Use mangle table PREROUTING chain to ensure traffic from any public interface on VPC VR

is connection marked. Traffic from RELATED, ESTABLISHED connectinso on guest network interfaces on VPC VR connection marking is restored.
2016-09-06 03:32:35 +05:30 · 2016-09-06 03:32:35 +05:30 · c803daec17
parent 88721b2f3c
commit c803daec17
2 changed files with 31 additions and 14 deletions
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@ -285,7 +285,9 @@ class CsIP:

            CsRule(self.dev).addMark()
            self.check_is_up()
-            if self.dnum != '0':
+            if not self.config.is_vpc() and self.dnum != '0':
+                self.set_mark()
+            if self.config.is_vpc():
                self.set_mark()
            self.arpPing()

@ -435,10 +437,10 @@ class CsIP:
    def fw_vpcrouter(self):
        if not self.config.is_vpc():
            return
-        self.fw.append(["mangle", "front", "-A PREROUTING " +
-                        "-m state --state RELATED,ESTABLISHED " +
-                        "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
        if self.get_type() in ["guest"]:
+            self.fw.append(["mangle", "front", "-A PREROUTING " +
+                            " -i %s -m state --state RELATED,ESTABLISHED "  % self.dev +
+                            "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
            self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                            (self.address['network'], self.dev, self.dev)])
            self.fw.append(
@ -512,20 +514,26 @@ class CsIP:
        tableName = "Table_" + self.dev

        if method == "add":
-            # treat the first IP on a interface as special case to set up the routing rules
-            if self.get_type() in ["public"] and (not self.config.is_vpc()) and (len(self.iplist) == 1):
-                CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth0'][0]['network'] + " table " + tableName + " proto static")
-                CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth1'][0]['network'] + " table " + tableName + " proto static")
+            if not self.config.is_vpc():
+                # treat the first IP on a interface as special case to set up the routing rules
+                if self.get_type() in ["public"] and (len(self.iplist) == 1):
+                    CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth0'][0]['network'] + " table " + tableName + " proto static")
+                    CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth1'][0]['network'] + " table " + tableName + " proto static")

-            # add 'defaul via gateway' rule in the device specific routing table
-            if "gateway" in self.address and self.address["gateway"] != "None":
-                route.add_route(self.dev, self.address["gateway"])
+                # add 'defaul via gateway' rule in the device specific routing table
+                if "gateway" in self.address and self.address["gateway"] != "None":
+                    route.add_route(self.dev, self.address["gateway"])
+
+                if self.get_type() in ["public"]:
+                    CsRule(self.dev).addRule("from " + str(self.address["network"]))
+
+            if self.config.is_vpc():
+                if self.get_type() in ["public"] and "gateway" in self.address and self.address["gateway"] != "None":
+                    route.add_route(self.dev, self.address["gateway"])
+                route.add_network_route(self.dev, str(self.address["network"]))

            CsHelper.execute("sudo ip route flush cache")

-            if self.get_type() in ["public"]:
-                CsRule(self.dev).addRule("from " + str(self.address["network"]))
-
        elif method == "delete":
            # treat the last IP to be dis-associated with interface as special case to clean up the routing rules
            if self.get_type() in ["public"] and (not self.config.is_vpc()) and (len(self.iplist) == 0):
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
@ -57,6 +57,15 @@ class CsRoute:
        cmd = "default via %s table %s proto static" % (address, table)
        self.set_route(cmd)

+    def add_network_route(self, dev, address):
+        """ Wrapper method that adds table name and device to route statement """
+        # ip route add dev eth1 table Table_eth1 10.0.2.0/24
+        table = self.get_tablename(dev)
+        logging.info("Adding route: dev " + dev + " table: " +
+                     table + " network: " + address + " if not present")
+        cmd = "dev %s table %s %s" % (dev, table, address)
+        self.set_route(cmd)
+
    def set_route(self, cmd, method="add"):
        """ Add a route if it is not already defined """
        found = False