Posted to commits@cloudstack.apache.org by mc...@apache.org on 2014/01/22 20:27:41 UTC
[16/53] [abbrv] git commit: updated refs/heads/rbac to 33cd1ab
CLOUDSTACK-5779: Move firewall to use routerProxy
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/0ea1c7df
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/0ea1c7df
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/0ea1c7df
Branch: refs/heads/rbac
Commit: 0ea1c7dfc411db0d3710ac2c4fb238111cbec328
Parents: ce67e24
Author: Sheng Yang <sh...@citrix.com>
Authored: Fri Jan 17 11:51:42 2014 -0800
Committer: Sheng Yang <sh...@citrix.com>
Committed: Fri Jan 17 12:36:42 2014 -0800
----------------------------------------------------------------------
.../virtualnetwork/VirtualRoutingResource.java | 82 ++---
.../vmware/resource/VmwareResource.java | 16 +-
.../xen/resource/CitrixResourceBase.java | 16 +-
scripts/network/domr/call_firewall.sh | 70 ----
scripts/vm/hypervisor/xenserver/vmops | 19 +-
.../config/opt/cloud/bin/firewall_egress.sh | 187 ++++++++++
.../config/opt/cloud/bin/firewall_ingress.sh | 202 +++++++++++
.../debian/config/opt/cloud/bin/firewall_nat.sh | 358 +++++++++++++++++++
systemvm/patches/debian/config/root/firewall.sh | 358 -------------------
.../debian/config/root/firewallRule_egress.sh | 187 ----------
.../patches/debian/config/root/firewall_rule.sh | 202 -----------
11 files changed, 803 insertions(+), 894 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
----------------------------------------------------------------------
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index 20cc0cc..c66b9cb 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -102,7 +102,6 @@ import java.util.Map;
public class VirtualRoutingResource implements Manager {
private static final Logger s_logger = Logger.getLogger(VirtualRoutingResource.class);
private String _publicIpAddress;
- private String _firewallPath;
private String _loadbPath;
private String _publicEthIf;
private String _privateEthIf;
@@ -232,18 +231,16 @@ public class VirtualRoutingResource implements Manager {
FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
String[][] rules = cmd.generateFwRules();
- final Script command = new Script(_firewallPath, _timeout, s_logger);
- command.add(routerIp);
- command.add("-F");
+ String args = " -F";
if (trafficType == FirewallRule.TrafficType.Egress) {
- command.add("-E");
+ args += "-E";
if (egressDefault.equals("true")) {
- command.add("-P ", "1");
+ args += " -P 1";
} else if (egressDefault.equals("System")) {
- command.add("-P ", "2");
+ args += " -P 2";
} else {
- command.add("-P ", "0");
+ args += " -P 0";
}
}
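Review bot: `args += "-E";` in the egress branch has no leading space, so the string becomes ` -F-E -P 1 ...` whereas the CitrixResourceBase version of the same change builds ` -F -E -P 1 ...` (`args += " -E";`). If routerProxy hands the string to firewall_egress.sh as a command line, that script's two leading `shift`s then discard `-F-E` and `-P`, leaving `1` in front of `-a`, and getopts stops before reading any rule. Change the line to `args += " -E";`. The enclosing method starts before and ends after this hunk.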
@@ -253,10 +250,17 @@ public class VirtualRoutingResource implements Manager {
for (int i = 0; i < fwRules.length; i++) {
sb.append(fwRules[i]).append(',');
}
- command.add("-a", sb.toString());
+ args += " -a " + sb.toString();
+ }
+
+ String result = null;
+
+ if (trafficType == FirewallRule.TrafficType.Egress) {
+ result = routerProxy("firewall_egress.sh", routerIp, args);
+ } else {
+ result = routerProxy("firewall_ingress.sh", routerIp, args);
}
- String result = command.execute();
if (result != null) {
return new SetFirewallRulesAnswer(cmd, false, results);
}
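Review bot: The failure test `if (result != null)` keeps the old `Script.execute()` convention (null means success), while the port-forwarding and static-NAT call sites converted in this same file treat `result == null || result.isEmpty()` as failure; both cannot be right for one routerProxy helper, whose body is not in this diff. Whichever convention routerProxy actually follows, all three call sites should use the same test, e.g. `if (result == null || result.isEmpty()) { return new SetFirewallRulesAnswer(cmd, false, results); }` if non-empty output signals success. As written, one of the two paths reports the opposite of what happened on the router.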
@@ -270,22 +274,21 @@ public class VirtualRoutingResource implements Manager {
int i = 0;
boolean endResult = true;
for (PortForwardingRuleTO rule : cmd.getRules()) {
- String result = null;
- final Script command = new Script(_firewallPath, _timeout, s_logger);
-
- command.add(routerIp);
- command.add(rule.revoked() ? "-D" : "-A");
- command.add("-P ", rule.getProtocol().toLowerCase());
- command.add("-l ", rule.getSrcIp());
- command.add("-p ", rule.getStringSrcPortRange());
- command.add("-r ", rule.getDstIp());
- command.add("-d ", rule.getStringDstPortRange());
- result = command.execute();
- if (result == null) {
- results[i++] = null;
- } else {
+ StringBuilder args = new StringBuilder();
+ args.append(rule.revoked() ? " -D " : " -A ");
+ args.append(" -P ").append(rule.getProtocol().toLowerCase());
+ args.append(" -l ").append(rule.getSrcIp());
+ args.append(" -p ").append(rule.getStringSrcPortRange());
+ args.append(" -r ").append(rule.getDstIp());
+ args.append(" -d ").append(rule.getStringDstPortRange());
+
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+ if (result == null || result.isEmpty()) {
results[i++] = "Failed";
endResult = false;
+ } else {
+ results[i++] = null;
}
}
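Review bot: `rule.getProtocol().toLowerCase()` uses the JVM default locale; under a Turkish locale `"ICMP".toLowerCase()` yields a dotless `ıcmp`, which iptables on the router will not recognise. Use `rule.getProtocol().toLowerCase(Locale.ROOT)` here (the static-NAT loop below has the same call). The protocol, IPs and port ranges are also concatenated unvalidated into a string that appears to end up as a command line on the router, so a defensive whitelist (protocol in tcp/udp/icmp/all, numeric ports, dotted-quad IPs) before building `args` would be worthwhile if the management server does not already enforce that format. The enclosing method continues outside the hunk.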
@@ -325,28 +328,26 @@ public class VirtualRoutingResource implements Manager {
int i = 0;
boolean endResult = true;
for (StaticNatRuleTO rule : cmd.getRules()) {
- String result = null;
- final Script command = new Script(_firewallPath, _timeout, s_logger);
- command.add(routerIp);
- command.add(rule.revoked() ? "-D" : "-A");
-
//1:1 NAT needs instanceip;publicip;domrip;op
- command.add(" -l ", rule.getSrcIp());
- command.add(" -r ", rule.getDstIp());
+ StringBuilder args = new StringBuilder();
+ args.append(rule.revoked() ? " -D " : " -A ");
+ args.append(" -l ").append(rule.getSrcIp());
+ args.append(" -r ").append(rule.getDstIp());
if (rule.getProtocol() != null) {
- command.add(" -P ", rule.getProtocol().toLowerCase());
+ args.append(" -P ").append(rule.getProtocol().toLowerCase());
}
- command.add(" -d ", rule.getStringSrcPortRange());
- command.add(" -G ");
+ args.append(" -d ").append(rule.getStringSrcPortRange());
+ args.append(" -G ");
- result = command.execute();
- if (result == null) {
- results[i++] = null;
- } else {
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+ if (result == null || result.isEmpty()) {
results[i++] = "Failed";
endResult = false;
+ } else {
+ results[i++] = null;
}
}
@@ -1105,11 +1106,6 @@ public class VirtualRoutingResource implements Manager {
s_logger.warn("Incoming public ip address is overriden. Will always be using the same ip address: " + _publicIpAddress);
}
- _firewallPath = findScript("call_firewall.sh");
- if (_firewallPath == null) {
- throw new ConfigurationException("Unable to find the call_firewall.sh");
- }
-
_loadbPath = findScript("call_loadbalancer.sh");
if (_loadbPath == null) {
throw new ConfigurationException("Unable to find the call_loadbalancer.sh");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
index 817fdec..1a0b97b 100755
--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -847,10 +847,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
try {
VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
- Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+ Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
if (s_logger.isDebugEnabled())
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
if (!result.first()) {
s_logger.error("SetPortForwardingRulesCommand failure on setting one rule. args: " + args);
@@ -905,16 +905,16 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
Pair<Boolean, String> result = null;
if (trafficType == FirewallRule.TrafficType.Egress) {
- result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewallRule_egress.sh " + args);
+ result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_egress.sh " + args);
} else {
- result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall_rule.sh " + args);
+ result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_ingress.sh " + args);
}
if (s_logger.isDebugEnabled()) {
if (trafficType == FirewallRule.TrafficType.Egress) {
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewallRule_egress.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_egress.sh " + args);
} else {
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall_rule.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_ingress.sh " + args);
}
}
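Review bot: `args` is spliced unquoted into a command line that the router's shell interprets (`"/opt/cloud/bin/firewall_egress.sh " + args`), and it carries the rules' source CIDRs and port ranges, which originate from API input; the commit only changes the script path and leaves that boundary unvalidated. If the rule fields are not already restricted to IP/CIDR/port syntax on the management server, validate them before this call, since a shell metacharacter in a CIDR would execute as root on the virtual router. The "Executing script" debug message is also emitted after `sshExecute` has returned; logging before the call makes a hung router easier to diagnose. The enclosing method starts before this hunk.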
@@ -1012,10 +1012,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
try {
VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
String controlIp = getRouterSshControlIp(cmd);
- Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+ Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
if (s_logger.isDebugEnabled())
- s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+ s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
if (!result.first()) {
s_logger.error("SetStaticNatRulesCommand failure on setting one rule. args: " + args);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index ddb7912..e7e4ee3 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -2047,7 +2047,6 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
boolean endResult = true;
for (PortForwardingRuleTO rule : cmd.getRules()) {
StringBuilder args = new StringBuilder();
- args.append(routerIp);
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -P ").append(rule.getProtocol().toLowerCase());
args.append(" -l ").append(rule.getSrcIp());
@@ -2055,7 +2054,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args.append(" -r ").append(rule.getDstIp());
args.append(" -d ").append(rule.getStringDstPortRange());
- String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
@@ -2096,14 +2095,12 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
Connection conn = getConnection();
String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
- //String args = routerIp;
String[] results = new String[cmd.getRules().length];
int i = 0;
boolean endResult = true;
for (StaticNatRuleTO rule : cmd.getRules()) {
//1:1 NAT needs instanceip;publicip;domrip;op
StringBuilder args = new StringBuilder();
- args.append(routerIp);
args.append(rule.revoked() ? " -D " : " -A ");
args.append(" -l ").append(rule.getSrcIp());
args.append(" -r ").append(rule.getDstIp());
@@ -2115,7 +2112,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args.append(" -d ").append(rule.getStringSrcPortRange());
args.append(" -G ");
- String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+ String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
if (result == null || result.isEmpty()) {
results[i++] = "Failed";
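Review bot: `Connection conn = getConnection();` is still obtained at the top of the method, but the only visible consumer, `callHostPlugin(conn, ...)`, is replaced by `routerProxy("firewall_nat.sh", routerIp, args.toString())`, which does not take it. If nothing else in the method (which continues outside the hunk) uses `conn`, drop the line so an unused Xen connection is not opened per call. The same applies to the port-forwarding method above, which received the identical change.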
@@ -7606,8 +7603,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
}
String[][] rules = cmd.generateFwRules();
- String args = "";
- args += routerIp + " -F";
+ String args = " -F";
if (trafficType == FirewallRule.TrafficType.Egress) {
args += " -E";
if (egressDefault.equals("true")) {
@@ -7627,7 +7623,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
args += " -a " + sb.toString();
}
- callResult = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args);
+ if (trafficType == FirewallRule.TrafficType.Egress) {
+ callResult = routerProxy("firewall_egress.sh", routerIp, args);
+ } else {
+ callResult = routerProxy("firewall_ingress.sh", routerIp, args);
+ }
if (callResult == null || callResult.isEmpty()) {
//FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/scripts/network/domr/call_firewall.sh
----------------------------------------------------------------------
diff --git a/scripts/network/domr/call_firewall.sh b/scripts/network/domr/call_firewall.sh
deleted file mode 100755
index f6ad0be..0000000
--- a/scripts/network/domr/call_firewall.sh
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-
-# $Id: call_firewall.sh 9132 2010-06-04 20:17:43Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/branches/2.0.0/java/scripts/vm/hypervisor/xenserver/patch/call_firewall.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-usage() {
- printf "Usage for Firewall rule : %s: <domR eth1 ip> -F " $(basename $0) >&2
- printf "Usage for other purposes : %s: <domR eth1 ip> (-A|-D) -i <domR eth1 ip> -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
-}
-
-#set -x
-
-check_gw() {
- ping -c 1 -n -q $1 > /dev/null
- if [ $? -gt 0 ]
- then
- sleep 1
- ping -c 1 -n -q $1 > /dev/null
- fi
- return $?;
-}
-
-cert="/root/.ssh/id_rsa.cloud"
-domRIp=$1
-shift
-
-check_gw "$domRIp"
-if [ $? -gt 0 ]
-then
- exit 1
-fi
-fflag=
-eflag=
-while getopts ':FE' OPTION
-do
- case $OPTION in
- F) fflag=1
- ;;
- E) eflag=1
- ;;
- \?) ;;
- esac
-done
-
-if [ -n "$eflag" ]
-then
- ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewallRule_egress.sh $*"
-elif [ -n "$fflag" ]
-then
- ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall_rule.sh $*"
-else
- ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/firewall.sh $*"
-fi
-exit $?
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 53a0002..82d4a9f 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -222,23 +222,6 @@ def setLinkLocalIP(session, args):
txt = 'success'
return txt
-
-
-@echo
-def setFirewallRule(session, args):
- sargs = args['args']
- cmd = sargs.split(' ')
- cmd.insert(0, "/opt/cloud/bin/call_firewall.sh")
- cmd.insert(0, "/bin/bash")
- try:
- txt = util.pread2(cmd)
- txt = 'success'
- except:
- logging.debug(" set firewall rule failed " )
- txt = ''
-
- return txt
-
@echo
def routerProxy(session, args):
sargs = args['args']
@@ -1556,7 +1539,7 @@ if __name__ == "__main__":
"getgateway": getgateway, "preparemigration": preparemigration,
"setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,
"savePassword": savePassword,
- "setFirewallRule": setFirewallRule, "routerProxy": routerProxy,
+ "routerProxy": routerProxy,
"setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile,
"network_rules":network_rules,
"can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules,
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
new file mode 100755
index 0000000..b1e7a40
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
+# firewallRule_egress.sh -- allow some ports / protocols from vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+#set -x
+usage() {
+ printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
+ printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+
+fw_egress_remove_backup() {
+ sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES
+ sudo iptables -F _FW_EGRESS_RULES
+ sudo iptables -X _FW_EGRESS_RULES
+}
+
+fw_egress_save() {
+ sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
+}
+
+fw_egress_chain () {
+#supress errors 2>/dev/null
+ fw_egress_remove_backup
+ fw_egress_save
+ sudo iptables -N FW_EGRESS_RULES
+ sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+}
+
+fw_egress_backup_restore() {
+ sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
+ sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
+ fw_egress_remove_backup
+}
+
+
+fw_entry_for_egress() {
+ local rule=$1
+
+ local prot=$(echo $rule | cut -d: -f2)
+ local sport=$(echo $rule | cut -d: -f3)
+ local eport=$(echo $rule | cut -d: -f4)
+ local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
+ if [ "$sport" == "0" -a "$eport" == "0" ]
+ then
+ DPORT=""
+ else
+ DPORT="--dport $sport:$eport"
+ fi
+ logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"
+
+ for lcidr in $cidrs
+ do
+ [ "$prot" == "reverted" ] && continue;
+ if [ "$prot" == "icmp" ]
+ then
+ typecode="$sport/$eport"
+ [ "$eport" == "-1" ] && typecode="$sport"
+ [ "$sport" == "-1" ] && typecode="any"
+ sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
+ -j $target
+ result=$?
+ elif [ "$prot" == "all" ]
+ then
+ sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
+ result=$?
+ else
+ sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr $DPORT -j $target
+ result=$?
+ fi
+
+ [ $result -gt 0 ] &&
+ logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
+ break
+ done
+
+ logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
+ return $result
+}
+
+
+aflag=0
+rules=""
+rules_list=""
+ip=""
+dev=""
+pflag=0
+shift
+shift
+while getopts 'a:P:' OPTION
+do
+ case $OPTION in
+ a) aflag=1
+ rules="$OPTARG"
+ ;;
+ P) pflag=1
+ pvalue="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+if [ "$aflag" != "1" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+if [ -n "$rules" ]
+then
+ rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format reverted:0:0:0
+# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+
+success=0
+
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+ then
+ target="ACCEPT"
+ else
+ target="DROP"
+ fi
+
+fw_egress_chain
+for r in $rules_list
+do
+ fw_entry_for_egress $r
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ logger -t cloud "failure to apply fw egress rules "
+ break
+ else
+ logger -t cloud "successful in applying fw egress rules"
+ fi
+done
+
+if [ $success -gt 0 ]
+then
+ logger -t cloud "restoring from backup for guest network"
+ fw_egress_backup_restore
+else
+ logger -t cloud "deleting backup for guest network"
+ if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+ then
+ #Adding default policy rule
+ sudo iptables -A FW_EGRESS_RULES -j ACCEPT
+ fi
+
+fi
+
+fw_egress_remove_backup
+
+unlock_exit $success $lock $locked
+
+
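Review bot: The two bare `shift`s before `getopts` (after `pflag=0`) silently assume the caller put exactly two leading words (`-F -E`) in front of the real options; if they are missing or fused, `-P` or `-a` is dropped and the script exits 2 with a usage error without logging why. Parsing them as no-op options is more robust: `while getopts 'a:P:FE' OPTION` with an added `F|E) ;;` case and both `shift` lines removed. In `fw_entry_for_egress`, `result` is never assigned when the cidr list is empty or the protocol is `reverted`, so `return $result` returns the status of the last `logger` call; add `local result=0` at the top of the function. Note also that `$prot`, `$lcidr` and `$DPORT` reach `iptables` unquoted and unvalidated, so a field containing whitespace becomes extra iptables arguments, which is acceptable only if the management server guarantees the rule format.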
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
new file mode 100755
index 0000000..9e459f0
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh
@@ -0,0 +1,202 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
+ printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+fw_remove_backup() {
+ local pubIp=$1
+ sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_restore() {
+ local pubIp=$1
+ sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
+}
+
+fw_chain_for_ip () {
+ local pubIp=$1
+ fw_remove_backup $1
+ sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
+ sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
+ # ensure outgoing connections are maintained (first rule in chain)
+ sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
+ #ensure that this table is after VPN chain
+ sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ # if VPN chain is not present for various reasons, try to add in to the first slot */
+ sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
+ fi
+}
+
+fw_entry_for_public_ip() {
+ local rules=$1
+
+ local pubIp=$(echo $rules | cut -d: -f1)
+ local prot=$(echo $rules | cut -d: -f2)
+ local sport=$(echo $rules | cut -d: -f3)
+ local eport=$(echo $rules | cut -d: -f4)
+ local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+
+ logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"
+
+
+ # note that rules are inserted after the RELATED,ESTABLISHED rule
+ # but before the DROP rule
+ for src in $scidrs
+ do
+ [ "$prot" == "reverted" ] && continue;
+ if [ "$prot" == "icmp" ]
+ then
+ typecode="$sport/$eport"
+ [ "$eport" == "-1" ] && typecode="$sport"
+ [ "$sport" == "-1" ] && typecode="any"
+ sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+ --icmp-type $typecode -j RETURN
+ else
+ sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
+ --dport $sport:$eport -j RETURN
+ fi
+ result=$?
+ [ $result -gt 0 ] &&
+ logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+ break
+ done
+
+ logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
+ return $result
+}
+
+get_vif_list() {
+ local vif_list=""
+ for i in /sys/class/net/eth*; do
+ vif=$(basename $i);
+ if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
+ then
+ vif_list="$vif_list $vif";
+ fi
+ done
+ if [ "$vif_list" == "" ]
+ then
+ vif_list="eth0"
+ fi
+
+ logger -t cloud "FirewallRule public interfaces = $vif_list"
+ echo $vif_list
+}
+
+shift
+rules=
+while getopts 'a:' OPTION
+do
+ case $OPTION in
+ a) aflag=1
+ rules="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+VIF_LIST=$(get_vif_list)
+
+if [ "$rules" == "" ]
+then
+ rules="none"
+fi
+
+#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+# The reverted entries will fix the following partially
+#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress does not appear in the current execution when compare to old one
+# example : In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
+# 1) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
+# 2) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
+
+
+success=0
+publicIps=
+rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+for r in $rules_list
+do
+ pubIp=$(echo $r | cut -d: -f1)
+ publicIps="$pubIp $publicIps"
+done
+
+unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
+
+for u in $unique_ips
+do
+ fw_chain_for_ip $u
+done
+
+for r in $rules_list
+do
+ pubIp=$(echo $r | cut -d: -f1)
+ fw_entry_for_public_ip $r
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
+ break
+ else
+ logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
+ fi
+done
+
+if [ $success -gt 0 ]
+then
+ for p in $unique_ips
+ do
+ logger -t cloud "$(basename $0): restoring from backup for ip: $p"
+ fw_restore $p
+ done
+fi
+for p in $unique_ips
+do
+ logger -t cloud "$(basename $0): deleting backup for ip: $p"
+ fw_remove_backup $p
+done
+
+unlock_exit $success $lock $locked
+
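Review bot: When no `-a` is given the script substitutes `rules="none"`, and because `cut` prints a line with no delimiter in full, `pubIp`, `prot`, `sport` and `eport` all become `none`; `fw_chain_for_ip none` and `fw_entry_for_public_ip none` then issue iptables calls with `-d none` and `--dport none:none`, which fail and drive the script into the restore path with exit status 1. If an empty rule set is meant to be a no-op, replace the sentinel with an explicit exit: `if [ -z "$rules" ]; then unlock_exit 0 $lock $locked; fi`. `VIF_LIST=$(get_vif_list)` is computed and logged but never used afterwards, so it can be removed. As in the egress script, `result` in `fw_entry_for_public_ip` is unset when every entry is `reverted`, so `local result=0` at the top of that function would make the return value deliberate.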
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
new file mode 100755
index 0000000..8c0e0fc
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh
@@ -0,0 +1,358 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
+# firewall.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+vpnoutmark="0x525"
+
+usage() {
+ printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
+}
+
+#set -x
+
+get_dev_list() {
+ ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
+ ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+}
+
+ip_to_dev() {
+ local ip=$1
+
+ for dev in $DEV_LIST; do
+ ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
+ [ $? -eq 0 ] && echo $dev && return 0
+ done
+ return 1
+}
+
+doHairpinNat () {
+ local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
+ local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
+
+ local publicIp=$1
+ local prot=$2
+ local port=$3
+ local guestVmIp=$4
+ local guestPort=$(echo $5 | sed 's/:/-/')
+ local op=$6
+ local destPort=$5
+ logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
+ instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
+
+ if [ "$prot" == "all" ]
+ then
+ logger -t cloud "creating hairpin nat rules for static nat"
+ (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+ else
+ (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
+ fi
+}
+
+#Port (address translation) forwarding for tcp or udp
+tcp_or_udp_entry() {
+ local instIp=$1
+ local dport0=$2
+ local dport=$(echo $2 | sed 's/:/-/')
+ local publicIp=$3
+ local port=$4
+ local op=$5
+ local proto=$6
+ local cidrs=$7
+
+ logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+ instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
+
+ #if adding, this might be a duplicate, so delete the old one first
+ [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
+ # the delete operation may have errored out but the only possible reason is
+ # that the rules didn't exist in the first place
+ local dev=$(ip_to_dev $publicIp)
+ local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+ # shortcircuit the process if error and it is an append operation
+ # continue if it is delete
+ (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
+ --destination-port $port -j DNAT \
+ --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+ --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+ --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
+ (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \
+ --destination-port $port -j DNAT \
+ --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
+ --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp \
+ --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE)
+
+
+ local result=$?
+ logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+ return $result
+}
+
+
+#Forward icmp
+icmp_entry() {
+ local instIp=$1
+ local icmptype=$2
+ local publicIp=$3
+ local op=$4
+
+ logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
+ instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
+ #if adding, this might be a duplicate, so delete the old one first
+ [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"
+ # the delete operation may have errored out but the only possible reason is
+ # that the rules didn't exist in the first place
+ local dev=$(ip_to_dev $publicIp)
+ sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
+
+ sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
+ sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE
+
+ result=$?
+ logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
+ return $result
+}
+
+
+
+one_to_one_fw_entry() {
+ local publicIp=$1
+ local instIp=$2
+ local proto=$3
+ local portRange=$4
+ local op=$5
+ logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
+ instance ip=$instIp proto=$proto portRange=$portRange op=$op"
+
+ #if adding, this might be a duplicate, so delete the old one first
+ [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D"
+ # the delete operation may have errored out but the only possible reason is
+ # that the rules didn't exist in the first place
+
+ local dev=$(ip_to_dev $publicIp)
+ [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+
+ # shortcircuit the process if error and it is an append operation
+ # continue if it is delete
+ (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
+ --destination-port $portRange -j DNAT \
+ --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
+ (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
+ --destination-port $portRange -m state \
+ --state NEW -j ACCEPT &>> $OUTFILE )
+
+ result=$?
+ logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
+ return $result
+}
+
+fw_chain_for_ip() {
+ local pubIp=$1
+ if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+ then
+ logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
+ (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
+ (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
+ (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
+ return $?
+ fi
+ logger -t cloud "fw chain for $pubIp already exists"
+ return 0
+}
+
+static_nat() {
+ local publicIp=$1
+ local instIp=$2
+ local op=$3
+ local op2="-D"
+ local rulenum=
+ local proto="all"
+
+ logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
+ instance ip=$instIp op=$op"
+
+ #TODO check error below
+ fw_chain_for_ip $publicIp
+
+ #if adding, this might be a duplicate, so delete the old one first
+ [ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
+ # the delete operation may have errored out but the only possible reason is
+ # that the rules didn't exist in the first place
+ [ "$op" == "-A" ] && op2="-I"
+ if [ "$op" == "-A" ]
+ then
+ # put static nat rule one rule after VPN no-NAT rule
+ # rule chain can be used to improve it later
+ iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
+ if [ $? -eq 0 ]
+ then
+ rulenum=2
+ else
+ rulenum=1
+ fi
+ fi
+
+ local dev=$(ip_to_dev $publicIp)
+ [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
+ local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
+
+ # shortcircuit the process if error and it is an append operation
+ # continue if it is delete
+ (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+ -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
+ -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
+ -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
+ -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp -j DNAT \
+ --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp -m state \
+ --state NEW -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
+ -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
+ (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
+
+ result=$?
+ logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
+ return $result
+}
+
+
+
+rflag=
+Pflag=
+pflag=
+tflag=
+lflag=
+dflag=
+sflag=
+Gflag=
+op=""
+
+while getopts 'ADr:P:p:t:l:d:s:G' OPTION
+do
+ case $OPTION in
+ A) op="-A"
+ ;;
+ D) op="-D"
+ ;;
+ r) rflag=1
+ instanceIp="$OPTARG"
+ ;;
+ P) Pflag=1
+ protocol="$OPTARG"
+ ;;
+ p) pflag=1
+ ports="$OPTARG"
+ ;;
+ t) tflag=1
+ icmptype="$OPTARG"
+ ;;
+ l) lflag=1
+ publicIp="$OPTARG"
+ ;;
+ s) sflag=1
+ cidrs="$OPTARG"
+ ;;
+ d) dflag=1
+ dport="$OPTARG"
+ ;;
+ G) Gflag=1
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+DEV_LIST=$(get_dev_list)
+OUTFILE=$(mktemp)
+
+#Firewall ports for one-to-one/static NAT
+if [ "$Gflag" == "1" ]
+then
+ if [ "$protocol" == "" ]
+ then
+ static_nat $publicIp $instanceIp $op
+ else
+ one_to_one_fw_entry $publicIp $instanceIp $protocol $dport $op
+ fi
+ result=$?
+ if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
+ cat $OUTFILE >&2
+ fi
+ rm -f $OUTFILE
+ if [ "$op" == "-D" ];then
+ result=0
+ fi
+ unlock_exit $result $lock $locked
+fi
+
+if [ "$sflag" != "1" ]
+then
+ cidrs="0/0"
+fi
+
+case $protocol in
+ tcp|udp)
+ tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
+ result=$?
+ if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
+ cat $OUTFILE >&2
+ fi
+ rm -f $OUTFILE
+ if [ "$op" == "-D" ];then
+ result=0
+ fi
+ unlock_exit $result $lock $locked
+ ;;
+ "icmp")
+
+ icmp_entry $instanceIp $icmptype $publicIp $op
+ if [ "$op" == "-D" ];then
+ result=0
+ fi
+ unlock_exit $? $lock $locked
+ ;;
+ *)
+ printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
+ unlock_exit 5 $lock $locked
+ ;;
+esac
+
+unlock_exit 0 $lock $locked
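Review bot: In the `"icmp")` branch of the final `case`, `unlock_exit $? $lock $locked` exits with the status of the preceding `[ "$op" == "-D" ]` test rather than the return value of `icmp_entry`, so a failed ICMP rule insert is reported as success to the caller and the `result=0` assigned just above it is dead. The tcp/udp branch already does this correctly; mirroring it means `result=$?` directly after the `icmp_entry` call and `unlock_exit $result $lock $locked` at the end of the branch (that branch also never removes `$OUTFILE`). Separately, the delete-before-add line inside `icmp_entry` references `$icmpType` while the local is `icmptype`; the unset variable expands to nothing, the unquoted argument is dropped and the recursive delete call's positional parameters shift, so the old rule is not removed — it should read `[ "$op" == "-A" ] && icmp_entry $instIp $icmptype $publicIp "-D"`. The blob index on this section matches the deleted root/firewall.sh, so this appears to be a move of unchanged content; the defects predate the commit, but this path is where they will now be maintained.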
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewall.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall.sh b/systemvm/patches/debian/config/root/firewall.sh
deleted file mode 100755
index 8c0e0fc..0000000
--- a/systemvm/patches/debian/config/root/firewall.sh
+++ /dev/null
@@ -1,358 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewall.sh 9947 2010-06-25 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewall.sh $
-# firewall.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-vpnoutmark="0x525"
-
-usage() {
- printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
-}
-
-#set -x
-
-get_dev_list() {
- ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
- ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
-}
-
-ip_to_dev() {
- local ip=$1
-
- for dev in $DEV_LIST; do
- ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
- [ $? -eq 0 ] && echo $dev && return 0
- done
- return 1
-}
-
-doHairpinNat () {
- local vrGuestIPNetwork=$(sudo ip addr show dev eth0 | grep inet | grep eth0 | awk '{print $2}' | head -1)
- local vrGuestIP=$(echo $vrGuestIPNetwork | awk -F'/' '{print $1}')
-
- local publicIp=$1
- local prot=$2
- local port=$3
- local guestVmIp=$4
- local guestPort=$(echo $5 | sed 's/:/-/')
- local op=$6
- local destPort=$5
- logger -t cloud "$(basename $0): create HairPin entry : public ip=$publicIp \
- instance ip=$guestVmIp proto=$proto portRange=$guestPort op=$op"
-
- if [ "$prot" == "all" ]
- then
- logger -t cloud "creating hairpin nat rules for static nat"
- (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -j DNAT --to-destination $guestVmIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
- else
- (sudo iptables -t nat $op PREROUTING -d $publicIp -i eth0 -p $prot --dport $port -j DNAT --to-destination $guestVmIp:$guestPort &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op POSTROUTING -s $vrGuestIPNetwork -p $prot --dport $destPort -d $guestVmIp -j SNAT -o eth0 --to-source $vrGuestIP &>> $OUTFILE || [ "$op" == "-D" ])
- fi
-}
-
-#Port (address translation) forwarding for tcp or udp
-tcp_or_udp_entry() {
- local instIp=$1
- local dport0=$2
- local dport=$(echo $2 | sed 's/:/-/')
- local publicIp=$3
- local port=$4
- local op=$5
- local proto=$6
- local cidrs=$7
-
- logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
- instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto $cidrs
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- local dev=$(ip_to_dev $publicIp)
- local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -j DNAT \
- --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -j MARK --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
- --destination-port $port -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto $port $instIp $dport0 $op) &&
- (sudo iptables -t nat $op OUTPUT --proto $proto -d $publicIp \
- --destination-port $port -j DNAT \
- --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp -m state \
- --state ESTABLISHED,RELATED -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -p $proto -s $cidrs -d $instIp \
- --destination-port $dport0 -m state --state NEW -m comment --comment "$publicIp:$port" -j ACCEPT &>> $OUTFILE)
-
-
- local result=$?
- logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-#Forward icmp
-icmp_entry() {
- local instIp=$1
- local icmptype=$2
- local publicIp=$3
- local op=$4
-
- logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
- instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- local dev=$(ip_to_dev $publicIp)
- sudo iptables -t nat $op PREROUTING --proto icmp -i $dev -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
-
- sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
- sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE
-
- result=$?
- logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-
-one_to_one_fw_entry() {
- local publicIp=$1
- local instIp=$2
- local proto=$3
- local portRange=$4
- local op=$5
- logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
- instance ip=$instIp proto=$proto portRange=$portRange op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && one_to_one_fw_entry $publicIp $instIp $proto $portRange "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
-
- local dev=$(ip_to_dev $publicIp)
- [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
- --destination-port $portRange -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto $portRange $instIp $portRange $op) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
- --destination-port $portRange -m state \
- --state NEW -j ACCEPT &>> $OUTFILE )
-
- result=$?
- logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-fw_chain_for_ip() {
- local pubIp=$1
- if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
- then
- logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
- (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
- (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
- (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
- return $?
- fi
- logger -t cloud "fw chain for $pubIp already exists"
- return 0
-}
-
-static_nat() {
- local publicIp=$1
- local instIp=$2
- local op=$3
- local op2="-D"
- local rulenum=
- local proto="all"
-
- logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
- instance ip=$instIp op=$op"
-
- #TODO check error below
- fw_chain_for_ip $publicIp
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- [ "$op" == "-A" ] && op2="-I"
- if [ "$op" == "-A" ]
- then
- # put static nat rule one rule after VPN no-NAT rule
- # rule chain can be used to improve it later
- iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
- if [ $? -eq 0 ]
- then
- rulenum=2
- else
- rulenum=1
- fi
- fi
-
- local dev=$(ip_to_dev $publicIp)
- [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
- local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
- -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -i $dev -d $publicIp \
- -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
- -j MARK -m state --state NEW --set-mark $tableNo &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t mangle $op PREROUTING -s $instIp -i eth0 \
- -m state --state NEW -j CONNMARK --save-mark &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp -m state \
- --state NEW -j ACCEPT &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op2 POSTROUTING $rulenum -s $instIp -j SNAT \
- -o $dev --to-source $publicIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- (doHairpinNat $publicIp $proto "all" $instIp "0:65535" $op)
-
- result=$?
- logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
- return $result
-}
-
-
-
-rflag=
-Pflag=
-pflag=
-tflag=
-lflag=
-dflag=
-sflag=
-Gflag=
-op=""
-
-while getopts 'ADr:P:p:t:l:d:s:G' OPTION
-do
- case $OPTION in
- A) op="-A"
- ;;
- D) op="-D"
- ;;
- r) rflag=1
- instanceIp="$OPTARG"
- ;;
- P) Pflag=1
- protocol="$OPTARG"
- ;;
- p) pflag=1
- ports="$OPTARG"
- ;;
- t) tflag=1
- icmptype="$OPTARG"
- ;;
- l) lflag=1
- publicIp="$OPTARG"
- ;;
- s) sflag=1
- cidrs="$OPTARG"
- ;;
- d) dflag=1
- dport="$OPTARG"
- ;;
- G) Gflag=1
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-DEV_LIST=$(get_dev_list)
-OUTFILE=$(mktemp)
-
-#Firewall ports for one-to-one/static NAT
-if [ "$Gflag" == "1" ]
-then
- if [ "$protocol" == "" ]
- then
- static_nat $publicIp $instanceIp $op
- else
- one_to_one_fw_entry $publicIp $instanceIp $protocol $dport $op
- fi
- result=$?
- if [ "$result" -ne 0 ] && [ "$op" != "-D" ]; then
- cat $OUTFILE >&2
- fi
- rm -f $OUTFILE
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $result $lock $locked
-fi
-
-if [ "$sflag" != "1" ]
-then
- cidrs="0/0"
-fi
-
-case $protocol in
- tcp|udp)
- tcp_or_udp_entry $instanceIp $dport $publicIp $ports $op $protocol $cidrs
- result=$?
- if [ "$result" -ne 0 ] && [ "$op" != "-D" ];then
- cat $OUTFILE >&2
- fi
- rm -f $OUTFILE
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $result $lock $locked
- ;;
- "icmp")
-
- icmp_entry $instanceIp $icmptype $publicIp $op
- if [ "$op" == "-D" ];then
- result=0
- fi
- unlock_exit $? $lock $locked
- ;;
- *)
- printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
- unlock_exit 5 $lock $locked
- ;;
-esac
-
-unlock_exit 0 $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewallRule_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewallRule_egress.sh b/systemvm/patches/debian/config/root/firewallRule_egress.sh
deleted file mode 100755
index b1e7a40..0000000
--- a/systemvm/patches/debian/config/root/firewallRule_egress.sh
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
-# firewallRule_egress.sh -- allow some ports / protocols from vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-#set -x
-usage() {
- printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-
-fw_egress_remove_backup() {
- sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES
- sudo iptables -F _FW_EGRESS_RULES
- sudo iptables -X _FW_EGRESS_RULES
-}
-
-fw_egress_save() {
- sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
-}
-
-fw_egress_chain () {
-#supress errors 2>/dev/null
- fw_egress_remove_backup
- fw_egress_save
- sudo iptables -N FW_EGRESS_RULES
- sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
-}
-
-fw_egress_backup_restore() {
- sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
- sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
- fw_egress_remove_backup
-}
-
-
-fw_entry_for_egress() {
- local rule=$1
-
- local prot=$(echo $rule | cut -d: -f2)
- local sport=$(echo $rule | cut -d: -f3)
- local eport=$(echo $rule | cut -d: -f4)
- local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
- if [ "$sport" == "0" -a "$eport" == "0" ]
- then
- DPORT=""
- else
- DPORT="--dport $sport:$eport"
- fi
- logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"
-
- for lcidr in $cidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
- -j $target
- result=$?
- elif [ "$prot" == "all" ]
- then
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
- result=$?
- else
- sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr $DPORT -j $target
- result=$?
- fi
-
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
- return $result
-}
-
-
-aflag=0
-rules=""
-rules_list=""
-ip=""
-dev=""
-pflag=0
-shift
-shift
-while getopts 'a:P:' OPTION
-do
- case $OPTION in
- a) aflag=1
- rules="$OPTARG"
- ;;
- P) pflag=1
- pvalue="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$aflag" != "1" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ -n "$rules" ]
-then
- rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format reverted:0:0:0
-# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
-
-success=0
-
-if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
- then
- target="ACCEPT"
- else
- target="DROP"
- fi
-
-fw_egress_chain
-for r in $rules_list
-do
- fw_entry_for_egress $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "failure to apply fw egress rules "
- break
- else
- logger -t cloud "successful in applying fw egress rules"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- logger -t cloud "restoring from backup for guest network"
- fw_egress_backup_restore
-else
- logger -t cloud "deleting backup for guest network"
- if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
- then
- #Adding default policy rule
- sudo iptables -A FW_EGRESS_RULES -j ACCEPT
- fi
-
-fi
-
-fw_egress_remove_backup
-
-unlock_exit $success $lock $locked
-
-
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/0ea1c7df/systemvm/patches/debian/config/root/firewall_rule.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/root/firewall_rule.sh b/systemvm/patches/debian/config/root/firewall_rule.sh
deleted file mode 100755
index 9e459f0..0000000
--- a/systemvm/patches/debian/config/root/firewall_rule.sh
+++ /dev/null
@@ -1,202 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-fw_remove_backup() {
- local pubIp=$1
- sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_restore() {
- local pubIp=$1
- sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
-}
-
-fw_chain_for_ip () {
- local pubIp=$1
- fw_remove_backup $1
- sudo iptables -t mangle -E FIREWALL_$pubIp _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -N FIREWALL_$pubIp 2> /dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
- # ensure outgoing connections are maintained (first rule in chain)
- sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
- #ensure that this table is after VPN chain
- sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
- success=$?
- if [ $success -gt 0 ]
- then
- # if VPN chain is not present for various reasons, try to add in to the first slot */
- sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
- fi
-}
-
-fw_entry_for_public_ip() {
- local rules=$1
-
- local pubIp=$(echo $rules | cut -d: -f1)
- local prot=$(echo $rules | cut -d: -f2)
- local sport=$(echo $rules | cut -d: -f3)
- local eport=$(echo $rules | cut -d: -f4)
- local scidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
-
- logger -t cloud "$(basename $0): enter apply firewall rules for public ip $pubIp:$prot:$sport:$eport:$scidrs"
-
-
- # note that rules are inserted after the RELATED,ESTABLISHED rule
- # but before the DROP rule
- for src in $scidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
- --icmp-type $typecode -j RETURN
- else
- sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot \
- --dport $sport:$eport -j RETURN
- fi
- result=$?
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
- return $result
-}
-
-get_vif_list() {
- local vif_list=""
- for i in /sys/class/net/eth*; do
- vif=$(basename $i);
- if [ "$vif" != "eth0" ] && [ "$vif" != "eth1" ]
- then
- vif_list="$vif_list $vif";
- fi
- done
- if [ "$vif_list" == "" ]
- then
- vif_list="eth0"
- fi
-
- logger -t cloud "FirewallRule public interfaces = $vif_list"
- echo $vif_list
-}
-
-shift
-rules=
-while getopts 'a:' OPTION
-do
- case $OPTION in
- a) aflag=1
- rules="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-VIF_LIST=$(get_vif_list)
-
-if [ "$rules" == "" ]
-then
- rules="none"
-fi
-
-#-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
-# The reverted entries will fix the following partially
-#FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress does not appear in the current execution when compare to old one
-# example : In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
-# 1) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,
-# 2) -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,
-
-
-success=0
-publicIps=
-rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-for r in $rules_list
-do
- pubIp=$(echo $r | cut -d: -f1)
- publicIps="$pubIp $publicIps"
-done
-
-unique_ips=$(echo $publicIps| tr " " "\n" | sort | uniq | tr "\n" " ")
-
-for u in $unique_ips
-do
- fw_chain_for_ip $u
-done
-
-for r in $rules_list
-do
- pubIp=$(echo $r | cut -d: -f1)
- fw_entry_for_public_ip $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "$(basename $0): failure to apply fw rules for ip $pubIp"
- break
- else
- logger -t cloud "$(basename $0): successful in applying fw rules for ip $pubIp"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- for p in $unique_ips
- do
- logger -t cloud "$(basename $0): restoring from backup for ip: $p"
- fw_restore $p
- done
-fi
-for p in $unique_ips
-do
- logger -t cloud "$(basename $0): deleting backup for ip: $p"
- fw_remove_backup $p
-done
-
-unlock_exit $success $lock $locked
-