Posted to commits@cloudstack.apache.org by ya...@apache.org on 2012/07/18 02:23:18 UTC

git commit: CS-15536: Insert VPN mangle policy to FORWARD and OUTPUT

Updated Branches:
  refs/heads/vpc 14fa5279e -> a1333649d


CS-15536: Insert VPN mangle policy to FORWARD and OUTPUT

Needed so that the traffic is still marked when an ACL chain is involved in the PREROUTING chain.

Also using more generic tag checking in nat table.


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/a1333649
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/a1333649
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/a1333649

Branch: refs/heads/vpc
Commit: a1333649dbf1c6521d671bfd900cf7ba89efe270
Parents: 14fa527
Author: Sheng Yang <sh...@citrix.com>
Authored: Tue Jul 17 16:47:37 2012 -0700
Committer: Sheng Yang <sh...@citrix.com>
Committed: Tue Jul 17 17:23:11 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/ipsectunnel.sh     |   13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a1333649/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 7426d4b..470fca9 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -40,16 +40,21 @@ enable_iptable() {
   sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
   for net in $rightnets
   do
-    sudo iptables -A PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -A FORWARD -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -A OUTPUT -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
   done
+  # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
+  sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 }
 
 disable_iptable() {
   sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
   for net in $rightnets
   do
-    sudo iptables -D PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -D FORWARD -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -D OUTPUT -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
   done
+  sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 }
 
 ipsec_tunnel_del() {
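Review bot: The `-t nat` option is given twice on the new `-I POSTROUTING` line in enable_iptable and on its `-D` counterpart in disable_iptable; iptables tolerates the repetition outside restore mode, but it is a copy-paste slip and both should read `sudo iptables -t nat -I POSTROUTING -o $outIf -m mark --mark $vpnoutmark -j ACCEPT` (with `-D` for the teardown). The inserted ACCEPT carries nothing that identifies a peer, so every call to enable_iptable pushes another identical copy to the head of nat POSTROUTING while disable_iptable removes exactly one; if the callers, which are outside this hunk, can run enable twice for the same tunnel without a disable in between, the SNAT bypass for marked traffic survives teardown. A presence check before the insert (for example via `iptables-save -t nat`, or `iptables -C` where the system VM's iptables supports it) would make the pair idempotent. Note also that `--mark $vpnoutmark` matches the whole fwmark exactly while the new FORWARD/OUTPUT `--set-mark` rules overwrite it, so if any other mark is applied to this traffic in the same path either side could silently stop matching; a mask on both rules would be the usual guard, if that situation applies here. The unquoted `$leftnet`, `$net` and `$outIf` expansions are inherited from the old lines but the new rules keep them.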
@@ -107,10 +112,6 @@ ipsec_tunnel_add() {
     sudo ipsec auto --rereadall
     sudo ipsec auto --add vpn-$rightpeer
     sudo ipsec auto --up vpn-$rightpeer
-    # Prevent NAT on "marked" VPN traffic
-    sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp
-    sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
-    sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
 
   logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right networks=$rightnets"