Posted to commits@cloudstack.apache.org by ya...@apache.org on 2012/07/28 03:49:59 UTC

git commit: CS-15731: Make S2S VPN no-nat rule the top of POSTROUTING

Updated Branches:
  refs/heads/vpc b410cbff5 -> dd50bdf38


CS-15731: Make the S2S VPN no-NAT rule the top of POSTROUTING


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/dd50bdf3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/dd50bdf3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/dd50bdf3

Branch: refs/heads/vpc
Commit: dd50bdf38e01f699d37f32fdd551cbca6e9edeec
Parents: b410cbf
Author: Sheng Yang <sh...@citrix.com>
Authored: Fri Jul 27 18:38:28 2012 -0700
Committer: Sheng Yang <sh...@citrix.com>
Committed: Fri Jul 27 18:49:25 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/vpc_staticnat.sh   |   17 +++++++++++++-
 patches/systemvm/debian/config/root/firewall.sh    |   15 ++++++++++++-
 2 files changed, 29 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dd50bdf3/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
index 15ecc6c..1a21274 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_staticnat.sh
@@ -28,6 +28,8 @@ usage() {
 
 #set -x
 
+vpnoutmark="0x525"
+
 static_nat() {
   local op=$1
   local publicIp=$2
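Review bot: `vpnoutmark="0x525"` is introduced with no comment saying what the mark is or where the value comes from, yet the detection later in this file keys on that literal appearing in a POSTROUTING rule, so it must stay identical to whatever sets the mark on VPN-bound traffic (presumably the S2S VPN setup script, not visible here). A one-line comment above it would make that coupling explicit: `# fwmark carried by S2S VPN traffic; must match the mark used by the VPN no-NAT rule in nat/POSTROUTING`. Consider `readonly` as well, since the value is never meant to change at runtime.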
@@ -41,8 +43,19 @@ static_nat() {
   [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp 
   # the delete operation may have errored out but the only possible reason is 
   # that the rules didn't exist in the first place
-  [ "$op" == "-A" ] && rulenum=1
   [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
 
   # shortcircuit the process if error and it is an append operation
   # continue if it is delete
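Review bot: A failed probe is indistinguishable from "no VPN rule": `iptables-save -t nat` runs without `sudo`, while the rule insertion further down in this script uses `sudo iptables`, so if the script runs unprivileged (or the binary is absent) the pipeline exits non-zero and `rulenum` silently falls back to 1, placing the SNAT rule above the no-NAT rule, the exact ordering this commit sets out to fix. Only stdout is discarded, so the permission error would surface on stderr, but nothing in the script notices it. Run the probe with the same privilege as the insertion and use `grep -q` with the pattern protected, e.g. `if sudo iptables-save -t nat | grep POSTROUTING | grep -q -- "$vpnoutmark"`, and log via `logger -t cloud` when the fallback to position 1 is taken so the degraded ordering is visible in the system VM logs.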
@@ -51,7 +64,7 @@ static_nat() {
   # add mark to force the package go out through the eth the public IP is on
   #(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
   #         --set-mark $tableNo &> $OUTFILE ||  [ "$op" == "-D" ]) &&
-  (sudo iptables -t nat $op2 POSTROUTING -o $ethDev -s $instIp -j SNAT \
+  (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
            --to-source $publicIp &>> $OUTFILE )
   result=$?
   logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
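Review bot: `$rulenum` is only assigned on the `-A` path, so on delete the new `POSTROUTING $rulenum` argument works solely because an unquoted empty expansion vanishes; quoting it later (as ShellCheck would suggest) would pass an empty positional to `iptables -D`. The visible `local` declarations do not include `rulenum`, so if it is a global, a value left over from an earlier call in the same shell would be handed to `-D` together with the rule spec, which iptables rejects — worth confirming against the rest of static_nat, which continues outside this hunk. Making the intent explicit is cheap: `[ "$op" == "-A" ] || rulenum=` with the comment `# -D matches by rule spec; no position is passed`.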

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dd50bdf3/patches/systemvm/debian/config/root/firewall.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index 73b8247..ea4065a 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -24,6 +24,8 @@ then
     exit 1
 fi
 
+vpnoutmark="0x525"
+
 usage() {
   printf "Usage: %s: (-A|-D)   -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> -s <source cidrs> [-G]   \n" $(basename $0) >&2
 }
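Review bot: The mark literal `0x525` is now duplicated between firewall.sh and vpc_staticnat.sh with no shared definition, and a drift in either copy makes that script silently treat the VPN rule as absent and insert SNAT ahead of it. Until a shared include exists, a comment naming the counterpart keeps the two in step: `# keep in sync with vpnoutmark in /opt/cloud/bin/vpc_staticnat.sh and with whatever sets the mark on VPN traffic`.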
@@ -204,8 +206,19 @@ static_nat() {
   [ "$op" == "-A" ] && static_nat $publicIp $instIp  "-D" 
   # the delete operation may have errored out but the only possible reason is 
   # that the rules didn't exist in the first place
-  [ "$op" == "-A" ] && rulenum=1
   [ "$op" == "-A" ] && op2="-I"
+  if [ "$op" == "-A" ]
+  then
+    # put static nat rule one rule after VPN no-NAT rule
+    # rule chain can be used to improve it later
+    iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+    if [ $? -eq 0 ]
+    then
+      rulenum=2
+    else
+      rulenum=1
+    fi
+  fi
 
   local dev=$(ip_to_dev $publicIp)
   [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
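Review bot: `rulenum=2` assumes the no-NAT rule sits at position 1 of nat/POSTROUTING, but the probe only establishes that some POSTROUTING line contains `0x525` somewhere in the chain; it neither anchors on the rule nor learns its index, so if the VPN rule was installed after earlier static NAT rules, or any other rule was `-I`-ed at the top, the SNAT rule still lands at position 2 and may end up above the no-NAT rule. The unanchored `grep $vpnoutmark` also matches `0x5250` or a mark/mask pair by accident. Querying the real position removes the assumption: `rulenum=$(sudo iptables -t nat -L POSTROUTING -n --line-numbers | grep -- "$vpnoutmark" | awk 'NR==1 {print $1 + 1}')`, falling back to 1 when empty, using whichever privilege this script's other iptables calls run with. static_nat's body continues past the hunk.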