,$2,$3,$4}'))
-	local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]}))
-
-	echo $subnet
-}
-
-get_vif_list() {
-        local domRIp=$1
-
-        local command=" vifListDomR=\"\"; \
-                                        for i in /sys/class/net/eth*; do \
-                                                vif=\$(basename \$i); \
-                                                vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \
-                                                vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \
-                                        done; \
-                                        echo \$vifListDomR;"
-
-        local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command)
-
-        echo $vifList
-}
-
-find_correct_vif() {
-	local domRIp=$1
-	local publicIp=$2
-	local vlanNetmask=$3
-	
-	local correctVif="none"
-	
-	local vlanSubnet=$(get_subnet $publicIp $vlanNetmask)
-	local vifList=$(get_vif_list $domRIp)
-
-	for i in $vifList
-	do
-		local vif=$(echo $i | cut -d: -f1)
-		local vifIp=$(echo $i | cut -d: -f2)
-		local vifNetmask=$(echo $i | cut -d: -f3)
-		local vifSubnet=$(get_subnet $vifIp $vifNetmask)
-		
-		if [ "$vlanSubnet" == "$vifSubnet" ]
-		then
-			correctVif="$vif"
-			break
-		fi
-	done
-	
-	echo $correctVif
-}
-
-#firewall entry to ensure that haproxy can receive on specified port
-fw_entry() {
-  local domRIp=$1
-  local added=$2
-  local removed=$3
-  
-  if [ "$added" == "none" ]
-  then
-  	added=""
-  fi
-  
-  if [ "$removed" == "none" ]
-  then
-  	removed=""
-  fi
-  
-  local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
-  local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
-  
-  for i in $a
-  do
-    local pubIp=$(echo $i | cut -d: -f1)
-    local dport=$(echo $i | cut -d: -f2)
-    local vlanNetmask=$(echo $i | cut -d: -f3)
-    
-    local vif=$(find_correct_vif $domRIp $pubIp $vlanNetmask)
-    
-    if [ "$domRIp" != "none" ]
-    then
-    	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-      	iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
-     	"
-     	
-     	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-      	iptables -A INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
-     	"
-     	
-     	if [ $? -gt 0 ]
-     	then
-     		exit 1
-     	fi
-    fi
-     
-  done
-
- for i in $r
- do
-    local pubIp=$(echo $i | cut -d: -f1)
-    local dport=$(echo $i | cut -d: -f2)
-    local vlanNetmask=$(echo $i | cut -d: -f3)
-    
-    local vif=$(find_correct_vif $domRIp $pubIp $vlanNetmask)
-    
-    if [ "$domRIp" != "none" ]
-    then
-    	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-     	iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
-     	"
-    fi
-  	
-  done
-  
-  return 0
-}
-
-
-#Hot reconfigure HA Proxy in the routing domain
-reconfig_lb() {
-  local domRIp=$1
-  local cfg=$2
-
-  scp -P 3922 -q -o StrictHostKeyChecking=no -i $cert $cfg root@$domRIp:/etc/haproxy/haproxy.cfg.new
-
-  if [ $? -eq 0 ]
-  then
-     ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh
-  fi
-
-  return $?
-}
-
-# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
-restore_lb() {
-	local domRIp=$1
-
-	# Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
-	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
-     	cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
-    "
-    
-    # Run reconfigLB.sh again
-    if [ $? -eq 0 ]
-  	then
-    	ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh
-  	fi
-}
-
-
-mflag=
-iflag=
-aflag=
-dflag=
-fflag=
-op=""
-addedIps=""
-removedIps=""
-
-while getopts 'i:a:d:f:' OPTION
-do
-  case $OPTION in
-  i)	iflag=1
-		domRIp="$OPTARG"
-		;;
-  a)	aflag=1
-		addedIps="$OPTARG"
-		;;
-  d)	dflag=1
-		removedIps="$OPTARG"
-		;;
-  f)	fflag=1
-		cfgfile="$OPTARG"
-		;;
-  ?)	usage
-		exit 2
-		;;
-  esac
-done
-
-# At this point, $domRIp is guaranteed to be either an IP address (if the DomR is running in the Management Server database), or "none"
-
-# If a DomR IP was passed in, check if DomR is up and running. If it isn't, exit 1.
-if [ "$domRIp" != "none" ]
-then
-	check_gw "$domRIp"
-	if [ $? -gt 0 ]
-	then
-   		exit 1
-	fi
-fi
-
-# If a DomR IP was passed in, reconfigure the HA Proxy.
-if [ "$domRIp" != "none" ]
-then
-	if [ "$iflag$fflag" != "11" ]
-	then
- 		usage
- 		exit 2
-	fi
-
-	#hot reconfigure haproxy
-	reconfig_lb $domRIp $cfgfile
-	
-	if [ $? -gt 0 ]
-	then
-		printf "Reconfiguring loadbalancer failed\n"
-		exit 1
-	fi
-
-fi
-
-if [ "$addedIps" == "" ]
-then
-	addedIps="none"
-fi
-
-if [ "$removedIps" == "" ]
-then
-	removedIps="none"
-fi
-
-# iptables entry to ensure that haproxy receives traffic
-fw_entry $domRIp $addedIps $removedIps
-  	
-if [ $? -gt 0 ]
-then
-	if [ "$domRIp" != "none" ]
-  	then
-  		# Restore the LB
-  		restore_lb $domRIp
-  		# Revert iptables rules on DomR, with addedIps and removedIps swapped 
-  		fw_entry $domRIp $removedIps $addedIps
-  	fi
-  	
-  	exit 1
-fi
- 
-exit 0
-  	
-
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@ -787,6 +787,10 @@ public class NetUtils {
 		
    	return getIpRangeEndIpFromCidr(cidr, 32 - Long.parseLong(cidrPair[1]));
    }
+    
+    public static String portRangeToString(int portRange[]){
+        return Integer.toString(portRange[0]) + ":" + Integer.toString(portRange[1]);
+    }

    // test only
 	private static void configLog4j() {