From 76f5f3048e115c5ba25ec09a44e4947b5b290ebb Mon Sep 17 00:00:00 2001 From: Sheng Yang Date: Wed, 16 Apr 2014 18:40:26 -0700 Subject: [PATCH] CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network This would cover only DHCP only network since in basic and shared network, the private IP used by VR and network may expose to outside. (cherry picked from commit a554ebdf750be2ff2fd02fda38713b40313fcca8) Signed-off-by: Rohit Yadav Conflicts: server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java --- .../router/VirtualNetworkApplianceManagerImpl.java | 11 ++++++++--- .../debian/config/etc/init.d/cloud-early-config | 11 +++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index bab14194a0c..b0e12283cea 100755 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -2239,12 +2239,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V if (domain != null) { buf.append(" domain=" + domain); } - + + long cidrSize = 0; + //setup dhcp range if (dc.getNetworkType() == NetworkType.Basic) { if (guestNic.isDefaultNic()) { - long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask()); - String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize); + cidrSize = NetUtils.getCidrSize(guestNic.getNetmask()); + final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize); if (cidr != null) { dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize); } 
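Review bot: The new method-scoped `long cidrSize = 0;` carries a meaning that is not visible at its declaration: it is later sent to the VR as the `cidrsize=` boot parameter and becomes the prefix length of an iptables source match, and 0 is not a harmless default there because `<ip>/0` matches every source address. In the Basic branch it is only assigned on the default-NIC path, so any other path keeps the 0. A comment at the declaration would stop the next maintainer from reading 0 as "unrestricted", e.g. `// Prefix length of the guest subnet, passed to the VR as "cidrsize=" so it can limit DNS (port 53) to that subnet; stays 0 when it could not be derived, and 0 must never be turned into a /0 match.` The enclosing method starts and ends outside the hunk.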
@@ -2252,11 +2254,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V } else if (dc.getNetworkType() == NetworkType.Advanced) { String cidr = guestNetwork.getCidr(); if (cidr != null) { + cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr)); dhcpRange = NetUtils.getDhcpRange(cidr); } } if (dhcpRange != null) { + // To limit DNS to the cidr range + buf.append(" cidrsize=" + String.valueOf(cidrSize)); buf.append(" dhcprange=" + dhcpRange); } diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config index 77cb05a547c..4783ec2ecba 100755 --- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config +++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config @@ -1083,8 +1083,16 @@ setup_dhcpsrvr() { enable_svc cloud 0 enable_fwding 0 chkconfig nfs-common off + cp /etc/iptables/iptables-router /etc/iptables/rules.v4 cp /etc/iptables/iptables-router /etc/iptables/rules + + #Only allow DNS service for current network + sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4 + sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules + sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4 + sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules + if [ "$SSHONGUEST" == "true" ] then setup_sshd $ETH0_IP "eth0" @@ -1425,6 +1433,9 @@ for i in $CMDLINE vpccidr) VPCCIDR=$VALUE ;; + cidrsize) + CIDR_SIZE=$VALUE + ;; esac done
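Review bot: `cidrsize=` is appended whenever dhcpRange is non-null, including when cidrSize still holds its initial 0, and on the VR that value is spliced straight into `-s $DHCP_RANGE/$CIDR_SIZE`, where a /0 prefix matches every source address — the DNS restriction would then silently fail open instead of failing safe. Any path that sets dhcpRange without also setting cidrSize would hit this; I can only see the Basic default-NIC and Advanced paths here, so whether such a path exists is inferred. Guarding the append, `if (cidrSize > 0) { buf.append(" cidrsize=" + cidrSize); }`, keeps a bogus prefix from reaching the VR, and the string concatenation makes `String.valueOf` redundant. The enclosing method continues outside the hunk.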
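Review bot: `CIDR_SIZE=$VALUE` accepts whatever the kernel command line carries, and the value lands verbatim inside an iptables rule through the `sed` in `setup_dhcpsrvr`; a non-numeric token yields a rule iptables-restore rejects, and `0` yields `-s <ip>/0`, which matches every source and silently undoes the DNS restriction this commit introduces. The boot parameters come from the management server, so this is defence in depth rather than a hostile-input case, but accepting only an integer in 1..32 and ignoring anything else costs little. The `for i in $CMDLINE` loop and the parsing of `$VALUE` lie outside the hunk.
```shell
cidrsize)
  # Prefix length used by setup_dhcpsrvr to scope DNS to the guest subnet;
  # accept only 1..32 (0 would become a /0 match, i.e. no restriction at all).
  case "$VALUE" in
    ''|*[!0-9]*) ;;
    *) if [ "$VALUE" -ge 1 ] && [ "$VALUE" -le 32 ]; then CIDR_SIZE=$VALUE; fi ;;
  esac
  ;;
```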