New code for ACLs (VPN configuration) failed functional tests

Some corrections
This commit is contained in:
Ian Southam 2014-09-10 12:38:46 +02:00 committed by wilderrodrigues
parent f7d0a11a34
commit a01e9082cd
2 changed files with 19 additions and 11 deletions


@ -211,7 +211,7 @@ class CsNetfilter(object):
# Order is important
order = ['-A', '-s', '-d', '!_-d', '-i', '!_-i', '-p', '-m', '-m2', '--icmp-type', '--state',
'--dport', '--destination-port', '-o', '!_-o', '-j', '--set-xmark', '--checksum',
'--to-source', '--to-destination']
'--to-source', '--to-destination', '--mark' ]
str = ''
for k in order:
if k in self.rule.keys():
@ -229,13 +229,21 @@ class CsNetfilter(object):
def __eq__(self, rule):
if rule.get_table() != self.get_table():
return False
#if '-j' in self.get_rule().keys() and self.get_rule()['-j'] == "MARK" and self.get_rule()['--set-xmark'] == '0x524/0xffffffff' and \
#'-j' in rule.get_rule().keys() and rule.get_rule()['-j'] == "MARK" and rule.get_rule()['--set-xmark'] == '0x524/0xffffffff':
#pprint(self.get_rule())
#pprint(rule.get_rule())
#pprint(self.get_chain())
#pprint(rule.get_chain())
if rule.get_chain() != self.get_chain():
return False
if len(rule.get_rule().items()) != len(self.get_rule().items()):
return False
#if '--checksum' in self.get_rule().keys() and self.get_rule()['--checksum'] == "fill":
#pprint(self.get_rule())
common = set(rule.get_rule().items()) & set(self.get_rule().items())
#if '-j' in self.get_rule().keys() and self.get_rule()['-j'] == "MARK" and self.get_rule()['--set-xmark'] == '0x524/0xffffffff':
#pprint(self.get_rule())
#pprint(rule.get_rule())
#pprint(common)
if len(common) != len(rule.get_rule()):
return False
return True
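Review bot: The `__eq__` body in the second hunk now carries a dozen commented-out debugging lines (the `#if '-j' in self.get_rule().keys() ...` and `#pprint(...)` lines); they should be deleted before merge rather than committed, since they document nothing and bury the three real comparisons. If this file runs under Python 2, which the 2014 date and the `.keys()`/`.items()` style suggest, defining `__eq__` alone leaves `!=` on the default identity comparison, so any rule de-duplication that uses `!=` will treat equal rules as different; add `def __ne__(self, rule): return not self.__eq__(rule)` alongside it. A one-line docstring such as `"""Two rules are equal when table, chain and every option/value pair match."""` would also make the set-intersection check self-explanatory.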


@ -802,8 +802,8 @@ class CsAddress(CsDataBag):
# Only relevant if there is a VPN configured so will have to move
# at some stage
fw.append(["mangle", "", "-A FORWARD -j VPN_STATS_%s" % dev])
fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --mark 0x525/0xffffffff" % (dev, dev)])
fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --mark 0x524/0xffffffff" % (dev, dev)])
fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --set-xmark 0x525/0xffffffff" % (dev, dev)])
fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --set-xmark 0x524/0xffffffff" % (dev, dev)])
class CsSite2SiteVpn(CsDataBag):
"""
@ -850,13 +850,13 @@ class CsSite2SiteVpn(CsDataBag):
def configure_iptables(self, dev, obj):
fw.append([ "", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -j ACCEPT" % dev ])
fw.append([ "", "front", "-A INPUT -i %s -p udp -m udp --dport 4500 -j ACCEPT" % dev ])
fw.append([ "", "front", "-A INPUT -i %s -p 50 -j ACCEPT" % dev ])
fw.append([ "", "front", "-t nat -I POSTROUTING -t nat -o %s-m mark --mark 0x525/0xffffffff -j ACCEPT" % dev ])
fw.append([ "", "front", "-A INPUT -i %s -p esp -j ACCEPT" % dev ])
fw.append([ "nat", "front", "-A POSTROUTING -t nat -o %s-m mark --set-xmark 0x525/0xffffffff -j ACCEPT" % dev ])
for net in obj['peer_guest_cidr_list'].lstrip().rstrip().split(','):
fw.append([ "mangle", "front", "-I FORWARD -t mangle -s %s -d %s -j MARK --set-mark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
fw.append([ "mangle", "", "-A OUTPUT -s %s -d %s -j MARK --set-mark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
fw.append([ "mangle", "front", "-I FORWARD -s %s -d %s -j MARK --set-mark 0x524/0xffffffff" % (net, obj['local_guest_cidr'])])
fw.append([ "mangle", "", "-A INPUT -s %s -d %s -j MARK --set-mark 0x524/0xffffffff" % (net, obj['local_guest_cidr']) ])
fw.append([ "mangle", "front", "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
fw.append([ "mangle", "", "-A OUTPUT -s %s -d %s -j MARK --set-xmark 0x525/0xffffffff" % (obj['local_guest_cidr'], net)])
fw.append([ "mangle", "front", "-A FORWARD -s %s -d %s -j MARK --set-xmark 0x524/0xffffffff" % (net, obj['local_guest_cidr'])])
fw.append([ "mangle", "", "-A INPUT -s %s -d %s -j MARK --set-xmark 0x524/0xffffffff" % (net, obj['local_guest_cidr']) ])
def configure_ipsec(self, obj):
leftpeer = obj['local_public_ip']
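Review bot: In the `configure_iptables` hunk the rule `-A POSTROUTING -t nat -o %s-m mark --set-xmark 0x525/0xffffffff -j ACCEPT`, and the two `VPN_STATS_%s ... -m mark --set-xmark` rules in the first hunk, pair the `mark` match with `--set-xmark`, which is an option of the `MARK` target, not of the match; iptables rejects that as an unknown option, so the rule would never be installed. The page shows no +/- markers, so if these are the new side the correction is `-o %s -m mark --mark 0x525/0xffffffff -j ACCEPT` (`--mark value/mask` after `-m mark`, `--set-xmark` only after `-j MARK`), and the `'--mark'` key the first file adds to `order` suggests that is the intended form. Both printed versions of the POSTROUTING line also lack a space between `%s` and `-m`, gluing the interface name and the flag into one token (e.g. `eth2-m`), which iptables will not parse as intended. This is security-relevant because that ACCEPT is what exempts the 0x525-marked site-to-site traffic from the public-IP SNAT rules that follow in POSTROUTING; without it the rewritten source would presumably no longer match the IPsec policy and the traffic would leave the router outside the tunnel, which is worth pinning with the functional tests this commit mentions.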