Posted to commits@cloudstack.apache.org by da...@apache.org on 2014/05/16 22:54:38 UTC
[2/3] git commit: updated refs/heads/4.4 to 99dc7e0
CLOUDSTACK-6685: OVS distributed firewall: source CIDR mismatch while
populating ingress & egress network ACL
fix ensures proper values for nw_src and nw_dst are populated
depending on the ingress or egress acl
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/91c0c7ed
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/91c0c7ed
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/91c0c7ed
Branch: refs/heads/4.4
Commit: 91c0c7ed3eab3bb539ddfada8227b06ab123256b
Parents: ccd0e23
Author: Murali Reddy <mu...@gmail.com>
Authored: Thu May 15 16:37:40 2014 +0530
Committer: Daan Hoogland <da...@onecht.net>
Committed: Fri May 16 22:53:44 2014 +0200
----------------------------------------------------------------------
.../xenserver/cloudstack_pluginlib.py | 112 ++++++++++++++-----
1 file changed, 82 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/91c0c7ed/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
index 215d556..d3d234f 100644
--- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
+++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
@@ -634,6 +634,12 @@ def configure_vpc_bridge_for_routing_policies(bridge, json_config, sequence_no):
protocol = acl_item.protocol
if protocol == "all":
protocol = "*"
+ elif protocol == "tcp":
+ protocol = "6"
+ elif protocol == "udp":
+ protocol == "17"
+ elif protocol == "icmp":
+ protocol == "1"
source_cidrs = acl_item.sourcecidrs
acl_priority = 1000 + number
if direction == "ingress":
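Review bot: The udp and icmp branches use `==` where the tcp branch uses `=`, so `protocol == "17"` and `protocol == "1"` are no-op comparisons and `protocol` keeps the literal strings "udp" and "icmp" that are then interpolated into `nw_proto=%s` in the flow specs below. The tcp branch mapping to "6" shows a numeric protocol is intended for nw_proto; with the name left in place the udp/icmp ACL entries are presumably either rejected when the spec is loaded or installed as a rule that matches nothing, and in both cases the ACL item is silently not enforced. Change the two lines to `protocol = "17"` and `protocol = "1"`, and consider a small unit check that each accepted protocol name maps to its number. The enclosing function configure_vpc_bridge_for_routing_policies starts before this hunk and continues past it.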
@@ -647,50 +653,96 @@ def configure_vpc_bridge_for_routing_policies(bridge, json_config, sequence_no):
if source_port_start is None and source_port_end is None:
if source_cidr.startswith('0.0.0.0'):
if action == "deny":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
- " actions=drop" + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
+ " actions=drop" + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s " %tier_cidr + " nw_proto=%s " %protocol +
+ " actions=drop" + "\n")
if action == "allow":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
- " actions=resubmit(,%s)"%resubmit_table + "\n")
-
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_dst=%s " %tier_cidr + " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s " %tier_cidr + " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
else:
if action == "deny":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " nw_src=%s " %source_cidr + " nw_dst=%s " %tier_cidr +
- " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s " %source_cidr + " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s " %tier_cidr + " nw_dst=%s " %source_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
if action == "allow":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " nw_src=%s "%source_cidr + " nw_dst=%s " %tier_cidr +
- " nw_proto=%s " %protocol +
- " actions=resubmit(,%s)"%resubmit_table + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s "%source_cidr + " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " nw_src=%s "%tier_cidr + " nw_dst=%s " %source_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
continue
# add flow rule to do action (allow/deny) for flows where source IP of the packet is in
# source_cidr and destination ip is in tier_cidr
- port = source_port_start
- while (port < source_port_end):
+ port = int(source_port_start)
+ while (port <= int(source_port_end)):
if source_cidr.startswith('0.0.0.0'):
if action == "deny":
- ofspec.write("table=%s " %matching_table + " priority=%s " %acl_priority + " ip " +
- " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
- " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
if action == "allow":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
- " nw_proto=%s " %protocol +
- " actions=resubmit(,%s)"%resubmit_table + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
else:
if action == "deny":
- ofspec.write("table=%s " %matching_table + " priority=%s " %acl_priority + " ip " +
- " tp_dst=%s " %port + " nw_src=%s "%source_cidr + " nw_dst=%s "%tier_cidr +
- " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s " %source_cidr +
+ " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s " %tier_cidr +
+ " nw_dst=%s " %source_cidr +
+ " nw_proto=%s " %protocol + " actions=drop" + "\n")
if action == "allow":
- ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
- " tp_dst=%s " %port + " nw_src=%s "%source_cidr + " nw_dst=%s "%tier_cidr +
- " nw_proto=%s " %protocol +
- " actions=resubmit(,%s)"%resubmit_table + "\n")
+ if direction == "ingress":
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s "%source_cidr +
+ " nw_dst=%s " %tier_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
+ else:
+ ofspec.write("table=%s "%matching_table + " priority=%s " %acl_priority + " ip " +
+ " tp_dst=%s " %port + " nw_src=%s "%tier_cidr +
+ " nw_dst=%s " %source_cidr +
+ " nw_proto=%s " %protocol +
+ " actions=resubmit(,%s)"%resubmit_table + "\n")
port = port + 1
# add a default rule in egress table to allow packets (so forward packet to L3 lookup table)