Posted to commits@cloudstack.apache.org by mu...@apache.org on 2014/05/15 13:13:00 UTC

[1/2] git commit: updated refs/heads/4.4-forward to 4e72ec9

Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward 4e44ac56c -> 4e72ec998


CLOUDSTACK-6686:NetworkACLItemCidrsDaoImpl uses firewallRuleId instead
of networkAclItemId

fix uses networkAclItemId instead of firewallRuleId


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4e72ec99
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4e72ec99
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4e72ec99

Branch: refs/heads/4.4-forward
Commit: 4e72ec99838685a60cee792ce94d206105331942
Parents: 5dcc34c
Author: Murali Reddy <mu...@gmail.com>
Authored: Thu May 15 16:41:34 2014 +0530
Committer: Murali Reddy <mu...@gmail.com>
Committed: Thu May 15 16:42:49 2014 +0530

----------------------------------------------------------------------
 .../com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4e72ec99/engine/schema/src/com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java
----------------------------------------------------------------------
diff --git a/engine/schema/src/com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java b/engine/schema/src/com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java
index 23c1fa7..7c02f8b 100644
--- a/engine/schema/src/com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java
+++ b/engine/schema/src/com/cloud/network/vpc/dao/NetworkACLItemCidrsDaoImpl.java
@@ -70,7 +70,7 @@ public class NetworkACLItemCidrsDaoImpl extends GenericDaoBase<NetworkACLItemCid
     @Override
     public List<String> getCidrs(long networkACLItemId) {
         SearchCriteria<NetworkACLItemCidrsVO> sc = cidrsSearch.create();
-        sc.setParameters("firewallRuleId", networkACLItemId);
+        sc.setParameters("networkAclItemId", networkACLItemId);
 
         List<NetworkACLItemCidrsVO> results = search(sc, null);
         List<String> cidrs = new ArrayList<String>(results.size());
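Review bot: The search-condition key `"networkAclItemId"` is a bare string literal that must agree with the name used when `cidrsSearch` is built (outside this hunk), and the same literal is repeated in the second hunk for `listByNetworkACLItemId`; a silent mismatch between those three places is exactly what this commit corrects. Declaring it once, e.g. `private static final String NETWORK_ACL_ITEM_ID = "networkAclItemId";`, and using the constant in the search builder and both `setParameters` calls keeps them from drifting apart again. Whether an unknown key would fail loudly or just yield an empty result depends on `SearchCriteria.setParameters`, which is not visible here; if it is the latter, callers of `getCidrs` cannot tell "no CIDRs on this ACL item" from "lookup never matched", which for ACL evaluation is worth a comment on the method. `getCidrs` continues past the end of the hunk.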
@@ -84,7 +84,7 @@ public class NetworkACLItemCidrsDaoImpl extends GenericDaoBase<NetworkACLItemCid
     @Override
     public List<NetworkACLItemCidrsVO> listByNetworkACLItemId(long networkACLItemId) {
         SearchCriteria<NetworkACLItemCidrsVO> sc = cidrsSearch.create();
-        sc.setParameters("firewallRuleId", networkACLItemId);
+        sc.setParameters("networkAclItemId", networkACLItemId);
 
         List<NetworkACLItemCidrsVO> results = search(sc, null);
 


[2/2] git commit: updated refs/heads/4.4-forward to 4e72ec9

Posted by mu...@apache.org.
CLOUDSTACK-6685: OVS distributed firewall: source CIDR mismatch while
populating ingress & egress network ACL

fix ensures proper values for nw_src and nw_dst are populated
depending on the ingress or egress acl


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5dcc34cb
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5dcc34cb
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5dcc34cb

Branch: refs/heads/4.4-forward
Commit: 5dcc34cb655ebfff996c629dc0eeeb3d54657480
Parents: 4e44ac5
Author: Murali Reddy <mu...@gmail.com>
Authored: Thu May 15 16:37:40 2014 +0530
Committer: Murali Reddy <mu...@gmail.com>
Committed: Thu May 15 16:42:49 2014 +0530

----------------------------------------------------------------------
 .../xenserver/cloudstack_pluginlib.py           | 112 ++++++++++++++-----
 1 file changed, 82 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5dcc34cb/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
index 215d556..d3d234f 100644
--- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
+++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
@@ -634,6 +634,12 @@ def configure_vpc_bridge_for_routing_policies(bridge, json_config, sequence_no):
                 protocol = acl_item.protocol
                 if protocol == "all":
                     protocol = "*"
+                elif protocol == "tcp":
+                    protocol = "6"
+                elif protocol == "udp":
+                    protocol == "17"
+                elif protocol == "icmp":
+                    protocol == "1"
                 source_cidrs = acl_item.sourcecidrs
                 acl_priority = 1000 + number
                 if direction == "ingress":
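Review bot: The `udp` and `icmp` branches use `==` where `=` is intended, so `protocol == "17"` and `protocol == "1"` evaluate a comparison and discard it, leaving `protocol` as the literal string `"udp"` or `"icmp"` when the flow entries are written further down. Only the `tcp` branch actually rewrites the value, so the mapping to numeric `nw_proto` values is incomplete for two of the three named protocols; the lines should read `protocol = "17"` and `protocol = "1"`. If the flow text with a non-numeric `nw_proto` is rejected by the switch (not visible here), the affected ACL entries would simply not be installed, which is worth confirming. `configure_vpc_bridge_for_routing_policies` starts before and continues after this hunk.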
@@ -647,50 +653,96 @@ def configure_vpc_bridge_for_routing_policies(bridge, json_config, sequence_no):
                     if source_port_start is None and source_port_end is None:
                         if source_cidr.startswith('0.0.0.0'):
                             if action == "deny":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
-                                             " actions=drop" + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
+                                                 " actions=drop" + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s " %tier_cidr + " nw_proto=%s " %protocol +
+                                                 " actions=drop" + "\n")
                             if action == "allow":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
-                                             " actions=resubmit(,%s)"%resubmit_table + "\n")
-
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s " %tier_cidr + " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table + "\n")
                         else:
                             if action == "deny":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " nw_src=%s " %source_cidr + " nw_dst=%s " %tier_cidr +
-                                             " nw_proto=%s " %protocol + " actions=drop" + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s " %source_cidr + " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop" + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s " %tier_cidr + " nw_dst=%s " %source_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop" + "\n")
                             if action == "allow":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " nw_src=%s "%source_cidr + " nw_dst=%s " %tier_cidr +
-                                             " nw_proto=%s " %protocol +
-                                             " actions=resubmit(,%s)"%resubmit_table  + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s "%source_cidr + " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table  + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " nw_src=%s "%tier_cidr + " nw_dst=%s " %source_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table  + "\n")
                         continue
 
                     # add flow rule to do action (allow/deny) for flows where source IP of the packet is in
                     # source_cidr and destination ip is in tier_cidr
-                    port = source_port_start
-                    while (port < source_port_end):
+                    port = int(source_port_start)
+                    while (port <= int(source_port_end)):
                         if source_cidr.startswith('0.0.0.0'):
                             if action == "deny":
-                                ofspec.write("table=%s " %matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
-                                             " nw_proto=%s " %protocol + " actions=drop"  + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop"  + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop" + "\n")
                             if action == "allow":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
-                                             " nw_proto=%s " %protocol +
-                                             " actions=resubmit(,%s)"%resubmit_table  + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table + "\n")
                         else:
                             if action == "deny":
-                                ofspec.write("table=%s " %matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " tp_dst=%s " %port + " nw_src=%s "%source_cidr + " nw_dst=%s "%tier_cidr +
-                                             " nw_proto=%s " %protocol + " actions=drop"  + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s " %source_cidr +
+                                                 " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop" + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+                                                 " nw_dst=%s " %source_cidr +
+                                                 " nw_proto=%s " %protocol + " actions=drop" + "\n")
                             if action == "allow":
-                                ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
-                                             " tp_dst=%s " %port + " nw_src=%s "%source_cidr + " nw_dst=%s "%tier_cidr +
-                                             " nw_proto=%s " %protocol +
-                                             " actions=resubmit(,%s)"%resubmit_table + "\n")
+                                if direction == "ingress":
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s "%source_cidr +
+                                                 " nw_dst=%s " %tier_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table  + "\n")
+                                else:
+                                    ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+                                                 " tp_dst=%s " %port + " nw_src=%s "%tier_cidr +
+                                                 " nw_dst=%s " %source_cidr +
+                                                 " nw_proto=%s " %protocol +
+                                                 " actions=resubmit(,%s)"%resubmit_table  + "\n")
                         port = port + 1
 
         # add a default rule in egress table to allow packets (so forward packet to L3 lookup table)
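Review bot: The per-port branch now contains eight nearly identical `ofspec.write` calls that differ only in which CIDR goes to `nw_src`/`nw_dst` and in the action, which is how the original ingress/egress mix-up crept in and makes the next edit just as error-prone. Computing the CIDR match fragment and the action string once per ACL item, then writing a single flow line per port, expresses the same output with one write; the same fragments can serve the port-less branch above (lines before `continue`) as well, and an `action` that is neither "deny" nor "allow" still writes nothing. Separately, the loop now emits one flow entry per port in an inclusive range, so a rule spanning a wide port range produces a correspondingly large number of entries; if the OVS release in use accepts masked `tp_dst` matches, collapsing ranges would bound that, but I cannot confirm the version from this hunk. The enclosing function starts before this hunk.

```python
                    # direction decides which side of the flow the tier CIDR and the ACL's source CIDR match on
                    if direction == "ingress":
                        cidr_match = " nw_dst=%s " % tier_cidr
                    else:
                        cidr_match = " nw_src=%s " % tier_cidr
                    if not source_cidr.startswith('0.0.0.0'):
                        if direction == "ingress":
                            cidr_match = " nw_src=%s " % source_cidr + cidr_match
                        else:
                            cidr_match = cidr_match + " nw_dst=%s " % source_cidr
                    flow_action = None
                    if action == "deny":
                        flow_action = " actions=drop"
                    elif action == "allow":
                        flow_action = " actions=resubmit(,%s)" % resubmit_table
                    # … unchanged: port-less branch (source_port_start is None and source_port_end is None) …
                    port = int(source_port_start)
                    end_port = int(source_port_end)
                    while port <= end_port and flow_action is not None:
                        ofspec.write("table=%s " % matching_table + " priority=%s " % acl_priority + " ip " +
                                     " tp_dst=%s " % port + cidr_match +
                                     " nw_proto=%s " % protocol + flow_action + "\n")
                        port = port + 1
```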