Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/10/13 22:39:17 UTC

[3/5] git commit: updated refs/heads/master to be41921

CLOUDSTACK-8934 - Fix default EGRESS rules for isolated networks

   - The default is Accept and will be changed based on the configuration of the offering.

CLOUDSTACK-8934 - The default egress is set as Deny in the router.

   - We had to change it on the Java side in order to apply it once the default is defined as Allow on the network offering


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b4dc392b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b4dc392b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b4dc392b

Branch: refs/heads/master
Commit: b4dc392bfdf4fb93e1652203b7d4027651cca5ac
Parents: 5d1cdc6
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Oct 9 14:32:35 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Sun Oct 11 14:57:32 2015 +0200

----------------------------------------------------------------------
 .../VirtualNetworkApplianceManagerImpl.java     | 26 +++++++-------------
 .../debian/config/opt/cloud/bin/configure.py    | 11 ++++++---
 2 files changed, 17 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b4dc392b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index c32aeba..9eda2a2 100644
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -629,7 +629,7 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
 
         _agentMgr.registerForHostEvents(new SshKeysDistriMonitor(_agentMgr, _hostDao, _configDao), true, false, false);
 
-        List<ServiceOfferingVO> offerings = _serviceOfferingDao.createSystemServiceOfferings("System Offering For Software Router",
+        final List<ServiceOfferingVO> offerings = _serviceOfferingDao.createSystemServiceOfferings("System Offering For Software Router",
                 ServiceOffering.routerDefaultOffUniqueName, 1, _routerRamSize, _routerCpuMHz, null,
                 null, true, null, ProvisioningType.THIN, true, null, true, VirtualMachine.Type.DomainRouter, true);
         // this can sometimes happen, if DB is manually or programmatically manipulated
@@ -1971,18 +1971,12 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
     }
 
     private void createDefaultEgressFirewallRule(final List<FirewallRule> rules, final long networkId) {
-        String systemRule = null;
-
-        Boolean defaultEgressPolicy = false;
         final NetworkVO network = _networkDao.findById(networkId);
         final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
-        defaultEgressPolicy = offering.getEgressDefaultPolicy();
-
-
-        // construct rule when egress policy is true. In true case for VR we default allow rule need to be added
-        if (!defaultEgressPolicy) {
-            systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
+        final Boolean defaultEgressPolicy = offering.getEgressDefaultPolicy();
 
+        // The default on the router is set to Deny all. So, if the default configuration in the offering is set to treu (Allow), we change the Egress here
+        if (defaultEgressPolicy) {
             final List<String> sourceCidr = new ArrayList<String>();
 
             sourceCidr.add(NetUtils.ALL_CIDRS);
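Review bot: `if (defaultEgressPolicy)` unboxes a `Boolean` that is read straight from the offering, so if `getEgressDefaultPolicy()` can ever yield null (a stale or hand-edited network_offerings row, for example) the whole router rule push fails with a NullPointerException instead of leaving the network on the router's Deny default. Since the commit relies on "no rule means Deny", a null-safe test keeps that fail-closed behaviour: `if (Boolean.TRUE.equals(defaultEgressPolicy)) {`; whether the getter can return null is not visible here, so confirm against NetworkOfferingVO. The comment on the branch also has a typo ("treu") and would be clearer as `// The router's built-in egress default is Deny; an explicit Allow rule is only pushed when the offering's egress default policy is true.` The lookups via `findById` a few lines up are also dereferenced unchecked, but that is pre-existing context, not part of this change. createDefaultEgressFirewallRule continues past the end of this hunk.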
@@ -1991,12 +1985,10 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
 
             rules.add(rule);
         } else {
-            s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy + " So no need"+
-                    " of default rule is needed. ");
+            s_logger.debug("Egress policy for the Network " + networkId + " is already defined as Deny. So, no need to default the rule to Allow. ");
         }
     }
 
-
     private void removeRevokedIpAliasFromDb(final List<NicIpAliasVO> revokedIpAliasVOs) {
         for (final NicIpAliasVO ipalias : revokedIpAliasVOs) {
             _nicIpAliasDao.expunge(ipalias.getId());
@@ -2616,10 +2608,10 @@ Configurable, StateListener<State, VirtualMachine.Event, VirtualMachine> {
         final State newState = transition.getToState();
         final VirtualMachine.Event event = transition.getEvent();
         if (vo.getType() == VirtualMachine.Type.DomainRouter &&
-            event == VirtualMachine.Event.FollowAgentPowerOnReport &&
-            newState == State.Running &&
-            isOutOfBandMigrated(opaque)) {
-                s_logger.debug("Virtual router " + vo.getInstanceName() + " is powered-on out-of-band");
+                event == VirtualMachine.Event.FollowAgentPowerOnReport &&
+                newState == State.Running &&
+                isOutOfBandMigrated(opaque)) {
+            s_logger.debug("Virtual router " + vo.getInstanceName() + " is powered-on out-of-band");
         }
 
         return true;

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b4dc392b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index ae24ac5..c3c4cae 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -123,24 +123,29 @@ class CsAcl(CsDataBag):
                                     " -p %s " % rule['protocol'] +
                                     " -m %s " % rule['protocol'] +
                                     " --dport %s -j RETURN" % rnge])
+
+            logging.debug("Current ACL IP direction is ==> %s", self.direction)
             if self.direction == 'egress':
-                self.fw.append(["filter", "", " -A FW_OUTBOUND -j FIREWALL_EGRESS_RULES"])
+                self.fw.append(["filter", "", " -A FW_OUTBOUND -j FW_EGRESS_RULES"])
                 if rule['protocol'] == "icmp":
                     self.fw.append(["filter", "front",
-                                    " -A FIREWALL_EGRESS_RULES" +
+                                    " -A FW_EGRESS_RULES" +
                                     " -s %s " % cidr +
                                     " -p %s " % rule['protocol'] +
                                     " -m %s " % rule['protocol'] +
                                     " --icmp-type %s -j %s" % (icmp_type, self.rule['action'])])
                 else:
-                    fwr = " -A FIREWALL_EGRESS_RULES" + \
+                    fwr = " -A FW_EGRESS_RULES" + \
                           " -s %s " % cidr
                     if rule['protocol'] != "all":
                         fwr += "-p %s " % rule['protocol'] + \
                                " -m %s " % rule['protocol'] + \
                                " --dport %s" % rnge
+                    
                     self.fw.append(["filter", "front", "%s -j %s" % (fwr, rule['action'])])
 
+                logging.debug("EGRESS rule configured for protocol ==> %s, action ==> %s", rule['protocol'], rule['action'])
+
     class AclDevice():
         """ A little class for each list of acls per device """