From 94a146a43eeb08d5141458385b7c1f45acb2cfdf Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Wed, 16 Apr 2014 18:40:26 -0700
Subject: [PATCH] CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network

This would cover only DHCP only network since in basic and shared network, the private IP used by VR and network may expose to outside.
---
 .../router/VirtualNetworkApplianceManagerImpl.java | 7 ++++++-
 .../debian/config/etc/init.d/cloud-early-config | 11 +++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 3cd3e807f62..8e97793caac 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2347,10 +2347,12 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
             buf.append(" domain=" + domain);
         }
 
+        long cidrSize = 0;
+
         //setup dhcp range
         if (dc.getNetworkType() == NetworkType.Basic) {
             if (guestNic.isDefaultNic()) {
-                final long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
+                cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
                 final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
                 if (cidr != null) {
                     dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
@@ -2359,11 +2361,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
         } else if (dc.getNetworkType() == NetworkType.Advanced) {
             final String cidr = guestNetwork.getCidr();
             if (cidr != null) {
+                cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
                 dhcpRange = NetUtils.getDhcpRange(cidr);
             }
         }
 
         if (dhcpRange != null) {
+            // To limit DNS to the cidr range
+            buf.append(" cidrsize=" + String.valueOf(cidrSize));
             buf.append(" dhcprange=" + dhcpRange);
         }
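Review bot: `long cidrSize = 0;` is a fail-open default: any path that leaves dhcpRange non-null without assigning cidrSize would send `cidrsize=0` to the router, where the DNS source filter added in cloud-early-config becomes a /0 match and restricts nothing. On the two paths visible here both values are set together, but dhcpRange is declared before this hunk and any earlier assignment to it is out of view. Appending only a real prefix length in the second hunk, `if (cidrSize > 0) { buf.append(" cidrsize=" + cidrSize); }`, or otherwise refusing to emit 0, keeps a missing prefix from silently widening the ACL. The enclosing method starts before the first hunk and ends after the second.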
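Review bot: `String.valueOf(cidrSize)` in the new append is redundant, since concatenating a long onto a string already converts it and the neighbouring `" dhcprange=" + dhcpRange` line does without it; `buf.append(" cidrsize=" + cidrSize);` matches the surrounding style. In the Advanced branch `NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr))` round-trips the CIDR through a netmask to recover a prefix length the cidr string already carries; if NetUtils has a direct parser for it that would be clearer, and if not a short comment explaining the detour helps the next reader. The comment `// To limit DNS to the cidr range` would say more as `// prefix length of the guest CIDR; the router restricts DNS to this range`.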
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 3c47f1396ac..f8ba8a16878 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -1073,8 +1073,16 @@ setup_dhcpsrvr() {
   enable_svc cloud 0
   enable_fwding 0
   chkconfig nfs-common off
+  cp /etc/iptables/iptables-router /etc/iptables/rules.v4
   cp /etc/iptables/iptables-router /etc/iptables/rules
+
+  #Only allow DNS service for current network
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+
 
   if [ "$SSHONGUEST" == "true" ]
   then
     setup_sshd $ETH0_IP "eth0"
@@ -1420,6 +1428,9 @@ for i in $CMDLINE
     vpccidr)
       VPCCIDR=$VALUE
       ;;
+    cidrsize)
+      CIDR_SIZE=$VALUE
+      ;;
   esac
 done
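Review bot: The four sed lines splice `$DHCP_RANGE/$CIDR_SIZE` into the ACCEPT rule unconditionally, so when either variable is empty (a management server that does not send cidrsize, or a network with no dhcprange) the rewritten line carries a malformed `-s` match that iptables-restore will most likely reject for the whole file, and when the template's ACCEPT line does not match the literal pattern nothing is rewritten and DNS stays open on eth0 with no trace in the log. Guarding on both variables, looping over the protocol instead of repeating the sed, and editing rules.v4 once before copying it to rules removes the duplication and makes the fallback explicit and logged. DHCP_RANGE is presumably filled in by the existing dhcprange case of the cmdline parser, which is outside this hunk; setup_dhcpsrvr begins before the hunk and continues after it.
```shell
  cp /etc/iptables/iptables-router /etc/iptables/rules.v4

  #Only allow DNS service for current network; with no range known, leave the
  #template rule as it is rather than writing an unloadable "-s" match
  if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ]
  then
    for proto in udp tcp
    do
      sed -i "s/-A INPUT -i eth0 -p $proto -m $proto --dport 53 -j ACCEPT/-A INPUT -i eth0 -p $proto -m $proto --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
    done
  else
    logger -t cloud-early-config "dhcprange or cidrsize not set; DNS on eth0 left unrestricted"
  fi
  cp /etc/iptables/rules.v4 /etc/iptables/rules
  # … unchanged: SSHONGUEST handling …
```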
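Review bot: `CIDR_SIZE=$VALUE` stores whatever string the kernel cmdline carries, and that value is later spliced into an iptables `-s` match in setup_dhcpsrvr, so a non-numeric or out-of-range prefix would surface only as a rule set iptables-restore refuses to load. A range check at parse time keeps the failure local and visible: `case "$VALUE" in [0-9]|[12][0-9]|3[0-2]) CIDR_SIZE=$VALUE ;; *) logger -t cloud-early-config "ignoring invalid cidrsize '$VALUE'" ;; esac`. The `for i in $CMDLINE` loop this case belongs to starts before the hunk.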