typo fix
This commit is contained in:
parent
0be4382bf1
commit
e682f10fc8
|
|
@ -30,48 +30,48 @@ usage() {
|
|||
#set -x
|
||||
#FIXME: eating up the error code during execution of iptables
|
||||
acl_remove_backup() {
|
||||
sudo iptables -F _ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -X _ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -F _ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -X _ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -F _ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X _ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -F _ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X _ACL_OUTBOUND_$ip 2>/dev/null
|
||||
}
|
||||
|
||||
acl_remove() {
|
||||
sudo iptables -F ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -X ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -F ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -X ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
|
||||
}
|
||||
|
||||
acl_restore() {
|
||||
acl_remove
|
||||
sudo iptables -E _ACL_INBOND_$gGW ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -E _ACL_OUTBOND_$gGW ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -E _ACL_INBOUND_$ip ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -E _ACL_OUTBOUND_$ip ACL_OUTBOUND_$ip 2>/dev/null
|
||||
}
|
||||
|
||||
acl_save() {
|
||||
acl_remove_backup
|
||||
sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$gGW 2>/dev/null
|
||||
}
|
||||
|
||||
acl_chain_for_guest_network () {
|
||||
acl_save
|
||||
# inbond
|
||||
sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
|
||||
sudo iptables -N ACL_INBOND_$gGW 2>/dev/null
|
||||
# inbound
|
||||
sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
|
||||
# drop if no rules match (this will be the last rule in the chain)
|
||||
sudo iptables -A ACL_INBOND_$gGW -j DROP 2>/dev/null
|
||||
sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
|
||||
# outbond
|
||||
sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -N ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -A ACL_OUTBOND_$gGW -j DROP 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
|
||||
sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null
|
||||
sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip 2>/dev/null
|
||||
# outbound
|
||||
sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -79,13 +79,13 @@ acl_chain_for_guest_network () {
|
|||
acl_entry_for_guest_network() {
|
||||
local rule=$1
|
||||
|
||||
local inbond=$(echo $rule | cut -d: -f1)
|
||||
local inbound=$(echo $rule | cut -d: -f1)
|
||||
local prot=$(echo $rules | cut -d: -f2)
|
||||
local sport=$(echo $rules | cut -d: -f3)
|
||||
local eport=$(echo $rules | cut -d: -f4)
|
||||
local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
|
||||
|
||||
logger -t cloud "$(basename $0): enter apply firewall rules for guest network: $gcidr inbond:$inbond:$prot:$sport:$eport:$cidrs"
|
||||
logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
|
||||
|
||||
# note that rules are inserted after the RELATED,ESTABLISHED rule
|
||||
# but before the DROP rule
|
||||
|
|
@ -97,30 +97,30 @@ acl_entry_for_guest_network() {
|
|||
typecode="$sport/$eport"
|
||||
[ "$eport" == "-1" ] && typecode="$sport"
|
||||
[ "$sport" == "-1" ] && typecode="any"
|
||||
if [ "$inbond" == "1" ]
|
||||
if [ "$inbound" == "1" ]
|
||||
then
|
||||
sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
|
||||
sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
|
||||
--icmp-type $typecode -j ACCEPT
|
||||
else
|
||||
sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
|
||||
sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
|
||||
--icmp-type $typecode -j ACCEPT
|
||||
fi
|
||||
else
|
||||
if [ "$inbond" == "1" ]
|
||||
if [ "$inbound" == "1" ]
|
||||
then
|
||||
sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
|
||||
sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
|
||||
--dport $sport:$eport -j ACCEPT
|
||||
else
|
||||
sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
|
||||
sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
|
||||
--dport $sport:$eport -j ACCEP`T
|
||||
fi
|
||||
result=$?
|
||||
[ $result -gt 0 ] &&
|
||||
logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
|
||||
logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
|
||||
break
|
||||
done
|
||||
|
||||
logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
|
||||
logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"
|
||||
return $result
|
||||
}
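Review bot: The renamed outbound tcp/udp rule in this hunk ends in `-j ACCEP`T`, a stray backtick that opens an unterminated command substitution, so bash refuses to parse the whole script; the line should read `--dport $sport:$eport -j ACCEPT`. The four `iptables -I` lines also still address the chains as `ACL_INBOUND_$gGW` and `ACL_OUTBOUND_$gGW`, while `acl_chain_for_guest_network` now creates and hooks them as `ACL_INBOUND_$ip`/`ACL_OUTBOUND_$ip` and, as far as this diff shows, `gGW` is initialised to `""` and its only assignment was replaced by `ip=$(echo $gcidr | awk -F'/' '{print $1}')`, so every insert targets the non-existent chain `ACL_INBOUND_` and the `result`/`break` path fires on the first rule, leaving the guest network with only the DROP rules. The enclosing loop and the ICMP branch's opening `if` start before this hunk. Two related slips elsewhere in this file are worth fixing in the same change: the guard `[ "$dflag$gflag$aflag" != "!11" ]` compares against `!11` rather than `111` and so always reaches `usage()`, and `acl_chain_for_guest_network` attaches the outbound chain with `-D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip` where the inbound side uses `-A`, which leaves egress traffic unfiltered by the ACL even once the script runs.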
|
||||
|
||||
|
|
@ -132,7 +132,7 @@ aflag=0
|
|||
rules=""
|
||||
rules_list=""
|
||||
gcidr=""
|
||||
gGW=""
|
||||
ip=""
|
||||
dev=""
|
||||
while getopts ':d:g:a:' OPTION
|
||||
do
|
||||
|
|
@ -150,9 +150,7 @@ do
|
|||
esac
|
||||
done
|
||||
|
||||
VIF_LIST=$(get_vif_list)
|
||||
|
||||
if [ "$gflag$aflag" != "11" ]
|
||||
if [ "$dflag$gflag$aflag" != "!11" ]
|
||||
then
|
||||
usage()
|
||||
fi
|
||||
|
|
@ -170,7 +168,7 @@ fi
|
|||
# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
|
||||
|
||||
success=0
|
||||
gGW=$(echo $gcidr | awk -F'/' '{print $1}')
|
||||
ip=$(echo $gcidr | awk -F'/' '{print $1}')
|
||||
|
||||
acl_chain_for_guest_network
|
||||
|
||||
|
|
|
|||
|
|
@ -31,64 +31,71 @@ usage() {
|
|||
|
||||
|
||||
setup_dnsmasq() {
|
||||
loger -t cloud "Setting up dnsmasq for network $gwIP "
|
||||
loger -t cloud "Setting up dnsmasq for network $ip/$mask "
|
||||
|
||||
sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
|
||||
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
|
||||
|
||||
echo "dhcp-range=interface:$ethDev,$gwIP,static/" >> /etc/dnsmasq.d/cloud.conf
|
||||
echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static/" >> /etc/dnsmasq.d/cloud.conf
|
||||
|
||||
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
|
||||
if [ -n "$gw" ]
|
||||
then
|
||||
echo "dhcp-option=tag:interface-$dev,option:router,$gw" >> /etc/dnsmasq.d/cloud.conf
|
||||
fi
|
||||
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
|
||||
if [ -n "$NS" ]
|
||||
then
|
||||
echo "dhcp-option=tag:interface-$dev,6,$NS" >> /etc/dnsmasq.d/cloud.conf
|
||||
fi
|
||||
service dnsmasq restart
|
||||
sleep 1
|
||||
}
|
||||
|
||||
desetup_dnsmasq() {
|
||||
loger -t cloud "Setting up dnsmasq for network $gwIP "
|
||||
loger -t cloud "Setting up dnsmasq for network $ip/$mask "
|
||||
|
||||
sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
|
||||
|
||||
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf
|
||||
sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf
|
||||
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
|
||||
service dnsmasq restart
|
||||
sleep 1
|
||||
}
|
||||
|
||||
|
||||
create_network() {
|
||||
logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
|
||||
create_guest_network() {
|
||||
logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
|
||||
|
||||
sudo ip addr add $ethDev $gwIP/$cidr
|
||||
sudo ip addr add $dev $ip/$mask
|
||||
|
||||
# create inbond acl chain
|
||||
if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
|
||||
# create inbound acl chain
|
||||
if sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
|
||||
then
|
||||
logger -t cloud "$(basename $0): create VPC inbond acl chain for network $gwIP"
|
||||
logger -t cloud "$(basename $0): create VPC inbound acl chain for network $ip/$mask"
|
||||
# policy drop
|
||||
sudo iptables -A ACL_INBOND_$gwIP DROP >/dev/null
|
||||
sudo iptables -A FORWARD -o $dev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
|
||||
sudo iptables -A ACL_INBOUND_$ip DROP >/dev/null
|
||||
sudo iptables -A FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip
|
||||
fi
|
||||
# create outbond acl chain
|
||||
if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
|
||||
# create outbound acl chain
|
||||
if sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
|
||||
then
|
||||
logger -t cloud "$(basename $0): create VPC outbond acl chain for network $gwIP"
|
||||
sudo iptables -A ACL_OUTBOND_$gwIP DROP >/dev/null
|
||||
sudo iptables -A FORWARD -i $dev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
|
||||
logger -t cloud "$(basename $0): create VPC outbound acl chain for network $ip/$mask"
|
||||
sudo iptables -A ACL_OUTBOUND_$ip DROP >/dev/null
|
||||
sudo iptables -A FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip
|
||||
fi
|
||||
|
||||
setup_dnsmasq
|
||||
}
|
||||
|
||||
destroy_network() {
|
||||
logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
|
||||
|
||||
|
||||
# destroy egress firewall chain
|
||||
sudo iptables -t mangle -D PREROUTING -s $gwIP/$cidr -j FIREWALL_EGRESS_$gwIP
|
||||
sudo iptables -t mangle -F FIREWALL_EGRESS_$gwIP
|
||||
sudo iptables -t mangle -X FIREWALL_EGRESS_$gwIP
|
||||
|
||||
# destroy ingress firewall chain
|
||||
|
||||
sudo iptables -t mangle -D POSTROUTING -o $devDev-d $gwIP/$cidr -j FIREWALL_IEGRESS_$gwIP
|
||||
sudo iptables -t mangle -F FIREWALL_INGRESS_$gwIP
|
||||
sudo iptables -t mangle -X FIREWALL_INGRESS_$gwIP
|
||||
destroy_guest_network() {
|
||||
logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask "
|
||||
# destroy inbound acl chain
|
||||
sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
|
||||
# destroy outbound acl chain
|
||||
sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -D FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip 2>/dev/null
|
||||
sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
|
||||
|
||||
desetup_dnsmasq
|
||||
}
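Review bot: In `create_guest_network` the renamed policy-drop lines `sudo iptables -A ACL_INBOUND_$ip DROP >/dev/null` and `sudo iptables -A ACL_OUTBOUND_$ip DROP >/dev/null` are missing `-j`, so iptables rejects them and each ACL chain is hooked into FORWARD empty; traffic matching no entry falls back out of the chain instead of being dropped, inverting the default-deny the `# policy drop` comment promises — they should be `sudo iptables -A ACL_INBOUND_$ip -j DROP` and `sudo iptables -A ACL_OUTBOUND_$ip -j DROP`. The interface setup `sudo ip addr add $dev $ip/$mask` also has its arguments in the wrong order for iproute2 and should be `sudo ip addr add $ip/$mask dev $dev`. Both `setup_dnsmasq` and `desetup_dnsmasq` still call `loger` rather than `logger`, and `desetup_dnsmasq` appears to keep a `sed` keyed on `$ethDev`, a variable this commit renames to `$dev` in option parsing; if that line survives as context, the pattern degrades to `^[#]*dhcp-range=interface:` and tearing down one network deletes every interface's dhcp-range — worth confirming against the full file. In the option-check hunk below, `["$dflag$iflag$gflag$mflag" != "1111" ]` has no space after `[`, so bash looks for a command named `[1111` and the missing-argument check never triggers.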
|
||||
|
|
@ -116,18 +123,20 @@ do
|
|||
n) nflag=1
|
||||
network="$OPTAGR"
|
||||
;;
|
||||
c) cflag=1
|
||||
cidr="$OPTARG"
|
||||
c) mflag=1
|
||||
mask="$OPTARG"
|
||||
;;
|
||||
d) dflag=1
|
||||
ethDev="$OPTARG"
|
||||
dev="$OPTARG"
|
||||
;;
|
||||
v) vflag=1
|
||||
vcidr="$OPTARG"
|
||||
v) iflag=1
|
||||
ip="$OPTARG"
|
||||
;;
|
||||
|
||||
g) gflag=1
|
||||
gwIP="$OPTARG"
|
||||
gw="$OPTARG"
|
||||
;;
|
||||
s) sflag=1
|
||||
DNS="$OPTARG"
|
||||
;;
|
||||
?) usage
|
||||
unlock_exit 2 $lock $locked
|
||||
|
|
@ -142,7 +151,7 @@ then
|
|||
unlock_exit 2 $lock $locked
|
||||
fi
|
||||
|
||||
if [ "$Cflag" == "1" ] && ["$nflag$mflag$gflag$vflag" != "1111" ]
|
||||
if [ "$Cflag" == "1" ] && ["$dflag$iflag$gflag$mflag" != "1111" ]
|
||||
then
|
||||
usage
|
||||
unlock_exit 2 $lock $locked
|
||||
|
|
|
|||
2
wscript
2
wscript
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
# the following two variables are used by the target "waf dist"
|
||||
# if you change 'em here, you need to change it also in cloud.spec, add a %changelog entry there, and add an entry in debian/changelog
|
||||
VERSION = '3.0.3.2012-05-25T20:59:05Z'
|
||||
VERSION = '3.0.3.2012-06-04T23:35:51Z'
|
||||
APPNAME = 'cloud'
|
||||
|
||||
import shutil,os
|
||||
|
|
|
|||