Posted to commits@cloudstack.apache.org by an...@apache.org on 2012/07/28 01:04:17 UTC
[16/16] git commit: VPC : vpc_acl.sh is for VPC access control list
VPC : vpc_acl.sh is for VPC access control list
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/165a21c6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/165a21c6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/165a21c6
Branch: refs/heads/vpc
Commit: 165a21c62a745db672455732bcdde28d455498c1
Parents: 05dc92c
Author: anthony <an...@cloud.com>
Authored: Thu Jul 26 14:10:25 2012 -0700
Committer: anthony <an...@cloud.com>
Committed: Fri Jul 27 15:04:40 2012 -0700
----------------------------------------------------------------------
.../systemvm/debian/config/opt/cloud/bin/acl.sh | 197 -------------
.../debian/config/opt/cloud/bin/vpc_acl.sh | 221 +++++++++++++++
2 files changed, 221 insertions(+), 197 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/165a21c6/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
deleted file mode 100755
index 525dfe4..0000000
--- a/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2012 Citrix Systems, Inc. Licensed under the
-# Apache License, Version 2.0 (the "License"); you may not use this
-# file except in compliance with the License. Citrix Systems, Inc.
-# reserves all rights not expressly granted by the License.
-# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Automatically generated by addcopyright.py at 04/03/2012
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-acl_remove_backup() {
- sudo iptables -F _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -X _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -F _ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -X _ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_remove() {
- sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_restore() {
- acl_remove
- sudo iptables -E _ACL_INBOUND_$ip ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -E _ACL_OUTBOUND_$ip ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_save() {
- acl_remove_backup
- sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$gGW 2>/dev/null
-}
-
-acl_chain_for_guest_network () {
- acl_save
- # inbound
- sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
- sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null
- sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip 2>/dev/null
- # outbound
- sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
- sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
- sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-
-
-acl_entry_for_guest_network() {
- local rule=$1
-
- local inbound=$(echo $rule | cut -d: -f1)
- local prot=$(echo $rules | cut -d: -f2)
- local sport=$(echo $rules | cut -d: -f3)
- local eport=$(echo $rules | cut -d: -f4)
- local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
-
- logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
-
- # note that rules are inserted after the RELATED,ESTABLISHED rule
- # but before the DROP rule
- for lcidr in $scidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- if [ "$inbound" == "1" ]
- then
- sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
- --icmp-type $typecode -j ACCEPT
- else
- sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
- --icmp-type $typecode -j ACCEPT
- fi
- else
- if [ "$inbound" == "1" ]
- then
- sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
- --dport $sport:$eport -j ACCEPT
- else
- sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
- --dport $sport:$eport -j ACCEP`T
- fi
- result=$?
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"
- return $result
-}
-
-
-shift
-dflag=0
-gflag=0
-aflag=0
-rules=""
-rules_list=""
-gcidr=""
-ip=""
-dev=""
-while getopts ':d:g:a:' OPTION
-do
- case $OPTION in
- d) dflag=1
- dev="$OPTAGR"
- g) gflag=1
- gcidr="$OPTAGR"
- a) aflag=1
- rules="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$dflag$gflag$aflag" != "!11" ]
-then
- usage()
-fi
-
-
-if [ -n "$rules" == "" ]
-then
- rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
-
-success=0
-ip=$(echo $gcidr | awk -F'/' '{print $1}')
-
-acl_chain_for_guest_network
-
-for r in $rules_list
-do
- acl_entry_for_guest_network $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
- break
- else
- logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
- acl_restore
-else
- logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
- acl_remove_backup
-fi
-unlock_exit $success $lock $locked
-
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/165a21c6/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
new file mode 100755
index 0000000..0d20247
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -0,0 +1,221 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
+ printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+
+acl_switch_to_new() {
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables-save | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
+ do
+ rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
+ sudo iptables $rule1
+ rule2=$(echo $rule | sed 's/\-A/\-D/')
+ sudo iptables $rule2
+ done
+ sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_remove_backup() {
+ sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_remove() {
+ sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_restore() {
+ acl_remove
+ sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_save() {
+ acl_remove_backup
+ sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+acl_chain_for_guest_network () {
+ acl_save
+ # inbound
+ sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+ sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
+ # outbound
+ sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+ sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+
+
+acl_entry_for_guest_network() {
+ local rule=$1
+
+ local ttype=$(echo $rule | cut -d: -f1)
+ local prot=$(echo $rule | cut -d: -f2)
+ local sport=$(echo $rule | cut -d: -f3)
+ local eport=$(echo $rule | cut -d: -f4)
+ local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+ if [ "$sport" == "0" -a "$eport" == "0" ]
+ then
+ DPORT=""
+ else
+ DPORT="--dport $sport:$eport"
+ fi
+ logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
+
+ # note that rules are inserted after the RELATED,ESTABLISHED rule
+ # but before the DROP rule
+ for lcidr in $cidrs
+ do
+ [ "$prot" == "reverted" ] && continue;
+ if [ "$prot" == "icmp" ]
+ then
+ typecode="$sport/$eport"
+ [ "$eport" == "-1" ] && typecode="$sport"
+ [ "$sport" == "-1" ] && typecode="any"
+ if [ "$ttype" == "Ingress" ]
+ then
+ sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ else
+ sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ fi
+ else
+ if [ "$ttype" == "Ingress" ]
+ then
+ sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
+ $DPORT -j ACCEPT
+ else
+ sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+ $DPORT -j ACCEPT
+ fi
+ fi
+ result=$?
+ [ $result -gt 0 ] &&
+ logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
+ break
+ done
+
+ logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"
+ return $result
+}
+
+
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+ip=""
+dev=""
+while getopts 'd:i:m:a:' OPTION
+do
+ case $OPTION in
+ d) dflag=1
+ dev="$OPTARG"
+ ;;
+ i) iflag=1
+ ip="$OPTARG"
+ ;;
+ m) mflag=1
+ mask="$OPTARG"
+ ;;
+ a) aflag=1
+ rules="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+if [ "$dflag$iflag$mflag$aflag" != "1111" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+gcidr="$ip/$mask"
+if [ -n "$rules" ]
+then
+ rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+
+success=0
+
+acl_chain_for_guest_network
+
+for r in $rules_list
+do
+ acl_entry_for_guest_network $r
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+ break
+ else
+ logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+ fi
+done
+
+if [ $success -gt 0 ]
+then
+ logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+ acl_restore
+else
+ logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+ acl_switch_to_new
+fi
+unlock_exit $success $lock $locked
+
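Review bot: The `grep "\-j _ACL_INBOUND_$dev"` in acl_switch_to_new matches by substring, so with `-d eth1` it also selects `-A … -j _ACL_INBOUND_eth10` lines and the loop then re-points and deletes another interface's backup-chain jump; anchor the chain name, e.g. `grep -- "-j _ACL_INBOUND_$dev\$"`. The same loop runs `sudo iptables $rule1` with the saved rule unquoted, which word-splits any quoted match option present in the saved line (the script itself only emits plain `-p/-s/-d/--dport` rules, so this may be fine today, but a comment stating that assumption would help). In acl_entry_for_guest_network the two logger lines still interpolate `$inbound`, which no longer exists after the rename to `ttype`, so the log reads `inbound::tcp:…`; use `$ttype` there. Also `result` is only assigned after an iptables call, so a rule whose entries are all `reverted` (or with empty cidrs) reaches `return $result` with it unset and returns logger's status instead; initialise `local result=0` at the top of the function. Finally, `gflag` is initialised but never set and `iflag`/`mflag` are never initialised before the `"1111"` check — harmless today but easy to trip over.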