Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/11/19 17:59:38 UTC
[3/6] git commit: updated refs/heads/master to 791f9df
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
deleted file mode 100755
index 5aeaa70..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_portforwarding.sh
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
-}
-
-#set -x
-
-#Port (address translation) forwarding for tcp or udp
-tcp_or_udp_nat() {
- local op=$1
- local proto=$2
- local publicIp=$3
- local ports=$4
- local instIp=$5
- local dports=$6
-
- logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
- instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
-
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && tcp_or_udp_nat "-D" $proto $publicIp $ports $instIp $dports
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- local PROTO=""
- if [ "$proto" != "any" ]
- then
- PROTO="--proto $proto"
- fi
-
- local DEST_PORT=""
- if [ "$ports" != "any" ]
- then
- DEST_PORT="--destination-port $ports"
- fi
-
- local TO_DEST="--to-destination $instIp"
- if [ "$dports" != "any" ]
- then
- TO_DEST="--to-destination $instIp:$dports"
- fi
-
- sudo iptables -t nat $op PREROUTING $PROTO -d $publicIp $DEST_PORT -j DNAT \
- $TO_DEST &>> $OUTFILE
-
- local result=$?
- logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
- # the rule may not exist
- if [ "$op" == "-D" ]
- then
- return 0
- fi
- return $result
-}
-
-
-rflag=
-Pflag=
-pflag=
-lflag=
-dflag=
-op=""
-protocal="any"
-ports="any"
-dports="any"
-while getopts 'ADr:P:p:l:d:' OPTION
-do
- case $OPTION in
- A) op="-A"
- ;;
- D) op="-D"
- ;;
- r) rflag=1
- instanceIp="$OPTARG"
- ;;
- P) Pflag=1
- protocol="$OPTARG"
- ;;
- p) pflag=1
- ports="$OPTARG"
- ;;
- l) lflag=1
- publicIp="$OPTARG"
- ;;
- d) dflag=1
- dports="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-OUTFILE=$(mktemp)
-
-tcp_or_udp_nat $op $protocol $publicIp $ports $instanceIp $dports
-result=$?
-unlock_exit $result $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
deleted file mode 100755
index 3635e1c..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privateGateway.sh
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage:\n %s -A -l <public-ip-address>\n" $(basename $0) >&2
- printf " %s -D -l <public-ip-address>\n" $(basename $0) >&2
-}
-
-
-add_snat() {
- logger -t cloud "$(basename $0):Added SourceNAT $pubIp on interface $ethDev"
- sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
- sudo iptables -t nat -A POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
- return $?
-}
-remove_snat() {
- logger -t cloud "$(basename $0):Removing SourceNAT $pubIp on interface $ethDev"
- sudo iptables -t nat -D POSTROUTING -j SNAT -o $ethDev --to-source $pubIp
- return $?
-}
-
-#set -x
-lflag=0
-cflag=0
-op=""
-
-while getopts 'ADl:c:' OPTION
-do
- case $OPTION in
- A) Aflag=1
- op="-A"
- ;;
- D) Dflag=1
- op="-D"
- ;;
- l) lflag=1
- pubIp="$OPTARG"
- ;;
- c) cflag=1
- ethDev="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$Aflag$Dflag" != "1" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ "$lflag$cflag" != "11" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ "$Aflag" == "1" ]
-then
- add_snat $publicIp
- unlock_exit $? $lock $locked
-fi
-
-if [ "$Dflag" == "1" ]
-then
- remove_snat $publicIp
- unlock_exit $? $lock $locked
-fi
-
-unlock_exit 1 $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
deleted file mode 100755
index b585a36..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_privategw_acl.sh
+++ /dev/null
@@ -1,229 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# vpc_privategw_acl.sh_rule.sh -- allow/block some ports / protocols to vm instances
-# @VERSION@
-
-source /root/func.sh
-
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: -a <public ip address:protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
- printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
-}
-#set -x
-#FIXME: eating up the error code during execution of iptables
-
-acl_switch_to_new() {
- sudo iptables -D FORWARD -o $dev -j _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables-save | grep "\-j _ACL_INBOUND_$dev" | grep "\-A" | while read rule;
- do
- rule1=$(echo $rule | sed 's/\_ACL_INBOUND/ACL_INBOUND/')
- sudo iptables $rule1
- rule2=$(echo $rule | sed 's/\-A/\-D/')
- sudo iptables $rule2
- done
- sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_remove_backup() {
- sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -D FORWARD -o $dev -j _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_remove() {
- sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -D FORWARD -o $dev -j ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -j ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_restore() {
- acl_remove
- sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_save() {
- acl_remove_backup
- sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-acl_chain_for_guest_network () {
- acl_save
- # inbound
- sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
- # drop if no rules match (this will be the last rule in the chain)
- sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
- sudo iptables -A FORWARD -o $dev -j ACL_INBOUND_$dev 2>/dev/null
- # outbound
- sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -j ACL_OUTBOUND_$dev 2>/dev/null
-}
-
-
-
-acl_entry_for_guest_network() {
- local rule=$1
-
- local ttype=$(echo $rule | cut -d: -f1)
- local prot=$(echo $rule | cut -d: -f2)
- local sport=$(echo $rule | cut -d: -f3)
- local eport=$(echo $rule | cut -d: -f4)
- local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
- local action=$(echo $rule | cut -d: -f6)
- if [ "$sport" == "0" -a "$eport" == "0" ]
- then
- DPORT=""
- else
- DPORT="--dport $sport:$eport"
- fi
- logger -t cloud "$(basename $0): enter apply acl rules on private gateway interface : $dev, inbound:$inbound:$prot:$sport:$eport:$cidrs"
-
- # note that rules are inserted after the RELATED,ESTABLISHED rule
- # but before the DROP rule
- for lcidr in $cidrs
- do
- [ "$prot" == "reverted" ] && continue;
- if [ "$prot" == "icmp" ]
- then
- typecode="$sport/$eport"
- [ "$eport" == "-1" ] && typecode="$sport"
- [ "$sport" == "-1" ] && typecode="any"
- if [ "$ttype" == "Ingress" ]
- then
- sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
- --icmp-type $typecode -j $action
- else
- let egress++
- sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
- --icmp-type $typecode -j $action
- fi
- else
- if [ "$ttype" == "Ingress" ]
- then
- sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
- $DPORT -j $action
- else
- let egress++
- sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
- $DPORT -j $action
- fi
- fi
- result=$?
- [ $result -gt 0 ] &&
- logger -t cloud "Error adding iptables entry for private gateway interface : $dev,inbound:$inbound:$prot:$sport:$eport:$cidrs" &&
- break
- done
-
- logger -t cloud "$(basename $0): exit apply acl rules for private gw interface : $dev"
- return $result
-}
-
-
-dflag=0
-gflag=0
-aflag=0
-mflag=0
-rules=""
-rules_list=""
-dev=""
-mac=""
-while getopts 'd:a:M:' OPTION
-do
- case $OPTION in
- d) dflag=1
- dev="$OPTARG"
- ;;
- a) aflag=1
- rules="$OPTARG"
- ;;
- M) mflag=1
- mac="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-if [ "$dflag$aflag" != "11" ]
-then
- usage
- unlock_exit 2 $lock $locked
-fi
-
-if [ -n "$rules" ]
-then
- rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
-fi
-
-# rule format
-# protocal:sport:eport:cidr
-#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-# if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
-# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:ACCEPT:,172.16.92.44:tcp:220:220:0.0.0.0/0:DROP,200.1.1.2:reverted:0:0:0
-
-success=0
-
-acl_chain_for_guest_network
-egress=0
-for r in $rules_list
-do
- acl_entry_for_guest_network $r
- success=$?
- if [ $success -gt 0 ]
- then
- logger -t cloud "$(basename $0): failure to apply acl rules on private gateway interface : $dev"
- break
- else
- logger -t cloud "$(basename $0): successful in applying acl rules on private gateway interface : $dev"
- fi
-done
-
-if [ $success -gt 0 ]
-then
- logger -t cloud "$(basename $0): restoring from backup on private gateway interface : $dev"
- acl_restore
-else
- logger -t cloud "$(basename $0): deleting backup on private gateway interface : $dev"
- if [ $egress -eq 0 ]
- then
- sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
- else
- sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
- fi
- acl_switch_to_new
-fi
-unlock_exit $success $lock $locked
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6477bd8f/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
deleted file mode 100755
index a98a262..0000000
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_staticnat.sh
+++ /dev/null
@@ -1,124 +0,0 @@
-#!/usr/bin/env bash
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-# @VERSION@
-
-source /root/func.sh
-source /opt/cloud/bin/vpc_func.sh
-lock="biglock"
-locked=$(getLockFile $lock)
-if [ "$locked" != "1" ]
-then
- exit 1
-fi
-
-usage() {
- printf "Usage: %s: (-A|-D) -r <target-instance-ip> -l <public ip address> -d < eth device> \n" $(basename $0) >&2
-}
-
-#set -x
-
-vpnoutmark="0x525"
-
-static_nat() {
- local op=$1
- local publicIp=$2
- local instIp=$3
- local op2="-D"
- local tableNo=${ethDev:3}
-
- logger -t cloud "$(basename $0): static nat: public ip=$publicIp \
- instance ip=$instIp op=$op"
- #if adding, this might be a duplicate, so delete the old one first
- [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp
- # the delete operation may have errored out but the only possible reason is
- # that the rules didn't exist in the first place
- [ "$op" == "-A" ] && op2="-I"
- if [ "$op" == "-A" ]
- then
- # put static nat rule one rule after VPN no-NAT rule
- # rule chain can be used to improve it later
- iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
- if [ $? -eq 0 ]
- then
- rulenum=2
- else
- rulenum=1
- fi
- fi
-
- # shortcircuit the process if error and it is an append operation
- # continue if it is delete
- (sudo iptables -t nat $op PREROUTING -d $publicIp -j DNAT \
- --to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
- # add mark to force the package go out through the eth the public IP is on
- #(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
- # --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
- (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
- --to-source $publicIp &>> $OUTFILE )
- result=$?
- logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
- if [ "$op" == "-D" ]
- then
- return 0
- fi
- return $result
-}
-
-
-
-rflag=
-lflag=
-dflag=
-op=""
-while getopts 'ADr:l:' OPTION
-
-do
- case $OPTION in
- A) op="-A"
- ;;
- D) op="-D"
- ;;
- r) rflag=1
- instanceIp="$OPTARG"
- ;;
- l) lflag=1
- publicIp="$OPTARG"
- ;;
- ?) usage
- unlock_exit 2 $lock $locked
- ;;
- esac
-done
-
-ethDev=$(getEthByIp $publicIp)
-result=$?
-if [ $result -gt 0 ]
-then
- if [ "$op" == "-D" ]
- then
- removeRulesForIp $publicIp
- unlock_exit 0 $lock $locked
- else
- unlock_exit $result $lock $locked
- fi
-fi
-OUTFILE=$(mktemp)
-
-static_nat $op $publicIp $instanceIp
-result=$?
-unlock_exit $result $lock $locked