Posted to commits@cloudstack.apache.org by ya...@apache.org on 2013/12/10 02:32:27 UTC

git commit: updated refs/heads/master to 3ccdf67

Updated Branches:
  refs/heads/master fe83dd621 -> 3ccdf67df


CLOUDSTACK-5297: Fix ACL rules on VPN for VPC

Insert a new iptables chain for the FORWARD chain, so that the following ACL
rules are executed as well.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3ccdf67d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3ccdf67d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3ccdf67d

Branch: refs/heads/master
Commit: 3ccdf67dfbb5cc1985e127de6138503edacb78df
Parents: fe83dd6
Author: Sheng Yang <sh...@citrix.com>
Authored: Mon Dec 9 17:28:53 2013 -0800
Committer: Sheng Yang <sh...@citrix.com>
Committed: Mon Dec 9 17:32:04 2013 -0800

----------------------------------------------------------------------
 .../debian/vpn/opt/cloud/bin/vpn_l2tp.sh        | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3ccdf67d/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 5afe009..83d5272 100755
--- a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -35,21 +35,41 @@ get_intf_ip() {
 iptables_() {
    local op=$1
    local public_ip=$2
+   local is_vpc=false
+   local forward_action="ACCEPT"
+   if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+   then
+	is_vpc=true
+   fi
 
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
    sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
    sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
-   sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
-   sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
-   sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+   if $is_vpc
+   then
+       # Need to apply the following ACL rules as well.
+       if sudo iptables -N VPN_FORWARD &> /dev/null
+       then
+           sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
+           sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
+           sudo iptables -A VPN_FORWARD -j DROP
+       fi
+       sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
+       sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
+       sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
+   else
+       sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
+       sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
+       sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+   fi
    sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
    sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
    sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j  DNAT --to-destination $local_ip
    sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j  DNAT --to-destination $local_ip
 
-   if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+   if $is_vpc
    then
        return
    fi
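Review bot: The three `$op VPN_FORWARD … -j RETURN` rules are placed after the terminal `-A VPN_FORWARD -j DROP` whenever `$op` appends (the callers of `iptables_` are outside the hunk, so whether they pass `-A` or `-I` is not visible here), and in that case they never match, so all ppp+ forwarding in the VPC case is dropped instead of being handed back to the ACL rules. Keeping the DROP last independent of the caller's operation, e.g. `local chain_op=$op`, then `[ "$op" = "-A" ] && chain_op=-I`, and `sudo iptables $chain_op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN` for each of the three rules, lets `-D` still remove them while additions go above the DROP. `forward_action="ACCEPT"` is assigned and never read within the hunk and can be removed. The `is_vpc=true` line is tab-indented while the rest of the body uses spaces. `iptables_` continues past the end of the hunk.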