You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ya...@apache.org on 2012/07/28 03:49:59 UTC
git commit: CS-15731: Make S2S VPN no-nat rule the top of POSTROUTING
Updated Branches:
refs/heads/vpc b410cbff5 -> dd50bdf38
CS-15731: Make S2S VPN no-nat rule the top of POSTROUTING
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/dd50bdf3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/dd50bdf3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/dd50bdf3
Branch: refs/heads/vpc
Commit: dd50bdf38e01f699d37f32fdd551cbca6e9edeec
Parents: b410cbf
Author: Sheng Yang <sh...@citrix.com>
Authored: Fri Jul 27 18:38:28 2012 -0700
Committer: Sheng Yang <sh...@citrix.com>
Committed: Fri Jul 27 18:49:25 2012 -0700
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/vpc_staticnat.sh | 17 +++++++++++++-
patches/systemvm/debian/config/root/firewall.sh | 15 ++++++++++++-
2 files changed, 29 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dd50bdf3/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
index 15ecc6c..1a21274 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
@@ -28,6 +28,8 @@ usage() {
#set -x
+vpnoutmark="0x525"
+
static_nat() {
local op=$1
local publicIp=$2
@@ -41,8 +43,19 @@ static_nat() {
[ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
- [ "$op" == "-A" ] && rulenum=1
[ "$op" == "-A" ] && op2="-I"
+ if [ "$op" == "-A" ]
+ then
+ # put static nat rule one rule after VPN no-NAT rule
+ # rule chain can be used to improve it later
+ iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+ if [ $? -eq 0 ]
+ then
+ rulenum=2
+ else
+ rulenum=1
+ fi
+ fi
# shortcircuit the process if error and it is an append operation
# continue if it is delete
@@ -51,7 +64,7 @@ static_nat() {
# add mark to force the package go out through the eth the public IP is on
#(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
# --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op2 POSTROUTING -o $ethDev -s $instIp -j SNAT \
+ (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
--to-source $publicIp &>> $OUTFILE )
result=$?
logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dd50bdf3/patches/systemvm/debian/config/root/firewall.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 73b8247..ea4065a 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -24,6 +24,8 @@ then
exit 1
fi
+vpnoutmark="0x525"
+
usage() {
printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
}
@@ -204,8 +206,19 @@ static_nat() {
[ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
# the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place
- [ "$op" == "-A" ] && rulenum=1
[ "$op" == "-A" ] && op2="-I"
+ if [ "$op" == "-A" ]
+ then
+ # put static nat rule one rule after VPN no-NAT rule
+ # rule chain can be used to improve it later
+ iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+ if [ $? -eq 0 ]
+ then
+ rulenum=2
+ else
+ rulenum=1
+ fi
+ fi
local dev=$(ip_to_dev $publicIp)
[ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1