bug 10561: Allowing ICMP traffic through static NAT

This commit is contained in:
Naredula Janardhana Reddy 2011-08-03 18:12:30 +05:30
parent c73f5da276
commit 954d8673c7
2 changed files with 55 additions and 3 deletions


@ -126,12 +126,22 @@ one_to_one_fw_entry() {
# shortcircuit the process if error and it is an append operation
# continue if it is delete
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
if [ $proto == "icmp" ]
then
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
-j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
-m state \
--state NEW -j ACCEPT &>> $OUTFILE )
else
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
--destination-port $portRange -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
--destination-port $portRange -m state \
--state NEW -j ACCEPT &>> $OUTFILE )
fi
result=$?
logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
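Review bot: The new `if [ $proto == "icmp" ]` test leaves `$proto` unquoted, so an empty or whitespace-containing value turns the test into a syntax error rather than falling through to the port-based branch; write it as `if [ "$proto" == "icmp" ]`. The same applies to `--proto $proto` and `--destination-port $portRange` in the iptables calls, where an unexpected value changes the rule's argument list instead of making the call fail, and quoting keeps each value a single argument. The icmp branch intentionally drops the port qualifier, which is correct for ICMP, but a short comment such as `# icmp has no ports; the caller must pass only validated protocol names` would make it explicit that no validation happens here. one_to_one_fw_entry starts before the hunk.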


@ -424,8 +424,28 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
ipAddress.setOneToOneNat(true);
ipAddress.setAssociatedWithVmId(vmId);
return _ipAddressDao.update(ipAddress.getId(), ipAddress);
if ( _ipAddressDao.update(ipAddress.getId(), ipAddress))
{
List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
networkId,vm.getAccountId(), vm.getDomainId(), Purpose.StaticNat);
staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
try {
if (!applyRules(staticNatRules, true)) {
return false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
return false;
}
return true;
}
return false;
}
@DB
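Review bot: The new branch persists the one-to-one NAT association with `_ipAddressDao.update(...)` before the ICMP rule is applied, so when `applyRules` returns false or throws ResourceUnavailableException the method returns false while the IP address row already records `oneToOneNat=true` and the VM id. Either apply the rule first and update the row only on success, or undo the association in the two failure paths, so a failed enable does not leave a half-configured static NAT that the caller believes was rejected. It also looks like the constructed `FirewallRuleVO` (null id) is never persisted, so a later revoke has to rebuild it by hand — confirm whether that is intended. The enclosing method starts before the hunk.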
@ -1101,7 +1121,29 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
s_logger.warn("Unable to revoke all static nat rules for ip " + ipAddress);
success = false;
}
if (success)
{
long vmId = ipAddress.getAssociatedWithVmId();
Nic guestNic = _networkMgr.getNicInNetwork(vmId, ipAddress.getAssociatedWithNetworkId());
if (guestNic == null) {
throw new InvalidParameterValueException("Vm doesn't belong to the network " + ipAddress.getAssociatedWithNetworkId());
}
List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
ipAddress.getAssociatedWithNetworkId(),ipAddress.getAccountId(), ipAddress.getDomainId(), Purpose.StaticNat);
ruleVO.setState(State.Revoke);
staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
try {
if (!applyRules(staticNatRules, true)) {
return false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
return false;
}
}
if (success) {
ipAddress.setOneToOneNat(false);
ipAddress.setAssociatedWithVmId(null);