diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java index cf11a75a8b2..ff467db2190 100755 --- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java +++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java @@ -594,6 +594,9 @@ public class VirtualRoutingResource implements Manager { String publicNic = "eth" + nicNum; command.add("-c", publicNic); + + command.add("-g", vlanGateway); + return command.execute(); } diff --git a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java index f8be5a7691d..2c6380160f5 100755 --- a/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java +++ b/core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java @@ -740,7 +740,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa } args += " -c "; - args += "eth" + publicNicInfo.first(); + args += "eth" + publicNicInfo.first(); + + args += " -g "; + args += vlanGateway; if (s_logger.isDebugEnabled()) { s_logger.debug("Run command on domain router " + privateIpAddress + ", /root/ipassoc.sh " + args); diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index 433ae3ed6fe..70b3beb90ee 100755 --- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java @@ -1599,6 +1599,9 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe args += " -c "; args += "eth" + correctVif.getDevice(conn); + args += " -g "; + args += vlanGateway; + String result = callHostPlugin(conn, "vmops", "ipassoc", "args", args); if (result == null || result.isEmpty()) { diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router index 9b56209159e..f50eebe584f 100644 --- a/patches/systemvm/debian/config/etc/iptables/iptables-router +++ b/patches/systemvm/debian/config/etc/iptables/iptables-router @@ -23,4 +23,8 @@ COMMIT -A FORWARD -i eth0 -o eth2 -j ACCEPT -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT COMMIT +*mangle +-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark +COMMIT + diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh index d16e539a862..9bc72869eb3 100755 --- a/patches/systemvm/debian/config/root/firewall.sh +++ b/patches/systemvm/debian/config/root/firewall.sh @@ -62,6 +62,7 @@ tcp_or_udp_entry() { local op=$5 local proto=$6 local cidrs=$7 + logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \ instance ip=$instIp proto=$proto port=$port dport=$dport op=$op" @@ -70,11 +71,16 @@ tcp_or_udp_entry() { # the delete operation may have errored out but the only possible reason is # that the rules didn't exist in the first place local dev=$(ip_to_dev $publicIp) + local tableNo=$(echo $dev | awk -F'eth' '{print $2}') # shortcircuit the process if error and it is an append operation # continue if it is delete (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \ --destination-port $port -j DNAT \ --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) && + (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \ + --destination-port $port -j MARK --set-mark $tableNo) && + (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \ + --destination-port $port -m state --state NEW -j CONNMARK --save-mark) && (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \ --destination-port $port -j DNAT \ --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) && diff --git a/patches/systemvm/debian/config/root/ipassoc.sh b/patches/systemvm/debian/config/root/ipassoc.sh index 17278a3fd9b..5b7acc05622 100644 --- a/patches/systemvm/debian/config/root/ipassoc.sh +++ b/patches/systemvm/debian/config/root/ipassoc.sh @@ -137,6 +137,72 @@ convert_primary_to_32() { done } +remove_routing() { + local pubIp=$1 + local ipNoMask=$(echo $pubIp | awk -F'/' '{print $1}') + local mask=$(echo $pubIp | awk -F'/' '{print $2}') + local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}') + + local tableName="Table_$ethDev" + local ethMask=$(ip route show | grep $ethDev | grep src | awk '{print $1}') + if [ "$ethMask" != "" ] + then +# rules and routes will be deleted for the last ip of the interface. + sudo ip route delete throw $ethMask table $tableName proto static + sudo ip rule delete from $ethMask table $tableName + sudo ip rule delete fwmark $tableNo table $tableName + sudo ip route flush cache + fi +} + +# copy eth0,eth1 and the current public interface +copy_routes_from_main() { + local tableName=$1 + +#get the network masks from the main table + local eth0Mask=$(ip route show | grep eth0 | grep src | awk '{print $1}') + local eth1Mask=$(ip route show | grep eth1 | grep src | awk '{print $1}') + local ethMask=$(ip route show | grep $ethDev | grep src | awk '{print $1}') + +# eth0,eth1 and other know routes will be skipped, so as main routing table will decide the route. This will be useful if the interface is down and up. + sudo ip route add throw $eth0Mask table $tableName proto static + sudo ip route add throw $eth1Mask table $tableName proto static + sudo ip route add throw $ethMask table $tableName proto static + return 0; +} + +add_routing() { + local pubIp=$1 + local ipNoMask=$(echo $1 | awk -F'/' '{print $1}') + local mask=$(echo $1 | awk -F'/' '{print $2}') + + local tableName="Table_$ethDev" + local tablePresent=$(grep $tableName /etc/iproute2/rt_tables) + local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}') + if [ "$tablePresent" == "" ] + then + if [ "$tableNo" == ""] + then + return 0; + fi + echo "$tableNo $tableName" >> /etc/iproute2/rt_tables + fi + + copy_routes_from_main $tableName +# NOTE: this entry will be deleted if the interface is down without knowing to Management server, in that case all the outside traffic will be send through main routing table or it will be the first public NIC. + sudo ip route add default via $defaultGwIP table $tableName proto static + sudo ip route flush cache + + local ethMask=$(ip route show | grep $ethDev | grep src | awk '{print $1}') + local rulePresent=$(ip rule show | grep $ethMask) + if [ "$rulePresent" == "" ] + then +# rules will be added while adding the first ip of the interface + sudo ip rule add from $ethMask table $tableName + sudo ip rule add fwmark $tableNo table $tableName + fi + return 0; +} add_nat_entry() { local pubIp=$1 @@ -170,6 +236,7 @@ add_nat_entry() { sudo ip link set $ethDev up sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask; fi + add_routing $1 return 0 } @@ -185,6 +252,7 @@ del_nat_entry() { sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $ipNoMask; sudo ip addr del dev $ethDev "$ipNoMask/$mask" + remove_routing $1 if [ $? -gt 0 -a $? -ne 2 ] then return 1 @@ -208,7 +276,7 @@ add_an_ip () { sudo ip link set $ethDev up sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask; fi - + add_routing $1 return $? } @@ -239,6 +307,7 @@ remove_an_ip () { fi result=$? fi + remove_routing $1 if [ $result -gt 0 -a $result -ne 2 ] then return 1 @@ -271,7 +340,7 @@ then if_keep_state=1 fi -while getopts 'fADa:l:c:' OPTION +while getopts 'fADa:l:c:g:' OPTION do case $OPTION in A) Aflag=1 @@ -288,6 +357,9 @@ do c) cflag=1 ethDev="$OPTARG" ;; + g) gflag=1 + defaultGwIP="$OPTARG" + ;; ?) usage unlock_exit 2 $lock $locked ;;