Fixed rules for dhcp towards v,

Fixed fw rules for a bunch of things
Bring public interface up if no tier has been defined
This commit is contained in:
Ian Southam 2015-02-04 17:44:05 +01:00 committed by wilderrodrigues
parent 4c9f4fcdd3
commit 9e82281cc1
3 changed files with 49 additions and 55 deletions


@ -96,7 +96,6 @@ class CsAddress(CsDataBag):
if dev == "id":
continue
ip = CsIP(dev, self.config)
addcnt = 0
for address in self.dbag[dev]:
if not address["nw_type"] == "control":
CsRoute(dev).add(address)
@ -108,37 +107,6 @@ class CsAddress(CsDataBag):
logging.info("Address %s on device %s not configured", ip.ip(), dev)
if CsDevice(dev, self.config).waitfordevice():
ip.configure()
# This could go one level up but the ip type is stored in the
# ip address object and not in the device object
# Call only once
if addcnt == 0:
self.add_netstats(address)
addcnt += 1
def add_netstats(self, address):
# add in the network stats iptables rules
dev = "eth%s" % address['nic_dev_id']
if address["nw_type"] == "public":
self.fw.append(["", "front", "-A FORWARD -j NETWORK_STATS"])
self.fw.append(["", "front", "-A INPUT -j NETWORK_STATS"])
self.fw.append(["", "front", "-A OUTPUT -j NETWORK_STATS"])
# it is not possible to calculate these devices
# When the vrouter and the vpc router are combined this silliness can go
self.fw.append(["", "", "-A NETWORK_STATS -i %s -o eth0 -p tcp" % dev])
self.fw.append(["", "", "-A NETWORK_STATS -o %s -i eth0 -p tcp" % dev])
self.fw.append(["", "", "-A NETWORK_STATS -o %s ! -i eth0 -p tcp" % dev])
self.fw.append(["", "", "-A NETWORK_STATS -i %s ! -o eth0 -p tcp" % dev])
# Netstats per interface only used on VPC
if address["nw_type"] == "guest" and self.config.is_vpc():
self.fw.append(["", "front", "-A FORWARD -j NETWORK_STATS_%s" % dev])
self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -s %s" % (dev, dev, address['network'])])
self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -d %s" % (dev, dev, address['network'])])
# Only relevant if there is a VPN configured so will have to move
# at some stage
self.fw.append(["mangle", "", "-A FORWARD -j VPN_STATS_%s" % dev])
self.fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --set-xmark 0x525/0xffffffff" % (dev, dev)])
self.fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --set-xmark 0x524/0xffffffff" % (dev, dev)])
class CsInterface:
@ -298,7 +266,7 @@ class CsIP:
for i in CsHelper.execute(cmd):
if " DOWN " in i:
cmd2 = "ip link set %s up" % self.getDevice()
# If redundant do not bring up public interfaces
# If redundant do not bring up public interfaces
# master.py and keepalived deal with tham
if self.config.cmdline().is_redundant() and not self.is_public():
CsHelper.execute(cmd2)
@ -392,7 +360,46 @@ class CsIP:
def fw_vpcrouter(self):
if not self.config.is_vpc():
return
# TODO seperate out vpc rules
self.fw.append(["mangle", "front", "-A PREROUTING " +
"-m state --state RELATED,ESTABLISHED " +
"-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
if self.get_type() in ["guest"]:
self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev])
self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev])
self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev])
self.fw.append(["mangle", "",
"-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
(self.dev, self.address['network'], self.address['gateway'], self.dev)
])
self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -s %s" % ("eth1", "eth1", self.address['network'])])
self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -d %s" % ("eth1", "eth1", self.address['network'])])
if self.get_type() in ["public"]:
self.fw.append(["nat", "front",
"-A POSTROUTING -o %s -j SNAT --to-source %s" %
(self.dev, self.address['public_ip'])
])
self.fw.append(["nat", "front",
"-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" %
(self.address['network'], self.dev,
self.address['public_ip'])
])
self.fw.append(["", "front",
"-A FORWARD -o %s -d %s -j ACL_INBOUND_%s" % (self.dev, self.address['network'], self.dev)
])
self.fw.append(["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])
self.fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --mark 0x525/0xffffffff" % (self.dev, self.dev)])
self.fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --mark 0x524/0xffffffff" % (self.dev, self.dev)])
self.fw.append(["", "front", "-A FORWARD -j NETWORK_STATS_%s" % self.dev])
self.fw.append(["", "front", "-A FORWARD -j NETWORK_STATS"])
self.fw.append(["", "front", "-A INPUT -j NETWORK_STATS"])
self.fw.append(["", "front", "-A OUTPUT -j NETWORK_STATS"])
self.fw.append(["", "", "-A NETWORK_STATS -i eth0 -o eth2 -p tcp"])
self.fw.append(["", "", "-A NETWORK_STATS -i eth2 -o eth0 -p tcp"])
self.fw.append(["", "", "-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp"])
self.fw.append(["", "", "-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp"])
def post_config_change(self, method):
route = CsRoute(self.dev)
@ -402,24 +409,9 @@ class CsIP:
self.fw_vpcrouter()
# On deletion nw_type will no longer be known
if self.get_type() in ["guest"] and self.config.is_vpc():
devChain = self.config.get_ingress_chain(self.dev, self.address['public_ip'])
CsDevice(self.dev, self.config).configure_rp()
self.fw.append(["nat", "front",
"-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" %
(self.address['network'], self.dev,
self.address['public_ip'])
])
self.fw.append(["mangle", "front", "-A %s -j ACCEPT" % devChain])
self.fw.append(["", "front",
"-A FORWARD -o %s -d %s -j %s" % (self.dev, self.address['network'], devChain)
])
self.fw.append(["", "", "-A %s -j DROP" % devChain])
self.fw.append(["mangle", "",
"-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j %s" %
(self.dev, self.address['network'], self.address['public_ip'], devChain)
])
logging.error("Not able to setup sourcenat for a regular router yet")
dns = CsDnsmasq(self)
dns.add_firewall_rules()
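Review bot: In the new fw_vpcrouter body the guest branch hard-codes the interface name in the accounting rules (`"-A NETWORK_STATS_%s -o %s -s %s" % ("eth1", "eth1", self.address['network'])` and its `-d` twin), and the trailing NETWORK_STATS rules hard-code eth0/eth2, while every other rule in the same method derives the device from `self.dev` (`"-A FORWARD -j NETWORK_STATS_%s" % self.dev`). On a router whose interfaces are numbered differently these rules count the wrong interface or populate a chain nothing jumps to, so the stats silently go missing; the removed add_netstats derived the name from `address['nic_dev_id']`, and either that data should be used here or a comment should state that on a VPC router the public interface is always eth1 so the literal is intentional. The `# TODO seperate out vpc rules` comment has a typo (separate). In the post_config_change hunk the guest path now ends in `logging.error("Not able to setup sourcenat for a regular router yet")`; if this is the expected path for every guest configure, warning level would keep the error log meaningful.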


@ -114,8 +114,8 @@ class CsCmdLine(CsDataBag):
def is_master(self):
if not self.is_redundant():
return False
if "redundant_master" in self.idata():
return self.idata()['redundant_master'] == "true"
if "redundant_state" in self.idata():
return self.idata()['redundant_state'] == "MASTER"
return False
def get_state(self):
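Review bot: is_master calls `self.idata()` up to four times to answer one question; binding it once reads better and avoids repeated work if idata() is not cached, e.g. `data = self.idata()` followed by `if "redundant_master" in data:` and `return data['redundant_master'] == "true"` (same for redundant_state). The result also hinges on string comparison against `"true"` and `"MASTER"`, which deserves a short docstring such as `"""True when this router is the redundant master, taken from redundant_master ("true") or redundant_state ("MASTER") in the command line data."""`. Which of the two lookups this commit changed is not recoverable from the rendering, so the note applies to the method as it now stands.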


@ -82,6 +82,11 @@ class CsRedundant(object):
# No redundancy if there is no guest network
if guest is None:
self._redundant_off()
# Bring up the public Interface(s)
if self.cl.is_master():
for obj in [o for o in self.address.get_ips() if o.is_public()]:
print obj.get_device()
self.check_is_up(obj.get_device())
return
CsHelper.mkdir(self.CS_RAMDISK_DIR, 0755, False)
CsHelper.mount_tmpfs(self.CS_RAMDISK_DIR)
@ -113,8 +118,6 @@ class CsRedundant(object):
file.search(" router_id ", " router_id %s" % self.cl.get_name())
file.search(" priority ", " priority %s" % self.cl.get_priority())
file.search(" interface ", " interface %s" % guest.get_device())
#file.search(" weight ", " weight %s" % 2)
# file.search(" state ", " state %s" % self.cl.get_state())
file.search(" state ", " state %s" % "EQUAL")
file.search(" virtual_router_id ", " virtual_router_id %s" % self.cl.get_router_id())
file.greplace("[RROUTER_BIN_PATH]", self.CS_ROUTER_DIR)
@ -255,7 +258,6 @@ class CsRedundant(object):
if o.needs_vrrp():
str = " %s brd %s dev %s\n" % (o.get_gateway_cidr(), o.get_broadcast(), o.get_device())
lines.append(str)
# This is wrong set_master and set_backup need to do this
self.check_is_up(o.get_device())
return lines
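Review bot: The new branch for a router without a guest tier leaves a debug `print obj.get_device()` in production code (first hunk); it should be dropped or become a log call, e.g. `logging.debug("Bringing up public interface %s", obj.get_device())` if logging is available in this module. Bringing the public interfaces up only when `self.cl.is_master()` is true matches the commit message, but a one-line comment such as `# Backup routers keep their public interfaces down; keepalived brings them up on failover` would make the asymmetry deliberate for the next reader. The last hunk appears to drop a `check_is_up` call from the vrrp-line builder (the old/new side is not recoverable from the rendering, and the enclosing function starts outside the hunk); if no other path now brings guest devices up on a redundant router, that deserves a look.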