Posted to commits@cloudstack.apache.org by ml...@apache.org on 2012/11/26 17:21:28 UTC
git commit: Summary: Add TCP to DNS firewall settings for virtual
routers
Updated Branches:
refs/heads/master ac1920ee9 -> 82a7e49fa
Summary: Add TCP to DNS firewall settings for virtual routers
Detail: TCP is occasionally used for certain DNS query types
BUG-ID: CLOUDSTACK-535
Bugfix-for: 4.0.1
Reported-by: Tamas Monos
Signed-off-by: Marcus Sorensen <ma...@betterservers.com> 1353946670 -0700
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/82a7e49f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/82a7e49f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/82a7e49f
Branch: refs/heads/master
Commit: 82a7e49fad81b001410b66d151743b112d0daa65
Parents: ac1920e
Author: Marcus Sorensen <ma...@betterservers.com>
Authored: Mon Nov 26 09:21:32 2012 -0700
Committer: Marcus Sorensen <ma...@betterservers.com>
Committed: Mon Nov 26 09:21:32 2012 -0700
----------------------------------------------------------------------
.../debian/config/etc/iptables/iptables-router | 1 +
patches/systemvm/debian/config/etc/iptables/rules | 1 +
.../debian/config/opt/cloud/bin/vpc_guestnw.sh | 2 ++
.../debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh | 2 ++
.../systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh | 3 ++-
5 files changed, 8 insertions(+), 1 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 59d2e46..28469fb 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -33,6 +33,7 @@ COMMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
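Review bot: The added `-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT` accepts TCP to port 53 in any connection state, whereas the neighbouring TCP rules for 3922 and 80 are written with `-m state --state NEW`. Assuming the INPUT chain carries the usual RELATED,ESTABLISHED accept (not visible in this hunk), both forms work, but `-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT` keeps the file's stateful-TCP rules uniform and makes explicit that this rule only admits new queries. The same applies to the identical line added to patches/systemvm/debian/config/etc/iptables/rules in the next hunk.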
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/etc/iptables/rules
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/rules b/patches/systemvm/debian/config/etc/iptables/rules
index 614c3f9..7c57761 100644
--- a/patches/systemvm/debian/config/etc/iptables/rules
+++ b/patches/systemvm/debian/config/etc/iptables/rules
@@ -31,6 +31,7 @@ COMMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index faf62c6..d20ed5a 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -83,8 +83,10 @@ setup_dnsmasq() {
# setup rules to allow dhcp/dns request
sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
# setup static
sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
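Review bot: The two added `sudo iptables ... -i $dev -d $ip -p tcp -m tcp --dport 53` lines expand `$dev` and `$ip` unquoted, mirroring the existing UDP lines; since these values presumably come from the caller, quoting them as `"$dev"` and `"$ip"` would stop an empty or unexpected value from silently shifting the argument list into a different rule than intended. The `-D` on the first new line will also report a failure the first time setup_dnsmasq runs, before any such rule exists — the same behaviour the existing UDP `-D` line has — so it is worth confirming that is tolerated if the script is ever run under `set -e`. setup_dnsmasq continues outside the hunk.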
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
index 9277bc7..0595869 100755
--- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
+++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
@@ -40,7 +40,9 @@ iptables_() {
sudo iptables $op FORWARD -i ppp+ -d $zcidr -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
sudo iptables $op INPUT -i ppp+ -p udp --dport 53 -j ACCEPT
+ sudo iptables $op INPUT -i ppp+ -p tcp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp --dport 53 -j DNAT --to-destination $local_ip
+ sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp --dport 53 -j DNAT --to-destination $local_ip
}
ipsec_server() {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 7eb8b00..79661c8 100755
--- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -49,7 +49,8 @@ iptables_() {
sudo iptables $op FORWARD -i $subnet_if -o ppp+ -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
- sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
+ sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
+ sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $subnet_ip
if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null
then
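Review bot: The removed line `sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip` has no replacement — only the TCP DNAT rule is added — so UDP DNS queries from ppp+ clients are no longer redirected to $subnet_ip, even though the UDP INPUT ACCEPT just above is kept. This looks unintended: the sibling change in vpc_vpn_l2tp.sh keeps both the UDP and the TCP DNAT rules, and the commit message describes adding TCP, not dropping UDP. Re-add the UDP line next to the new TCP one: `sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip`. The iptables_ function starts before and continues after this hunk.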