Posted to commits@cloudstack.apache.org by al...@apache.org on 2012/06/16 00:38:03 UTC

[36/51] [abbrv] git commit: VPC : move acl.sh ipassoc.sh to /opt/cloud/bin/

VPC : move acl.sh ipassoc.sh to /opt/cloud/bin/


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/a08c9e78
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/a08c9e78
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/a08c9e78

Branch: refs/heads/vpc
Commit: a08c9e789022f8c55343344f6110a44810b78a26
Parents: 973ccda
Author: anthony <an...@cloud.com>
Authored: Wed Jun 6 14:22:06 2012 -0700
Committer: Alena Prokharchyk <al...@citrix.com>
Committed: Fri Jun 15 14:24:09 2012 -0700

----------------------------------------------------------------------
 .../systemvm/debian/config/opt/cloud/bin/acl.sh    |  197 +++++++
 .../debian/config/opt/cloud/bin/ipassoc.sh         |  400 +++++++++++++++
 patches/systemvm/debian/config/root/acl.sh         |  197 -------
 patches/systemvm/debian/config/root/ipassoc.sh     |  400 ---------------
 scripts/network/domr/router_proxy.sh               |    2 +-
 wscript                                            |    2 +-
 6 files changed, 599 insertions(+), 599 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
new file mode 100755
index 0000000..525dfe4
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/acl.sh
@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License.  Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Automatically generated by addcopyright.py at 04/03/2012
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
+  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+acl_remove_backup() {
+  sudo iptables -F _ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$ip  2>/dev/null
+  sudo iptables -X _ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -F _ACL_OUTBOUND_$ip 2>/dev/null
+  sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$ip  2>/dev/null
+  sudo iptables -X _ACL_OUTBOUND_$ip 2>/dev/null
+}
+
+acl_remove() {
+  sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip  2>/dev/null
+  sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
+  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null
+  sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
+}
+
+acl_restore() {
+  acl_remove
+  sudo iptables -E _ACL_INBOUND_$ip ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -E _ACL_OUTBOUND_$ip ACL_OUTBOUND_$ip 2>/dev/null
+}
+
+acl_save() {
+  acl_remove_backup
+  sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$gGW 2>/dev/null
+}
+
+acl_chain_for_guest_network () {
+  acl_save
+  # inbound
+  sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
+  sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null
+  sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip  2>/dev/null
+  # outbound
+  sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
+  sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
+  sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
+  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null
+}
+
+
+
+acl_entry_for_guest_network() {
+  local rule=$1
+
+  local inbound=$(echo $rule | cut -d: -f1)
+  local prot=$(echo $rules | cut -d: -f2)
+  local sport=$(echo $rules | cut -d: -f3)    
+  local eport=$(echo $rules | cut -d: -f4)    
+  local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+  
+  logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"  
+
+  # note that rules are inserted after the RELATED,ESTABLISHED rule 
+  # but before the DROP rule
+  for lcidr in $scidrs
+  do
+    [ "$prot" == "reverted" ] && continue;
+    if [ "$prot" == "icmp" ]
+    then
+      typecode="$sport/$eport"
+      [ "$eport" == "-1" ] && typecode="$sport"
+      [ "$sport" == "-1" ] && typecode="any"
+      if [ "$inbound" == "1" ]
+      then
+        sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr  \
+                    --icmp-type $typecode  -j ACCEPT
+      else
+        sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr  \
+                    --icmp-type $typecode  -j ACCEPT
+      fi
+    else
+      if [ "$inbound" == "1" ]
+      then
+        sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
+                    --dport $sport:$eport -j ACCEPT
+      else
+        sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
+                    --dport $sport:$eport -j ACCEP`T
+    fi
+    result=$?
+    [ $result -gt 0 ] && 
+       logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
+       break
+  done
+      
+  logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"  
+  return $result
+}
+
+
+shift 
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+gcidr=""
+ip=""
+dev=""
+while getopts ':d:g:a:' OPTION
+do
+  case $OPTION in
+  d)    dflag=1
+                dev="$OPTAGR"
+  g)    gflag=1
+                gcidr="$OPTAGR"
+  a)	aflag=1
+		rules="$OPTARG"
+		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+if [ "$dflag$gflag$aflag" != "!11" ]
+then
+  usage()
+fi
+
+
+if [ -n "$rules" == "" ]
+then
+  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+
+success=0
+ip=$(echo $gcidr | awk -F'/' '{print $1}')
+
+acl_chain_for_guest_network
+
+for r in $rules_list
+do
+  acl_entry_for_guest_network $r
+  success=$?
+  if [ $success -gt 0 ]
+  then
+    logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+    break
+  else
+    logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+  fi
+done
+
+if [ $success -gt 0 ]
+then
+  logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+  acl_restore
+else
+  logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+  acl_remove_backup
+fi
+unlock_exit $success $lock $locked
+
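Review bot: acl.sh as added cannot run at all: the stray backtick in `-j ACCEP`T` opens an unterminated command substitution, the inner `if [ "$inbound" == "1" ]` in the non-icmp branch has no matching `fi`, and `usage()` inside the flag check is parsed as a function definition rather than a call, so bash rejects the file before the lock is even taken. With the syntax repaired the script would still do nothing useful — the `d)` and `g)` getopts arms read `$OPTAGR` and lack `;;` (so they fall through), the flag check compares against `"!11"`, `[ -n "$rules" == "" ]` is not a valid test, the parser reads `$rules`/`$scidrs` where `$rule`/`$cidrs` were meant, and every chain name in `acl_entry_for_guest_network` and in `acl_save` uses the undefined `$gGW` instead of `$ip`, so the inserts target a chain named `ACL_INBOUND_` that does not exist. The security-relevant consequence is in `acl_chain_for_guest_network`: the outbound chain is detached with `-D` instead of attached with `-A`, so even a working script would never filter guest egress; `sudo iptables -A FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null`. The file is byte-identical to the deleted root/acl.sh (same blob 525dfe4), so these defects predate the move, but the move is the moment to fix the option parsing and checks as below.
```bash
while getopts ':d:g:a:' OPTION
do
  case $OPTION in
  d)    dflag=1
        dev="$OPTARG"
        ;;
  g)    gflag=1
        gcidr="$OPTARG"
        ;;
  a)    aflag=1
        rules="$OPTARG"
        ;;
  ?)    usage
        unlock_exit 2 $lock $locked
        ;;
  esac
done

if [ "$dflag$gflag$aflag" != "111" ]
then
  usage
  unlock_exit 2 $lock $locked
fi

if [ -n "$rules" ]
then
  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
fi
# … unchanged: rule-format comments, ip derivation, chain setup and apply loop …
```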

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
new file mode 100644
index 0000000..cfaa46f
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipassoc.sh
@@ -0,0 +1,400 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License.  Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
+# Automatically generated by addcopyright.py at 04/03/2012
+
+
+
+ 
+
+# $Id: ipassoc.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/ipassoc.sh $
+# ipassoc.sh -- associate/disassociate a public ip with an instance
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+    exit 1
+fi
+
+usage() {
+  printf "Usage:\n %s -A    -l <public-ip-address>   -c <dev> [-f] \n" $(basename $0) >&2
+  printf " %s -D  -l <public-ip-address>  -c <dev> [-f] \n" $(basename $0) >&2
+}
+
+add_fw_chain_for_ip () {
+  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+  if sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): created firewall chain for $pubIp"
+    sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
+    #ensure outgoing connections are maintained (first rule in chain)
+    sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
+    #ensure that this table is after VPN chain
+    sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
+    return $?
+  fi
+  logger -t cloud "$(basename $0): firewall chain for $pubIp already exists"
+}
+
+add_vpn_chain_for_ip () {
+  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+  if sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): created VPN chain for $pubIp"
+    #ensure outgoing connections are maintained (first rule in chain)
+    sudo iptables -t mangle -I VPN_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT
+    sudo iptables -t mangle -A VPN_$pubIp -j RETURN
+    #ensure that this table is the first
+    sudo iptables -t mangle -I PREROUTING 1 -d $pubIp -j VPN_$pubIp
+    return $?
+  fi
+  logger -t cloud "$(basename $0): VPN chain for $pubIp already exists"
+}
+
+del_fw_chain_for_ip () {
+  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+  if ! sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): destroying firewall chain for $pubIp"
+    sudo iptables -t mangle -D PREROUTING  -d $pubIp -j FIREWALL_$pubIp
+    sudo iptables -t mangle -F FIREWALL_$pubIp
+    sudo iptables -t mangle -X FIREWALL_$pubIp 
+    return $?
+  fi
+  # firewall chain got created as a result of testing for the chain, cleanup
+  sudo iptables -t mangle -F FIREWALL_$pubIp
+  sudo iptables -t mangle -X FIREWALL_$pubIp
+  logger -t cloud "$(basename $0): firewall chain did not exist for $pubIp, cleaned up"
+}
+
+del_vpn_chain_for_ip () {
+  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+  if ! sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
+  then
+    logger -t cloud "$(basename $0): destroying vpn chain for $pubIp"
+    sudo iptables -t mangle -D PREROUTING  -d $pubIp -j VPN_$pubIp
+    sudo iptables -t mangle -F VPN_$pubIp
+    sudo iptables -t mangle -X VPN_$pubIp 
+    return $?
+  fi
+  # vpn chain got created as a result of testing for the chain, cleanup
+  sudo iptables -t mangle -F VPN_$pubIp
+  sudo iptables -t mangle -X VPN_$pubIp
+  logger -t cloud "$(basename $0): vpn chain did not exist for $pubIp, cleaned up"
+}
+
+remove_routing() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Remove routing $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $pubIp | awk -F'/' '{print $1}')
+  local mask=$(echo $pubIp | awk -F'/' '{print $2}')
+  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
+
+  local tableName="Table_$ethDev"
+  local ethMask=$(ip route list scope link dev $ethDev | awk '{print $1}')
+  if [ "$ethMask" == "" ]
+  then
+# rules and routes will be deleted for the last ip of the interface.
+     sudo ip rule delete fwmark $tableNo table $tableName
+     sudo ip rule delete table $tableName
+     sudo ip route flush  table $tableName 
+     sudo ip route flush cache
+     logger -t cloud "$(basename $0):Remove routing $pubIp - routes and rules deleted"
+  fi
+}
+
+# copy eth0,eth1 and the current public interface
+copy_routes_from_main() {
+  local tableName=$1
+
+#get the network masks from the main table
+  local eth0Mask=$(ip route list scope link dev eth0 | awk '{print $1}')
+  local eth1Mask=$(ip route list scope link dev eth1 | awk '{print $1}')
+  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
+
+# eth0,eth1 and other know routes will be skipped, so as main routing table will decide the route. This will be useful if the interface is down and up.  
+  sudo ip route add throw $eth0Mask table $tableName proto static 
+  sudo ip route add throw $eth1Mask table $tableName proto static 
+  sudo ip route add throw $ethMask  table $tableName proto static 
+  return 0;
+}
+
+ip_addr_add() {
+  local dev="$1"
+  local ip="$2"
+  sudo ip addr add dev $dev $ip > /dev/null
+
+}
+
+add_routing() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+
+  local tableName="Table_$ethDev"
+  local tablePresent=$(grep $tableName /etc/iproute2/rt_tables)
+  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
+  if [ "$tablePresent" == "" ]
+  then
+     if [ "$tableNo" == ""] 
+     then
+       return 0;
+     fi
+     sudo echo "$tableNo $tableName" >> /etc/iproute2/rt_tables
+  fi
+
+  copy_routes_from_main $tableName
+# NOTE: this  entry will be deleted if the interface is down without knowing to Management server, in that case all the outside traffic will be send through main routing table or it will be the first public NIC.
+  sudo ip route add default via $defaultGwIP table $tableName proto static
+  sudo ip route flush cache
+
+  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
+  local rulePresent=$(ip rule show | grep $ethMask)
+  if [ "$rulePresent" == "" ]
+  then
+# rules will be added while adding the first ip of the interface 
+     sudo ip rule add from $ethMask table $tableName
+     sudo ip rule add fwmark $tableNo table $tableName
+     logger -t cloud "$(basename $0):Add routing $pubIp rules added"
+  fi
+  return 0;
+}
+add_snat() {
+  local pubIp=$1
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  if [ "$sflag" == "0" ]
+  then
+    logger -t cloud "$(basename $0):Remove SourceNAT $pubIp on interface $ethDev if it is present"
+    sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
+    return 0;
+  fi
+
+  logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
+  sudo iptables -t nat -A POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
+  return $?
+}
+remove_snat() {
+  if [ "$sflag" == "0" ]
+  then
+    return 0;
+  fi
+
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
+  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask;
+  return $?
+}
+add_first_ip() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Adding first ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+  sudo ip link show $ethDev | grep "state DOWN" > /dev/null
+  local old_state=$?
+  
+  ip_addr_add $ethDev $pubIp
+
+  sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+  sudo iptables -D FORWARD -i eth0 -o $ethDev  -j ACCEPT
+  sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+  sudo iptables -A FORWARD -i eth0 -o $ethDev  -j ACCEPT
+
+  add_snat $1
+  if [ $? -gt 0  -a $? -ne 2 ]
+  then
+     logger -t cloud "$(basename $0):Failed adding source nat entry for ip $pubIp on interface $ethDev"
+     return 1
+  fi
+
+  logger -t cloud "$(basename $0):Added first ip $pubIp on interface $ethDev"
+  if [ $if_keep_state -ne 1 -o $old_state -ne 0 ]
+  then
+      sudo ip link set $ethDev up
+      sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
+  fi
+  add_routing $1 
+
+  return 0
+}
+
+remove_first_ip() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Removing first ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+
+  local existingIpMask=$(sudo ip addr show dev $ethDev | grep inet | awk '{print $2}'  | grep -w $ipNoMask)
+  [ "$existingIpMask" == "" ] && return 0
+
+  [ "$mask" == "" ] && mask="32"
+
+  sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+  sudo iptables -D FORWARD -i eth0 -o $ethDev  -j ACCEPT
+  remove_snat $1
+  
+  sudo ip addr del dev $ethDev "$ipNoMask/$mask"
+  if [ $? -gt 0  -a $? -ne 2 ]
+  then
+     remove_routing $1
+     return 1
+  fi
+  remove_routing $1
+
+  return $?
+}
+
+
+add_an_ip () {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  sudo ip link show $ethDev | grep "state DOWN" > /dev/null
+  local old_state=$?
+
+  ip_addr_add $ethDev $pubIp
+  add_snat $1
+  if [ $if_keep_state -ne 1 -o $old_state -ne 0 ]
+  then
+      sudo ip link set $ethDev up
+      sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
+  fi
+  add_routing $1 
+  return $?
+   
+}
+
+remove_an_ip () {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
+  remove_snat $1
+  local existingIpMask=$(sudo ip addr show dev $ethDev | grep "inet " | awk '{print $2}')
+
+  sudo ip addr del dev $ethDev $pubIp
+
+  for ipMask in $existingIpMask
+  do
+    if [ "$ipMask" == "$pubIp" ]
+    then
+      continue
+    fi
+    sudo ip addr add dev $ethDev $ipMask
+  done
+
+  remove_routing $1
+  return 0
+}
+
+#set -x
+sflag=0
+lflag=
+fflag=
+cflag=
+op=""
+
+is_master=0
+is_redundant=0
+if_keep_state=0
+grep "redundant_router=1" /var/cache/cloud/cmdline > /dev/null
+if [ $? -eq 0 ]
+then
+    is_redundant=1
+    sudo /root/checkrouter.sh --no-lock|grep "Status: MASTER" > /dev/null 2>&1 
+    if [ $? -eq 0 ]
+    then
+        is_master=1
+    fi
+fi
+if [ $is_redundant -eq 1 -a $is_master -ne 1 ]
+then
+    if_keep_state=1
+fi
+
+while getopts 'sfADa:l:c:g:' OPTION
+do
+  case $OPTION in
+  A)	Aflag=1
+		op="-A"
+		;;
+  D)	Dflag=1
+		op="-D"
+		;;
+  f)	fflag=1
+		;;
+  s)	sflag=1
+		;;
+  l)	lflag=1
+		publicIp="$OPTARG"
+		;;
+  c)	cflag=1
+  		ethDev="$OPTARG"
+  		;;
+  g)	gflag=1
+  		defaultGwIP="$OPTARG"
+  		;;
+  ?)	usage
+                unlock_exit 2 $lock $locked
+		;;
+  esac
+done
+
+
+if [ "$Aflag$Dflag" != "1" ]
+then
+    usage
+    unlock_exit 2 $lock $locked
+fi
+
+if [ "$lflag$cflag" != "11" ] 
+then
+    usage
+    unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
+then
+  add_first_ip  $publicIp  &&
+  add_vpn_chain_for_ip $publicIp &&
+  add_fw_chain_for_ip $publicIp 
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$Aflag" == "1" ]
+then  
+  add_an_ip  $publicIp  &&
+  add_fw_chain_for_ip $publicIp 
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
+then
+  remove_first_ip  $publicIp &&
+  del_fw_chain_for_ip $publicIp &&
+  del_vpn_chain_for_ip $publicIp
+  unlock_exit $? $lock $locked
+fi
+
+if [ "$Dflag" == "1" ]
+then
+  remove_an_ip  $publicIp &&
+  del_fw_chain_for_ip $publicIp 
+  unlock_exit $? $lock $locked
+fi
+
+unlock_exit 0 $lock $locked
+
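Review bot: `remove_snat` deletes the POSTROUTING rule with `--to-source $ipNoMask` but never sets `ipNoMask` itself; when called from `remove_first_ip` it happens to see that caller's `local ipNoMask` through bash's dynamic scoping, while from `remove_an_ip` the variable is empty, the `iptables -D` fails, and the SNAT rule for an address that has just been removed from the interface stays in the nat table. Add `local ipNoMask=$(echo $pubIp | awk -F'/' '{print $1}')` right after `local pubIp=$1` in `remove_snat`. Two more issues in `add_routing`: `if [ "$tableNo" == ""]` is missing the space before `]`, so `test` reports an error and the empty-table guard never triggers, and `sudo echo "$tableNo $tableName" >> /etc/iproute2/rt_tables` applies sudo only to `echo` while the redirection is opened by the calling shell, which fails unless the script already runs as root; use `echo "$tableNo $tableName" | sudo tee -a /etc/iproute2/rt_tables > /dev/null`. The file is byte-identical to the deleted root/ipassoc.sh (same blob cfaa46f), so these are pre-existing, but the move is the moment to fix them.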

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/patches/systemvm/debian/config/root/acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/acl.sh b/patches/systemvm/debian/config/root/acl.sh
deleted file mode 100755
index 525dfe4..0000000
--- a/patches/systemvm/debian/config/root/acl.sh
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2012 Citrix Systems, Inc. Licensed under the
-# Apache License, Version 2.0 (the "License"); you may not use this
-# file except in compliance with the License.  Citrix Systems, Inc.
-# reserves all rights not expressly granted by the License.
-# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# 
-# Automatically generated by addcopyright.py at 04/03/2012
-# firewall_rule.sh -- allow some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
-    exit 1
-fi
-
-usage() {
-  printf "Usage: %s:  -a <public ip address:protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
-  printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-acl_remove_backup() {
-  sudo iptables -F _ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$ip  2>/dev/null
-  sudo iptables -X _ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -F _ACL_OUTBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$ip  2>/dev/null
-  sudo iptables -X _ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_remove() {
-  sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip  2>/dev/null
-  sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null
-  sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_restore() {
-  acl_remove
-  sudo iptables -E _ACL_INBOUND_$ip ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -E _ACL_OUTBOUND_$ip ACL_OUTBOUND_$ip 2>/dev/null
-}
-
-acl_save() {
-  acl_remove_backup
-  sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$gGW 2>/dev/null
-}
-
-acl_chain_for_guest_network () {
-  acl_save
-  # inbound
-  sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
-  # drop if no rules match (this will be the last rule in the chain)
-  sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null
-  sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip  2>/dev/null
-  # outbound
-  sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
-  sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
-  sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null
-}
-
-
-
-acl_entry_for_guest_network() {
-  local rule=$1
-
-  local inbound=$(echo $rule | cut -d: -f1)
-  local prot=$(echo $rules | cut -d: -f2)
-  local sport=$(echo $rules | cut -d: -f3)    
-  local eport=$(echo $rules | cut -d: -f4)    
-  local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
-  
-  logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"  
-
-  # note that rules are inserted after the RELATED,ESTABLISHED rule 
-  # but before the DROP rule
-  for lcidr in $scidrs
-  do
-    [ "$prot" == "reverted" ] && continue;
-    if [ "$prot" == "icmp" ]
-    then
-      typecode="$sport/$eport"
-      [ "$eport" == "-1" ] && typecode="$sport"
-      [ "$sport" == "-1" ] && typecode="any"
-      if [ "$inbound" == "1" ]
-      then
-        sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr  \
-                    --icmp-type $typecode  -j ACCEPT
-      else
-        sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr  \
-                    --icmp-type $typecode  -j ACCEPT
-      fi
-    else
-      if [ "$inbound" == "1" ]
-      then
-        sudo iptables -I ACL_INBOUND_$gGW -p $prot -s $lcidr \
-                    --dport $sport:$eport -j ACCEPT
-      else
-        sudo iptables -I ACL_OUTBOUND_$gGW -p $prot -d $lcidr \
-                    --dport $sport:$eport -j ACCEP`T
-    fi
-    result=$?
-    [ $result -gt 0 ] && 
-       logger -t cloud "Error adding iptables entry for guest network : $gcidr,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
-       break
-  done
-      
-  logger -t cloud "$(basename $0): exit apply acl rules for guest network : $gcidr"  
-  return $result
-}
-
-
-shift 
-dflag=0
-gflag=0
-aflag=0
-rules=""
-rules_list=""
-gcidr=""
-ip=""
-dev=""
-while getopts ':d:g:a:' OPTION
-do
-  case $OPTION in
-  d)    dflag=1
-                dev="$OPTAGR"
-  g)    gflag=1
-                gcidr="$OPTAGR"
-  a)	aflag=1
-		rules="$OPTARG"
-		;;
-  ?)	usage
-                unlock_exit 2 $lock $locked
-		;;
-  esac
-done
-
-if [ "$dflag$gflag$aflag" != "!11" ]
-then
-  usage()
-fi
-
-
-if [ -n "$rules" == "" ]
-then
-  rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
-
-success=0
-ip=$(echo $gcidr | awk -F'/' '{print $1}')
-
-acl_chain_for_guest_network
-
-for r in $rules_list
-do
-  acl_entry_for_guest_network $r
-  success=$?
-  if [ $success -gt 0 ]
-  then
-    logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
-    break
-  else
-    logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
-  fi
-done
-
-if [ $success -gt 0 ]
-then
-  logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
-  acl_restore
-else
-  logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
-  acl_remove_backup
-fi
-unlock_exit $success $lock $locked
-

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/patches/systemvm/debian/config/root/ipassoc.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/root/ipassoc.sh b/patches/systemvm/debian/config/root/ipassoc.sh
deleted file mode 100644
index cfaa46f..0000000
--- a/patches/systemvm/debian/config/root/ipassoc.sh
+++ /dev/null
@@ -1,400 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 2012 Citrix Systems, Inc. Licensed under the
-# Apache License, Version 2.0 (the "License"); you may not use this
-# file except in compliance with the License.  Citrix Systems, Inc.
-# reserves all rights not expressly granted by the License.
-# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# 
-# Automatically generated by addcopyright.py at 04/03/2012
-
-
-
- 
-
-# $Id: ipassoc.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/ipassoc.sh $
-# ipassoc.sh -- associate/disassociate a public ip with an instance
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
-    exit 1
-fi
-
-usage() {
-  printf "Usage:\n %s -A    -l <public-ip-address>   -c <dev> [-f] \n" $(basename $0) >&2
-  printf " %s -D  -l <public-ip-address>  -c <dev> [-f] \n" $(basename $0) >&2
-}
-
-add_fw_chain_for_ip () {
-  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
-  if sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
-  then
-    logger -t cloud "$(basename $0): created firewall chain for $pubIp"
-    sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
-    #ensure outgoing connections are maintained (first rule in chain)
-    sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
-    #ensure that this table is after VPN chain
-    sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
-    return $?
-  fi
-  logger -t cloud "$(basename $0): firewall chain for $pubIp already exists"
-}
-
-add_vpn_chain_for_ip () {
-  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
-  if sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
-  then
-    logger -t cloud "$(basename $0): created VPN chain for $pubIp"
-    #ensure outgoing connections are maintained (first rule in chain)
-    sudo iptables -t mangle -I VPN_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT
-    sudo iptables -t mangle -A VPN_$pubIp -j RETURN
-    #ensure that this table is the first
-    sudo iptables -t mangle -I PREROUTING 1 -d $pubIp -j VPN_$pubIp
-    return $?
-  fi
-  logger -t cloud "$(basename $0): VPN chain for $pubIp already exists"
-}
-
-del_fw_chain_for_ip () {
-  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
-  if ! sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
-  then
-    logger -t cloud "$(basename $0): destroying firewall chain for $pubIp"
-    sudo iptables -t mangle -D PREROUTING  -d $pubIp -j FIREWALL_$pubIp
-    sudo iptables -t mangle -F FIREWALL_$pubIp
-    sudo iptables -t mangle -X FIREWALL_$pubIp 
-    return $?
-  fi
-  # firewall chain got created as a result of testing for the chain, cleanup
-  sudo iptables -t mangle -F FIREWALL_$pubIp
-  sudo iptables -t mangle -X FIREWALL_$pubIp
-  logger -t cloud "$(basename $0): firewall chain did not exist for $pubIp, cleaned up"
-}
-
-del_vpn_chain_for_ip () {
-  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
-  if ! sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
-  then
-    logger -t cloud "$(basename $0): destroying vpn chain for $pubIp"
-    sudo iptables -t mangle -D PREROUTING  -d $pubIp -j VPN_$pubIp
-    sudo iptables -t mangle -F VPN_$pubIp
-    sudo iptables -t mangle -X VPN_$pubIp 
-    return $?
-  fi
-  # vpn chain got created as a result of testing for the chain, cleanup
-  sudo iptables -t mangle -F VPN_$pubIp
-  sudo iptables -t mangle -X VPN_$pubIp
-  logger -t cloud "$(basename $0): vpn chain did not exist for $pubIp, cleaned up"
-}
-
-remove_routing() {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Remove routing $pubIp on interface $ethDev"
-  local ipNoMask=$(echo $pubIp | awk -F'/' '{print $1}')
-  local mask=$(echo $pubIp | awk -F'/' '{print $2}')
-  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
-
-  local tableName="Table_$ethDev"
-  local ethMask=$(ip route list scope link dev $ethDev | awk '{print $1}')
-  if [ "$ethMask" == "" ]
-  then
-# rules and routes will be deleted for the last ip of the interface.
-     sudo ip rule delete fwmark $tableNo table $tableName
-     sudo ip rule delete table $tableName
-     sudo ip route flush  table $tableName 
-     sudo ip route flush cache
-     logger -t cloud "$(basename $0):Remove routing $pubIp - routes and rules deleted"
-  fi
-}
-
-# copy eth0,eth1 and the current public interface
-copy_routes_from_main() {
-  local tableName=$1
-
-#get the network masks from the main table
-  local eth0Mask=$(ip route list scope link dev eth0 | awk '{print $1}')
-  local eth1Mask=$(ip route list scope link dev eth1 | awk '{print $1}')
-  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
-
-# eth0,eth1 and other know routes will be skipped, so as main routing table will decide the route. This will be useful if the interface is down and up.  
-  sudo ip route add throw $eth0Mask table $tableName proto static 
-  sudo ip route add throw $eth1Mask table $tableName proto static 
-  sudo ip route add throw $ethMask  table $tableName proto static 
-  return 0;
-}
-
-ip_addr_add() {
-  local dev="$1"
-  local ip="$2"
-  sudo ip addr add dev $dev $ip > /dev/null
-
-}
-
-add_routing() {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
-  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
-  local mask=$(echo $1 | awk -F'/' '{print $2}')
-
-  local tableName="Table_$ethDev"
-  local tablePresent=$(grep $tableName /etc/iproute2/rt_tables)
-  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
-  if [ "$tablePresent" == "" ]
-  then
-     if [ "$tableNo" == ""] 
-     then
-       return 0;
-     fi
-     sudo echo "$tableNo $tableName" >> /etc/iproute2/rt_tables
-  fi
-
-  copy_routes_from_main $tableName
-# NOTE: this  entry will be deleted if the interface is down without knowing to Management server, in that case all the outside traffic will be send through main routing table or it will be the first public NIC.
-  sudo ip route add default via $defaultGwIP table $tableName proto static
-  sudo ip route flush cache
-
-  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
-  local rulePresent=$(ip rule show | grep $ethMask)
-  if [ "$rulePresent" == "" ]
-  then
-# rules will be added while adding the first ip of the interface 
-     sudo ip rule add from $ethMask table $tableName
-     sudo ip rule add fwmark $tableNo table $tableName
-     logger -t cloud "$(basename $0):Add routing $pubIp rules added"
-  fi
-  return 0;
-}
-add_snat() {
-  local pubIp=$1
-  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
-  if [ "$sflag" == "0" ]
-  then
-    logger -t cloud "$(basename $0):Remove SourceNAT $pubIp on interface $ethDev if it is present"
-    sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
-    return 0;
-  fi
-
-  logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
-  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
-  sudo iptables -t nat -A POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask ;
-  return $?
-}
-remove_snat() {
-  if [ "$sflag" == "0" ]
-  then
-    return 0;
-  fi
-
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
-  sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask;
-  return $?
-}
-add_first_ip() {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Adding first ip $pubIp on interface $ethDev"
-  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
-  local mask=$(echo $1 | awk -F'/' '{print $2}')
-  sudo ip link show $ethDev | grep "state DOWN" > /dev/null
-  local old_state=$?
-  
-  ip_addr_add $ethDev $pubIp
-
-  sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-  sudo iptables -D FORWARD -i eth0 -o $ethDev  -j ACCEPT
-  sudo iptables -A FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-  sudo iptables -A FORWARD -i eth0 -o $ethDev  -j ACCEPT
-
-  add_snat $1
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     logger -t cloud "$(basename $0):Failed adding source nat entry for ip $pubIp on interface $ethDev"
-     return 1
-  fi
-
-  logger -t cloud "$(basename $0):Added first ip $pubIp on interface $ethDev"
-  if [ $if_keep_state -ne 1 -o $old_state -ne 0 ]
-  then
-      sudo ip link set $ethDev up
-      sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
-  fi
-  add_routing $1 
-
-  return 0
-}
-
-remove_first_ip() {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Removing first ip $pubIp on interface $ethDev"
-  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
-  local mask=$(echo $1 | awk -F'/' '{print $2}')
-
-  local existingIpMask=$(sudo ip addr show dev $ethDev | grep inet | awk '{print $2}'  | grep -w $ipNoMask)
-  [ "$existingIpMask" == "" ] && return 0
-
-  [ "$mask" == "" ] && mask="32"
-
-  sudo iptables -D FORWARD -i $ethDev -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-  sudo iptables -D FORWARD -i eth0 -o $ethDev  -j ACCEPT
-  remove_snat $1
-  
-  sudo ip addr del dev $ethDev "$ipNoMask/$mask"
-  if [ $? -gt 0  -a $? -ne 2 ]
-  then
-     remove_routing $1
-     return 1
-  fi
-  remove_routing $1
-
-  return $?
-}
-
-
-add_an_ip () {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Adding ip $pubIp on interface $ethDev"
-  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
-  sudo ip link show $ethDev | grep "state DOWN" > /dev/null
-  local old_state=$?
-
-  ip_addr_add $ethDev $pubIp
-  add_snat $1
-  if [ $if_keep_state -ne 1 -o $old_state -ne 0 ]
-  then
-      sudo ip link set $ethDev up
-      sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
-  fi
-  add_routing $1 
-  return $?
-   
-}
-
-remove_an_ip () {
-  local pubIp=$1
-  logger -t cloud "$(basename $0):Removing ip $pubIp on interface $ethDev"
-  remove_snat $1
-  local existingIpMask=$(sudo ip addr show dev $ethDev | grep "inet " | awk '{print $2}')
-
-  sudo ip addr del dev $ethDev $pubIp
-
-  for ipMask in $existingIpMask
-  do
-    if [ "$ipMask" == "$pubIp" ]
-    then
-      continue
-    fi
-    sudo ip addr add dev $ethDev $ipMask
-  done
-
-  remove_routing $1
-  return 0
-}
-
-#set -x
-sflag=0
-lflag=
-fflag=
-cflag=
-op=""
-
-is_master=0
-is_redundant=0
-if_keep_state=0
-grep "redundant_router=1" /var/cache/cloud/cmdline > /dev/null
-if [ $? -eq 0 ]
-then
-    is_redundant=1
-    sudo /root/checkrouter.sh --no-lock|grep "Status: MASTER" > /dev/null 2>&1 
-    if [ $? -eq 0 ]
-    then
-        is_master=1
-    fi
-fi
-if [ $is_redundant -eq 1 -a $is_master -ne 1 ]
-then
-    if_keep_state=1
-fi
-
-while getopts 'sfADa:l:c:g:' OPTION
-do
-  case $OPTION in
-  A)	Aflag=1
-		op="-A"
-		;;
-  D)	Dflag=1
-		op="-D"
-		;;
-  f)	fflag=1
-		;;
-  s)	sflag=1
-		;;
-  l)	lflag=1
-		publicIp="$OPTARG"
-		;;
-  c)	cflag=1
-  		ethDev="$OPTARG"
-  		;;
-  g)	gflag=1
-  		defaultGwIP="$OPTARG"
-  		;;
-  ?)	usage
-                unlock_exit 2 $lock $locked
-		;;
-  esac
-done
-
-
-if [ "$Aflag$Dflag" != "1" ]
-then
-    usage
-    unlock_exit 2 $lock $locked
-fi
-
-if [ "$lflag$cflag" != "11" ] 
-then
-    usage
-    unlock_exit 2 $lock $locked
-fi
-
-
-if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
-then
-  add_first_ip  $publicIp  &&
-  add_vpn_chain_for_ip $publicIp &&
-  add_fw_chain_for_ip $publicIp 
-  unlock_exit $? $lock $locked
-fi
-
-if [ "$Aflag" == "1" ]
-then  
-  add_an_ip  $publicIp  &&
-  add_fw_chain_for_ip $publicIp 
-  unlock_exit $? $lock $locked
-fi
-
-if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
-then
-  remove_first_ip  $publicIp &&
-  del_fw_chain_for_ip $publicIp &&
-  del_vpn_chain_for_ip $publicIp
-  unlock_exit $? $lock $locked
-fi
-
-if [ "$Dflag" == "1" ]
-then
-  remove_an_ip  $publicIp &&
-  del_fw_chain_for_ip $publicIp 
-  unlock_exit $? $lock $locked
-fi
-
-unlock_exit 0 $lock $locked
-

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/scripts/network/domr/router_proxy.sh
----------------------------------------------------------------------
diff --git a/scripts/network/domr/router_proxy.sh b/scripts/network/domr/router_proxy.sh
index 175cb6b..ac0c9cb 100755
--- a/scripts/network/domr/router_proxy.sh
+++ b/scripts/network/domr/router_proxy.sh
@@ -41,7 +41,7 @@ shift
 
 check_gw "$domRIp"
 
-ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/root/$script $*"
+ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/opt/cloud/bin/$script $*"
 exit $?
 
 
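Review bot: The new line still splices `$script` and the unquoted `$*` into one string that the remote shell on the router re-parses, so any argument containing whitespace or shell metacharacters (`;`, `$(…)`, backticks) is executed as additional remote commands rather than passed as data, and a `$script` value with a directory component would escape `/opt/cloud/bin/`; the path move does not change that. Where `$script` and the remaining arguments come from is outside the hunk (the `shift` on line 41 suggests they are this script's own positional parameters), so how attacker-influenceable they are can't be confirmed from here, but this runs as root over the 3922 link and deserves defense in depth. Strip any path component from the script name and re-quote each argument before sending, e.g. `ssh -p 3922 -q -o StrictHostKeyChecking=no -i "$cert" root@"$domRIp" "/opt/cloud/bin/${script##*/} $(printf '%q ' "$@")"`, which a bash login shell on the router side will unescape back into the original words (if the router's root shell is not bash, use single-quote wrapping instead). `StrictHostKeyChecking=no` also remains, so the router's host key is never verified; if keys for this link are pinned elsewhere a comment saying so would help, otherwise consider `-o UserKnownHostsFile=<pinned-file>` with strict checking enabled.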

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a08c9e78/wscript
----------------------------------------------------------------------
diff --git a/wscript b/wscript
index a566a97..4a6c389 100644
--- a/wscript
+++ b/wscript
@@ -4,7 +4,7 @@
 # the following two variables are used by the target "waf dist"
 # if you change 'em here, you need to change it also in cloud.spec, add a %changelog entry there, and add an entry in debian/changelog
 
-VERSION = '3.0.3.2012-06-06T18:22:16Z'
+VERSION = '3.0.3.2012-06-06T19:22:49Z'
 APPNAME = 'cloud'
 
 import shutil,os