CLOUDSTACK-9067 - Remove old script file from the project

- Java constants also removed
   - Project still compiling and all unit tests passing.
This commit is contained in:
Wilder Rodrigues 2015-11-17 12:14:56 +01:00
parent bf0c4f2ecb
commit 6477bd8ff7
16 changed files with 7 additions and 2819 deletions


@ -45,37 +45,25 @@ public class VRScripts {
// New scripts for use with chef
public static final String UPDATE_CONFIG = "update_config.py";
// Script still in use - mostly by HyperV
public static final String S2SVPN_CHECK = "checkbatchs2svpn.sh";
public static final String S2SVPN_IPSEC = "ipsectunnel.sh";
public static final String DHCP = "edithosts.sh";
public static final String DNSMASQ_CONFIG = "dnsmasq.sh";
public static final String FIREWALL_EGRESS = "firewall_egress.sh";
public static final String FIREWALL_INGRESS = "firewall_ingress.sh";
public static final String FIREWALL_NAT = "firewall_nat.sh";
public static final String IPALIAS_CREATE = "createipAlias.sh";
public static final String IPALIAS_DELETE = "deleteipAlias.sh";
public static final String IPASSOC = "ipassoc.sh";
public static final String LB = "loadbalancer.sh";
public static final String MONITOR_SERVICE = "monitor_service.sh";
public static final String ROUTER_ALERTS = "getRouterAlerts.sh";
public static final String PASSWORD = "savepassword.sh";
public static final String ROUTER_ALERTS = "getRouterAlerts.sh";
public static final String RVR_CHECK = "checkrouter.sh";
public static final String RVR_BUMPUP_PRI = "bumpup_priority.sh";
public static final String VMDATA = "vmdata.py";
public static final String RVR_BUMPUP_PRI = "bumpup_priority.sh";
public static final String VERSION = "get_template_version.sh";
public static final String VPC_ACL = "vpc_acl.sh";
public static final String VPC_GUEST_NETWORK = "vpc_guestnw.sh";
public static final String VPC_IPASSOC = "vpc_ipassoc.sh";
public static final String VPC_LB = "vpc_loadbalancer.sh";
public static final String VPC_PRIVATEGW = "vpc_privateGateway.sh";
public static final String VPC_PRIVATEGW_ACL = "vpc_privategw_acl.sh";
public static final String VPC_PORTFORWARDING = "vpc_portforwarding.sh";
public static final String VPC_SOURCE_NAT = "vpc_snat.sh";
public static final String VPC_STATIC_NAT = "vpc_staticnat.sh";
public static final String VPC_STATIC_ROUTE = "vpc_staticroute.sh";
public static final String VPN_L2TP = "vpn_l2tp.sh";
public static final String UPDATE_HOST_PASSWD = "update_host_passwd.sh";
public static final String VR_CFG = "vr_cfg.sh";
}
}


@ -24,8 +24,6 @@ import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
@ -83,9 +81,6 @@ import com.cloud.network.vpc.NetworkACLItem.TrafficType;
import com.cloud.network.vpc.VpcGateway;
import com.cloud.utils.ExecutionResult;
import com.cloud.utils.net.NetUtils;
import com.google.common.base.Function;
import com.google.common.base.Predicate;
import com.google.common.collect.Collections2;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(loader = AnnotationConfigContextLoader.class)
@ -154,18 +149,14 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
private void verifyFile(final NetworkElementCommand cmd, final String path, final String filename, final String content) {
if (cmd instanceof AggregationControlCommand) {
verifyFile((AggregationControlCommand)cmd, path, filename, content);
verifyFile(cmd, path, filename, content);
} else if (cmd instanceof LoadBalancerConfigCommand) {
verifyFile((LoadBalancerConfigCommand)cmd, path, filename, content);
}
}
protected void verifyCommand(final NetworkElementCommand cmd, final String script, final String args) {
if (cmd instanceof SetPortForwardingRulesVpcCommand) {
verifyArgs((SetPortForwardingRulesVpcCommand) cmd, script, args);
} else if (cmd instanceof SetPortForwardingRulesCommand) {
verifyArgs((SetPortForwardingRulesCommand) cmd, script, args);
} else if (cmd instanceof SetStaticRouteCommand) {
if (cmd instanceof SetStaticRouteCommand) {
verifyArgs((SetStaticRouteCommand) cmd, script, args);
} else if (cmd instanceof SetStaticNatRulesCommand) {
verifyArgs((SetStaticNatRulesCommand) cmd, script, args);
@ -175,18 +166,10 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
verifyArgs((SavePasswordCommand)cmd, script, args);
} else if (cmd instanceof DhcpEntryCommand) {
verifyArgs((DhcpEntryCommand)cmd, script, args);
} else if (cmd instanceof CreateIpAliasCommand) {
verifyArgs((CreateIpAliasCommand)cmd, script, args);
} else if (cmd instanceof DnsMasqConfigCommand) {
verifyArgs((DnsMasqConfigCommand)cmd, script, args);
} else if (cmd instanceof DeleteIpAliasCommand) {
verifyArgs((DeleteIpAliasCommand)cmd, script, args);
} else if (cmd instanceof VmDataCommand) {
verifyArgs((VmDataCommand)cmd, script, args);
} else if (cmd instanceof SetFirewallRulesCommand) {
verifyArgs((SetFirewallRulesCommand)cmd, script, args);
} else if (cmd instanceof BumpUpPriorityCommand) {
verifyArgs((BumpUpPriorityCommand)cmd, script, args);
} else if (cmd instanceof RemoteAccessVpnCfgCommand) {
verifyArgs((RemoteAccessVpnCfgCommand)cmd, script, args);
} else if (cmd instanceof VpnUsersCfgCommand) {
@ -229,11 +212,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertTrue(answer.getResult());
}
private void verifyArgs(final BumpUpPriorityCommand cmd, final String script, final String args) {
assertEquals(script, VRScripts.RVR_BUMPUP_PRI);
assertEquals(args, null);
}
@Test
public void testSetPortForwardingRulesVpcCommand() {
final SetPortForwardingRulesVpcCommand cmd = generateSetPortForwardingRulesVpcCommand();
@ -257,21 +235,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
private void verifyArgs(final SetPortForwardingRulesVpcCommand cmd, final String script, final String args) {
assertTrue(script.equals(VRScripts.VPC_PORTFORWARDING));
_count ++;
switch (_count) {
case 1:
assertEquals(args, "-A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80");
break;
case 2:
assertEquals(args, "-D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080");
break;
default:
fail("Failed to recongize the match!");
}
}
@Test
public void testSetPortForwardingRulesCommand() {
final SetPortForwardingRulesCommand cmd = generateSetPortForwardingRulesCommand();
@ -294,21 +257,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
private void verifyArgs(final SetPortForwardingRulesCommand cmd, final String script, final String args) {
assertTrue(script.equals(VRScripts.FIREWALL_NAT));
_count ++;
switch (_count) {
case 1:
assertEquals(args, "-A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80");
break;
case 2:
assertEquals(args, "-D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080");
break;
default:
fail("Failed to recongize the match!");
}
}
@Test
public void testIpAssocCommand() {
final IpAssocCommand cmd = generateIpAssocCommand();
@ -383,22 +331,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertEquals(VRScripts.UPDATE_CONFIG, script);
assertEquals(VRScripts.IP_ASSOCIATION_CONFIG, args);
break;
case 2:
assertEquals(script, VRScripts.VPC_PRIVATEGW);
assertEquals(args, " -A -l 64.1.1.10 -c eth2");
break;
case 3:
assertEquals(script, VRScripts.VPC_IPASSOC);
assertEquals(args, " -D -l 64.1.1.11 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0");
break;
case 4:
assertEquals(script, VRScripts.VPC_PRIVATEGW);
assertEquals(args, " -D -l 64.1.1.11 -c eth2");
break;
case 5:
assertEquals(script, VRScripts.VPC_IPASSOC);
assertEquals(args, " -A -l 65.1.1.11 -c eth2 -g 65.1.1.1 -m 24 -n 65.1.1.0");
break;
default:
fail("Failed to recongize the match!");
}
@ -676,17 +608,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
private void verifyArgs(final SetFirewallRulesCommand cmd, final String script, final String args) {
assertEquals(script, VRScripts.FIREWALL_INGRESS);
//Since the arguments are generated with a Set
//one can not make a bet on the order
assertTrue(args.startsWith(" -F -a "));
assertTrue(args.contains("64.10.10.10:ICMP:0:0:10.10.1.1/24-10.10.1.2/24:"));
assertTrue(args.contains("64.10.10.10:reverted:0:0:0:"));
assertTrue(args.contains("64.10.10.10:TCP:22:80:10.10.1.1/24-10.10.1.2/24:"));
}
@Test
public void testVmDataCommand() {
final Answer answer = _resource.executeRequest(generateVmDataCommand());
@ -804,11 +725,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
private void verifyArgs(final CreateIpAliasCommand cmd, final String script, final String args) {
assertEquals(script, VRScripts.IPALIAS_CREATE);
assertEquals(args, "1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-");
}
@Test
public void testDeleteIpAliasCommand() {
final Answer answer = _resource.executeRequest(generateDeleteIpAliasCommand());
@ -825,11 +741,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
return cmd;
}
private void verifyArgs(final DeleteIpAliasCommand cmd, final String script, final String args) {
assertEquals(script, VRScripts.IPALIAS_DELETE);
assertEquals(args, "1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-- 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-");
}
@Test
public void testDnsMasqConfigCommand() {
final Answer answer = _resource.executeRequest(generateDnsMasqConfigCommand());
@ -951,10 +862,6 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertEquals(script, VRScripts.LB);
assertEquals(args, " -i 10.1.10.2 -f " + _file + " -a 64.10.1.10:80:, -s 10.1.10.2:8081:0/0:,,");
break;
case 4:
assertEquals(script, VRScripts.VPC_LB);
assertEquals(args, " -i 10.1.10.2 -f " + _file + " -a 64.10.1.10:80:, -s 10.1.10.2:8081:0/0:,,");
break;
default:
fail();
}
@ -1009,122 +916,4 @@ public class VirtualRoutingResourceTest implements VirtualRouterDeployer {
assertTrue(args.startsWith("-c /var/cache/cloud/VR-"));
assertTrue(args.endsWith(".cfg"));
}
protected void verifyFile(final AggregationControlCommand cmd, final String path, final String filename, final String content) {
assertEquals(path, "/var/cache/cloud/");
assertTrue(filename.startsWith("VR-"));
assertTrue(filename.endsWith(".cfg"));
final Collection<String> filteredScripts = Collections2.transform(Collections2.filter (
Arrays.asList(content.split("</?script>")), new Predicate<String>() {
@Override
public boolean apply(final String str) {
return str.trim().startsWith("/opt/cloud");
}
}), new Function<String, String>() {
@Override
public String apply(final String str) {
return str.trim();
}
});
final String[] scripts = filteredScripts.toArray(new String[filteredScripts
.size()]);
assertEquals(
"/opt/cloud/bin/ipassoc.sh -A -s -f -l 64.1.1.10/24 -c eth2 -g 64.1.1.1",
scripts[0]);
assertEquals(
"/opt/cloud/bin/ipassoc.sh -D -l 64.1.1.11/24 -c eth2 -g 64.1.1.1",
scripts[1]);
assertEquals(
"/opt/cloud/bin/ipassoc.sh -A -l 65.1.1.11/24 -c eth2 -g 65.1.1.1",
scripts[2]);
assertEquals(
"/opt/cloud/bin/vpc_ipassoc.sh -A -l 64.1.1.10 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0",
scripts[3]);
assertEquals(
"/opt/cloud/bin/vpc_privateGateway.sh -A -l 64.1.1.10 -c eth2",
scripts[4]);
assertEquals(
"/opt/cloud/bin/vpc_ipassoc.sh -D -l 64.1.1.11 -c eth2 -g 64.1.1.1 -m 24 -n 64.1.1.0",
scripts[5]);
assertEquals(
"/opt/cloud/bin/vpc_privateGateway.sh -D -l 64.1.1.11 -c eth2",
scripts[6]);
assertEquals(
"/opt/cloud/bin/vpc_ipassoc.sh -A -l 65.1.1.11 -c eth2 -g 65.1.1.1 -m 24 -n 65.1.1.0",
scripts[7]);
//the list generated by SetFirewallCmd is actually generated through a Set
//therefore we can not bet on the order of the parameters
assertTrue(
scripts[8].matches("/opt/cloud/bin/firewall_ingress.sh -F -a .*"));
assertTrue(
scripts[8].contains("64.10.10.10:ICMP:0:0:10.10.1.1/24-10.10.1.2/24:"));
assertTrue(
scripts[8].contains("64.10.10.10:TCP:22:80:10.10.1.1/24-10.10.1.2/24:"));
assertTrue(
scripts[8].contains("64.10.10.10:reverted:0:0:0:"));
assertEquals(
"/opt/cloud/bin/firewall_nat.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80",
scripts[9]);
assertEquals(
"/opt/cloud/bin/firewall_nat.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080",
scripts[10]);
assertEquals(
"/opt/cloud/bin/vpc_portforwarding.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80",
scripts[11]);
assertEquals(
"/opt/cloud/bin/vpc_portforwarding.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080",
scripts[12]);
assertEquals(
"/opt/cloud/bin/createIpAlias.sh 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-",
scripts[13]);
assertEquals(
"/opt/cloud/bin/deleteIpAlias.sh 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-- 1:169.254.3.10:255.255.255.0-2:169.254.3.11:255.255.255.0-3:169.254.3.12:255.255.255.0-",
scripts[14]);
assertEquals(
"/opt/cloud/bin/dnsmasq.sh 10.1.20.2:10.1.20.1:255.255.255.0:10.1.20.5-10.1.21.2:10.1.21.1:255.255.255.0:10.1.21.5-",
scripts[15]);
assertEquals(
"/opt/cloud/bin/vpn_l2tp.sh -r 10.10.1.10-10.10.1.20 -p sharedkey -s 124.10.10.10 -l 10.10.1.1 -c -C 10.1.1.1/24 -i eth2",
scripts[16]);
assertEquals(
"/opt/cloud/bin/vpn_l2tp.sh -d -s 124.10.10.10 -C 10.1.1.1/24 -i eth2",
scripts[17]);
assertEquals(
"/opt/cloud/bin/vpn_l2tp.sh -r 10.10.1.10-10.10.1.20 -p sharedkey -s 124.10.10.10 -l 10.10.1.1 -c -C 10.1.1.1/24 -i eth1",
scripts[18]);
assertEquals(
"/opt/cloud/bin/firewall_nat.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22:80",
scripts[19]);
assertEquals(
"/opt/cloud/bin/firewall_nat.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080:8080",
scripts[20]);
assertEquals(
"/opt/cloud/bin/vpc_portforwarding.sh -A -P tcp -l 64.1.1.10 -p 22:80 -r 10.10.1.10 -d 22-80",
scripts[21]);
assertEquals(
"/opt/cloud/bin/vpc_portforwarding.sh -D -P udp -l 64.1.1.11 -p 8080:8080 -r 10.10.1.11 -d 8080-8080",
scripts[22]);
assertEquals(
"/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -4 10.1.10.2 -h vm1",
scripts[23]);
assertEquals(
"/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -h vm1 -6 2001:db8:0:0:0:ff00:42:8329 -u 00:03:00:01:12:34:56:78:90:AB",
scripts[24]);
assertEquals(
"/opt/cloud/bin/edithosts.sh -m 12:34:56:78:90:AB -4 10.1.10.2 -h vm1 -6 2001:db8:0:0:0:ff00:42:8329 -u 00:03:00:01:12:34:56:78:90:AB",
scripts[25]);
assertEquals("/opt/cloud/bin/savepassword.sh -v 10.1.10.4 -p 123pass",
scripts[26]);
assertEquals(
"/opt/cloud/bin/vmdata.py -d 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",
scripts[27]);
}
}
}
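Review bot: The `verifyFile(cmd, path, filename, content);` call in the `cmd instanceof AggregationControlCommand` branch of `verifyFile(NetworkElementCommand, …)` now resolves to the very method that contains it, because the `AggregationControlCommand` overload is deleted in this file's last hunk and `cmd` is statically a `NetworkElementCommand`, so any aggregated command routed through this verifier would recurse until `StackOverflowError`. The build presumably stays green only because no remaining test reaches that branch, which means the checks the deleted overload performed (cache path, `VR-*.cfg` filename, the ordered script list) are silently gone rather than replaced. If the aggregation content check is intentionally dropped, delete the branch; otherwise keep at least the cheap invariants the removed method asserted: `assertEquals("/var/cache/cloud/", path); assertTrue(filename.startsWith("VR-")); assertTrue(filename.endsWith(".cfg"));`. Which of the two printed lines is the new side is inferred from the page's old-then-new layout, and `verifyCommand`, which starts right after this method, continues past the hunk.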


@ -1,129 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
usage() {
printf " %s <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
}
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
PORTS_CONF=/etc/apache2/ports.conf
PORTS_CONF_BAK=/etc/ports.conf.bak
FAIL_DIR=/etc/failure_config
CMDLINE=$(cat /var/cache/cloud/cmdline | tr '\n' ' ')
if [ ! -d "$FAIL_DIR" ]
then
mkdir "$FAIL_DIR"
fi
#bakup ports.conf
cp "$PORTS_CONF" "$PORTS_CONF_BAK"
domain=$(echo "$CMDLINE" | grep -o " domain=.* " | sed -e 's/domain=//' | awk '{print $1}')
setup_apache2() {
local ip=$1
logger -t cloud "Setting up apache web server for $ip"
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ipAlias.${ip}.meta-data
cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
cp /etc/apache2/ports.conf /etc/apache2/conf.d/ports.${ip}.meta-data.conf
sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:80>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}.meta-data
sed -i -e "s/<VirtualHost.*>/<VirtualHost $ip:443>\nServerName $domain/" /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data
sed -i -e "/NameVirtualHost .*:80/d" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/ports.${ip}.meta-data.conf
ln -s /etc/apache2/sites-available/ipAlias.${ip}.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}.meta-data
ln -s /etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data /etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data
}
var="$1"
cert="/root/.ssh/id_rsa.cloud"
config_ips=""
setDnsRules=0
while [ -n "$var" ]
do
var1=$(echo $var | cut -f1 -d "-")
alias_count=$( echo $var1 | cut -f1 -d ":" )
routerip=$(echo $var1 | cut -f2 -d ":")
netmask=$(echo $var1 | cut -f3 -d ":")
ifconfig eth0:$alias_count $routerip netmask $netmask up
setup_apache2 "$routerip"
config_ips="${config_ips}"$routerip":"
var=$( echo $var | sed "s/${var1}-//" )
setDnsRules=1
done
#restarting the apache server for the config to take effect.
service apache2 restart
result=$?
if [ "$result" -ne "0" ]
then
logger -t cloud "createIpAlias.sh: could not configure apache2 server"
logger -t cloud "createIpAlias.sh: reverting to the old config"
logger -t cloud "createIpAlias.sh: moving out the failure config to $FAIL_DIR"
while [ -n "$config_ips" ]
do
ip=$( echo $config_ips | cut -f1 -d ":" )
mv "/etc/apache2/sites-available/ipAlias.${ip}.meta-data" "$FAIL_DIR/ipAlias.${ip}.meta-data"
mv "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data" "$FAIL_DIR/ipAlias.${ip}-ssl.meta-data"
mv "/etc/apache2/conf.d/ports.${ip}.meta-data.conf" "$FAIL_DIR/ports.${ip}.meta-data.conf"
rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
config_ips=$( echo $config_ips | sed "s/${ip}://" )
done
service apache2 restart
unlock_exit $result $lock $locked
fi
if [ "$setDnsRules" -eq 1 ]
then
//check wether chain exist
iptables-save -t filter | grep 'dnsIpAlias_allow'
if [ $? -eq 0 ]
then
iptables -F dnsIpAlias_allow
else
//if not exist create it
iptables -N dnsIpAlias_allow
iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
fi
for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
do
iptables -A dnsIpAlias_allow -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
iptables -A dnsIpAlias_allow -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
done
else
iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
iptables -X dnsIpAlias_allow
fi
#restaring the password service to enable it on the ip aliases
/etc/init.d/cloud-passwd-srvr restart
unlock_exit $? $lock $locked


@ -1,62 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
usage() {
printf " %s <alias_count:ip:netmask;alias_count2:ip2:netmask2;....> \n" $(basename $0) >&2
}
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
remove_apache_config() {
local ip=$1
logger -t cloud "removing apache web server config for $ip"
rm -f "/etc/apache2/sites-available/ipAlias.${ip}.meta-data"
rm -f "/etc/apache2/sites-available/ipAlias.${ip}-ssl.meta-data"
rm -f "/etc/apache2/conf.d/ports.${ip}.meta-data.conf"
rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}-ssl.meta-data"
rm -f "/etc/apache2/sites-enabled/ipAlias.${ip}.meta-data"
}
var="$1"
cert="/root/.ssh/id_rsa.cloud"
while [[ !( "$var" == "-" ) ]]
do
var1=$(echo $var | cut -f1 -d "-")
alias_count=$( echo $var1 | cut -f1 -d ":" )
routerip=$( echo $var1 | cut -f2 -d ":" )
ifconfig eth0:$alias_count down
remove_apache_config "$routerip"
var=$( echo $var | sed "s/${var1}-//" )
done
#restarting the apache server for the config to take effect.
service apache2 restart
releaseLockFile $lock $locked
iptables -F dnsIpAlias_allow
#recreating the active ip aliases
/opt/cloud/bin/createIpAlias.sh $2
unlock_exit $? $lock $locked


@ -1,188 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
# firewallRule_egress.sh -- allow some ports / protocols from vm instances
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
#set -x
usage() {
printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
}
fw_egress_remove_backup() {
# remove backup rules, ignore errors as they could not be present
sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES >/dev/null 2>&1
sudo iptables -F _FW_EGRESS_RULES >/dev/null 2>&1
sudo iptables -X _FW_EGRESS_RULES >/dev/null 2>&1
}
fw_egress_save() {
sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
}
fw_egress_chain () {
#supress errors 2>/dev/null
fw_egress_remove_backup
fw_egress_save
sudo iptables -N FW_EGRESS_RULES
sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
}
fw_egress_backup_restore() {
sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
fw_egress_remove_backup
}
fw_entry_for_egress() {
local rule=$1
local prot=$(echo $rule | cut -d: -f2)
local sport=$(echo $rule | cut -d: -f3)
local eport=$(echo $rule | cut -d: -f4)
local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
if [ "$sport" == "0" -a "$eport" == "0" ]
then
DPORT=""
else
DPORT="--dport $sport:$eport"
fi
logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"
for lcidr in $cidrs
do
[ "$prot" == "reverted" ] && continue;
if [ "$prot" == "icmp" ]
then
typecode="$sport/$eport"
[ "$eport" == "-1" ] && typecode="$sport"
[ "$sport" == "-1" ] && typecode="any"
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
-j $target
result=$?
elif [ "$prot" == "all" ]
then
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
result=$?
else
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr $DPORT -j $target
result=$?
fi
[ $result -gt 0 ] &&
logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
break
done
logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
return $result
}
aflag=0
rules=""
rules_list=""
ip=""
dev=""
pflag=0
shift
shift
while getopts 'a:P:' OPTION
do
case $OPTION in
a) aflag=1
rules="$OPTARG"
;;
P) pflag=1
pvalue="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
if [ "$aflag" != "1" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ -n "$rules" ]
then
rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
fi
# rule format
# protocal:sport:eport:cidr
#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
# if any entry is reverted , entry will be in the format reverted:0:0:0
# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
success=0
if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
then
target="DROP"
else
target="ACCEPT"
fi
fw_egress_chain
for r in $rules_list
do
fw_entry_for_egress $r
success=$?
if [ $success -gt 0 ]
then
logger -t cloud "failure to apply fw egress rules "
break
else
logger -t cloud "successful in applying fw egress rules"
fi
done
if [ $success -gt 0 ]
then
logger -t cloud "restoring from backup for guest network"
fw_egress_backup_restore
else
logger -t cloud "deleting backup for guest network"
if [ "$pvalue" == "1" ]
then
#Adding default policy rule
sudo iptables -A FW_EGRESS_RULES -j ACCEPT
fi
fi
fw_egress_remove_backup
unlock_exit $success $lock $locked


@ -1,202 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# firewall_rule.sh -- allow some ports / protocols to vm instances
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
}
#set -x
#FIXME: eating up the error code during execution of iptables
fw_remove_backup() {
local pubIp=$1
sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
}
fw_restore() {
local pubIp=$1
sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
}
fw_chain_for_ip () {
local pubIp=$1
fw_remove_backup $1
sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
# drop if no rules match (this will be the last rule in the chain)
sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
# ensure outgoing connections are maintained (first rule in chain)
sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
#ensure that this table is after VPN chain
sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
success=$?
if [ $success -gt 0 ]
then
# if VPN chain is not present for various reasons, try to add in to the first slot */
sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
fi
}
fw_entry_for_public_ip() {
local rules=$1
local pubIp=$(echo $rules | cut -d: -f1)
local prot=$(echo $rules | cut -d: -f2)
local sport=$(echo $rules | cut -d: -f3)
local eport=$(echo $rules | cut -d: -f4)
local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"
# note that rules are inserted after the RELATED,ESTABLISHED rule
# but before the DROP rule
for src in $scidrs
do
[ "$prot" == "reverted" ] && continue;
if [ "$prot" == "icmp" ]
then
typecode="$sport/$eport"
[ "$eport" == "-1" ] && typecode="$sport"
[ "$sport" == "-1" ] && typecode="any"
sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
--icmp-type $typecode -j RETURN
else
sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
--dport $sport:$eport -j RETURN
fi
result=$?
[ $result -gt 0 ] &&
logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
break
done
logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
return $result
}
get_vif_list() {
local vif_list=""
for i in /sys/class/net/eth*; do
vif=$(basename $i);
if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
then
vif_list="$vif_list $vif";
fi
done
if [ "$vif_list" == "" ]
then
vif_list="eth0"
fi
logger -t cloud "FirewallRule public interfaces = $vif_list"
echo $vif_list
}
shift
rules=
while getopts 'a:' OPTION
do
case $OPTION in
a) aflag=1
rules="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
VIF_LIST=$(get_vif_list)
if [ "$rules" == "" ]
then
rules="none"
fi
#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
# The reverted entries will fix the following partially
#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress does not appear in the current execution when compare to old one
# example : In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
# 1) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
# 2) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
success=0
publicIps=
rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
for r in $rules_list
do
pubIp=$(echo $r | cut -d: -f1)
publicIps="$pubIp $publicIps"
done
unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
for u in $unique_ips
do
fw_chain_for_ip $u
done
for r in $rules_list
do
pubIp=$(echo $r | cut -d: -f1)
fw_entry_for_public_ip $r
success=$?
if [ $success -gt 0 ]
then
logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
break
else
logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
fi
done
if [ $success -gt 0 ]
then
for p in $unique_ips
do
logger -t cloud "$(basename $0): restoring from backup for ip: $p"
fw_restore $p
done
fi
for p in $unique_ips
do
logger -t cloud "$(basename $0): deleting backup for ip: $p"
fw_remove_backup $p
done
unlock_exit $success $lock $locked


@ -1,358 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
# firewall.sh -- allow some ports / protocols to vm instances
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
vpnoutmark="0x525"
usage() {
printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
}
#set -x
get_dev_list() {
ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
}
ip_to_dev() {
local ip=$1
for dev in $DEV_LIST; do
ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
[ $? -eq 0 ] && echo $dev && return 0
done
return 1
}
doHairpinNat () {
local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
local publicIp=$1
local prot=$2
local port=$3
local guestVmIp=$4
local guestPort=$(echo $5 | sed 's/:/-/')
local op=$6
local destPort=$5
logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
if [ "$prot" == "all" ]
then
logger -t cloud "creating hairpin nat rules for static nat"
(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
else
(sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
fi
}
#Port (address translation) forwarding for tcp or udp
tcp_or_udp_entry() {
local instIp=$1
local dport0=$2
local dport=$(echo $2 | sed 's/:/-/')
local publicIp=$3
local port=$4
local op=$5
local proto=$6
local cidrs=$7
logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
local dev=$(ip_to_dev $publicIp)
local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
# shortcircuit the process if error and it is an append operation
# continue if it is delete
(sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
--destination-port $port -j DNAT \
--to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
--destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
--destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
(doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
(sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \
--destination-port $port -j DNAT \
--to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
--state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp \
--destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE)
local result=$?
logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
return $result
}
#Forward icmp
icmp_entry() {
local instIp=$1
local icmptype=$2
local publicIp=$3
local op=$4
logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
local dev=$(ip_to_dev $publicIp)
sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE
result=$?
logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
return $result
}
one_to_one_fw_entry() {
local publicIp=$1
local instIp=$2
local proto=$3
local portRange=$4
local op=$5
logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
instance ip=$instIp proto=$proto portRange=$portRange op=$op"
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D"
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
local dev=$(ip_to_dev $publicIp)
[ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
# shortcircuit the process if error and it is an append operation
# continue if it is delete
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
--destination-port $portRange -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
--destination-port $portRange -m state \
--state NEW -j ACCEPT &>> $OUTFILE )
result=$?
logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
return $result
}
fw_chain_for_ip() {
local pubIp=$1
if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
then
logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
(sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
(sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
(sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
return $?
fi
logger -t cloud "fw chain for $pubIp already exists"
return 0
}
static_nat() {
local publicIp=$1
local instIp=$2
local op=$3
local op2="-D"
local rulenum=
local proto="all"
logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
instance ip=$instIp op=$op"
#TODO check error below
fw_chain_for_ip $publicIp
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
[ "$op" == "-A" ] && op2="-I"
if [ "$op" == "-A" ]
then
# put static nat rule one rule after VPN no-NAT rule
# rule chain can be used to improve it later
iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
if [ $? -eq 0 ]
then
rulenum=2
else
rulenum=1
fi
fi
local dev=$(ip_to_dev $publicIp)
[ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
# shortcircuit the process if error and it is an append operation
# continue if it is delete
(sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
-j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
-m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
-j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
-m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp -m state \
--state NEW -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
-o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
result=$?
logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
return $result
}
rflag=
Pflag=
pflag=
tflag=
lflag=
dflag=
sflag=
Gflag=
op=""
while getopts 'ADr:P:p:t:l:d:s:G' OPTION
do
case $OPTION in
A) op="-A"
;;
D) op="-D"
;;
r) rflag=1
instanceIp="$OPTARG"
;;
P) Pflag=1
protocol="$OPTARG"
;;
p) pflag=1
ports="$OPTARG"
;;
t) tflag=1
icmptype="$OPTARG"
;;
l) lflag=1
publicIp="$OPTARG"
;;
s) sflag=1
cidrs="$OPTARG"
;;
d) dflag=1
dport="$OPTARG"
;;
G) Gflag=1
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
DEV_LIST=$(get_dev_list)
OUTFILE=$(mktemp)
#Firewall ports for one-to-one/static NAT
if [ "$Gflag" == "1" ]
then
if [ "$protocol" == "" ]
then
static_nat $publicIp $instanceIp $op
else
one_to_one_fw_entry $publicIp $instanceIp $protocol $dport $op
fi
result=$?
if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
cat $OUTFILE >&2
fi
rm -f $OUTFILE
if [ "$op" == "-D" ];then
result=0
fi
unlock_exit $result $lock $locked
fi
if [ "$sflag" != "1" ]
then
cidrs="0/0"
fi
case $protocol in
tcp|udp)
tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
result=$?
if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
cat $OUTFILE >&2
fi
rm -f $OUTFILE
if [ "$op" == "-D" ];then
result=0
fi
unlock_exit $result $lock $locked
;;
"icmp")
icmp_entry $instanceIp $icmptype $publicIp $op
if [ "$op" == "-D" ];then
result=0
fi
unlock_exit $? $lock $locked
;;
*)
printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
unlock_exit 5 $lock $locked
;;
esac
unlock_exit 0 $lock $locked


@ -1,55 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# getRouterAlerts.sh --- Send the alerts from routerServiceMonitor.log to Management Server
#set -x
filename=/var/log/routerServiceMonitor.log #Monitor service log file
if [ -n "$1" -a -n "$2" ]
then
reqDateVal=$(date -d "$1 $2" "+%s");
else
reqDateVal=0
fi
if [ -f $filename ]
then
while read line
do
if [ -n "$line" ]
then
dateval=`echo $line |awk '{print $1, $2}'`
IFS=',' read -a array <<< "$dateval"
dateval=${array[0]}
toDateVal=$(date -d "$dateval" "+%s")
if [ "$toDateVal" -gt "$reqDateVal" ]
then
alerts="$line\n$alerts"
else
break
fi
fi
done < <(tac $filename)
fi
if [ -n "$alerts" ]; then
echo $alerts
else
echo "No Alerts"
fi


@ -1,250 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# firewall_rule.sh -- allow some ports / protocols to vm instances
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
}
#set -x
#FIXME: eating up the error code during execution of iptables
acl_switch_to_new() {
sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
sudo iptables-save | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
do
rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
sudo iptables $rule1
rule2=$(echo $rule | sed 's/\-A/\-D/')
sudo iptables $rule2
done
sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_remove_backup() {
sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_remove() {
sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
}
acl_restore() {
acl_remove
sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
}
acl_save() {
acl_remove_backup
sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_chain_for_guest_network () {
acl_save
# inbound
sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
# drop if no rules match (this will be the last rule in the chain)
sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
# outbound
sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
}
acl_entry_for_guest_network() {
local rule=$1
local ttype=$(echo $rule | cut -d: -f1)
local prot=$(echo $rule | cut -d: -f2)
local sport=$(echo $rule | cut -d: -f3)
local eport=$(echo $rule | cut -d: -f4)
local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
local action=$(echo $rule | cut -d: -f6)
if [ "$sport" == "0" -a "$eport" == "0" ]
then
DPORT=""
else
DPORT="--dport $sport:$eport"
fi
logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
# note that rules are inserted after the RELATED,ESTABLISHED rule
# but before the DROP rule
for lcidr in $cidrs
do
[ "$prot" == "reverted" ] && continue;
if [ "$prot" == "icmp" ]
then
typecode="$sport/$eport"
[ "$eport" == "-1" ] && typecode="$sport"
[ "$sport" == "-1" ] && typecode="any"
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
--icmp-type $typecode -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
--icmp-type $typecode -j $action
fi
else
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
$DPORT -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
$DPORT -j $action
fi
fi
result=$?
[ $result -gt 0 ] &&
logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
break
done
logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"
return $result
}
dflag=0
gflag=0
aflag=0
Mflag=0
rules=""
rules_list=""
ip=""
dev=""
mac=""
while getopts 'd:i:m:M:a:' OPTION
do
case $OPTION in
d) dflag=1
dev="$OPTARG"
;;
i) iflag=1
ip="$OPTARG"
;;
m) mflag=1
mask="$OPTARG"
;;
M) Mflag=1
mac="$OPTARG"
;;
a) aflag=1
rules="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
if [ "$dflag$iflag$mflag$aflag" != "1111" ]
then
usage
unlock_exit 2 $lock $locked
fi
# override dev with mac address match, if provided
if [[ ! -z "$mac" ]]; then
logger -t cloud "$(basename $0): mac $mac passed, trying to match to device"
for i in `ls /sys/class/net`; do
if grep -q $mac /sys/class/net/$i/address; then
dev=$i
logger -t cloud "$(basename $0): matched dev $i to mac $mac, dev is now $dev"
break
fi
done
fi
gcidr="$ip/$mask"
if [ -n "$rules" ]
then
rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
fi
# rule format
# protocal:sport:eport:cidr
#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
success=0
acl_chain_for_guest_network
egress=0
for r in $rules_list
do
acl_entry_for_guest_network $r
success=$?
if [ $success -gt 0 ]
then
logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
break
else
logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
fi
done
if [ $success -gt 0 ]
then
logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
acl_restore
else
logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
if [ $egress -eq 0 ]
then
sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
else
sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
fi
acl_switch_to_new
fi
unlock_exit $success $lock $locked


@ -1,316 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# guestnw.sh -- create/destroy guest network
# @VERSION@
source /root/func.sh
source /opt/cloud/bin/vpc_func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage:\n %s -A -M <mac> -d <dev> -i <ip address> -g <gateway> -m <network mask> -s <dns ip> -e < domain> [-f] \n" $(basename $0) >&2
printf " %s -D -d <dev> -i <ip address> \n" $(basename $0) >&2
}
destroy_acl_chain() {
sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
}
create_acl_chain() {
destroy_acl_chain
sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
# drop if no rules match (this will be the last rule in the chain)
sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
}
setup_apache2() {
logger -t cloud "Setting up apache web server for $dev"
cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
sed -i -e "s/<VirtualHost.*:80>/<VirtualHost $ip:80>/" /etc/apache2/conf.d/vhost$dev.conf
sed -i -e "s/<VirtualHost.*:443>/<VirtualHost $ip:443>/" /etc/apache2/conf.d/vhost$dev.conf
sed -i -e "s/\tServerName.*/\tServerName vhost$dev.cloudinternal.com/" /etc/apache2/conf.d/vhost$dev.conf
sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
service apache2 restart
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
}
desetup_apache2() {
logger -t cloud "Desetting up apache web server for $dev"
rm -f /etc/apache2/conf.d/vhost$dev.conf
service apache2 restart
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
}
setup_dnsmasq() {
logger -t cloud "Setting up dnsmasq for network $ip/$mask "
# setup rules to allow dhcp/dns request
sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
# setup static
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
# setup DOMAIN
[ -z $DOMAIN ] && DOMAIN="cloudnine.internal"
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,15.*$/d" /etc/dnsmasq.d/cloud.conf
echo "dhcp-option=tag:interface-$dev,15,$DOMAIN" >> /etc/dnsmasq.d/cloud.conf
service dnsmasq restart
sleep 1
}
desetup_dnsmasq() {
logger -t cloud "Desetting up dnsmasq for network $ip/$mask "
# remove rules to allow dhcp/dns request
sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
service dnsmasq restart
sleep 1
}
setup_passwdsvcs() {
logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
}
desetup_passwdsvcs() {
logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
pid=`ps -ef | grep passwd_server_ip.py | grep $ip | grep -v grep | awk '{print $2}'`
if [ -n "$pid" ]
then
kill -9 $pid
fi
}
create_guest_network() {
# need to wait for eth device to appear before configuring it
timer=0
# match dev based on mac, if passed
if [[ ! -z "$mac" ]]; then
logger -t cloud "$(basename $0): mac $mac passed, trying to match to device"
while [ ! $timer -gt 15 ]; do
for i in `ls /sys/class/net`; do
if grep -q $mac /sys/class/net/$i/address; then
dev=$i
logger -t cloud "$(basename $0): matched dev $i to mac $mac, dev is now $dev"
timer=15
break
fi
done
sleep 1;
timer=$[timer + 1]
done
else
while ! `grep -q $dev /proc/net/dev` ; do
logger -t cloud "$(basename $0):Waiting for interface $dev to appear, $timer seconds"
sleep 1;
if [ $timer -gt 15 ]; then
logger -t cloud "$(basename $0):interface $dev never appeared"
break
fi
timer=$[timer + 1]
done
fi
logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
# setup ip configuration
sudo ip addr add dev $dev $ip/$mask brd +
sudo ip link set $dev up
sudo arping -c 3 -I $dev -A -U -s $ip $ip
echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter
# restore mark from connection mark
local tableName="Table_$dev"
sudo ip route add $subnet/$mask dev $dev table $tableName proto static
sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
# set up hairpin
sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
create_acl_chain
setup_dnsmasq
setup_apache2
setup_passwdsvcs
#enable rps, rfs
enable_rpsrfs $dev
}
enable_rpsrfs() {
if [ -f /etc/rpsrfsenable ]
then
enable=$(cat /etc/rpsrfsenable)
if [ $enable -eq 0 ]
then
return 0
fi
else
return 0
fi
proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
if [ $proc -le 1 ]
then
return 0
fi
dev=$1
num=1
num=$(($num<<$proc))
num=$(($num-1));
echo $num;
hex=$(printf "%x\n" $num)
echo $hex;
#enable rps
echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
#enble rfs
rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
if [ $rps_flow_entries -eq 0 ]
then
echo 256 > /proc/sys/net/core/rps_sock_flow_entries
fi
echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
}
destroy_guest_network() {
logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
sudo ip addr del dev $dev $ip/$mask
sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
destroy_acl_chain
desetup_dnsmasq
desetup_apache2
desetup_passwdsvcs
}
#set -x
iflag=0
mflag=0
nflag=0
dflag=
gflag=
Cflag=
Dflag=
Mflag=
op=""
while getopts 'CDn:m:M:d:i:g:s:e:' OPTION
do
case $OPTION in
C) Cflag=1
op="-C"
;;
D) Dflag=1
op="-D"
;;
n) nflag=1
subnet="$OPTARG"
;;
m) mflag=1
mask="$OPTARG"
;;
M) Mflag=1
mac="$OPTARG"
;;
d) dflag=1
dev="$OPTARG"
;;
i) iflag=1
ip="$OPTARG"
;;
g) gflag=1
gw="$OPTARG"
;;
s) sflag=1
DNS="$OPTARG"
;;
e) eflag=1
DOMAIN="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
vpccidr=$(getVPCcidr)
if [ "$Cflag$Dflag$dflag" != "11" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$Cflag" == "1" ] && [ "$iflag$gflag$mflag" != "111" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$Cflag" == "1" ]
then
create_guest_network
fi
if [ "$Dflag" == "1" ]
then
destroy_guest_network
fi
unlock_exit 0 $lock $locked


@ -1,223 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# ipassoc.sh -- associate/disassociate a public ip with an instance
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage:\n %s -A -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
printf " %s -D -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
}
add_routing() {
logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
local tableName="Table_$ethDev"
sudo ip route add $subnet/$mask dev $ethDev table $tableName proto static
sudo ip route add default via $defaultGwIP table $tableName proto static
sudo ip route flush cache
sudo ip route | grep default
if [ $? -gt 0 ]
then
sudo ip route add default via $defaultGwIP
fi
return 0
}
remove_routing() {
return 0
}
add_an_ip () {
# need to wait for eth device to appear before configuring it
timer=0
while ! `grep -q $ethDev /proc/net/dev` ; do
logger -t cloud "$(basename $0):Waiting for interface $ethDev to appear, $timer seconds"
sleep 1;
if [ $timer -gt 15 ]; then
logger -t cloud "$(basename $0):interface $ethDev never appeared"
break
fi
timer=$[timer + 1]
done
logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
sudo ip link show $ethDev | grep "state DOWN" > /dev/null
local old_state=$?
sudo ip addr add dev $ethDev $pubIp/$mask brd +
if [ $old_state -eq 0 ]
then
sudo ip link set $ethDev up
fi
sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
sudo arping -c 1 -I $ethDev -A -U -s $pubIp $pubIp
local tableNo=${ethDev:3}
sudo iptables-save -t mangle | grep "PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-xmark" 2>/dev/null
if [ $? -gt 0 ]
then
sudo iptables -t mangle -A PREROUTING -i $ethDev -m state --state NEW -j CONNMARK --set-mark $tableNo 2>/dev/null
fi
enable_rpsrfs $ethDev
add_routing
return $?
}
enable_rpsrfs() {
if [ -f /etc/rpsrfsenable ]
then
enable=$(cat /etc/rpsrfsenable)
if [ $enable -eq 0 ]
then
return 0
fi
else
return 0
fi
proc=$(cat /proc/cpuinfo | grep "processor" | wc -l)
if [ $proc -le 1 ]
then
return 0
fi
dev=$1
num=1
num=$(($num<<$proc))
num=$(($num-1));
echo $num;
hex=$(printf "%x\n" $num)
echo $hex;
#enable rps
echo $hex > /sys/class/net/$dev/queues/rx-0/rps_cpus
#enble rfs
rps_flow_entries=$(cat /proc/sys/net/core/rps_sock_flow_entries)
if [ $rps_flow_entries -eq 0 ]
then
echo 256 > /proc/sys/net/core/rps_sock_flow_entries
fi
if [ $(cat /sys/class/net/$dev/queues/rx-0/rps_flow_cnt) -eq 0 ]
then
echo 256 > /sys/class/net/$dev/queues/rx-0/rps_flow_cnt
fi
}
remove_an_ip () {
logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
local existingIpMask=$(sudo ip addr show dev $ethDev | grep -v "inet6" | grep "inet " | awk '{print $2}')
sudo ip addr del dev $ethDev $pubIp/$mask
# reapply IPs in this interface
for ipMask in $existingIpMask
do
if [ "$ipMask" == "$pubIp/$mask" ]
then
continue
fi
sudo ip addr add dev $ethDev $ipMask brd +
done
remove_routing
return 0
}
#set -x
lflag=0
cflag=0
gflag=0
mflag=0
nflag=0
op=""
while getopts 'ADl:c:g:m:n:' OPTION
do
case $OPTION in
A) Aflag=1
op="-A"
;;
D) Dflag=1
op="-D"
;;
l) lflag=1
pubIp="$OPTARG"
;;
c) cflag=1
ethDev="$OPTARG"
;;
g) gflag=1
defaultGwIP="$OPTARG"
;;
m) mflag=1
mask="$OPTARG"
;;
n) nflag=1
subnet="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
if [ "$Aflag$Dflag" != "1" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$lflag$cflag$gflag$mflag$nflag" != "11111" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$Aflag" == "1" ]
then
add_an_ip
unlock_exit $? $lock $locked
fi
if [ "$Dflag" == "1" ]
then
remove_an_ip
unlock_exit $? $lock $locked
fi
unlock_exit 1 $lock $locked


@ -1,229 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# @VERSION@
do_ilb_if_ilb () {
local typ=""
local pattern="type=(.*)"
for keyval in $(cat /var/cache/cloud/cmdline)
do
if [[ $keyval =~ $pattern ]]; then
typ=${BASH_REMATCH[1]};
fi
done
if [ "$typ" == "ilbvm" ]
then
logger -t cloud "$(basename $0): Detected that we are running in an internal load balancer vm"
$(dirname $0)/ilb.sh "$@"
exit $?
fi
}
logger -t cloud "$(basename $0): Entering $(dirname $0)/$(basename $0)"
do_ilb_if_ilb "$@"
source /root/func.sh
source /opt/cloud/bin/vpc_func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: -i <domR eth1 ip> -a <added public ip address ip:port> -d <removed ip:port> -f <load balancer config> -s <stats ip ip:port:cidr> \n" $(basename $0) >&2
}
# set -x
fw_remove_backup() {
sudo iptables -F back_load_balancer 2> /dev/null
sudo iptables -D INPUT -p tcp -j back_load_balancer 2> /dev/null
sudo iptables -X back_load_balancer 2> /dev/null
sudo iptables -F back_lb_stats 2> /dev/null
sudo iptables -D INPUT -p tcp -j back_lb_stats 2> /dev/null
sudo iptables -X back_lb_stats 2> /dev/null
}
fw_remove() {
sudo iptables -F load_balancer 2> /dev/null
sudo iptables -D INPUT -p tcp -j load_balancer 2> /dev/null
sudo iptables -X load_balancer 2> /dev/null
sudo iptables -F lb_stats 2> /dev/null
sudo iptables -D INPUT -p tcp -j lb_stats 2> /dev/null
sudo iptables -X lb_stats 2> /dev/null
}
fw_backup() {
fw_remove_backup
sudo iptables -E load_balancer back_load_balancer 2> /dev/null
sudo iptables -E lb_stats back_lb_stats 2> /dev/null
}
fw_restore() {
fw_remove
sudo iptables -E back_load_balancer load_balancer 2> /dev/null
sudo iptables -E back_lb_stats lb_stats 2> /dev/null
}
fw_chain_create () {
fw_backup
sudo iptables -N load_balancer 2> /dev/null
sudo iptables -A INPUT -p tcp -j load_balancer 2> /dev/null
sudo iptables -N lb_stats 2> /dev/null
sudo iptables -A INPUT -p tcp -j lb_stats 2> /dev/null
}
# firewall entry to ensure that haproxy can receive on specified port
fw_entry() {
local added=$1
local removed=$2
local stats=$3
if [ "$added" == "none" ]
then
added=""
fi
if [ "$removed" == "none" ]
then
removed=""
fi
local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
fw_chain_create
success=0
while [ 1 ]
do
for i in $a
do
local pubIp=$(echo $i | cut -d: -f1)
local dport=$(echo $i | cut -d: -f2)
sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACL_INBOUND_$dev 2>/dev/null
success=$?
if [ $success -gt 0 ]
then
break
fi
done
if [ "$stats" != "none" ]
then
local pubIp=$(echo $stats | cut -d: -f1)
local dport=$(echo $stats | cut -d: -f2)
local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
sudo iptables -A lb_stats -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
success=$?
fi
break
done
if [ $success -gt 0 ]
then
fw_restore
else
fw_remove_backup
fi
return $success
}
#Hot reconfigure HA Proxy in the routing domain
reconfig_lb() {
logger -t cloud "Reconfiguring loadbalancer using $1"
/root/reconfigLB.sh $1
return $?
}
# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
restore_lb() {
logger -t cloud "Restoring HA Proxy to previous state"
# Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
if [ $? -eq 0 ]
then
# Run reconfigLB.sh again
/root/reconfigLB.sh /etc/haproxy/haproxy.cfg.new
fi
}
iflag=
aflag=
dflag=
fflag=
sflag=
while getopts 'i:a:d:f:s:' OPTION
do
case $OPTION in
i) iflag=1
ip="$OPTARG"
;;
a) aflag=1
addedIps="$OPTARG"
;;
d) dflag=1
removedIps="$OPTARG"
;;
s) sflag=1
statsIp="$OPTARG"
;;
f) fflag=1
cfgfile="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
dev=$(getEthByIp $ip)
if [ "$addedIps" == "" ]
then
addedIps="none"
fi
if [ "$removedIps" == "" ]
then
removedIps="none"
fi
# hot reconfigure haproxy
reconfig_lb $cfgfile
if [ $? -gt 0 ]
then
logger -t cloud "Reconfiguring loadbalancer failed"
unlock_exit 1 $lock $locked
fi
# iptables entry to ensure that haproxy receives traffic
fw_entry $addedIps $removedIps $statsIp
result=$?
if [ $result -gt 0 ]
then
logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
# Restore the LB
restore_lb
fi
unlock_exit $result $lock $locked


@ -1,126 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
}
#set -x
#Port (address translation) forwarding for tcp or udp
tcp_or_udp_nat() {
local op=$1
local proto=$2
local publicIp=$3
local ports=$4
local instIp=$5
local dports=$6
logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && tcp_or_udp_nat "-D" $proto $publicIp $ports $instIp $dports
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
# shortcircuit the process if error and it is an append operation
# continue if it is delete
local PROTO=""
if [ "$proto" != "any" ]
then
PROTO="--proto $proto"
fi
local DEST_PORT=""
if [ "$ports" != "any" ]
then
DEST_PORT="--destination-port $ports"
fi
local TO_DEST="--to-destination $instIp"
if [ "$dports" != "any" ]
then
TO_DEST="--to-destination $instIp:$dports"
fi
sudo iptables -t nat $op PREROUTING $PROTO -d $publicIp $DEST_PORT -j DNAT \
$TO_DEST &>> $OUTFILE
local result=$?
logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
# the rule may not exist
if [ "$op" == "-D" ]
then
return 0
fi
return $result
}
rflag=
Pflag=
pflag=
lflag=
dflag=
op=""
protocal="any"
ports="any"
dports="any"
while getopts 'ADr:P:p:l:d:' OPTION
do
case $OPTION in
A) op="-A"
;;
D) op="-D"
;;
r) rflag=1
instanceIp="$OPTARG"
;;
P) Pflag=1
protocol="$OPTARG"
;;
p) pflag=1
ports="$OPTARG"
;;
l) lflag=1
publicIp="$OPTARG"
;;
d) dflag=1
dports="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
OUTFILE=$(mktemp)
tcp_or_udp_nat $op $protocol $publicIp $ports $instanceIp $dports
result=$?
unlock_exit $result $lock $locked


@ -1,98 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage:\n %s -A -l <public-ip-address>\n" $(basename $0) >&2
printf " %s -D -l <public-ip-address>\n" $(basename $0) >&2
}
add_snat() {
logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
sudo iptables -t nat -A POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
return $?
}
remove_snat() {
logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
return $?
}
#set -x
lflag=0
cflag=0
op=""
while getopts 'ADl:c:' OPTION
do
case $OPTION in
A) Aflag=1
op="-A"
;;
D) Dflag=1
op="-D"
;;
l) lflag=1
pubIp="$OPTARG"
;;
c) cflag=1
ethDev="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
if [ "$Aflag$Dflag" != "1" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$lflag$cflag" != "11" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ "$Aflag" == "1" ]
then
add_snat $publicIp
unlock_exit $? $lock $locked
fi
if [ "$Dflag" == "1" ]
then
remove_snat $publicIp
unlock_exit $? $lock $locked
fi
unlock_exit 1 $lock $locked


@ -1,229 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# vpc_privategw_acl.sh_rule.sh -- allow/block some ports / protocols to vm instances
# @VERSION@
source /root/func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
}
#set -x
#FIXME: eating up the error code during execution of iptables
acl_switch_to_new() {
sudo iptables -D FORWARD -o $dev -j _ACL_INBOUND_$dev 2>/dev/null
sudo iptables-save | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
do
rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
sudo iptables $rule1
rule2=$(echo $rule | sed 's/\-A/\-D/')
sudo iptables $rule2
done
sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_remove_backup() {
sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -D FORWARD -o $dev -j _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j _ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_remove() {
sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
sudo iptables -D FORWARD -o $dev -j ACL_INBOUND_$dev 2>/dev/null
sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
}
acl_restore() {
acl_remove
sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
}
acl_save() {
acl_remove_backup
sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
}
acl_chain_for_guest_network () {
acl_save
# inbound
sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
# drop if no rules match (this will be the last rule in the chain)
sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
sudo iptables -A FORWARD -o $dev -j ACL_INBOUND_$dev 2>/dev/null
# outbound
sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -j ACL_OUTBOUND_$dev 2>/dev/null
}
acl_entry_for_guest_network() {
local rule=$1
local ttype=$(echo $rule | cut -d: -f1)
local prot=$(echo $rule | cut -d: -f2)
local sport=$(echo $rule | cut -d: -f3)
local eport=$(echo $rule | cut -d: -f4)
local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
local action=$(echo $rule | cut -d: -f6)
if [ "$sport" == "0" -a "$eport" == "0" ]
then
DPORT=""
else
DPORT="--dport $sport:$eport"
fi
logger -t cloud "$(basename $0): enter apply acl rules on private gateway interface : $dev, inbound:$inbound:$prot:$sport:$eport:$cidrs"
# note that rules are inserted after the RELATED,ESTABLISHED rule
# but before the DROP rule
for lcidr in $cidrs
do
[ "$prot" == "reverted" ] && continue;
if [ "$prot" == "icmp" ]
then
typecode="$sport/$eport"
[ "$eport" == "-1" ] && typecode="$sport"
[ "$sport" == "-1" ] && typecode="any"
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
--icmp-type $typecode -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
--icmp-type $typecode -j $action
fi
else
if [ "$ttype" == "Ingress" ]
then
sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
$DPORT -j $action
else
let egress++
sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
$DPORT -j $action
fi
fi
result=$?
[ $result -gt 0 ] &&
logger -t cloud "Error adding iptables entry for private gateway interface : $dev,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
break
done
logger -t cloud "$(basename $0): exit apply acl rules for private gw interface : $dev"
return $result
}
dflag=0
gflag=0
aflag=0
mflag=0
rules=""
rules_list=""
dev=""
mac=""
while getopts 'd:a:M:' OPTION
do
case $OPTION in
d) dflag=1
dev="$OPTARG"
;;
a) aflag=1
rules="$OPTARG"
;;
M) mflag=1
mac="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
if [ "$dflag$aflag" != "11" ]
then
usage
unlock_exit 2 $lock $locked
fi
if [ -n "$rules" ]
then
rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
fi
# rule format
# protocal:sport:eport:cidr
#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
success=0
acl_chain_for_guest_network
egress=0
for r in $rules_list
do
acl_entry_for_guest_network $r
success=$?
if [ $success -gt 0 ]
then
logger -t cloud "$(basename $0): failure to apply acl rules on private gateway interface : $dev"
break
else
logger -t cloud "$(basename $0): successful in applying acl rules on private gateway interface : $dev"
fi
done
if [ $success -gt 0 ]
then
logger -t cloud "$(basename $0): restoring from backup on private gateway interface : $dev"
acl_restore
else
logger -t cloud "$(basename $0): deleting backup on private gateway interface : $dev"
if [ $egress -eq 0 ]
then
sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
else
sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
fi
acl_switch_to_new
fi
unlock_exit $success $lock $locked


@ -1,124 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# @VERSION@
source /root/func.sh
source /opt/cloud/bin/vpc_func.sh
lock="biglock"
locked=$(getLockFile $lock)
if [ "$locked" != "1" ]
then
exit 1
fi
usage() {
printf "Usage: %s: (-A|-D) -r <target-instance-ip> -l <public ip address> -d < eth device> \n" $(basename $0) >&2
}
#set -x
vpnoutmark="0x525"
static_nat() {
local op=$1
local publicIp=$2
local instIp=$3
local op2="-D"
local tableNo=${ethDev:3}
logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
instance ip=$instIp op=$op"
#if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
[ "$op" == "-A" ] && op2="-I"
if [ "$op" == "-A" ]
then
# put static nat rule one rule after VPN no-NAT rule
# rule chain can be used to improve it later
iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
if [ $? -eq 0 ]
then
rulenum=2
else
rulenum=1
fi
fi
# shortcircuit the process if error and it is an append operation
# continue if it is delete
(sudo iptables -t nat $op PREROUTING -d $publicIp -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
# add mark to force the package go out through the eth the public IP is on
#(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
# --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
--to-source $publicIp &>> $OUTFILE )
result=$?
logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
if [ "$op" == "-D" ]
then
return 0
fi
return $result
}
rflag=
lflag=
dflag=
op=""
while getopts 'ADr:l:' OPTION
do
case $OPTION in
A) op="-A"
;;
D) op="-D"
;;
r) rflag=1
instanceIp="$OPTARG"
;;
l) lflag=1
publicIp="$OPTARG"
;;
?) usage
unlock_exit 2 $lock $locked
;;
esac
done
ethDev=$(getEthByIp $publicIp)
result=$?
if [ $result -gt 0 ]
then
if [ "$op" == "-D" ]
then
removeRulesForIp $publicIp
unlock_exit 0 $lock $locked
else
unlock_exit $result $lock $locked
fi
fi
OUTFILE=$(mktemp)
static_nat $op $publicIp $instanceIp
result=$?
unlock_exit $result $lock $locked