Posted to commits@cloudstack.apache.org by ki...@apache.org on 2012/10/17 10:50:11 UTC

[43/50] [abbrv] git commit: CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only open for targeting to this VR ip

CS-16049 : VPC, VR provides metadata and user data through port 80; this port should only be open for traffic addressed to this VR's own IP


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/87e62787
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/87e62787
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/87e62787

Branch: refs/heads/regions
Commit: 87e6278725af07905f267f35a4b36be68f1c00ca
Parents: ca49814
Author: Anthony Xu <an...@cloud.com>
Authored: Thu Sep 27 14:28:06 2012 -0700
Committer: Anthony Xu <an...@cloud.com>
Committed: Mon Oct 1 10:27:42 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/vpc_guestnw.sh     |   26 +++++++-------
 1 files changed, 13 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/87e62787/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index 90de218..ca03679 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -66,6 +66,7 @@ setup_apache2() {
   sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
   sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
   service apache2 restart
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
   sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
 }
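Review bot: The ACCEPT for port 80 is now keyed on both `$dev` and `$ip`, and the reason deserves a comment, because a reader may wonder why the interface match alone was not enough: an INPUT rule matching only `-i $dev` also admits packets a guest sends through that interface to any other local address of the router (presumably other tiers' gateway addresses, which their own vhost files make apache listen on), so without `-d $ip` the metadata service was reachable via addresses other than this network's VR IP. Suggested comment above L38: `# Open 80 only for this interface's own address; -D first so re-running setup does not stack duplicate rules (the -D fails harmlessly when none exists yet)`. Note also that the vhost is configured to listen on `$ip:443` (L36) but no INPUT rule is added for 443; if that listener is meant to be reachable from guests it needs a matching rule, and if not, a short comment saying so would stop the next reader from "fixing" it.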
 
@@ -103,11 +104,14 @@ desetup_dnsmasq() {
 
 setup_passwdsvcs() {
   logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
 }
 
 desetup_passwdsvcs() {
   logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   pid=`ps -ef | grep socat | grep $ip | grep -v grep | awk '{print $2}'`
   if [ -n "$pid" ]
   then
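Review bot: The `-D` on L46 prints an iptables error on the first run of setup_passwdsvcs (there is no rule to delete yet), as does L53 on a repeated desetup; the rest of the script follows the same delete-then-append idiom so this is presumably accepted, but the stderr noise should be explained in place, e.g. `# Remove any stale copy first so repeated setup does not stack duplicate ACCEPT rules; harmless when none exists`. The rule also keys on `$ip`, so the `-D` in desetup_passwdsvcs only finds it when called with the same `$ip` the service was set up with, which is worth stating in the comment. Quoting the expansions (`"$dev"`, `"$ip"`) would match the shell conventions a linter expects. desetup_passwdsvcs continues past the end of the hunk.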
@@ -122,17 +126,15 @@ create_guest_network() {
   sudo ip link set $dev up
   sudo arping -c 3 -I $dev -A -U -s $ip $ip
   # setup rules to allow dhcp/dns request
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
   # restore mark from  connection mark
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   # set up hairpin
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
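Review bot: Adding `-d $ip` to the UDP/67 rule on L71 looks like it will block initial DHCP leases: a client that has no address yet sends DHCPDISCOVER/DHCPREQUEST to 255.255.255.255, which does not match `-d $ip`, so unless another INPUT rule not visible here accepts broadcast, or the chain's policy is ACCEPT, only renewals unicast to the gateway would get through. Scoping the DNS rule on L72 this way is fine. Suggest keeping the DHCP rule interface-scoped only, `sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT` with the matching `-D`, or adding a second rule with `-d 255.255.255.255`, with a comment saying why DHCP is the exception; the deletion in destroy_guest_network would need the same treatment. create_guest_network begins before the hunk.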
@@ -146,12 +148,10 @@ destroy_guest_network() {
   logger -t cloud " $(basename $0): Create network on interface $dev,  gateway $gw, network $ip/$mask "
 
   sudo ip addr del dev $dev $ip/$mask
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
   sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   destroy_acl_chain
   desetup_dnsmasq
   desetup_apache2
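Review bot: Dropping the port-80 `-D` from destroy_guest_network (old L88) leaves the `$ip:80` ACCEPT added in setup_apache2 with no remover visible in this diff: desetup_passwdsvcs now deletes the 8080 rule, but desetup_apache2, called on L96, is outside the patch and needs to be confirmed to delete `INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT`; otherwise the rule lingers after the tier is removed and applies to whatever later reuses that address on that interface. The `-A` to `-D` correction on L93 for the SNAT hairpin is right. A comment before L94 such as `# ports 80/8080 are closed by desetup_apache2/desetup_passwdsvcs below` would make the new division of responsibility explicit. destroy_guest_network starts before the hunk and may continue after it.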