Posted to commits@cloudstack.apache.org by bh...@apache.org on 2016/11/08 09:36:17 UTC
[1/2] git commit: updated refs/heads/4.9 to 6f609e6
Repository: cloudstack
Updated Branches:
refs/heads/4.9 f19a1631a -> 6f609e694
CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking
Allow DNS queries over TCP when egress filtering is configured.
When using DNSSEC more and more queries are done over TCP and this
requires 53/TCP to be allowed.
Signed-off-by: Wido den Hollander <wi...@widodh.nl>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8ea75f1a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8ea75f1a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8ea75f1a
Branch: refs/heads/4.9
Commit: 8ea75f1a85b53908f97a6397637ecb346b821387
Parents: fcee71f
Author: Wido den Hollander <wi...@widodh.nl>
Authored: Thu Oct 20 10:14:36 2016 +0200
Committer: Wido den Hollander <wi...@widodh.nl>
Committed: Mon Oct 31 09:57:25 2016 +0100
----------------------------------------------------------------------
scripts/vm/network/security_group.py | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8ea75f1a/scripts/vm/network/security_group.py
----------------------------------------------------------------------
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index e459a29..8283256 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -493,6 +493,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
if vm_ip is not None:
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
+ execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p tcp --dport 53 -j RETURN ")
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
execute("iptables -A " + vmchain + " -j DROP")
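Review bot: The added `-p tcp --dport 53 -j RETURN` rule has no destination match, so TCP traffic to port 53 on any host returns from the default chain before the jump to `vmchain_egress` and is never checked against the operator's egress rules. Unlike the UDP rule above it, this leaves a general-purpose stream channel open that configured egress filtering cannot close, which matters to operators who rely on egress rules for containment. If the resolver addresses are available inside default_network_rules (they are not among the parameters shown in the hunk header), consider narrowing the rule with `-d`. Otherwise document the exception next to the rule, for example `# DNS over TCP is allowed implicitly to any destination and bypasses the egress chain`. The function body starts and ends outside the hunk.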
[2/2] git commit: updated refs/heads/4.9 to 6f609e6
Posted by bh...@apache.org.
Merge pull request #1713 from wido/CLOUDSTACK-9552
CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking
Allow DNS queries over TCP when egress filtering is configured.
When using DNSSEC more and more queries are done over TCP and this
requires 53/TCP to be allowed.
Signed-off-by: Wido den Hollander wido@widodh.nl
* pr/1713:
CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6f609e69
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6f609e69
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6f609e69
Branch: refs/heads/4.9
Commit: 6f609e6946e5099c09f649f26da5ef2a2103d889
Parents: f19a163 8ea75f1
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Tue Nov 8 15:01:23 2016 +0530
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Tue Nov 8 15:01:51 2016 +0530
----------------------------------------------------------------------
scripts/vm/network/security_group.py | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------