diff --git a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java index 1993981f253..4e427506a1d 100644 --- a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java +++ b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java @@ -1147,6 +1147,22 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra // This method re-programs the rules/ips for existing network protected boolean reprogramNetworkRules(long networkId, Account caller, Network network) throws ResourceUnavailableException { boolean success = true; + + //Apply egress rules first to effect the egress policy early on the guest traffic + List firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress); + NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); + DataCenter zone = _dcDao.findById(network.getDataCenterId()); + if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) + && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) { + // add default egress rule to accept the traffic + _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true); + } + if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) { + s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart"); + success = false; + } + + // associate all ip addresses if (!_ipAddrMgr.applyIpAssociations(network, false)) { s_logger.warn("Failed to apply ip addresses as a part of network id" + networkId + " restart"); @@ -1166,20 +1182,6 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra success = false; } - List firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress); - NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId()); - //there are no egress rules then apply the default egress rule - DataCenter zone = _dcDao.findById(network.getDataCenterId()); - if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) - && (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) { - // add default egress rule to accept the traffic - _firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true); - } - if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) { - s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart"); - success = false; - } - // apply port forwarding rules if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) { s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network id=" + networkId + " restart"); diff --git a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java index 19919d7c78d..f01153f2dc3 100644 --- a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java +++ b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java @@ -572,6 +572,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe public ExecutionResult createFileInVR(String routerIp, String path, String filename, String content) { Connection conn = getConnection(); String rc = callHostPlugin(conn, "vmops", "createFileInDomr", "domrip", routerIp, "filepath", path + filename, "filecontents", content); + s_logger.debug ("VR Config file " + filename + " got created in VR with ip " + routerIp + " with content \n" + content); // Fail case would be start with "fail#" return new ExecutionResult(rc.startsWith("succ#"), rc.substring(5)); } diff --git a/server/src/com/cloud/network/element/VirtualRouterElement.java b/server/src/com/cloud/network/element/VirtualRouterElement.java index 546aab43f09..5d7f5256e40 100644 --- a/server/src/com/cloud/network/element/VirtualRouterElement.java +++ b/server/src/com/cloud/network/element/VirtualRouterElement.java @@ -260,9 +260,10 @@ public class VirtualRouterElement extends AdapterBase implements VirtualRouterEl } if (rules != null && rules.size() == 1) { - // for VR no need to add default egress rule to DENY traffic + // for VR no need to add default egress rule to ALLOW traffic + //The default allow rule is added from the router defalut iptables rules iptables-router if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System - && !_networkMdl.getNetworkEgressDefaultPolicy(network.getId())) { + && _networkMdl.getNetworkEgressDefaultPolicy(network.getId())) { return true; } } diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index ba76e57bc08..fb1e8b847f8 100644 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -1918,7 +1918,7 @@ Configurable, StateListener { // construct rule when egress policy is true. In true case for VR we default allow rule need to be added - if (defaultEgressPolicy) { + if (!defaultEgressPolicy) { systemRule = String.valueOf(FirewallRule.FirewallRuleType.System); List sourceCidr = new ArrayList(); @@ -1928,6 +1928,9 @@ Configurable, StateListener { null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System); rules.add(rule); + } else { + s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy + " So no need"+ + " of default rule is needed. "); } } diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router index 3f5bc5f736b..f16b942667d 100644 --- a/systemvm/patches/debian/config/etc/iptables/iptables-router +++ b/systemvm/patches/debian/config/etc/iptables/iptables-router @@ -24,6 +24,7 @@ COMMIT :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] +:FW_EGRESS_RULES - [0:0] :FW_OUTBOUND - [0:0] -A INPUT -d 224.0.0.18/32 -j ACCEPT -A INPUT -d 225.0.0.50/32 -j ACCEPT @@ -42,7 +43,9 @@ COMMIT -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND +-A FW_EGRESS_RULES -j ACCEPT -I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT +-A FW_OUTBOUND -j FW_EGRESS_RULES COMMIT *mangle :PREROUTING ACCEPT [0:0] diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh index b1e7a403520..767f17ed77b 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh @@ -145,11 +145,11 @@ fi success=0 -if [ "$pvalue" == "0" -o "$pvalue" == "2" ] +if [ "$pvalue" == "1" -o "$pvalue" == "2" ] then - target="ACCEPT" - else target="DROP" + else + target="ACCEPT" fi fw_egress_chain @@ -172,7 +172,7 @@ then fw_egress_backup_restore else logger -t cloud "deleting backup for guest network" - if [ "$pvalue" == "1" -o "$pvalue" == "2" ] + if [ "$pvalue" == "1" ] then #Adding default policy rule sudo iptables -A FW_EGRESS_RULES -j ACCEPT