Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/10/13 22:39:17 UTC
[3/5] git commit: updated refs/heads/master to be41921
CLOUDSTACK-8934 - Fix default EGRESS rules for isolated networks
- The default is Accept and will be changed based on the configuration of the offering.
CLOUDSTACK-8934 - The default egress is set as Deny in the router.
- We had to change it on the Java side in order to apply it once the default is defined as allowed on the net offering
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b4dc392b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b4dc392b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b4dc392b
Branch: refs/heads/master
Commit: b4dc392bfdf4fb93e1652203b7d4027651cca5ac
Parents: 5d1cdc6
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Oct 9 14:32:35 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Sun Oct 11 14:57:32 2015 +0200
----------------------------------------------------------------------
.../VirtualNetworkApplianceManagerImpl.java | 26 +++++++-------------
.../debian/config/opt/cloud/bin/configure.py | 11 ++++++---
2 files changed, 17 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b4dc392b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index c32aeba..9eda2a2 100644
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -629,7 +629,7 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
_agentMgr.registerForHostEvents(new SshKeysDistriMonitor(_agentMgr, _hostDao, _configDao), true, false, false);
- List<ServiceOfferingVO> offerings = _serviceOfferingDao.createSystemServiceOfferings("System Offering For Software Router",
+ final List<ServiceOfferingVO> offerings = _serviceOfferingDao.createSystemServiceOfferings("System Offering For Software Router",
ServiceOffering.routerDefaultOffUniqueName, 1, _routerRamSize, _routerCpuMHz, null,
null, true, null, ProvisioningType.THIN, true, null, true, VirtualMachine.Type.DomainRouter, true);
// this can sometimes happen, if DB is manually or programmatically manipulated
@@ -1971,18 +1971,12 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
}
private void createDefaultEgressFirewallRule(final List<FirewallRule> rules, final long networkId) {
- String systemRule = null;
-
- Boolean defaultEgressPolicy = false;
final NetworkVO network = _networkDao.findById(networkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
- defaultEgressPolicy = offering.getEgressDefaultPolicy();
-
-
- // construct rule when egress policy is true. In true case for VR we default allow rule need to be added
- if (!defaultEgressPolicy) {
- systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
+ final Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
+ // The default on the router is set to Deny all. So, if the default configuration in the offering is set to treu (Allow), we change the Egress here
+ if (defaultEgressPolicy) {
final List<String> sourceCidr = new ArrayList<String>();
sourceCidr.add(NetUtils.ALL_CIDRS);
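Review bot: `if (defaultEgressPolicy)` unboxes the `Boolean` returned by `offering.getEgressDefaultPolicy()`, so an offering whose egress default is unset would throw a NullPointerException here and abort rule application instead of falling back to the router's Deny default, and the two `findById` lookups above it can presumably return null for `network`/`offering` with the same effect. Since the router side now defaults to Deny, an unset policy should map to Deny explicitly rather than to an exception: `final boolean defaultEgressPolicy = Boolean.TRUE.equals(offering.getEgressDefaultPolicy());`. The new comment also has a typo (`treu` → `true`) and should name where the router default comes from, e.g. `// The VR's FW_EGRESS_RULES chain defaults to Deny; only an offering whose egress default policy is Allow needs an explicit allow-all rule pushed from here.` The rule built for the Allow case lies outside this hunk so its action is not visible, and createDefaultEgressFirewallRule continues past the hunk.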
@@ -1991,12 +1985,10 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
rules.add(rule);
} else {
- s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy + " So no need"+
- " of default rule is needed. ");
+ s_logger.debug("Egress policy for the Network " + networkId + " is already defined as Deny. So, no need to default the rule to Allow. ");
}
}
-
private void removeRevokedIpAliasFromDb(final List<NicIpAliasVO> revokedIpAliasVOs) {
for (final NicIpAliasVO ipalias : revokedIpAliasVOs) {
_nicIpAliasDao.expunge(ipalias.getId());
@@ -2616,10 +2608,10 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
final State newState = transition.getToState();
final VirtualMachine.Event event = transition.getEvent();
if (vo.getType() == VirtualMachine.Type.DomainRouter &&
- event == VirtualMachine.Event.FollowAgentPowerOnReport &&
- newState == State.Running &&
- isOutOfBandMigrated(opaque)) {
- s_logger.debug("Virtual router " + vo.getInstanceName() + " is powered-on out-of-band");
+ event == VirtualMachine.Event.FollowAgentPowerOnReport &&
+ newState == State.Running &&
+ isOutOfBandMigrated(opaque)) {
+ s_logger.debug("Virtual router " + vo.getInstanceName() + " is powered-on out-of-band");
}
return true;
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b4dc392b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index ae24ac5..c3c4cae 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -123,24 +123,29 @@ class CsAcl(CsDataBag):
" -p %s " % rule['protocol'] +
" -m %s " % rule['protocol'] +
" --dport %s -j RETURN" % rnge])
+
+ logging.debug("Current ACL IP direction is ==> %s", self.direction)
if self.direction == 'egress':
- self.fw.append(["filter", "", " -A FW_OUTBOUND -j FIREWALL_EGRESS_RULES"])
+ self.fw.append(["filter", "", " -A FW_OUTBOUND -j FW_EGRESS_RULES"])
if rule['protocol'] == "icmp":
self.fw.append(["filter", "front",
- " -A FIREWALL_EGRESS_RULES" +
+ " -A FW_EGRESS_RULES" +
" -s %s " % cidr +
" -p %s " % rule['protocol'] +
" -m %s " % rule['protocol'] +
" --icmp-type %s -j %s" % (icmp_type, self.rule['action'])])
else:
- fwr = " -A FIREWALL_EGRESS_RULES" + \
+ fwr = " -A FW_EGRESS_RULES" + \
" -s %s " % cidr
if rule['protocol'] != "all":
fwr += "-p %s " % rule['protocol'] + \
" -m %s " % rule['protocol'] + \
" --dport %s" % rnge
+
self.fw.append(["filter", "front", "%s -j %s" % (fwr, rule['action'])])
+ logging.debug("EGRESS rule configured for protocol ==> %s, action ==> %s", rule['protocol'], rule['action'])
+
class AclDevice():
""" A little class for each list of acls per device """