From 9e9ae52dbfad61aa0c15b3724a7ea6bec644e64f Mon Sep 17 00:00:00 2001
From: Naredula Janardhana Reddy
Date: Tue, 9 Aug 2011 00:08:07 +0530
Subject: [PATCH] Revert "bug 10561: Allowing ICMP traffic through static NAT"
This reverts commit 5e74e24bb359456967866cb2c6cc0f6f73570f97.
---
 .../systemvm/debian/config/root/firewall.sh | 14 +-----
 .../cloud/network/rules/RulesManagerImpl.java | 44 +------------------
 2 files changed, 3 insertions(+), 55 deletions(-)
diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 201aa45ac74..84cbab75d5f 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -126,22 +126,12 @@ one_to_one_fw_entry() {
 # shortcircuit the process if error and it is an append operation
 # continue if it is delete
- if [ $proto == "icmp" ]
- then
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
- -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
- -m state \
- --state NEW -j ACCEPT &>> $OUTFILE )
- else
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
+ (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
 --destination-port $portRange -j DNAT \
 --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+ (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
 --destination-port $portRange -m state \
 --state NEW -j ACCEPT &>> $OUTFILE )
- fi
 result=$?
 logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java
index 698894298fa..b7fed50a783 100755
--- a/server/src/com/cloud/network/rules/RulesManagerImpl.java
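Review bot: With the `if [ $proto == "icmp" ]` branch gone, the only remaining path in `one_to_one_fw_entry` always passes `--proto $proto` together with `--destination-port $portRange`, a match that iptables accepts only for tcp/udp, so any caller that still hands this script an icmp rule now fails inside iptables with no log line naming the cause, and on `-D` the `|| [ "$op" == "-D" ]` clause hides that failure entirely. An explicit guard before the rule lines keeps the rejection visible, e.g. `case "$proto" in tcp|udp) ;; *) logger -t cloud "$(basename $0): unsupported proto $proto for static nat"; return 1 ;; esac`. While the lines are being touched, the unquoted `$publicIp`, `$instIp` and `$portRange` expansions on the retained lines would be safer quoted. The function's opening line and the rest of its body are outside the hunk.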
+++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java
@@ -424,28 +424,8 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
 ipAddress.setOneToOneNat(true);
 ipAddress.setAssociatedWithVmId(vmId);
- if ( _ipAddressDao.update(ipAddress.getId(), ipAddress))
- {
- List staticNatRules = new ArrayList();
-
- FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
- networkId,vm.getAccountId(), vm.getDomainId(), Purpose.StaticNat);
+ return _ipAddressDao.update(ipAddress.getId(), ipAddress);
- staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
-
- try {
- if (!applyRules(staticNatRules, true)) {
- return false;
- }
-
- } catch (ResourceUnavailableException ex) {
- s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
- return false;
- }
- return true;
-
- }
- return false;
 }

 @DB
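Review bot: The new `return _ipAddressDao.update(ipAddress.getId(), ipAddress);` is now the method's only outcome signal, and a `false` from it leaves the already-mutated `ipAddress` (one-to-one NAT flag set, VM id associated) silently out of step with what was persisted, with nothing in the log to explain a failed static NAT enable. A warning at that point is cheap: `boolean updated = _ipAddressDao.update(ipAddress.getId(), ipAddress);`, `if (!updated) { s_logger.warn("Failed to persist one-to-one nat for ip " + ipAddress + " and vm " + vmId); }`, `return updated;`. The removed lines were also the only place in this hunk that pushed rules to the router; whether the caller applies rules after this method returns cannot be seen here, so a one-line comment above the return stating that this method records the association only and does not program the firewall would help the next reader. The enclosing method's signature is outside the hunk.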
@@ -1121,29 +1101,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
 s_logger.warn("Unable to revoke all static nat rules for ip " + ipAddress);
 success = false;
 }
- if (success)
- {
- long vmId = ipAddress.getAssociatedWithVmId();
- Nic guestNic = _networkMgr.getNicInNetwork(vmId, ipAddress.getAssociatedWithNetworkId());
- if (guestNic == null) {
- throw new InvalidParameterValueException("Vm doesn't belong to the network " + ipAddress.getAssociatedWithNetworkId());
- }
- List staticNatRules = new ArrayList();
- FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
- ipAddress.getAssociatedWithNetworkId(),ipAddress.getAccountId(), ipAddress.getDomainId(), Purpose.StaticNat);
- ruleVO.setState(State.Revoke);
- staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
-
- try {
- if (!applyRules(staticNatRules, true)) {
- return false;
- }
- } catch (ResourceUnavailableException ex) {
- s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
- return false;
- }
- }
 if (success) {
 ipAddress.setOneToOneNat(false);
 ipAddress.setAssociatedWithVmId(null);