Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/09/27 14:11:35 UTC

[16/21] git commit: updated refs/heads/master to 3ded3e9

Fixing the dhcpsrvr iptables file

   - Instead of changing the router type in a local variable, let's have a dedicated file for the dhcpsrvr routers
   - The file is called iptables-dhcpsrvr, just like we have iptables-vpcrouter and iptables-router


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3cfc4cff
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3cfc4cff
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3cfc4cff

Branch: refs/heads/master
Commit: 3cfc4cff80b5e6613bb503a9d2d44ee6f8236260
Parents: e72a79c
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Sep 25 16:10:43 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Fri Sep 25 16:10:43 2015 +0200

----------------------------------------------------------------------
 .../config/etc/iptables/iptables-dhcpsrvr       | 58 ++++++++++++++++++++
 .../config/opt/cloud/bin/cs/CsNetfilter.py      |  2 -
 2 files changed, 58 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3cfc4cff/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
new file mode 100644
index 0000000..b49b6b2
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
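Review bot: The FORWARD section of this new profile accepts all traffic from eth0 to eth2, because `-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND` ends in `-A FW_EGRESS_RULES -j ACCEPT`, and `-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT` also admits new eth0-to-eth0 flows. These rules look carried over from a routing profile (an inference, since the other iptables files are not in this diff); if a dhcpsrvr VM only answers DHCP, DNS and HTTP on eth0, the FORWARD rules and both FW_* chains can be dropped so that the `:FORWARD DROP` policy is what actually applies. The INPUT accepts for `224.0.0.18/32` and `225.0.0.50/32` match any interface and any protocol; if this role needs them at all, qualify them with `-i` and `-p`. A short comment above each rule group, for example `# eth0: DHCP (67/udp) and DNS (53/udp, 53/tcp)`, would make the intended exposure of this dedicated file reviewable.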

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3cfc4cff/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index a72e53d..99c1501 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -177,8 +177,6 @@ class CsNetfilters(object):
         These standard firewall rules vary according to the device type
         """
         type = CsCmdLine("cmdline").get_type()
-        if type == 'dhcpsrvr':
-            type = 'router'
 
         try:
             table = ''