From 7087116fcbabb4e02f1836607b4e83bc755c049e Mon Sep 17 00:00:00 2001
From: Naredula Janardhana Reddy
Date: Mon, 20 Feb 2012 16:16:53 +0530
Subject: [PATCH] Bug 13964: Summary of changes: Added Hairpin Nat.
- defined Harpin NAT function.
- Called Hairpin NAT while adding/deleting port forwading and Static NAT rules.
- added rules in IPtables config file, this will be iniated during bootup to forward New/established connectons from eth0 to eth0.
---
 .../debian/config/etc/iptables/iptables-router | 2 ++
 .../systemvm/debian/config/root/firewall.sh | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 5ac162a7b85..e1972e3a12d 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -22,6 +22,8 @@ COMMIT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 COMMIT
 *mangle
 :PREROUTING ACCEPT [0:0]
diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index a2637943c46..0d36b5532ba 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
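Review bot: The new `-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT` accepts every new connection the router forwards back onto the guest interface, not only the hairpinned port-forwarding traffic that doHairpinNat DNATs, so a guest that sends traffic for another guest through the VR could reach it on any port without a matching forwarding rule. The per-rule FORWARD ACCEPT that firewall.sh adds for port forwarding matches only `-i $dev` (the public side), so nothing else appears to constrain the eth0→eth0 path. Restricting the rule to connections that actually went through DNAT keeps the policy tied to the configured forwardings: `-A FORWARD -i eth0 -o eth0 -m conntrack --ctstate DNAT -j ACCEPT`, assuming the system VM's iptables ships the conntrack match. The RELATED,ESTABLISHED rule below it can stay as written.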
@@ -45,6 +45,22 @@ ip_to_dev() {
 return 1
 }
+doHairpinNat () {
+ local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' )
+ local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
+
+ local publicIp=$1
+ local prot=$2
+ local port=$3
+ local guestVmIp=$4
+ local guestPort=$(echo $5 | sed 's/:/-/')
+ local op=$6
+ logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
+ instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
+
+ (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $port -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+}
 #Port (address translation) forwarding for tcp or udp
 tcp_or_udp_entry() {
@@ -75,6 +91,7 @@ tcp_or_udp_entry() {
 --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
 (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
 --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
 (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \
 --destination-port $port -j DNAT \
 --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
@@ -138,6 +155,7 @@ one_to_one_fw_entry() {
 (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
 --destination-port $portRange -j DNAT \
 --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
 (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
 --destination-port $portRange -m state \
 --state NEW -j ACCEPT &>> $OUTFILE )
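Review bot: The POSTROUTING SNAT rule in doHairpinNat matches `--dport $port`, the public port, but nat POSTROUTING sees the packet after the PREROUTING DNAT has already rewritten its destination port to the guest port, so whenever public and private ports differ (`$3` versus `$5` in the port-forwarding case) the SNAT never applies, the target VM would answer the client directly from its private address, and the hairpinned connection cannot complete. The rule should match the translated port instead, e.g. `--dport $5` (the untouched colon-range form, since iptables port ranges use `:` while `--to-destination` uses `-`), or drop the port match and key on `-m conntrack --ctstate DNAT`. The logger line also reads `$proto` while the local is named `prot`, so the protocol is logged empty; use `proto=$prot`. `vrGuestIPNetwork` is built from `grep inet | grep eth0`, which yields several words if eth0 carries more than one IPv4 address, and the unquoted `-s $vrGuestIPNetwork` would then produce a malformed rule — worth pinning to the first match with `awk '/inet / {print $2; exit}'`.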
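Review bot: The new call passes its six arguments unquoted, `(doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&`, so if `$dport0` is ever empty the remaining arguments shift left and doHairpinNat reads `$op` as the guest port and an empty `$6` as the iptables operation, which fails the chain with a confusing iptables usage error rather than a clear message. Quoting keeps the positions stable: `(doHairpinNat "$publicIp" "$proto" "$port" "$instIp" "$dport0" "$op") &&`. `$dport0` is assigned outside this hunk, as is the rest of tcp_or_udp_entry, so whether it can be empty here is not visible from the diff.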
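Review bot: For static NAT the hairpin call hands `$portRange` to doHairpinNat as both the public and the guest port, and doHairpinNat always DNATs to `$instIp:$guestPort` (with `:` rewritten to `-`), whereas the non-hairpin PREROUTING rule three lines above translates to `--to-destination $instIp` and leaves the port untouched. If `$portRange` is a wide range (it is set outside this hunk, so its value is not visible here), the hairpin rule becomes a port-range DNAT rather than the plain address translation the existing rule implements, so the two paths can behave differently. Either let doHairpinNat emit `--to-destination $guestVmIp` when `$5` is empty and pass an empty guest port here, or add the 1:1 hairpin rule directly in this function mirroring the line above: `(sudo iptables -t nat $op PREROUTING -i eth0 -d $publicIp --proto $proto --destination-port $portRange -j DNAT --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&`. one_to_one_fw_entry starts and ends outside this hunk.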