VPC : move egress chain to PREROUTING

2012-07-06 19:05:01 -07:00 · 2012-07-06 19:05:01 -07:00 · c18da90355
parent f737a21881
commit c18da90355
2 changed files with 29 additions and 14 deletions
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@ -33,30 +33,30 @@ acl_remove_backup() {
  sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
  sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev  2>/dev/null
  sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -F _ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$dev  2>/dev/null
-  sudo iptables -X _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
 }

 acl_remove() {
  sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
  sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev  2>/dev/null
  sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -F ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$dev  2>/dev/null
-  sudo iptables -X ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
 }

 acl_restore() {
  acl_remove
  sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
 }

 acl_save() {
  acl_remove_backup
  sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
 }

 acl_chain_for_guest_network () {
@ -67,9 +67,9 @@ acl_chain_for_guest_network () {
  sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
  sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev  2>/dev/null
  # outbound
-  sudo iptables -N ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
-  sudo iptables -A FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
 }


@ -105,7 +105,7 @@ acl_entry_for_guest_network() {
        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr  \
                    --icmp-type $typecode  -j ACCEPT
      else
-        sudo iptables -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
+        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
                    --icmp-type $typecode  -j ACCEPT
      fi
    else
@ -114,7 +114,7 @@ acl_entry_for_guest_network() {
        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
                    $DPORT -j ACCEPT
      else
-        sudo iptables -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
                    $DPORT -j ACCEPT
      fi
    fi
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@ -31,6 +31,20 @@ usage() {
 }


+destroy_acl_outbound_chain() {
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+create_acl_outbound_chain() {
+  destroy_acl_outbound_chain
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+}
+
+
 setup_apache2() {
  logger_it "Setting up apache web server for $dev"
  cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
@ -119,7 +133,7 @@ create_guest_network() {
  sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  # set up hairpin
  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
-
+  create_acl_outbound_chain
  setup_usage
  setup_dnsmasq
  setup_apache2
@ -133,6 +147,7 @@ destroy_guest_network() {
  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  destroy_acl_outbound_chain
  desetup_usage
  desetup_dnsmasq
  desetup_apache2