diff --git a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java index 428043b8fb2..d66c91c803f 100644 --- a/api/src/com/cloud/agent/api/to/FirewallRuleTO.java +++ b/api/src/com/cloud/agent/api/to/FirewallRuleTO.java @@ -20,6 +20,7 @@ package com.cloud.agent.api.to; import com.cloud.network.IpAddress; import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.FirewallRule.State; +import com.cloud.utils.net.NetUtils; /** * FirewallRuleTO transfers a port range for an ip to be opened. @@ -82,6 +83,10 @@ public class FirewallRuleTO { public int[] getSrcPortRange() { return srcPortRange; } + + public String getStringSrcPortRange() { + return NetUtils.portRangeToString(srcPortRange); + } public boolean revoked() { return revoked; diff --git a/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java b/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java index cd98f432e4f..43e0e74bc26 100644 --- a/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java +++ b/api/src/com/cloud/agent/api/to/PortForwardingRuleTO.java @@ -18,6 +18,7 @@ package com.cloud.agent.api.to; import com.cloud.network.rules.PortForwardingRule; +import com.cloud.utils.net.NetUtils; /** * PortForwardingRuleTO specifies one port forwarding rule. @@ -52,4 +53,8 @@ public class PortForwardingRuleTO extends FirewallRuleTO { public int[] getDstPortRange() { return dstPortRange; } + + public String getStringDstPortRange() { + return NetUtils.portRangeToString(dstPortRange); + } } diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index 39ee2127490..11cda6f9628 100644 --- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java 
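Review bot: The new `getStringSrcPortRange()` and `getStringDstPortRange()` accessors (this file and PortForwardingRuleTO.java) carry no Javadoc, and their behaviour when the backing array is null or shorter than two entries is delegated entirely to `NetUtils.portRangeToString`, which these hunks do not show. A one-line Javadoc such as `/** Source port range rendered by {@link NetUtils#portRangeToString(int[])} for the router-side scripts; see that method for the null/empty contract. */` tells callers where the contract lives. Since the result is concatenated into a shell argument string in CitrixResourceBase, it is worth confirming that `portRangeToString` emits only digits and a separator and stating that in the Javadoc.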
@@ -1129,31 +1129,31 @@ public abstract class CitrixResourceBase implements ServerResource { protected SetPortForwardingRulesAnswer execute(SetPortForwardingRulesCommand cmd) { Connection conn = getConnection(); - String args; + String routerName = cmd.getAccessDetail(NetworkElementCommand.ROUTER_NAME); String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP); + String args = routerIp; String[] results = new String[cmd.getRules().length]; int i = 0; for (PortForwardingRuleTO rule : cmd.getRules()) { if (rule.isOneToOneNat()){ //1:1 NAT needs instanceip;publicip;domrip;op - args = rule.revoked() ? "-D" : "-A"; + args += rule.revoked() ? " -D " : " -A "; args += " -l " + rule.getSrcIp(); - args += " -i " + routerIp; args += " -r " + rule.getDstIp(); - args += " -G " + rule.getProtocol(); + args += " -P " + rule.getProtocol().toLowerCase(); + args += " -d " + rule.getStringDstPortRange(); + args += " -G " ; + } else { - args = rule.revoked() ? "-D" : "-A"; + args += rule.revoked() ? " -D " : " -A "; args += " -P " + rule.getProtocol().toLowerCase(); args += " -l " + rule.getSrcIp(); - args += " -p " + rule.getSrcPortRange()[0]; - args += " -n " + routerName; - args += " -i " + routerIp; + args += " -p " + rule.getStringSrcPortRange(); args += " -r " + rule.getDstIp(); - args += " -d " + rule.getDstPortRange()[0]; - args += " -N " + rule.getVlanNetmask(); + args += " -d " + rule.getStringDstPortRange(); // String oldPrivateIP = rule.getOldPrivateIP(); // String oldPrivatePort = rule.getOldPrivatePort(); @@ -1389,12 +1389,12 @@ public abstract class CitrixResourceBase implements ServerResource { throw new InternalErrorException("Failed to find DomR VIF to associate/disassociate IP with."); } - String args = null; + String args = privateIpAddress; if (add) { - args = "-A"; + args += " -A "; } else { - args = "-D"; + args += " -D "; } String cidrSize = Long.toString(NetUtils.getCidrSize(vlanNetmask)); if (sourceNat) { 
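Review bot: `String args = routerIp;` is now declared before the `for` loop and every statement inside the loop uses `+=`, so from the second rule onward `args` still carries the previous rule's options (`<routerIp> -A -P tcp ... -A -P udp ...`) unless it is reset later in the body, which lies outside this hunk; move the declaration inside the loop — `for (PortForwardingRuleTO rule : cmd.getRules()) { String args = routerIp;` — and drop the one above. `routerName` is assigned but no longer referenced in the visible code now that `-n` is gone. These values end up as shell words on the router (`/root/firewall.sh $*` in call_firewall.sh), so a format check on `rule.getSrcIp()`, `rule.getDstIp()` and `rule.getProtocol()` before concatenation (a NetUtils IP validator, and a whitelist of `tcp`/`udp`/`icmp`) would bound what reaches the remote shell. `rule.getProtocol().toLowerCase()` should take `Locale.ROOT` so the option text does not depend on the host JVM's default locale. `execute` continues past the end of this hunk.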
@@ -1409,12 +1409,10 @@ public abstract class CitrixResourceBase implements ServerResource { args += " -l "; args += publicIpAddress; } - args += " -i "; - args += privateIpAddress; + args += " -c "; args += "eth" + correctVif.getDevice(conn); - args += " -g "; - args += vlanGateway; + String result = callHostPlugin(conn, "vmops", "ipassoc", "args", args); if (result == null || result.isEmpty()) { diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh index 494361057a2..0111973c658 100755 --- a/patches/systemvm/debian/config/root/firewall.sh +++ b/patches/systemvm/debian/config/root/firewall.sh 
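Review bot: The `-g $vlanGateway` argument is removed from the ipassoc invocation, but nothing in the hunk shows `vlanGateway` ceasing to be computed or passed into this method, so it is probably an unused parameter now; either drop it from the signature (outside this hunk) or leave a marker such as `// -g/vlanGateway no longer forwarded: ipassoc.sh -c now takes the interface name instead`. `args += " -c "; args += "eth" + correctVif.getDevice(conn);` is one option and reads more clearly as a single `args += " -c eth" + correctVif.getDevice(conn);`, matching the concatenation style used in the port-forwarding hunk. The method's head and the `sourceNat` branch are outside this hunk.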
@@ -6,151 +6,130 @@ # @VERSION@ usage() { - printf "Usage: %s: (-A|-D) -i -r -P protocol (-p port_range | -t icmp_type_code) -l -d [-f -u -y -z ] \n" $(basename $0) >&2 + printf "Usage: %s: (-A|-D) -r -P protocol (-p port_range | -t icmp_type_code) -l -d [-G] \n" $(basename $0) >&2 } -# set -x +set -x -get_dom0_ip () { - eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')" - return 0 +get_dev_list() { + ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}' + ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}' +} + +ip_to_dev() { + local ip=$1 + + for dev in $DEV_LIST; do + ip addr show dev $dev | grep inet | grep $ip &>> /dev/null + [ $? -eq 0 ] && echo $dev && return 0 + done + return 1 } -#Add the tcp firewall entries into iptables in the routing domain -tcp_entry() { +#Port (address translation) forwarding for tcp or udp +tcp_or_udp_entry() { local instIp=$1 - local dport=$2 - local pubIp=$3 + local dport=$(echo $2 | sed 's/:/-/') + local publicIp=$3 local port=$4 local op=$5 - - for vif in $VIF_LIST; do - iptables -t nat $op PREROUTING --proto tcp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - done; - - iptables -t nat $op OUTPUT --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null; + local proto=$6 + logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp + instance ip=$instIp proto=$proto port=$port dport=$dport op=$op" + + #if adding, this might be a duplicate, so delete the old one first + [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport $publicIp $port "-D" $proto + # the delete operation may have errored out but the only possible reason is + # that the rules didn't exist in the first place + 
local dev=$(ip_to_dev $publicIp) + # shortcircuit the process if error and it is an append operation + # continue if it is delete + (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \ + --destination-port $port -j DNAT \ + --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) && + (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \ + --destination-port $port -j DNAT \ + --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) && + (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp -m state \ + --state ESTABLISHED,RELATED -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) && + (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp \ + --destination-port $dport -m state --state NEW -j ACCEPT &>> $OUTFILE) return $? } -#Add the udp firewall entries into iptables in the routing domain -udp_entry() { - local instIp=$1 - local dport=$2 - local pubIp=$3 - local port=$4 - local op=$5 - - for vif in $VIF_LIST; do - iptables -t nat $op PREROUTING --proto udp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - done; - - iptables -t nat $op OUTPUT --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport -j ACCEPT > /dev/null; - - return $? 
-} -#Add the icmp firewall entries into iptables in the routing domain +#Forward icmp icmp_entry() { local instIp=$1 local icmptype=$2 - local pubIp=$3 + local publicIp=$3 local op=$4 - for vif in $VIF_LIST; do - iptables -t nat $op PREROUTING --proto icmp -i $vif -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null; - done; + logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp \ + instance ip=$instIp proto=icmp port=$port dport=$dport op=$op" + #if adding, this might be a duplicate, so delete the old one first + [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" + # the delete operation may have errored out but the only possible reason is + # that the rules didn't exist in the first place + local dev=$(ip_to_dev $publicIp) + sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE - iptables -t nat $op OUTPUT --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT > /dev/null; + sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE + sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE return $? } -#Add 1:1 NAT entry -add_one_to_one_nat_entry() { - local guestIp=$1 - local publicIp=$2 - local dIp=$3 - local op=$4 - if [ "$op" == "-D" ] - then - iptables -t nat $op PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp - if [ $? 
-gt 0 ] - then - return 0 - fi - else - iptables -t nat $op PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp - fi - iptables -t nat $op POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp - if [ "$op" == "-A" ] - then - iptables -P FORWARD DROP - fi - iptables $op FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables $op FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT - iptables $op FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT - + + +one_to_one_fw_entry() { + local publicIp=$1 + local instIp=$2 + local proto=$3 + local portRange=$4 + local op=$5 + logger -t cloud "$(basename $0): firewall entry for static nat: public ip=$publicIp \ + instance ip=$instIp proto=$proto portRange=$portRange op=$op" + + #if adding, this might be a duplicate, so delete the old one first + [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D" + # the delete operation may have errored out but the only possible reason is + # that the rules didn't exist in the first place + + local dev=$(ip_to_dev $publicIp) + [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1 + + # shortcircuit the process if error and it is an append operation + # continue if it is delete + (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \ + --destination-port $portRange -j DNAT \ + --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) && + (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \ + --destination-port $portRange -m state \ + --state NEW -j ACCEPT &>> $OUTFILE ) + return $? 
} -get_vif_list() { - local vif_list="" - for i in /sys/class/net/eth*; do - vif=$(basename $i); - if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ] - then - vif_list="$vif_list $vif"; - fi - done - - echo $vif_list -} -reverse_op() { - local op=$1 - - if [ "$op" == "-A" ] - then - echo "-D" - else - echo "-A" - fi -} rflag= -iflag= Pflag= pflag= tflag= lflag= dflag= -oflag= -wflag= -xflag= -nflag= -Nflag= Gflag= op="" -oldPrivateIP="" -oldPrivatePort="" -while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:G:' OPTION +while getopts 'ADr:P:p:t:l:d:G' OPTION do case $OPTION in - A) Aflag=1 - op="-A" + A) op="-A" ;; - D) Dflag=1 - op="-D" - ;; - i) iflag=1 - domRIp="$OPTARG" + D) op="-D" ;; r) rflag=1 instanceIp="$OPTARG" @@ -170,20 +149,7 @@ do d) dflag=1 dport="$OPTARG" ;; - w) wflag=1 - oldPrivateIP="$OPTARG" - ;; - x) xflag=1 - oldPrivatePort="$OPTARG" - ;; - n) nflag=1 - domRName="$OPTARG" - ;; - N) Nflag=1 - netmask="$OPTARG" - ;; G) Gflag=1 - nat="$OPTARG" ;; ?) usage exit 2 
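Review bot: `ip_to_dev` selects the interface with an unanchored `grep $ip` on the `ip addr show` output, so searching for 10.1.1.1 also matches 10.1.1.10 or 10.1.1.100 (and each dot matches any character); whichever interface in `$DEV_LIST` first holds such a superstring address can then receive the DNAT/FORWARD rules. Use a fixed-string, word-bounded match: `ip addr show dev "$dev" | grep inet | grep -qwF -- "$ip" && echo "$dev" && return 0`. Two smaller issues in the same hunk: `icmp_entry` passes `$icmpType` (capital T) to its own delete-before-add call while the variable is `$icmptype`, so the pre-existing icmp rule is never removed and duplicates accumulate; and `tcp_or_udp_entry` does not check `ip_to_dev`'s status the way `one_to_one_fw_entry` does, so an unknown public IP yields `-i` with no argument. `set -x` is now enabled unconditionally, which traces every iptables invocation to stderr on a production router; keep it commented out or gate it on an environment variable.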
@@ -191,48 +157,30 @@ do esac done -#1:1 NAT +DEV_LIST=$(get_dev_list) +OUTFILE=$(mktemp) + +#Firewall ports for one-to-one/static NAT if [ "$Gflag" == "1" ] then - add_one_to_one_nat_entry $instanceIp $publicIp $domRIp $op - exit $? + one_to_one_fw_entry $publicIp $instanceIp $protocol $dport $op + result=$? + [ "$result" -ne 0 ] && cat $OUTFILE >&2 + rm -f $OUTFILE + exit $result fi -reverseOp=$(reverse_op $op) - -VIF_LIST=$(get_vif_list) case $protocol in - "tcp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - tcp_entry $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" - fi - - # Add/delete the new rule - tcp_entry $instanceIp $dport $publicIp $ports $op - exit $? + tcp|udp) + tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol + result=$? + [ "$result" -ne 0 ] && cat $OUTFILE >&2 + rm -f $OUTFILE + exit $result ;; - "udp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - udp_entry $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" - fi - - # Add/delete the new rule - udp_entry $instanceIp $dport $publicIp $ports $op - exit $? - ;; "icmp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - icmp_entry $oldPrivateIp $icmptype $publicIp "-D" - fi - # Add/delete the new rule icmp_entry $instanceIp $icmptype $publicIp $op exit $? ;; diff --git a/patches/systemvm/debian/config/root/ipassoc.sh b/patches/systemvm/debian/config/root/ipassoc.sh index d1cfba82ecb..e7739772747 100644 --- a/patches/systemvm/debian/config/root/ipassoc.sh +++ b/patches/systemvm/debian/config/root/ipassoc.sh 
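Review bot: `OUTFILE=$(mktemp)` is removed only on the `-G` and `tcp|udp` paths; the `"icmp")` branch exits straight from `icmp_entry` without `cat`-ing or deleting it, so every icmp call leaves a temp file behind and its iptables errors are never surfaced. A single `trap 'rm -f "$OUTFILE"' EXIT` right after the `mktemp` line covers every exit, including the `*)` case outside this hunk, and lets the per-branch `rm -f $OUTFILE` lines go. The `-A`/`-D` exclusivity and `-p`-requires-`-d` checks that call_firewall.sh used to perform before invoking this script are deleted there and do not appear in the visible hunks here, so an empty `$op` now reaches `sudo iptables -t nat $op PREROUTING`, which fails with an unhelpful message; `[ "$op" == "-A" ] || [ "$op" == "-D" ] || { usage; exit 2; }` before the dispatch restores it. The `*)` default and the end of the script are outside the hunk.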
@@ -5,90 +5,41 @@ # # @VERSION@ usage() { - printf "Usage:\n %s -A -i -l -r [-f] \n" $(basename $0) >&2 - printf " %s -D -i -l -r [-f] \n" $(basename $0) >&2 -} - -#verify if supplied ip is indeed in the public domain -check_public_ip() { - if [[ $(expr match $1 "10.") -gt 0 ]] - then - echo "Public IP ($1) cannot be a private IP address!\n" - exit 1 - fi -} - -#ensure that dom0 is set up to do routing and proxy arp -check_ip_fw () { - if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ]; - then - printf "Warning. Dom0 not set up to do forwarding.\n" >&2 - printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2 - printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2 - echo 1 > /proc/sys/net/ipv4/ip_forward - fi - #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ]; - #then - #printf "Warning. Dom0 not set up to do proxy ARP.\n" - #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n" - #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n" - #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp - #fi + printf "Usage:\n %s -A -l -c [-f] \n" $(basename $0) >&2 + printf " %s -D -l -c [-f] \n" $(basename $0) >&2 } -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -#Add 1:1 NAT entry -add_one_to_one_nat_entry() { - local guestIp=$1 - local publicIp=$2 - local dIp=$3 - - iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp - iptables -t nat -A POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT - iptables -A FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT - - return $? 
-} - -#Add the NAT entries into iptables in the routing domain add_nat_entry() { - local dRIp=$1 - local pubIp=$2 - - ip addr add dev $correctVif $pubIp - iptables -t nat -I POSTROUTING -j SNAT -o $correctVif --to-source $pubIp - arping -c 3 -I $correctVif -A -U -s $pubIp $pubIp - + local pubIp=$1 + logger -t cloud "$(basename $0):Adding nat entry for ip $pubIp on interface $ethDev" + local ipNoMask=$(echo $1 | awk -F'/' '{print $1}') + sudo ip link set $ethDev up + sudo ip addr add dev $ethDev $pubIp + sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT + sudo iptables -A FORWARD -i eth0 -o $ethDev -j ACCEPT + sudo iptables -t nat -I POSTROUTING -j SNAT -o $ethDev --to-source $ipNoMask ; + sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask; if [ $? -gt 0 -a $? -ne 2 ] then return 1 fi return 0 + } -#remove the NAT entries into iptables in the routing domain del_nat_entry() { - local dRIp=$1 - local pubIp=$2 - - iptables -t nat -D POSTROUTING -j SNAT -o $correctVif --to-source $pubIp - ip addr del dev $correctVif $pubIp/32 - + local pubIp=$1 + logger -t cloud "$(basename $0):Deleting nat entry for ip $pubIp on interface $ethDev" + local ipNoMask=$(echo $1 | awk -F'/' '{print $1}') + local mask=$(echo $1 | awk -F'/' '{print $2}') + [ "$mask" == "" ] && mask="32" + sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT + sudo iptables -D FORWARD -i eth0 -o $ethDev -j ACCEPT + sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $ipNoMask; + sudo ip addr del dev $ethDev "$ipNoMask/$mask" + if [ $? -gt 0 -a $? -ne 2 ] then return 1 
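Review bot: In `add_nat_entry` only the final `arping` status is examined by `if [ $? -gt 0 -a $? -ne 2 ]`; failures of `ip addr add` or of either `iptables` call are ignored, so a public IP can be reported as associated while its SNAT or FORWARD rule is missing, and `del_nat_entry` has the mirror problem (a failed `iptables -D` leaves a stale SNAT rule behind while the address is removed). Check each privileged command, keeping the exit-code-2 tolerance for `arping` only; if re-associating an already-present address is expected, tolerate `ip addr add`'s "File exists" explicitly rather than ignoring every error. `sudo iptables -A FORWARD -i eth0 -o $ethDev -j ACCEPT` admits all traffic from the guest side out of the public interface with no state or port qualifier — presumably intended for outbound NAT, and a comment saying so would keep a later reader from tightening it blindly.
```shell
add_nat_entry() {
  local pubIp=$1
  # … unchanged: logger line, ipNoMask extraction …
  sudo ip link set $ethDev up &&
  sudo ip addr add dev $ethDev $pubIp &&
  sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT &&
  sudo iptables -A FORWARD -i eth0 -o $ethDev -j ACCEPT &&
  sudo iptables -t nat -I POSTROUTING -j SNAT -o $ethDev --to-source $ipNoMask || return 1
  sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask
  local rc=$?
  # exit status 2 from arping is tolerated here, as in the original
  [ $rc -gt 0 -a $rc -ne 2 ] && return 1
  return 0
}
```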
@@ -99,44 +50,58 @@ del_nat_entry() { add_an_ip () { - local dRIp=$1 - local pubIp=$2 - - ifconfig $correctVif up - ip addr add dev $correctVif $pubIp - arping -c 3 -I $correctVif -A -U -s $pubIp $pubIp - + local pubIp=$1 + logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev" + local ipNoMask=$(echo $1 | awk -F'/' '{print $1}') + + sudo ip link set $ethDev up + sudo ip addr add dev $ethDev $pubIp ; + sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask; return $? + } remove_an_ip () { - local dRIp=$1 - local pubIp=$2 - - ip addr del dev $correctVif $pubIp/32 - - if [ $? -gt 0 -a $? -ne 2 ] + local pubIp=$1 + logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev" + local ipNoMask=$(echo $1 | awk -F'/' '{print $1}') + local mask=$(echo $1 | awk -F'/' '{print $2}') + local existingIpMask=$(sudo ip addr show dev $ethDev | grep inet | awk '{print $2}' | grep -w $ipNoMask) + [ "$existingIpMask" == "" ] && return 0 + local existingMask=$(echo $existingIpMask | awk -F'/' '{print $2}') + if [ "$existingMask" == "32" ] + then + sudo ip addr del dev $ethDev $existingIpMask + result=$? + fi + if [ "$existingMask" != "32" ] + then + replaceIpMask=`sudo ip addr show dev $ethDev | grep inet | grep -v $existingIpMask | awk '{print $2}' | sort -t/ -k2 -n|tail -1` + sudo ip addr del dev $ethDev $existingIpMask; + if [ -n "$replaceIpMask" ]; then + sudo ip addr del dev $ethDev $replaceIpMask; + replaceIp=`echo $replaceIpMask | awk -F/ '{print $1}'`; + sudo ip addr add dev $ethDev $replaceIp/$existingMask; + sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $ipNoMask ; + sudo iptables -t nat -A POSTROUTING -j SNAT -o $ethDev --to-source $replaceIp ; + fi + result=$? 
+ fi + if [ $result -gt 0 -a $result -ne 2 ] then return 1 fi + return 0 } #set -x -rflag= -iflag= lflag= -aflag= -nflag= fflag= -vflag= -gflag= -nflag= cflag= -Gflag= op="" -while getopts 'fADr:i:a:l:v:g:n:c:G:' OPTION +while getopts 'fADa:l:c:' OPTION do case $OPTION in A) Aflag=1 @@ -147,49 +112,18 @@ do ;; f) fflag=1 ;; - r) rflag=1 - domRname="$OPTARG" - ;; - i) iflag=1 - domRIp="$OPTARG" - ;; l) lflag=1 publicIp="$OPTARG" ;; - a) aflag=1 - eth2mac="$OPTARG" - ;; - v) vflag=1 - vlanId="$OPTARG" - ;; - g) gflag=1 - gateway="$OPTARG" - ;; - n) nflag=1 - netmask="$OPTARG" - ;; c) cflag=1 - correctVif="$OPTARG" + ethDev="$OPTARG" ;; - G) Gflag=1 - guestIp="$OPTARG" - ;; ?) usage exit 2 ;; esac done -#1:1 NAT -if [ "$Gflag" == "1" ] -then - add_nat_entry $domRIp $publicIp - if [ $? -eq 0 ] - then - add_one_to_one_nat_entry $guestIp $publicIp $domRIp - fi - exit $? -fi #Either the A flag or the D flag but not both if [ "$Aflag$Dflag" != "1" ] @@ -198,39 +132,34 @@ then exit 2 fi -if [ "$Aflag$lflag$iflag$cflag" != "1111" ] && [ "$Dflag$lflag$iflag$cflag" != "1111" ] +if [ "$lflag$cflag" != "11" ] then + usage exit 2 fi -# check if gateway domain is up and running -if ! check_gw "$domRIp" -then - printf "Unable to ping the routing domain, exiting\n" >&2 - exit 3 -fi if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ] then - add_nat_entry $domRIp $publicIp + add_nat_entry $publicIp exit $? fi if [ "$Aflag" == "1" ] then - add_an_ip $domRIp $publicIp + add_an_ip $publicIp exit $? fi if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ] then - del_nat_entry $domRIp $publicIp + del_nat_entry $publicIp exit $? fi if [ "$Dflag" == "1" ] then - remove_an_ip $domRIp $publicIp + remove_an_ip $publicIp exit $? fi diff --git a/scripts/network/domr/call_firewall.sh b/scripts/network/domr/call_firewall.sh index 8c84a121829..d0afee6791c 100755 --- a/scripts/network/domr/call_firewall.sh +++ b/scripts/network/domr/call_firewall.sh 
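Review bot: `remove_an_ip` re-adds a single replacement address after deleting `$existingIpMask`, which matters because deleting a primary IPv4 address on Linux also removes every secondary in its subnet unless `net.ipv4.conf.<dev>.promote_secondaries` is 1; with several public IPs on `$ethDev`, only the one selected by `sort -t/ -k2 -n | tail -1` comes back and the others silently disappear along with their SNAT rules. Either rely on that sysctl (set it for `$ethDev` before the `ip addr del`) or re-add every removed secondary, and add a comment stating which the script assumes. `result` is also assigned as a global in both branches; `local result` at the top keeps it from leaking into the caller's scope. The function is complete within this hunk.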
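Review bot: `-c` and `-l` are checked only for presence (`"$lflag$cflag" != "11"`), yet `$ethDev` and `$publicIp` are then spliced unquoted into `sudo ip`, `sudo iptables` and `sudo arping` command lines; since these values arrive over ssh from the management path, a format check bounds what the privileged commands see and turns typos into a clean exit: `[[ "$ethDev" =~ ^eth[0-9]+$ && -d /sys/class/net/$ethDev ]] || { usage; exit 2; }` plus an IPv4[/prefix] pattern for `$publicIp`. The usage text still lists `-f` without saying that it selects the SNAT variant; a comment above `fflag=` such as `# -f: manage SNAT/FORWARD rules (add_nat_entry/del_nat_entry) rather than just the address` documents the dispatch at the bottom of this hunk.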
@@ -21,75 +21,9 @@ check_gw() { return $?; } -rflag= -iflag= -Pflag= -pflag= -tflag= -lflag= -dflag= -oflag= -wflag= -xflag= -nflag= -Nflag= -Gflag= -op="" -oldPrivateIP="" -oldPrivatePort="" - -while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:G:' OPTION -do - case $OPTION in - A) Aflag=1 - op="-A" - ;; - D) Dflag=1 - op="-D" - ;; - i) iflag=1 - domRIp="$OPTARG" - ;; - r) rflag=1 - instanceIp="$OPTARG" - ;; - P) Pflag=1 - protocol="$OPTARG" - ;; - p) pflag=1 - ports="$OPTARG" - ;; - t) tflag=1 - icmptype="$OPTARG" - ;; - l) lflag=1 - publicIp="$OPTARG" - ;; - d) dflag=1 - dport="$OPTARG" - ;; - w) wflag=1 - oldPrivateIP="$OPTARG" - ;; - x) xflag=1 - oldPrivatePort="$OPTARG" - ;; - n) nflag=1 - domRName="$OPTARG" - ;; - N) Nflag=1 - netmask="$OPTARG" - ;; - G) Gflag=1 - nat="OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - cert="/root/.ssh/id_rsa.cloud" +domRIp=$1 +shift # Check if DomR is up and running. If not, exit with error code 1. check_gw "$domRIp" @@ -98,19 +32,6 @@ then exit 1 fi -#Either the A flag or the D flag but not both -if [ "$Aflag$Dflag" != "1" ] -then - usage - exit 2 -fi - -#Require -d with -p -if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ] -then - usage - exit 2 -fi ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*" exit $? diff --git a/scripts/network/domr/firewall_vlan.sh b/scripts/network/domr/firewall_vlan.sh deleted file mode 100755 index 707e347c711..00000000000 --- a/scripts/network/domr/firewall_vlan.sh +++ /dev/null 
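Review bot: With the option parsing removed, everything after the router address is forwarded verbatim via `"/root/firewall.sh $*"`, and `$*` inside double quotes is re-split and re-interpreted by the remote root shell, so an argument containing whitespace or shell metacharacters changes the remote command instead of being passed as a single option value. Quote each argument for the remote side: `ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $(printf '%q ' "$@")"`. `domRIp=$1` is likewise neither checked for presence nor for shape before it becomes `root@$domRIp` and the `check_gw` target; `[ $# -ge 2 ] && [[ "$1" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "usage: $0 <router-ip> <firewall.sh args>" >&2; exit 2; }` ahead of the `shift` keeps an empty or malformed first argument out of ssh, and the identical `domRIp=$1; shift` added to scripts/network/domr/ipassoc.sh needs the same guard.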
@@ -1,313 +0,0 @@ -#!/usr/bin/env bash -# $Id: firewall_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/firewall_vlan.sh $ -# firewall.sh -- allow some ports / protocols to vm instances -# -# -# @VERSION@ - -usage() { - printf "Usage: %s: (-A|-D) -i -r -P protocol (-p port_range | -t icmp_type_code) -l -d [-f -u -y -z -n -N ] \n" $(basename $0) >&2 -} - -# set -x -cert="/root/.ssh/id_rsa.cloud" - -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -get_dom0_ip () { - eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')" - return 0 -} - -get_value() { - local filename=$1 - local keyname=$2 - grep -i $keyname= $filename | cut -d= -f2 -} - -get_subnet() { - local ip=$1 - local netmask=$2 - - local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}')) - local netmask1=($(echo $netmask | awk -F"." 
'{print $1,$2,$3,$4}')) - local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]})) - - echo $subnet -} - -get_vif_list() { - local domRIp=$1 - - local command=" vifListDomR=\"\"; \ - for i in /sys/class/net/eth*; do \ - vif=\$(basename \$i); \ - vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \ - done; \ - echo \$vifListDomR;" - - local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command) - - echo $vifList -} - -find_correct_vif() { - local domRIp=$1 - local publicIp=$2 - local vlanNetmask=$3 - - local correctVif="none" - - local vlanSubnet=$(get_subnet $publicIp $vlanNetmask) - local vifList=$(get_vif_list $domRIp) - - for i in $vifList - do - local vif=$(echo $i | cut -d: -f1) - local vifIp=$(echo $i | cut -d: -f2) - local vifNetmask=$(echo $i | cut -d: -f3) - local vifSubnet=$(get_subnet $vifIp $vifNetmask) - - if [ "$vlanSubnet" == "$vifSubnet" ] - then - correctVif="$vif" - break - fi - done - - echo $correctVif -} - -#Add the tcp firewall entries into iptables in the routing domain -tcp_entry() { - local dRIp=$1 - local instIp=$2 - local dport=$3 - local pubIp=$4 - local port=$5 - local op=$6 - local vif=$7 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto tcp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables -t nat $op OUTPUT --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null; - " - - return $? 
- -} - -#Add the udp firewall entries into iptables in the routing domain -udp_entry() { - local dRIp=$1 - local instIp=$2 - local dport=$3 - local pubIp=$4 - local port=$5 - local op=$6 - local vif=$7 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto udp -i $vif -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables -t nat $op OUTPUT --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport -j ACCEPT > /dev/null; - " - - return $? - -} - -#Add the icmp firewall entries into iptables in the routing domain -icmp_entry() { - local dRIp=$1 - local instIp=$2 - local icmptype=$3 - local pubIp=$4 - local op=$5 - local vif=$6 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto icmp -i $vif -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null; - iptables -t nat $op OUTPUT --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT > /dev/null; - " - - return $? 
- -} - -reverse_op() { - local op=$1 - - if [ "$op" == "-A" ] - then - echo "-D" - else - echo "-A" - fi -} - -rflag= -iflag= -Pflag= -pflag= -tflag= -lflag= -dflag= -oflag= -wflag= -xflag= -nflag= -Nflag= -op="" -oldPrivateIP="" -oldPrivatePort="" - -while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:' OPTION -do - case $OPTION in - A) Aflag=1 - op="-A" - ;; - D) Dflag=1 - op="-D" - ;; - i) iflag=1 - domRIp="$OPTARG" - ;; - r) rflag=1 - instanceIp="$OPTARG" - ;; - P) Pflag=1 - protocol="$OPTARG" - ;; - p) pflag=1 - ports="$OPTARG" - ;; - t) tflag=1 - icmptype="$OPTARG" - ;; - l) lflag=1 - publicIp="$OPTARG" - ;; - d) dflag=1 - dport="$OPTARG" - ;; - w) wflag=1 - oldPrivateIP="$OPTARG" - ;; - x) xflag=1 - oldPrivatePort="$OPTARG" - ;; - n) nflag=1 - domRName="$OPTARG" - ;; - N) Nflag=1 - netmask="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -# domRIp is guaranteed to be present at this point - -# Check if DomR is up and running. If not, exit with error code 1. -check_gw "$domRIp" -if [ $? -gt 0 ] -then - exit 1 -fi - -#Either the A flag or the D flag but not both -if [ "$Aflag$Dflag" != "1" ] -then - usage - exit 2 -fi - -#Either the tflag or the p flag but not both -if [ "$rflag$iflag$Pflag$pflag$tflag$lflag" != "11111" ] -then - usage - exit 2 -fi - -#Require -d with -p -if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ] -then - usage - exit 2 -fi - -# Router name must be passed in -if [ "$nflag" != "1" ] -then - usage - exit 2 -fi - -# The netmask of the public IP's VLAN must be passed in -if [ "$Nflag" != "1" ] -then - usage - exit 2 -fi - -reverseOp=$(reverse_op $op) - -# Find the VIF that we need to use on DomR -correctVif=$(find_correct_vif $domRIp $publicIp $netmask) - -case $protocol in - "tcp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
- if [ "$oldPrivateIP" != "" ] - then - tcp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" $correctVif - fi - - # Add/delete the new rule - tcp_entry $domRIp $instanceIp $dport $publicIp $ports $op $correctVif - ;; - "udp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - udp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" $correctVif - fi - - # Add/delete the new rule - udp_entry $domRIp $instanceIp $dport $publicIp $ports $op $correctVif - ;; - "icmp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - icmp_entry $domRIp $oldPrivateIp $icmptype $publicIp "-D" $correctVif - fi - - # Add/delete the new rule - icmp_entry $domRIp $instanceIp $icmptype $publicIp $op $correctVif - ;; - *) - printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2 - exit 5 - ;; -esac - -exit 0 diff --git a/scripts/network/domr/ipassoc.sh b/scripts/network/domr/ipassoc.sh index 6bf23dfa956..4c2356c047d 100755 --- a/scripts/network/domr/ipassoc.sh +++ b/scripts/network/domr/ipassoc.sh 
@@ -10,33 +10,8 @@ usage() { } cert="/root/.ssh/id_rsa.cloud" - -#verify if supplied ip is indeed in the public domain -check_public_ip() { - if [[ $(expr match $1 "10.") -gt 0 ]] - then - echo "Public IP ($1) cannot be a private IP address!\n" - exit 1 - fi -} - -#ensure that dom0 is set up to do routing and proxy arp -check_ip_fw () { - if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ]; - then - printf "Warning. Dom0 not set up to do forwarding.\n" >&2 - printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2 - printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2 - echo 1 > /proc/sys/net/ipv4/ip_forward - fi - #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ]; - #then - #printf "Warning. Dom0 not set up to do proxy ARP.\n" - #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n" - #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n" - #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp - #fi -} +domRIp=$1 +shift # check if gateway domain is up and running 
@@ -50,226 +25,15 @@ check_gw() { return $?; } -#Add 1:1 NAT entry -add_one_to_one_nat_entry() { - local guestIp=$1 - local publicIp=$2 - local dIp=$3 - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dIp "\ - iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp - iptables -t nat -A POSTROUTING -o eth2 -s $guestIp -j SNAT --to-source $publicIp - iptables -P FORWARD DROP - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i eth2 -o eth0 -d $guestIp -m state --state NEW -j ACCEPT - iptables -A FORWARD -i eth0 -o eth2 -s $guestIp -m state --state NEW -j ACCEPT - " - return $? -} -#Add the NAT entries into iptables in the routing domain -add_nat_entry() { - local dRIp=$1 - local pubIp=$2 - local ipNoMask=$(echo $2 | awk -F'/' '{print $1}') - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ip addr add dev $correctVif $pubIp - iptables -A FORWARD -i $correctVif -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i eth0 -o $correctVif -j ACCEPT - iptables -t nat -I POSTROUTING -j SNAT -o $correctVif --to-source $ipNoMask ; - arping -c 3 -I $correctVif -A -U -s $ipNoMask $ipNoMask; - " - if [ $? -gt 0 -a $? -ne 2 ] - then - return 1 - fi - - return 0 -} - -#remove the NAT entries into iptables in the routing domain -del_nat_entry() { - local dRIp=$1 - local pubIp=$2 - local ipNoMask=$(echo $2 | awk -F'/' '{print $1}') - local mask=$(echo $2 | awk -F'/' '{print $2}') - [ "$mask" == "" ] && mask="32" - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -D FORWARD -i $correctVif -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -D FORWARD -i eth0 -o $correctVif -j ACCEPT - iptables -t nat -D POSTROUTING -j SNAT -o $correctVif --to-source $ipNoMask; - ip addr del dev $correctVif "$ipNoMask/$mask" - " - - if [ $? -gt 0 -a $? -ne 2 ] - then - return 1 - fi - - return $? 
-} - - -add_an_ip () { - local dRIp=$1 - local pubIp=$2 - local ipNoMask=$(echo $2 | awk -F'/' '{print $1}') - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ifconfig $correctVif up; - ip addr add dev $correctVif $pubIp ; - arping -c 3 -I $correctVif -A -U -s $ipNoMask $ipNoMask; - " - return $? -} - -remove_an_ip () { - local dRIp=$1 - local pubIp=$2 - local ipNoMask=$(echo $2 | awk -F'/' '{print $1}') - local mask=$(echo $2 | awk -F'/' '{print $2}') - local existingIpMask=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp " - ip addr show dev $correctVif | grep inet | awk '{print \$2}' | grep -w $ipNoMask - ") - [ "$existingIpMask" == "" ] && return 0 - local existingMask=$(echo $existingIpMask | awk -F'/' '{print $2}') - if [ "$existingMask" == "32" ] - then - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp " - ip addr del dev $correctVif $existingIpMask - " - result=$? - fi - if [ "$existingMask" != "32" ] - then - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp " - replaceIpMask=\`ip addr show dev $correctVif | grep inet | grep -v $existingIpMask | awk '{print \$2}' | sort -t/ -k2 -n|tail -1\` - ip addr del dev $correctVif $existingIpMask; - if [ -n \"\$replaceIpMask\" ]; then - ip addr del dev $correctVif \$replaceIpMask; - replaceIp=\`echo \$replaceIpMask | awk -F/ '{print \$1}'\`; - ip addr add dev $correctVif \$replaceIp/$existingMask; - iptables -t nat -D POSTROUTING -j SNAT -o $correctVif --to-source $ipNoMask ; - iptables -t nat -A POSTROUTING -j SNAT -o $correctVif --to-source \$replaceIp ; - fi - " - result=$? 
- fi - if [ $result -gt 0 -a $result -ne 2 ] - then - return 1 - fi -} - -#set -x - -rflag= -iflag= -lflag= -aflag= -nflag= -fflag= -vflag= -gflag= -nflag= -cflag= -Gflag= -op="" - -while getopts 'fADr:i:a:l:v:g:n:c:G:' OPTION -do - case $OPTION in - A) Aflag=1 - op="-A" - ;; - D) Dflag=1 - op="-D" - ;; - f) fflag=1 - ;; - r) rflag=1 - domRname="$OPTARG" - ;; - i) iflag=1 - domRIp="$OPTARG" - ;; - l) lflag=1 - publicIp="$OPTARG" - ;; - a) aflag=1 - eth2mac="$OPTARG" - ;; - v) vflag=1 - vlanId="$OPTARG" - ;; - g) gflag=1 - gateway="$OPTARG" - ;; - n) nflag=1 - netmask="$OPTARG" - ;; - c) cflag=1 - correctVif="$OPTARG" - ;; - G) Gflag=1 - guestIp="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -#1:1 NAT -if [ "$Gflag" == "1" ] +# Check if DomR is up and running. If not, exit with error code 1. +check_gw "$domRIp" +if [ $? -gt 0 ] then - add_nat_entry $domRIp $publicIp - if [ $? -eq 0 ] - then - add_one_to_one_nat_entry $guestIp $publicIp $domRIp - fi - exit $? + exit 1 fi -#Either the A flag or the D flag but not both -if [ "$Aflag$Dflag" != "1" ] -then - usage - exit 2 -fi -if [ "$Aflag$lflag$iflag$cflag" != "1111" ] && [ "$Dflag$lflag$iflag$cflag" != "1111" ] -then - exit 2 -fi +ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/ipassoc.sh $*" +exit $? -# check if gateway domain is up and running -if ! check_gw "$domRIp" -then - printf "Unable to ping the routing domain, exiting\n" >&2 - exit 3 -fi - -if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ] -then - add_nat_entry $domRIp $publicIp - exit $? -fi - -if [ "$Aflag" == "1" ] -then - add_an_ip $domRIp $publicIp - exit $? -fi - -if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ] -then - del_nat_entry $domRIp $publicIp - exit $? -fi - -if [ "$Dflag" == "1" ] -then - remove_an_ip $domRIp $publicIp - exit $? -fi - -exit 0 diff --git a/scripts/network/domr/ipassoc_vlan.sh b/scripts/network/domr/ipassoc_vlan.sh deleted file mode 100755 index 5ce94cde0e6..00000000000 
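Review bot: The new `ssh ... root@$domRIp "/root/ipassoc.sh $*"` line interpolates every remaining caller argument into a command string that the remote shell evaluates as root on the router, so an argument containing shell metacharacters (a crafted IP, netmask, or interface name handed down from the management server) is executed rather than passed; `$*` also discards the original argument boundaries. All of the option validation this hunk deletes (A/D exclusivity, required flags, the public-IP sanity check) now has to live in `/root/ipassoc.sh` on the router, which is not visible here. Assuming the script runs under bash, quoting each argument for the remote shell fixes the injection: `ssh -p 3922 -q -o StrictHostKeyChecking=no -i "$cert" root@"$domRIp" "/root/ipassoc.sh $(printf '%q ' "$@")"`. `StrictHostKeyChecking=no` predates this change, but it is worth a `# TODO: pin the router host key` comment on that line since the command now carries arbitrary arguments.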
--- a/scripts/network/domr/ipassoc_vlan.sh +++ /dev/null 
@@ -1,560 +0,0 @@ -#!/usr/bin/env bash -# $Id: ipassoc_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/ipassoc_vlan.sh $ -# ipassoc.sh -- associate/disassociate a public ip with an instance -# -# -# @VERSION@ - -# set -x -usage() { - printf "Usage:\n %s -A -i -l -r [-f] \n" $(basename $0) >&2 - printf " %s -D -i -l -r [-f] \n" $(basename $0) >&2 - printf "If associating first IP in vlan or disassociating last IP in vlan, the following are required: -v -g -n \n" $(basename $0) >&2 -} - -cert="/root/.ssh/id_rsa.cloud" - -get_value() { - local filename=$1 - local keyname=$2 - grep -i $keyname= $filename | cut -d= -f2 -} - -#verify if supplied ip is indeed in the public domain -check_public_ip() { - if [[ $(expr match $1 "10.") -gt 0 ]] - then - echo "Public IP ($1) cannot be a private IP address!\n" - exit 1 - fi -} - -#ensure that dom0 is set up to do routing and proxy arp -check_ip_fw () { - if [ $(cat /proc/sys/net/ipv4/ip_forward) != 1 ]; - then - printf "Warning. Dom0 not set up to do forwarding.\n" >&2 - printf "Executing: echo 1 > /proc/sys/net/ipv4/ip_forward\n" >&2 - printf "To make this permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf\n" >&2 - echo 1 > /proc/sys/net/ipv4/ip_forward - fi - #if [ $(cat /proc/sys/net/ipv4/conf/eth0/proxy_arp) != 1 ]; - #then - #printf "Warning. Dom0 not set up to do proxy ARP.\n" - #printf "Executing: echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp\n" - #printf "To make this permanent, set net.ipv4.conf.eth0.proxy_arp = 1 in /etc/sysctl.conf\n" - #echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp - #fi -} - - -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? 
-gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -#Add the NAT entries into iptables in the routing domain -add_nat_entry() { - local dRIp=$1 - local pubIp=$2 - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ip addr add dev eth2 $pubIp - iptables -t nat -I POSTROUTING -j SNAT -o eth2 --to-source $pubIp ; - /sbin/arping -c 3 -I eth2 -A -U -s $pubIp $pubIp; - " - if [ $? -gt 0 -a $? -ne 2 ] - then - return 1 - fi - - return 0 -} - -#remove the NAT entries into iptables in the routing domain -del_nat_entry() { - local dRIp=$1 - local pubIp=$2 - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat -D POSTROUTING -j SNAT -o eth2 --to-source $pubIp; - ip addr del dev eth2 $pubIp/32 - " - - if [ $? -gt 0 -a $? -ne 2 ] - then - return 1 - fi - - return $? -} - -_vifname() { - local vmname=$1 - local domid=$(xm domid $vmname) - echo vif${domid} -} - -add_acct_rule() { - local vmname=$1 - local intf=$2 - local dstip=$3 - - local vifname=$(_vifname $vmname) - - iptables -A FORWARD -m physdev --physdev-out $vifname.$intf -d $dstip -j ACCEPT - - return $? -} - -remove_acct_rule() { - local vmname=$1 - local intf=$2 - local dstip=$3 - - local vifname=$(_vifname $vmname) - - iptables -D FORWARD -m physdev --physdev-out $vifname.$intf -d $dstip -j ACCEPT - - return $? -} - -add_first_ip() { - local domRname=$1 - local domRIp=$2 - local publicIp=$3 - local eth2mac=$4 - local vifname="" - local domid=0 - - if ! xm list $domRname &>/dev/null - then - printf "Error: routing domain $domRname does not exist\n" >&2 - exit 2 - fi - - - #check_public_ip "$publicIp" - - - # Ensure that dom0 is set up to do routing - #check_ip_fw - - - #program ip tables in domR and route in dom0 - if ! 
add_nat_entry $domRIp $publicIp - then - printf "Unable add nat entry on gateway, exiting\n" >&2 - return 4 - fi - - return 0 -} - -check_if_ip_assigned_to_vif() { - local domRIp=$1 - local vif=$2 - local ip=$3 - - local vifIp=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - text=\$(ifconfig $vif | grep \"inet addr\" | cut -d: -f2); \ - ip="none"; \ - for i in \$text; do ip=\$i; break; done; \ - echo \$ip;") - - if [ "$ip" == "$vifIp" ] - then - return 0 - else - return 1 - fi -} - - -add_an_ip () { - local dRIp=$1 - local pubIp=$2 - local vif=$3 - local vflag=$4 - local vlanNetmask=$5 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ip addr add dev $vif $pubIp; \ - if [ "$vflag" == "1" ]; then ifconfig $vif netmask $vlanNetmask up; fi; \ - /sbin/arping -c 3 -I $vif -A -U -s $pubIp $pubIp; \ - " - return $? -} - -number_of_bits() { - local decNum=$1 - - local bits=0 - while [ $decNum -gt 0 ] - do - local lastBit=$(expr $decNum % 2) - if [ "$lastBit" == "1" ] - then - let bits+=1 - fi - let decNum=$decNum/2 - done - - echo $bits -} - -netmask_to_cidr() { - local netmask=$1 - - local cidr=0 - local IFS=. - for octet in $netmask - do - local octetBits=$(number_of_bits $octet) - let cidr+=$octetBits - done - - echo $cidr -} - - -remove_an_ip () { - local dRIp=$1 - local pubIp=$2 - local vif=$3 - local vlanNetmask=$4 - - # Check if the public IP is assigned to the VIF itself - check_if_ip_assigned_to_vif $dRIp $vif $pubIp - - if [ $? 
-eq 0 ] - then - # Convert the VLAN netmask to a CIDR - local cidr=$(netmask_to_cidr $vlanNetmask) - - # Delete the IP address by providing the correct CIDR (not 32 in this case) - # Then, set the correct netmask on the VIF, since at this point it will have a netmask of 255.255.255.255 - # Finally, detect what the new IP address on the VIF is, and correct the ifcfg-VIF file to reflect this - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ip addr del dev $vif $pubIp/$cidr; \ - ifconfig $vif netmask $vlanNetmask up; \ - text=\$(ifconfig $vif | grep \"inet addr\" | cut -d: -f2); \ - ip="none"; \ - for i in \$text; do ip=\$i; break; done; \ - sed -i /IPADDR/d /etc/sysconfig/network-scripts/ifcfg-$vif; \ - echo "IPADDR=\$ip" >> /etc/sysconfig/network-scripts/ifcfg-$vif; \ - " - else - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - ip addr del dev $vif $pubIp/32 - " - fi - - if [ $? -gt 0 -a $? -ne 2 ] - then - return 1 - fi -} - -attach_bridge_to_domr() { - local domRName=$1 - local domRIp=$2 - local vlanId=$3 - local vlanGateway=$4 - local vlanNetmask=$5 - local publicIp=$6 - - local bridgeName=xenbr1.$vlanId - - xm network-attach $domRName bridge=$bridgeName - - if [ $? -gt 0 ] - then - return 1 - fi - - # Figure out what VIF we just added! It will be the only VIF that does not have an IP address assigned in ifcfg-eth*, since we haven't created any ifcfg-eth* file yet. 
- local newVif="none" - local vifList=$(get_vif_list $domRIp) - - for i in $vifList - do - local vif=$(echo $i | cut -d: -f1) - local vifIp=$(echo $i | cut -d: -f2) - - if [ "$vifIp" == "" ] - then - newVif="$vif" - break - fi - done - - if [ "$newVif" == "none" ] - then - echo "Could not detect newly added VIF" - exit 1 - fi - - local ifcfgFilePath="/etc/sysconfig/network-scripts/ifcfg-$newVif" - - # Via SSH: Create ifcfg-eth* file and add vlanGateway to /etc/sysconfig/network - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - touch $ifcfgFilePath; \ - echo "DEVICE=$newVif" >> $ifcfgFilePath; \ - echo "ONBOOT=yes" >> $ifcfgFilePath; \ - echo "TYPE=Ethernet" >> $ifcfgFilePath; \ - echo "IPADDR=$publicIp" >> $ifcfgFilePath; \ - echo "NETMASK=$vlanNetmask" >> $ifcfgFilePath; \ - echo "GATEWAY=$vlanGateway" >> /etc/sysconfig/network; \ - " - - if [ $? -gt 0 ] - then - echo "Could not create ifcfg-eth* file for newly added VIF" - exit 1 - fi - - return $? -} - -get_vif_id() { - local domRIp=$1 - local domRName=$2 - local vifName=$3 - - # First get the MAC address of the VIF from DomR - local command="\ - macAddrOfVif=\"none\"; \ - for i in \$(ifconfig $vifName | grep HWaddr); do macAddrOfVif=\$i; done; \ - echo \$macAddrOfVif;" - - local macAddr=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "$command") - - if [ "$macAddr" == "none" ] - then - echo "none" - return - fi - - # Do xm network-list and find the vif ID that corresponds to the MAC address - local vifId="none" - local networkList=$(xm network-list $domRName | grep -i "$macAddr") - for i in $networkList; do vifId=$i; break; done; - - echo $vifId -} - -detach_bridge_from_domr() { - local domRName=$1 - local domRIp=$2 - local vlanGateway=$3 - local correctVif=$4 - - local vifId=$(get_vif_id $domRIp $domRName $correctVif) - - xm network-detach $domRName $vifId - - if [ $? 
-gt 0 ] - then - return 1 - fi - - # Remove ifcfg-eth* file and vlanGateway from /etc/sysconfig/network via SSH - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - rm /etc/sysconfig/network-scripts/ifcfg-$correctVif; - sed -i /"GATEWAY=$vlanGateway"/d /etc/sysconfig/network; - " - - return $? -} - -get_subnet() { - local ip=$1 - local netmask=$2 - - local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}')) - local netmask1=($(echo $netmask | awk -F"." '{print $1,$2,$3,$4}')) - local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]})) - - echo $subnet -} - -get_vif_list() { - local domRIp=$1 - - local command=" vifListDomR=\"\"; \ - for i in /sys/class/net/eth*; do \ - vif=\$(basename \$i); \ - vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \ - done; \ - echo \$vifListDomR;" - - local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command) - - echo $vifList -} - -find_correct_vif() { - local domRIp=$1 - local publicIp=$2 - local vlanNetmask=$3 - - local correctVif="none" - - local vlanSubnet=$(get_subnet $publicIp $vlanNetmask) - local vifList=$(get_vif_list $domRIp) - - for i in $vifList - do - local vif=$(echo $i | cut -d: -f1) - local vifIp=$(echo $i | cut -d: -f2) - local vifNetmask=$(echo $i | cut -d: -f3) - local vifSubnet=$(get_subnet $vifIp $vifNetmask) - - if [ "$vlanSubnet" == "$vifSubnet" ] - then - correctVif="$vif" - break - fi - done - - echo $correctVif -} - -#set -x - -fflag= -Aflag= -Dflag= -rflag= -iflag= -aflag= -lflag= -vflag=0 -gflag= -nflag= -op="" - -while getopts 'fADr:i:a:l:v:g:n:' OPTION -do - case $OPTION in - A) Aflag=1 - op="-A" - ;; - D) Dflag=1 - op="-D" - ;; - f) fflag=1 - ;; - r) rflag=1 - domRname="$OPTARG" - ;; - i) 
iflag=1 - domRIp="$OPTARG" - ;; - l) lflag=1 - publicIp="$OPTARG" - ;; - a) aflag=1 - eth2mac="$OPTARG" - ;; - v) vflag=1 - vlanId="$OPTARG" - ;; - g) gflag=1 - gateway="$OPTARG" - ;; - n) nflag=1 - netmask="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -#Either the A flag or the D flag but not both -if [ "$Aflag$Dflag" != "1" ] -then - usage - exit 2 -fi - -if [ "$Aflag$lflag$iflag$rflag$nflag" != "11111" ] && [ "$Dflag$lflag$iflag$rflag$nflag" != "11111" ] -then - exit 2 -fi - -# If a vlanId is passed in, then a vlanGateway must be passed in -if [ "$vflag" == "1" ] && [ "$gflag" != "1" ] -then - usage - exit 2 -fi - -# check if gateway domain is up and running -if ! check_gw "$domRIp" -then - printf "Unable to ping the routing domain, exiting\n" >&2 - exit 3 -fi - -# If this is an add and a vlanId was passed in, hotplug a new vif on DomR -if [ "$Aflag" == "1" ] && [ "$vflag" == "1" ] -then - attach_bridge_to_domr $domRname $domRIp $vlanId $gateway $netmask $publicIp - - if [ $? -gt 0 ] - then - exit 1 - fi -fi - -# Find the VIF that we need to use on DomR -correctVif=$(find_correct_vif $domRIp $publicIp $netmask) - -if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ] -then - add_nat_entry $domRIp $publicIp - exit $? -fi - -if [ "$Aflag" == "1" ] -then - add_an_ip $domRIp $publicIp $correctVif $vflag $netmask - exit $? -fi - -if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ] -then - del_nat_entry $domRIp $publicIp - exit $? -fi - -if [ "$Dflag" == "1" ] -then - remove_an_ip $domRIp $publicIp $correctVif $netmask - - # If a vlanId was passed in, remove the vlan's vif from DomR - if [ "$vflag" == "1" ] - then - detach_bridge_from_domr $domRname $domRIp $gateway $correctVif - - if [ $? -gt 0 ] - then - exit 1 - fi - fi - - exit $? -fi - -exit 0 - diff --git a/scripts/network/domr/loadbalancer_vlan.sh b/scripts/network/domr/loadbalancer_vlan.sh deleted file mode 100755 index 9a29c884e6c..00000000000 --- a/scripts/network/domr/loadbalancer_vlan.sh +++ /dev/null 
@@ -1,275 +0,0 @@ -#!/usr/bin/env bash -# $Id: loadbalancer_vlan.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/loadbalancer_vlan.sh $ -# loadbalancer.sh -- reconfigure loadbalancer rules -# -# -# @VERSION@ - -usage() { - printf "Usage: %s: -i -a -d -f \n" $(basename $0) >&2 -} - -# set -x -cert="/root/.ssh/id_rsa.cloud" - -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -get_value() { - local filename=$1 - local keyname=$2 - grep -i $keyname= $filename | cut -d= -f2 -} - -get_subnet() { - local ip=$1 - local netmask=$2 - - local ip1=($(echo $ip | awk -F"." '{print $1,$2,$3,$4}')) - local netmask1=($(echo $netmask | awk -F"." '{print $1,$2,$3,$4}')) - local subnet=$((${ip1[0]} & ${netmask1[0]})).$((${ip1[1]} & ${netmask1[1]})).$((${ip1[2]} & ${netmask1[2]})).$((${ip1[3]} & ${netmask1[3]})) - - echo $subnet -} - -get_vif_list() { - local domRIp=$1 - - local command=" vifListDomR=\"\"; \ - for i in /sys/class/net/eth*; do \ - vif=\$(basename \$i); \ - vifIp=\$(grep -i IPADDR= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifNetmask=\$(grep -i NETMASK= /etc/sysconfig/network-scripts/ifcfg-\$vif | cut -d= -f2); \ - vifListDomR=\$vifListDomR\" \$vif:\$vifIp:\$vifNetmask\"; \ - done; \ - echo \$vifListDomR;" - - local vifList=$(ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$domRIp $command) - - echo $vifList -} - -find_correct_vif() { - local domRIp=$1 - local publicIp=$2 - local vlanNetmask=$3 - - local correctVif="none" - - local vlanSubnet=$(get_subnet $publicIp $vlanNetmask) - local vifList=$(get_vif_list $domRIp) - - for i in $vifList - do - local vif=$(echo $i | cut -d: -f1) - local vifIp=$(echo $i | cut -d: -f2) - local vifNetmask=$(echo $i | cut -d: -f3) - local vifSubnet=$(get_subnet $vifIp $vifNetmask) - - if [ "$vlanSubnet" == "$vifSubnet" ] - 
then - correctVif="$vif" - break - fi - done - - echo $correctVif -} - -#firewall entry to ensure that haproxy can receive on specified port -fw_entry() { - local domRIp=$1 - local added=$2 - local removed=$3 - - if [ "$added" == "none" ] - then - added="" - fi - - if [ "$removed" == "none" ] - then - removed="" - fi - - local a=$(echo $added | cut -d, -f1- --output-delimiter=" ") - local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ") - - for i in $a - do - local pubIp=$(echo $i | cut -d: -f1) - local dport=$(echo $i | cut -d: -f2) - local vlanNetmask=$(echo $i | cut -d: -f3) - - local vif=$(find_correct_vif $domRIp $pubIp $vlanNetmask) - - if [ "$domRIp" != "none" ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null - " - - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -A INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT - " - - if [ $? -gt 0 ] - then - exit 1 - fi - fi - - done - - for i in $r - do - local pubIp=$(echo $i | cut -d: -f1) - local dport=$(echo $i | cut -d: -f2) - local vlanNetmask=$(echo $i | cut -d: -f3) - - local vif=$(find_correct_vif $domRIp $pubIp $vlanNetmask) - - if [ "$domRIp" != "none" ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT - " - fi - - done - - return 0 -} - - -#Hot reconfigure HA Proxy in the routing domain -reconfig_lb() { - local domRIp=$1 - local cfg=$2 - - scp -P 3922 -q -o StrictHostKeyChecking=no -i $cert $cfg root@$domRIp:/etc/haproxy/haproxy.cfg.new - - if [ $? -eq 0 ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh - fi - - return $? 
-} - -# Restore the HA Proxy to its previous state, and revert iptables rules on DomR -restore_lb() { - local domRIp=$1 - - # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new - " - - # Run reconfigLB.sh again - if [ $? -eq 0 ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh - fi -} - - -mflag= -iflag= -aflag= -dflag= -fflag= -op="" -addedIps="" -removedIps="" - -while getopts 'i:a:d:f:' OPTION -do - case $OPTION in - i) iflag=1 - domRIp="$OPTARG" - ;; - a) aflag=1 - addedIps="$OPTARG" - ;; - d) dflag=1 - removedIps="$OPTARG" - ;; - f) fflag=1 - cfgfile="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -# At this point, $domRIp is guaranteed to be either an IP address (if the DomR is running in the Management Server database), or "none" - -# If a DomR IP was passed in, check if DomR is up and running. If it isn't, exit 1. -if [ "$domRIp" != "none" ] -then - check_gw "$domRIp" - if [ $? -gt 0 ] - then - exit 1 - fi -fi - -# If a DomR IP was passed in, reconfigure the HA Proxy. -if [ "$domRIp" != "none" ] -then - if [ "$iflag$fflag" != "11" ] - then - usage - exit 2 - fi - - #hot reconfigure haproxy - reconfig_lb $domRIp $cfgfile - - if [ $? -gt 0 ] - then - printf "Reconfiguring loadbalancer failed\n" - exit 1 - fi - -fi - -if [ "$addedIps" == "" ] -then - addedIps="none" -fi - -if [ "$removedIps" == "" ] -then - removedIps="none" -fi - -# iptables entry to ensure that haproxy receives traffic -fw_entry $domRIp $addedIps $removedIps - -if [ $? -gt 0 ] -then - if [ "$domRIp" != "none" ] - then - # Restore the LB - restore_lb $domRIp - # Revert iptables rules on DomR, with addedIps and removedIps swapped - fw_entry $domRIp $removedIps $addedIps - fi - - exit 1 -fi - -exit 0 - - 
diff --git a/utils/src/com/cloud/utils/net/NetUtils.java b/utils/src/com/cloud/utils/net/NetUtils.java index eca437daabc..6888f3e1de0 100755 --- a/utils/src/com/cloud/utils/net/NetUtils.java +++ b/utils/src/com/cloud/utils/net/NetUtils.java @@ -787,6 +787,10 @@ public class NetUtils { return getIpRangeEndIpFromCidr(cidr, 32 - Long.parseLong(cidrPair[1])); } + + public static String portRangeToString(int portRange[]){ + return Integer.toString(portRange[0]) + ":" + Integer.toString(portRange[1]); + } // test only private static void configLog4j() {
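Review bot: `portRangeToString` reads `portRange[0]` and `portRange[1]` without checking the array, so a null or single-element range (the callers in `FirewallRuleTO`/`PortForwardingRuleTO` just hand through whatever array the TO carries) fails with an NPE or `ArrayIndexOutOfBoundsException` far from the caller instead of with a clear message. Since the returned `a:b` string appears to be used verbatim in iptables-style port arguments, I would also reject out-of-range values before they reach a command line: `if (portRange == null || portRange.length != 2) throw new IllegalArgumentException("port range must have exactly two elements");` followed by `if (portRange[0] < 0 || portRange[1] > 65535 || portRange[0] > portRange[1]) throw new IllegalArgumentException("invalid port range " + portRange[0] + ":" + portRange[1]);`. A one-line Javadoc such as `/** Formats a {start, end} port pair as "start:end". */` and the conventional `int[] portRange` declaration would also help.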