Posted to commits@cloudstack.apache.org by ya...@apache.org on 2013/12/10 02:32:27 UTC
git commit: updated refs/heads/master to 3ccdf67
Updated Branches:
refs/heads/master fe83dd621 -> 3ccdf67df
CLOUDSTACK-5297: Fix ACL rules on VPN for VPC
Insert a new iptables chain into the FORWARD chain, so that the following ACL
rules are executed as well.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3ccdf67d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3ccdf67d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3ccdf67d
Branch: refs/heads/master
Commit: 3ccdf67dfbb5cc1985e127de6138503edacb78df
Parents: fe83dd6
Author: Sheng Yang <sh...@citrix.com>
Authored: Mon Dec 9 17:28:53 2013 -0800
Committer: Sheng Yang <sh...@citrix.com>
Committed: Mon Dec 9 17:32:04 2013 -0800
----------------------------------------------------------------------
.../debian/vpn/opt/cloud/bin/vpn_l2tp.sh | 28 +++++++++++++++++---
1 file changed, 24 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3ccdf67d/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 5afe009..83d5272 100755
--- a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -35,21 +35,41 @@ get_intf_ip() {
iptables_() {
local op=$1
local public_ip=$2
+ local is_vpc=false
+ local forward_action="ACCEPT"
+ if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+ then
+ is_vpc=true
+ fi
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
- sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
- sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
- sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+ if $is_vpc
+ then
+ # Need to apply the following ACL rules as well.
+ if sudo iptables -N VPN_FORWARD &> /dev/null
+ then
+ sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
+ sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
+ sudo iptables -A VPN_FORWARD -j DROP
+ fi
+ sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
+ sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
+ sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
+ else
+ sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
+ sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
+ sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+ fi
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $local_ip
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $local_ip
- if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+ if $is_vpc
then
return
fi