CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network

This covers only DHCP-only networks (the setup_dhcpsrvr path), because in basic and shared networks the private IP used by the VR and the network itself may be exposed to the outside, so a source-CIDR filter would not help there.

(cherry picked from commit a554ebdf75)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

Conflicts:
	server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
Sheng Yang 2014-04-16 18:40:26 -07:00 committed by Rohit Yadav
parent 83df80b715
commit 76f5f3048e
2 changed files with 19 additions and 3 deletions


@ -2239,12 +2239,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
if (domain != null) {
buf.append(" domain=" + domain);
}
long cidrSize = 0;
//setup dhcp range
if (dc.getNetworkType() == NetworkType.Basic) {
if (guestNic.isDefaultNic()) {
long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
if (cidr != null) {
dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
}
@ -2252,11 +2254,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
} else if (dc.getNetworkType() == NetworkType.Advanced) {
String cidr = guestNetwork.getCidr();
if (cidr != null) {
cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
dhcpRange = NetUtils.getDhcpRange(cidr);
}
}
if (dhcpRange != null) {
// To limit DNS to the cidr range
buf.append(" cidrsize=" + String.valueOf(cidrSize));
buf.append(" dhcprange=" + dhcpRange);
}
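Review bot: The guard at the end of the hunk keys only on `dhcpRange != null`, so the `cidrsize=` token is still emitted when `cidrSize` is left at its initial `0` from the top of the hunk (a netmask that yields 0 in the Basic branch, or any future path that sets `dhcpRange` without the size). The VR script in this same commit turns that into `-s $DHCP_RANGE/0`, which matches every source address, so the new restriction silently disappears instead of failing closed. Suggest appending the size only when it is a usable prefix length, `if (cidrSize > 0 && cidrSize <= 32) { buf.append(" cidrsize=" + cidrSize); }`, keeping the `dhcprange=` append as is, and expanding the one-line comment to say that the VR script uses `cidrsize` to scope the DNS `INPUT` rule so a reader knows why an invalid value must not be shipped. The enclosing method starts and ends outside the hunk, so the parameter the value ultimately reaches is not visible here.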


@ -1083,8 +1083,16 @@ setup_dhcpsrvr() {
enable_svc cloud 0
enable_fwding 0
chkconfig nfs-common off
cp /etc/iptables/iptables-router /etc/iptables/rules.v4
cp /etc/iptables/iptables-router /etc/iptables/rules
#Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
if [ "$SSHONGUEST" == "true" ]
then
setup_sshd $ETH0_IP "eth0"
@ -1425,6 +1433,9 @@ for i in $CMDLINE
vpccidr)
VPCCIDR=$VALUE
;;
cidrsize)
CIDR_SIZE=$VALUE
;;
esac
done
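Review bot: The four `sed` lines in `setup_dhcpsrvr` substitute `-s $DHCP_RANGE/$CIDR_SIZE` unconditionally, so when either variable is empty (a management server that does not yet pass `cidrsize`, or a `dhcprange` that was never set) the rules file gets `-s /` or `-s 10.1.1.2/`, and if `CIDR_SIZE` is `0` it gets `/0`; the first breaks `iptables-restore` for the whole ruleset, the second accepts DNS from any source, both the opposite of what the commit intends. The safe shape is to validate both values first and, when they are unusable, delete the unrestricted port-53 `ACCEPT` lines instead of rewriting them, so the result is always fail-closed; running the substitution over both rule files in one loop also avoids the duplicated commands. Note also that `sed` silently does nothing if the `ACCEPT` line in `iptables-router` does not match the literal pattern, so a `grep -q` check after the edit (logging on mismatch) would make a no-op visible. `setup_dhcpsrvr` continues past the end of the hunk.

```shell
#Only allow DNS service for current network; if no usable range was handed
#to us, close DNS on eth0 rather than leave the unrestricted ACCEPT in place
if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ] && [ "$CIDR_SIZE" -gt 0 ] && [ "$CIDR_SIZE" -le 32 ]
then
    for rules in /etc/iptables/rules.v4 /etc/iptables/rules
    do
        sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" $rules
        sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" $rules
        grep -q -- "--dport 53 -s $DHCP_RANGE/$CIDR_SIZE" $rules || logger -t cloud "DNS ACCEPT rule not found in $rules; DNS filter not applied"
    done
else
    logger -t cloud "dhcprange/cidrsize missing or invalid; closing DNS on eth0"
    sed -i "/-A INPUT -i eth0 -p [ut][dc]p -m [ut][dc]p --dport 53 -j ACCEPT/d" /etc/iptables/rules.v4 /etc/iptables/rules
fi
# … unchanged: SSHONGUEST handling …
```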