Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/09/27 14:11:20 UTC

[01/21] git commit: updated refs/heads/master to 3ded3e9

Repository: cloudstack
Updated Branches:
  refs/heads/master 415631ab5 -> 3ded3e900


CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a15df056
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a15df056
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a15df056

Branch: refs/heads/master
Commit: a15df0569fa0e56b14a9a119858c53e8ae6085c3
Parents: 1525ac0
Author: Jayapal <ja...@apache.org>
Authored: Wed Sep 16 15:22:33 2015 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Wed Sep 16 15:24:34 2015 +0530

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a15df056/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index 6c1d091..a1de596 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -176,6 +176,8 @@ class CsNetfilters(object):
         These standard firewall rules vary according to the device type
         """
         type = CsCmdLine("cmdline").get_type()
+        if type == 'dhcpsrvr':
+            type = 'router'
 
         try:
             table = ''
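Review bot: The added `if type == 'dhcpsrvr': type = 'router'` silently gives a shared-network DHCP server VR whatever default rule set is selected for 'router', and nothing in the code says why. A DHCP-only appliance presumably needs a narrower default policy than a router, so a dedicated rule set for `dhcpsrvr`, or at least a comment such as `# dhcpsrvr has no rule set of its own; it reuses the router defaults`, would make the firewall baseline auditable. Rebinding the local also hides the real device type from any later use in this method, whose body continues outside the hunk; a separate name such as `rules_type` would avoid that (`type` already shadows the builtin).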


[15/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Formatting the router_proxy.sh script


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e72a79c1
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e72a79c1
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e72a79c1

Branch: refs/heads/master
Commit: e72a79c1ce8634d8e9e6576041ec186860a78619
Parents: 4c8f4ac
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Sep 25 16:09:27 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Fri Sep 25 16:09:27 2015 +0200

----------------------------------------------------------------------
 scripts/network/domr/router_proxy.sh | 11 -----------
 1 file changed, 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e72a79c1/scripts/network/domr/router_proxy.sh
----------------------------------------------------------------------
diff --git a/scripts/network/domr/router_proxy.sh b/scripts/network/domr/router_proxy.sh
index bcac412..f9cb7ca 100755
--- a/scripts/network/domr/router_proxy.sh
+++ b/scripts/network/domr/router_proxy.sh
@@ -16,8 +16,6 @@
 # specific language governing permissions and limitations
 # under the License.
 
-
-
 # used as a proxy to call script inside virtual router 
 
 #set -x
@@ -47,12 +45,3 @@ check_gw "$domRIp"
 
 ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "/opt/cloud/bin/$script $*"
 exit $?
-
-
-
-
-
-
-
-
-


[12/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #881 from jayapalu/CLOUDSTACK-8905

CLOUDSTACK-8905: Fixed hooking egress rules
Added hooking the FIREWALL_EGRESS_RULES chain into the FW_OUTBOUND chain.
With this, egress rules will be effective.

* pr/881:
  CLOUDSTACK-8905: Fixed hooking egress rules

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/649a4bdc
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/649a4bdc
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/649a4bdc

Branch: refs/heads/master
Commit: 649a4bdc7633298ceba39d30857d147f17952a84
Parents: 4018d47 2bf7fb4
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:36:03 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:36:04 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/649a4bdc/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------


[03/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/96c38bf4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/96c38bf4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/96c38bf4

Branch: refs/heads/master
Commit: 96c38bf491d81e41975dddbfc3c87716293c7bdf
Parents: 6e426fa
Author: SudharmaJain <su...@citrix.com>
Authored: Sat Sep 19 23:40:21 2015 +0530
Committer: SudharmaJain <su...@citrix.com>
Committed: Sat Sep 19 23:40:21 2015 +0530

----------------------------------------------------------------------
 .../network/firewall/FirewallManagerImpl.java   |  3 +-
 .../network/firewall/FirewallManagerTest.java   | 83 +++++++++++++++++---
 2 files changed, 76 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96c38bf4/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
index b4e3bc3..39fc33c 100644
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@@ -426,7 +426,8 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
                 // we allow port forwarding rules with the same parameters but different protocols
                 boolean allowPf =
                     (rule.getPurpose() == Purpose.PortForwarding && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(
-                        rule.getProtocol()));
+                        rule.getProtocol())) || (rule.getPurpose() == Purpose.Vpn && newRule.getPurpose() == Purpose.PortForwarding && !newRule.getProtocol().equalsIgnoreCase(
+                            rule.getProtocol()));
                 boolean allowStaticNat =
                     (rule.getPurpose() == Purpose.StaticNat && newRule.getPurpose() == Purpose.StaticNat && !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol()));
 
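Review bot: The new `Purpose.Vpn` clause in `allowPf` is one-directional: it exempts a new PortForwarding rule from conflicting with an existing Vpn rule, but a new Vpn rule meeting an existing PortForwarding rule on the same port with a different protocol is not covered by this expression, so the outcome may depend on creation order. The comment above still describes only port forwarding against port forwarding and should also say `// ...or a port forwarding rule overlapping a VPN rule on a different protocol`. The protocol comparison is now written twice; hoisting it, e.g. `boolean protoDiffers = !newRule.getProtocol().equalsIgnoreCase(rule.getProtocol());`, would make the widened exemption easier to audit. The rest of the conflict check lies outside the hunk, so whether another branch handles the reverse order cannot be confirmed from here.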

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/96c38bf4/server/test/com/cloud/network/firewall/FirewallManagerTest.java
----------------------------------------------------------------------
diff --git a/server/test/com/cloud/network/firewall/FirewallManagerTest.java b/server/test/com/cloud/network/firewall/FirewallManagerTest.java
index 084bac0..823b495 100644
--- a/server/test/com/cloud/network/firewall/FirewallManagerTest.java
+++ b/server/test/com/cloud/network/firewall/FirewallManagerTest.java
@@ -22,20 +22,28 @@ import static org.mockito.Matchers.anyBoolean;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.spy;
 
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.inject.Inject;
-
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.dao.FirewallRulesDao;
+import com.cloud.network.vpc.VpcManager;
+import com.cloud.user.AccountManager;
+import com.cloud.user.DomainManager;
 import junit.framework.Assert;
 
 import org.apache.log4j.Logger;
+import org.junit.Before;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.mockito.runners.MockitoJUnitRunner;
 
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 
@@ -52,9 +60,9 @@ import com.cloud.network.rules.FirewallRule.Purpose;
 import com.cloud.network.rules.FirewallRuleVO;
 import com.cloud.utils.component.ComponentContext;
 
-@Ignore("Requires database to be set up")
-@RunWith(SpringJUnit4ClassRunner.class)
-@ContextConfiguration(locations = "classpath:/testContext.xml")
+//@Ignore("Requires database to be set up")
+@RunWith(MockitoJUnitRunner.class)
+//@ContextConfiguration(locations = "classpath:/testContext.xml")
 //@ComponentSetup(managerName="management-server", setupXml="network-mgr-component.xml")
 public class FirewallManagerTest {
     private static final Logger s_logger = Logger.getLogger(FirewallManagerTest.class);
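Review bot: The class-level `@Ignore` and `@ContextConfiguration` annotations are commented out rather than deleted, which leaves `//@Ignore("Requires database to be set up")` sitting next to the per-method `@Ignore`s added further down. Dead annotations in a test for firewall conflict detection make it harder to see which tests actually run. Deleting both commented lines keeps that clear; version history already records them.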
@@ -71,6 +79,7 @@ public class FirewallManagerTest {
 //        super.setUp();
 //    }
 
+    @Ignore("Requires database to be set up")
     @Test
     public void testInjected() {
 
@@ -100,9 +109,30 @@ public class FirewallManagerTest {
 
     }
 
-    @Inject
-    FirewallManager _firewallMgr;
+    @Mock
+    AccountManager _accountMgr;
+    @Mock
+    NetworkOrchestrationService _networkMgr;
+    @Mock
+    NetworkModel _networkModel;
+    @Mock
+    DomainManager _domainMgr;
+    @Mock
+    VpcManager _vpcMgr;
+    @Mock
+    IpAddressManager _ipAddrMgr;
+    @Mock
+    FirewallRulesDao _firewallDao;
+
+    @InjectMocks
+    FirewallManager _firewallMgr = new FirewallManagerImpl();
+
+    @Before
+    public void initMocks() {
+        MockitoAnnotations.initMocks(this);
+    }
 
+    @Ignore("Requires database to be set up")
     @Test
     public void testApplyRules() {
         List<FirewallRuleVO> ruleList = new ArrayList<FirewallRuleVO>();
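Review bot: `MockitoAnnotations.initMocks(this)` in the new `@Before` method duplicates what `@RunWith(MockitoJUnitRunner.class)` already does, so the `@Mock` fields are created and injected twice for every test. Drop the `initMocks()` method and the `MockitoAnnotations` import, or keep them and drop the runner. `@InjectMocks` is also declared on the interface type, which forces a cast in the new test; `FirewallManagerImpl _firewallMgr = new FirewallManagerImpl();` would remove it, assuming no other test in the file needs the interface type.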
@@ -123,6 +153,7 @@ public class FirewallManagerTest {
         }
     }
 
+    @Ignore("Requires database to be set up")
     @Test
     public void testApplyFWRules() {
         List<FirewallRuleVO> ruleList = new ArrayList<FirewallRuleVO>();
@@ -151,4 +182,38 @@ public class FirewallManagerTest {
         }
     }
 
+    @Test
+    public void testDetectRulesConflict() {
+        List<FirewallRuleVO> ruleList = new ArrayList<FirewallRuleVO>();
+        FirewallRuleVO rule1 = spy(new FirewallRuleVO("rule1", 3, 500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule2 = spy(new FirewallRuleVO("rule2", 3, 1701, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
+        FirewallRuleVO rule3 = spy(new FirewallRuleVO("rule3", 3, 4500, "UDP", 1, 2, 1, Purpose.Vpn, null, null, null, null));
+
+        ruleList.add(rule1);
+        ruleList.add(rule2);
+        ruleList.add(rule3);
+
+        FirewallManagerImpl firewallMgr = (FirewallManagerImpl)_firewallMgr;
+
+        when(firewallMgr._firewallDao.listByIpAndPurposeAndNotRevoked(3,null)).thenReturn(ruleList);
+        when(rule1.getId()).thenReturn(1L);
+        when(rule2.getId()).thenReturn(2L);
+        when(rule3.getId()).thenReturn(3L);
+
+        FirewallRule newRule1 = new FirewallRuleVO("newRule1", 3, 500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule2 = new FirewallRuleVO("newRule2", 3, 1701, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
+        FirewallRule newRule3 = new FirewallRuleVO("newRule3", 3, 4500, "TCP", 1, 2, 1, Purpose.PortForwarding, null, null, null, null);
+
+        try {
+            firewallMgr.detectRulesConflict(newRule1);
+            firewallMgr.detectRulesConflict(newRule2);
+            firewallMgr.detectRulesConflict(newRule3);
+        }
+        catch (NetworkRuleConflictException ex) {
+            Assert.fail();
+        }
+    }
+
+
+
 }
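Review bot: `testDetectRulesConflict` only exercises the newly allowed case (existing Vpn/UDP rules, new PortForwarding/TCP rules on 500, 1701 and 4500) and never checks that a genuine conflict is still rejected. Because the production change widens an exemption in firewall conflict detection, a companion test should assert that a PortForwarding rule using the same protocol as the Vpn rule (for example UDP on port 500) still raises `NetworkRuleConflictException`, e.g. under `@Test(expected = NetworkRuleConflictException.class)`. The `try`/`catch` with a bare `Assert.fail()` also discards the exception message; declaring the method `throws NetworkRuleConflictException` would report the conflicting rule when the test fails.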


[13/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #882 from jayapalu/CLOUDSTACK-8881

CLOUDSTACK-8881: Fixed Static and PF configuration issue
1. For static NAT, filter rules are not configured in VR.
2. Corrected VM IP in PF rule.

* pr/882:
  CLOUDSTACK-8881: Fixed Static and PF configuration issue

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4420f48e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4420f48e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4420f48e

Branch: refs/heads/master
Commit: 4420f48e3e0378c440806fad0a2dcebaaa17b511
Parents: 649a4bd 40138d2
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:36:18 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:36:18 2015 +0200

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/configure.py    | 24 +++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4420f48e/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------


[16/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Fixing the dhcpsrvr iptables file

   - Instead of changing the router type in a local variable, lets have a dedicated file for the dhcpsrvr routers
   - The file is called iptables-dhcpsrvr, just like we have iptables-vpcrouter and iptables-router


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3cfc4cff
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3cfc4cff
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3cfc4cff

Branch: refs/heads/master
Commit: 3cfc4cff80b5e6613bb503a9d2d44ee6f8236260
Parents: e72a79c
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Sep 25 16:10:43 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Fri Sep 25 16:10:43 2015 +0200

----------------------------------------------------------------------
 .../config/etc/iptables/iptables-dhcpsrvr       | 58 ++++++++++++++++++++
 .../config/opt/cloud/bin/cs/CsNetfilter.py      |  2 -
 2 files changed, 58 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3cfc4cff/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
new file mode 100644
index 0000000..b49b6b2
--- /dev/null
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-dhcpsrvr
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
+:FW_OUTBOUND - [0:0]
+-A INPUT -d 224.0.0.18/32 -j ACCEPT
+-A INPUT -d 225.0.0.50/32 -j ACCEPT
+-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
+-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
+-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
+COMMIT
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A POSTROUTING -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
+COMMIT
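Review bot: The `FORWARD` rules and the `FW_OUTBOUND`/`FW_EGRESS_RULES` chains (`-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND`, `-A FW_EGRESS_RULES -j ACCEPT`) look carried over from a routing appliance; if a dhcpsrvr VR does not forward guest traffic they should be dropped so the baseline opens only what DHCP, DNS and management need. The multicast accepts for `224.0.0.18/32` and `225.0.0.50/32` and `-A INPUT -p icmp -j ACCEPT` carry no `-i` match, so they apply on every interface; scoping each to the interface that needs it would narrow the default. A short comment per rule group would help, e.g. `# DHCP/DNS for guests on eth0` and `# management SSH on eth1 (3922)`. This is inferred from the rule text alone; which interfaces a dhcpsrvr VR actually has is not visible here.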

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/3cfc4cff/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index a72e53d..99c1501 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -177,8 +177,6 @@ class CsNetfilters(object):
         These standard firewall rules vary according to the device type
         """
         type = CsCmdLine("cmdline").get_type()
-        if type == 'dhcpsrvr':
-            type = 'router'
 
         try:
             table = ''


[20/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Fixing the index out of bounds error in the check_if_link_up() function


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/09e05f2a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/09e05f2a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/09e05f2a

Branch: refs/heads/master
Commit: 09e05f2a06335f0413f423bfb1180e549dcf57aa
Parents: d83995e
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Sat Sep 26 20:43:15 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Sat Sep 26 20:43:15 2015 +0200

----------------------------------------------------------------------
 .../patches/debian/config/opt/cloud/bin/cs/CsAddress.py     | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/09e05f2a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index f0b85f9..e3fa1bc 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -97,21 +97,20 @@ class CsAddress(CsDataBag):
 
     def check_if_link_exists(self,dev):
         cmd="ip link show dev %s"%dev
-        result=CsHelper.execute(cmd)
-        if(len(result)!=0):
+        result = CsHelper.execute(cmd)
+        if(len(result) != 0):
            return True
         else:
            return False
 
     def check_if_link_up(self,dev):
         cmd="ip link show dev %s | tr '\n' ' ' | cut -d ' ' -f 9"%dev
-        result=CsHelper.execute(cmd)
-        if(result[0].lower()=="up"):
+        result = CsHelper.execute(cmd)
+        if(result and result[0].lower() == "up"):
             return True
         else:
             return False
 
-
     def process(self):
         route = CsRoute()
         found_defaultroute = False
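Review bot: With the new `result and ...` guard in `check_if_link_up`, empty output (device missing, or the command failing) is reported the same as "link down", and a caller that reacts by bringing the link up would then act on a device that may not exist. Logging the empty case separately, e.g. `if not result: logging.warning("no link state for %s", dev)` before returning False, keeps that visible. Both helpers also build a shell pipeline by interpolating `dev` into the command string, and `cut -d ' ' -f 9` depends on the exact `ip link` output layout; validating `dev` as an interface name before use would be a worthwhile follow-up.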


[18/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Fixing the defaut route for VPC routers


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a8fa3374
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a8fa3374
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a8fa3374

Branch: refs/heads/master
Commit: a8fa3374dae1a935c336cbc01d21a3f237d6b0f4
Parents: 595fa50
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Sat Sep 26 20:29:04 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Sat Sep 26 20:30:49 2015 +0200

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/cs/CsAddress.py | 25 ++++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a8fa3374/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index 26836bc..f0b85f9 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -114,6 +114,7 @@ class CsAddress(CsDataBag):
 
     def process(self):
         route = CsRoute()
+        found_defaultroute = False
 
         for dev in self.dbag:
             if dev == "id":
@@ -121,17 +122,12 @@ class CsAddress(CsDataBag):
             ip = CsIP(dev, self.config)
 
             for address in self.dbag[dev]:
-               # if(address["nw_type"]!="public"):
-               #     continue
-
                 #check if link is up
-                if (not self.check_if_link_exists(dev)):
-                    logging.info("link %s does not exist, so not processing"%dev)
-                    continue
                 if not self.check_if_link_up(dev):
                    cmd="ip link set %s up"%dev
                    CsHelper.execute(cmd)
 
+                gateway = str(address["gateway"])
                 network = str(address["network"])
 
                 ip.setAddress(address)
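Review bot: `gateway = str(address["gateway"])` raises `KeyError` when an address entry has no `gateway` key and turns a null value into the literal string `"None"`, which the next hunk passes to `route.add_defaultroute(gateway)`. Guarding it, e.g. `gateway = address.get("gateway")` and skipping the default-route step when it is empty, avoids installing a route from a placeholder string; whether the data bag can carry a missing or null gateway is not visible here. The same hunk removes the `check_if_link_exists` guard, so `check_if_link_up(dev)` and `ip link set %s up` now run for devices that may not exist, and a comment saying why that is safe would help. The `process` body starts and ends outside this hunk.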
@@ -147,17 +143,25 @@ class CsAddress(CsDataBag):
                         "Address %s on device %s not configured", ip.ip(), dev)
                     if CsDevice(dev, self.config).waitfordevice():
                         ip.configure()
+
                 route.add_route(dev, network)
 
+                # The code looks redundant here, but we actually have to cater for routers and
+                # VPC routers in a different manner. Please do not remove this block otherwise
+                # The VPC default route will be broken.
+                if address["nw_type"] == "public" and not found_defaultroute:
+                    if not route.defaultroute_exists():
+                        if route.add_defaultroute(gateway):
+                            found_defaultroute = True
+
         # once we start processing public ip's we need to verify there
         # is a default route and add if needed
         if not route.defaultroute_exists():
-            cmdline=self.config.get_cmdline_instance()
+            cmdline = self.config.cmdline()
             if(cmdline.get_gateway()):
                 route.add_defaultroute(cmdline.get_gateway())
 
 
-
 class CsInterface:
 
     """ Hold one single ip """
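Review bot: In the new default-route block, `found_defaultroute` is set only when `add_defaultroute` succeeds, so when a default route already exists the flag stays false and `route.defaultroute_exists()` is evaluated again for every further public address. Flattening the three nested tests to `if address["nw_type"] == "public" and not found_defaultroute and not route.defaultroute_exists():` followed by `found_defaultroute = route.add_defaultroute(gateway)` states the intent more directly. A failed `add_defaultroute(gateway)` is dropped silently; a log line there would help when a VPC router ends up without a default route.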
@@ -516,9 +520,10 @@ class CsIP:
         self.fw.append(["", "", "-A NETWORK_STATS -i eth2 -o eth0 -p tcp"])
         self.fw.append(["", "", "-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp"])
         self.fw.append(["", "", "-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp"])
-        
+
+        self.fw.append(["filter", "", "-A INPUT -p icmp -j ACCEPT"])
         self.fw.append(["filter", "", "-A INPUT -i eth0 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"])
-        
+
         self.fw.append(["filter", "", "-P INPUT DROP"])
         self.fw.append(["filter", "", "-P FORWARD DROP"])
 
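Review bot: The added `-A INPUT -p icmp -j ACCEPT` accepts every ICMP type on every interface, ahead of the `-P INPUT DROP` policy set just below, while the neighbouring rules are all interface-scoped. If the intent is only to let the router answer pings, a narrower match such as `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` or an added `-i` restriction would keep the public side tighter; ICMP errors for existing flows are normally handled by a RELATED state rule, if one is present. A comment naming the traffic this rule is for would help. The enclosing method starts and ends outside the hunk.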


[04/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Configured dnsmasq to listen on all interfaces so that vpn  client gets dns


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/dbedfe25
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/dbedfe25
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/dbedfe25

Branch: refs/heads/master
Commit: dbedfe2557839332c394c44deb6c376f386681d9
Parents: d543e2a
Author: Jayapal <ja...@apache.org>
Authored: Thu Sep 17 11:34:27 2015 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Tue Sep 22 14:10:48 2015 +0530

----------------------------------------------------------------------
 systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl         | 4 ++--
 systemvm/patches/debian/config/etc/init.d/cloud-early-config | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/dbedfe25/systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl b/systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl
index 28b598c..403e204 100644
--- a/systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl
+++ b/systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl
@@ -87,7 +87,7 @@ local=/2.vmops-test.vmops.com/
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
-interface=eth0
+#interface=eth0
 # Or you can specify which interface _not_ to listen on
 except-interface=eth1
 except-interface=eth2
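Review bot: Commenting out `interface=eth0` here, together with `bind-interfaces` in the next hunk and the `listen-address` sed in cloud-early-config, makes dnsmasq listen on all interfaces, so which interfaces are served now depends on the `except-interface=eth1`/`eth2` lines and on the firewall rather than on socket binding. Any interface that appears later under another name is served by default, so it is worth confirming that the INPUT rules for ports 53 and 67 still limit DNS/DHCP to the guest and VPN interfaces. The disabled settings are left as commented-out lines in all three places; deleting them and adding a comment such as `# listen on all interfaces so VPN clients get DNS; eth1/eth2 are excluded below` would record the intent.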
@@ -108,7 +108,7 @@ no-dhcp-interface=eth2
 # want dnsmasq to really bind only the interfaces it is listening on,
 # uncomment this option. About the only time you may need this is when
 # running another nameserver on the same machine.
-bind-interfaces
+#bind-interfaces
 
 # If you don't want dnsmasq to read /etc/hosts, uncomment the
 # following line.

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/dbedfe25/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 934ba9c..fec5ecf 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -706,7 +706,7 @@ setup_dnsmasq() {
     sed -i -e "s/^dhcp-range_ip6=.*$//" /etc/dnsmasq.conf
   fi
 
-  sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf
+  #sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf
 
   if [ "$RROUTER" == "1" ]
   then


[19/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
small cleanups


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d83995e2
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d83995e2
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d83995e2

Branch: refs/heads/master
Commit: d83995e23c868f6a1b50b4768ba95d3e2d2dbb1e
Parents: a8fa337
Author: Remi Bergsma <gi...@remi.nl>
Authored: Fri Sep 25 19:17:38 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Sat Sep 26 20:33:21 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/etc/init.d/cloud-early-config | 2 --
 systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh       | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d83995e2/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index fec5ecf..79a85e7 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@@ -706,8 +706,6 @@ setup_dnsmasq() {
     sed -i -e "s/^dhcp-range_ip6=.*$//" /etc/dnsmasq.conf
   fi
 
-  #sed -i -e "s/^[#]*listen-address=.*$/listen-address=$LOCAL_ADDRS/" /etc/dnsmasq.conf
-
   if [ "$RROUTER" == "1" ]
   then
     DEFAULT_GW=$GUEST_GW

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d83995e2/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh b/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
index dcc71ed..d0eb1fc 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
@@ -100,7 +100,7 @@ if [ $? -eq 0 ]; then
     conntrackd -F
     conntrackd -k
 else
-   conntrackd -F
+    conntrackd -F
 fi
 log_it "VR config: Flushing conntrack table completed"
 


[08/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #836 from SudharmaJain/cs-8863

CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE

The ongoing ICMP request reply session is broken when the VR is down, the expectation is that it would resume once the VR is up. Investigations revealed that the ongoing ICMP packets are sent out of eth2 without being NATed post VR stop/start or restart or recreate.

TCPDUMP output from VR post restart/stop-start/recreate on eth2:

root@r-4-VM:~# tcpdump -i eth2 icmp -n -vvv
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
06:22:52.749770 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 81, length 64
06:22:53.749782 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 82, length 64
06:22:54.749771 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 83, length 64
06:22:55.749775 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 84, length 64
06:22:56.749765 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 85, length 64
06:22:57.749776 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.200.67 > 173.194.33.163: ICMP echo request, id 30996, seq 86, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@r-4-VM:~#
root@r-4-VM:~# grep icmp /proc/net/ip_conntrack
icmp     1 29 src=192.168.200.67 dst=173.194.33.163 type=8 code=0 id=30996 [UNREPLIED] src=173.194.33.163 dst=192.168.200.67 type=0 code=0 id=30996 mark=0 use=2

This gets fixed after flushing the conntrack table.

Screenshots:

Before fix (ping session doesn't resume, stop and starting the ping works, 120 packets lost):
![image](https://cloud.githubusercontent.com/assets/12229259/9897800/4de7488e-5c6a-11e5-98eb-3bd79cc3a8b1.png)

After fix(ping session resumes, 27 packets lost):
![image](https://cloud.githubusercontent.com/assets/12229259/9897822/9112e866-5c6a-11e5-95b3-1b20600d2e44.png)

* pr/836:
  CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8367911e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8367911e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8367911e

Branch: refs/heads/master
Commit: 8367911ef7f502eb760ca57d0a018d96620fdbed
Parents: 13b29ba 56d4429
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:35:00 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:35:00 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
----------------------------------------------------------------------



[06/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
CLOUDSTACK-8905: Fixed hooking egress rules


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/2bf7fb4b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/2bf7fb4b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/2bf7fb4b

Branch: refs/heads/master
Commit: 2bf7fb4b63932d80f641462073c751f07ab0c3ea
Parents: 13b29ba
Author: Jayapal <ja...@apache.org>
Authored: Thu Sep 24 17:06:11 2015 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Thu Sep 24 17:06:11 2015 +0530

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/2bf7fb4b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 49dbb9c..54d6c17 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -124,6 +124,7 @@ class CsAcl(CsDataBag):
                                     " -m %s " % rule['protocol'] +
                                     " --dport %s -j RETURN" % rnge])
             if self.direction == 'egress':
+                self.fw.append(["filter", "", " -A FW_OUTBOUND -j FIREWALL_EGRESS_RULES"])
                 if rule['protocol'] == "icmp":
                     self.fw.append(["filter", "front",
                                     " -A FIREWALL_EGRESS_RULES" +
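Review bot: The added jump `-A FW_OUTBOUND -j FIREWALL_EGRESS_RULES` is queued once for every egress rule handled here, because it sits on the per-rule path next to the `rule['protocol']` checks; whether the netfilter compare step later collapses the repeats is not visible in this hunk. It is also appended (empty position field) rather than inserted at the front, so any terminating rule already in FW_OUTBOUND would be evaluated before the egress chain; the resulting order is worth confirming on a running router with `iptables -S FW_OUTBOUND`. Hooking the chain once, where the egress chains are set up, with a comment such as `# hook FIREWALL_EGRESS_RULES into FW_OUTBOUND so egress rules are evaluated`, would make the intent clear. The enclosing method starts and ends outside this hunk.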


[07/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
CLOUDSTACK-8881: Fixed Static and PF configuration issue


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/40138d2e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/40138d2e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/40138d2e

Branch: refs/heads/master
Commit: 40138d2e994458250b8db706be993d4b040f95ca
Parents: 13b29ba
Author: Jayapal <ja...@apache.org>
Authored: Thu Sep 24 17:22:29 2015 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Thu Sep 24 17:22:29 2015 +0530

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/configure.py    | 24 +++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/40138d2e/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 49dbb9c..2fc1295 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -662,6 +662,20 @@ class CsForwardingRules(CsDataBag):
                 elif rule["type"] == "staticnat":
                     self.processStaticNatRule(rule)
 
+    #return the VR guest interface ipo
+    def getGuestIp(self):
+        ipr = []
+        ipAddr = None
+        for ip in self.config.address().get_ips():
+            if ip.is_guest():
+                ipr.append(ip)
+            if len(ipr) > 0:
+                ipAddr = sorted(ipr)[-1]
+            if ipAddr:
+                return ipAddr.get_ip()
+
+        return None
+
     def getDeviceByIp(self, ipa):
         for ip in self.config.address().get_ips():
             if ip.ip_in_subnet(ipa):
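Review bot: In `getGuestIp` the `if len(ipr) > 0` and `if ipAddr` checks are indented inside the `for` loop, so the method returns on the first guest address it meets and `sorted(ipr)[-1]` only ever sees a one-element list; if picking the highest guest address was the intent, the selection has to happen after the loop. The method also returns `None` when no guest address exists, and the callers added in the later hunks (the port-forwarding SNAT rule and the hairpin SNAT rule) format that value straight into `--to-source %s`, which would yield a rule containing the literal text `None`. The comment above the method has a typo (`ipo`) and would read better as a docstring. A version with the selection moved out of the loop follows; callers should skip the SNAT rule when it returns `None`.

```python
    def getGuestIp(self):
        """Return the IP of the VR guest interface, or None if there is none."""
        guest_ips = [ip for ip in self.config.address().get_ips() if ip.is_guest()]
        if not guest_ips:
            return None
        # pick the last address in sort order, once all guest addresses are known
        return sorted(guest_ips)[-1].get_ip()
```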
@@ -725,7 +739,7 @@ class CsForwardingRules(CsDataBag):
               )
         fw4 = "-j SNAT --to-source %s -A POSTROUTING -s %s -d %s/32 -o %s -p %s -m %s --dport %s" % \
               (
-                self.getGatewayByIp(rule['internal_ip']),
+                self.getGuestIp(),
                 self.getNetworkByIp(rule['internal_ip']),
                 rule['internal_ip'],
                 self.getDeviceByIp(rule['internal_ip']),
@@ -809,6 +823,14 @@ class CsForwardingRules(CsDataBag):
                         "-A POSTROUTING -o %s -s %s/32 -j SNAT --to-source %s" % (device, rule["internal_ip"], rule["public_ip"])])
         self.fw.append(["nat", "front",
                         "-A OUTPUT -d %s/32 -j DNAT --to-destination %s" % (rule["public_ip"], rule["internal_ip"])])
+        self.fw.append(["filter", "",
+                        "-A FORWARD -i %s -o eth0  -d %s  -m state  --state NEW -j ACCEPT " % (device, rule["internal_ip"])])
+
+        #configure the hairpin nat
+        self.fw.append(["nat", "front",
+                        "-A PREROUTING -d %s -i eth0 -j DNAT --to-destination %s" % (rule["public_ip"], rule["internal_ip"])])
+
+        self.fw.append(["nat", "front", "-A POSTROUTING -s %s -d %s -j SNAT -o eth0 --to-source %s" % (self.getNetworkByIp(rule['internal_ip']),rule["internal_ip"], self.getGuestIp())])
 
 
 def main(argv):
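Review bot: The new filter rule `-A FORWARD -i %s -o eth0 -d %s -m state --state NEW -j ACCEPT` accepts every new connection from the public device to the static-NAT target with no protocol or port match, so if it is reached before the per-IP firewall chains it would pass traffic that the configured firewall rules were meant to block; that ordering is not visible in this hunk and should be confirmed. All three added rules also hard-code `eth0` as the guest interface, while the neighbouring port-forwarding code derives it with `self.getDeviceByIp(rule['internal_ip'])`; using the same lookup here would keep the rules correct on routers whose guest NIC is not eth0. The last added line is far longer than the rest of the file and should be wrapped like the two `self.fw.append` calls above it. The enclosing method starts outside this hunk.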


[21/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #887 from schubergphilis/vr_fixes_combined

[BLOCKER] Combined PRs that fix VR issues

Tonight I worked with @wilderrodrigues to figure out what is wrong with the virtual router. As we couldn't test single PRs any more (because of other issues with them causing tests to fail) we added all VR related PRs in a separate branch and started testing from there.

We combined the following PRs into this PR:
#836 #851 #867 #870 #881 #882 #842

After that, one issue remains: the VPC does not get a default gateway. Which is strange, because we already solved it in PR #738. When I look back, it was fixed again in PR #784. It could very well be that either one fixed one specific case, but also breaking the other. We need to investigate this, and make sure there will be a fix that works both for VPCs and VRs.

When we manually add the default gateway on the VPC, most tests pass and also spinning up two VPCs with one tier each, having a VM and them using s2s to VPN them together works fine. See for more details the report Wilder sent earlier.

Tomorrow we'll try to figure out how to fix the default gateway and merge this. Then we should have a base to work from again. Any PR that fixes another blocker, should at least then be rebased against the fixed master so we can run the tests against the PR branch. I'm not saying everything is fixed, I'm just saying that we can spin up a cloud that has working VMs.

When, in the mean time, someone has the time to checkout this branch and make the default route work for both VPC and VR that would be awesome. After that we should double check and verify the test results.

Pinging @karuturi to let her know the current status.

Regards,
Wilder / Remi

* pr/887:
  Fixing the index out of bounds error in the check_if_link_up() function
  small cleanups
  Fixing the defaut route for VPC routers
  Formatting the get_gateway() method in the CsDatabag.py file
  Fixing the dhcpsrvr iptables file
  Formatting the router_proxy.sh script
  CLOUDSTACK-8881: Fixed Static and PF configuration issue
  CLOUDSTACK-8905: Fixed hooking egress rules
  CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic
  Configured dnsmasq to listen on all interfaces so that vpn  client gets dns
  CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports
  CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE
  CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/3ded3e90
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/3ded3e90
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/3ded3e90

Branch: refs/heads/master
Commit: 3ded3e90007d08fa98465f2b8c68b7fb075557c0
Parents: 415631a 09e05f2
Author: Remi Bergsma <gi...@remi.nl>
Authored: Sun Sep 27 14:09:48 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Sun Sep 27 14:09:48 2015 +0200

----------------------------------------------------------------------
 scripts/network/domr/router_proxy.sh            | 11 ---
 .../network/firewall/FirewallManagerImpl.java   |  3 +-
 .../network/firewall/FirewallManagerTest.java   | 83 +++++++++++++++++---
 .../patches/debian/config/etc/dnsmasq.conf.tmpl |  4 +-
 .../debian/config/etc/init.d/cloud-early-config |  2 -
 .../config/etc/iptables/iptables-dhcpsrvr       | 58 ++++++++++++++
 .../debian/config/opt/cloud/bin/configure.py    | 40 +++++++++-
 .../debian/config/opt/cloud/bin/cs/CsAddress.py | 34 ++++----
 .../debian/config/opt/cloud/bin/cs/CsDatabag.py |  1 +
 .../config/opt/cloud/bin/cs/CsNetfilter.py      |  6 +-
 .../debian/config/opt/cloud/bin/vr_cfg.sh       | 11 +++
 11 files changed, 210 insertions(+), 43 deletions(-)
----------------------------------------------------------------------



[14/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #842 from jayapalu/shareNwVR

CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

On a basic zone shared network VR, the default iptables rules are not applied correctly. Due to this, ssh to the VR failed.
In a shared network the VR type is 'dhcpsrvr', not 'router'. So corrected it in the 'del_standard' method to select the correct type.

Testing:
1. VR is deployed correctly.
2. Tested restart, stop, start VR.
3. New VM deployment is success.
4. ssh to VR from the host is successful.
5. iptables rules on the VR came up correctly.
below is the output from the VR:
iptables -L INPUT -nv
Chain INPUT (policy DROP 16 packets, 1056 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            224.0.0.18
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            225.0.0.50
  104  9800 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  281 36500 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   656 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
   13   780 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3922 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 state NEW
    0     0 ACCEPT     tcp  --  eth0   *       10.147.40.0/23       0.0.0.0/0            state NEW tcp dpt:8080

* pr/842:
  CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4c8f4ac3
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4c8f4ac3
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4c8f4ac3

Branch: refs/heads/master
Commit: 4c8f4ac3417f60962abfc2cb0f1439bb78a44d4d
Parents: 4420f48 a15df05
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 16:42:41 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 16:42:42 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4c8f4ac3/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------


[17/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Formatting the get_gateway() method in the CsDatabag.py file


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/595fa50b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/595fa50b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/595fa50b

Branch: refs/heads/master
Commit: 595fa50b3baaa8fbf6627e2748c336e1f6a1432c
Parents: 3cfc4cf
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Fri Sep 25 16:11:32 2015 +0200
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Fri Sep 25 16:11:32 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/595fa50b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py
index 84e31a7..e29aa36 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py
@@ -143,6 +143,7 @@ class CsCmdLine(CsDataBag):
         md5 = hashlib.md5()
         md5.update(passwd)
         return md5.hexdigest()
+
     def get_gateway(self):
         if "gateway" in self.idata():
             return self.idata()['gateway']


[02/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
CLOUDSTACK-8863: VM doesn't reconnect to internet post VR RESTART/STOP-START/RECREATE


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/56d44295
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/56d44295
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/56d44295

Branch: refs/heads/master
Commit: 56d4429500d0d3da7334b3f1c559d1eca8ee85a4
Parents: 6e426fa
Author: SudharmaJain <su...@citrix.com>
Authored: Wed Sep 16 14:40:31 2015 +0530
Committer: SudharmaJain <su...@citrix.com>
Committed: Thu Sep 17 11:50:21 2015 +0530

----------------------------------------------------------------------
 systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/56d44295/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh b/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
index 7ed7d6b..dcc71ed 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vr_cfg.sh
@@ -93,4 +93,15 @@ done < $cfg
 #remove the configuration file, log file should have all the records as well
 rm -f $cfg
 
+# Flush kernel conntrack table
+log_it "VR config: Flushing conntrack table"
+conntrackd -d 2> /dev/null
+if [ $? -eq 0 ]; then
+    conntrackd -F
+    conntrackd -k
+else
+   conntrackd -F
+fi
+log_it "VR config: Flushing conntrack table completed"
+
 exit 0
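Review bot: The exit status of `conntrackd -F` is never checked, and `VR config: Flushing conntrack table completed` is logged whether or not the flush worked; with `2> /dev/null` on the daemon start there is no trace of a failure at all. Something like `conntrackd -F || log_it "VR config: conntrack flush failed"` in both branches would leave evidence in the log. A short comment on why the two branches differ (presumably the `-d` start fails when a daemon is already running, so that daemon must not be killed afterwards) would help the next reader. The flush also appears to run unconditionally at the end of the script and drops tracking state for all flows, not only the stale un-NATed entries described in the commit message, so its effect on established connections is worth confirming.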


[10/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #867 from jayapalu/CLOUDSTACK-8891

CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic

VR default iptables rules in INPUT chain are configured partially.
In CsAddress.py rules are configured while configuring public interface, guest interface post configuration is missed. Fixed to configure guest post configuration so that iptables rules are configured.

Testing:
1. Deployed vm in the network.
2.iptables rules on the VR configured correctly.
3.VM got the dhcp ip address from the VR.

* pr/867:
  CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a5a5f612
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a5a5f612
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a5a5f612

Branch: refs/heads/master
Commit: a5a5f612ea4fbdb37b6dc5c708fd042b00902f84
Parents: 7d55554 746a5dc
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:35:33 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:35:33 2015 +0200

----------------------------------------------------------------------
 .../patches/debian/config/opt/cloud/bin/configure.py | 15 +++++++++++++++
 .../debian/config/opt/cloud/bin/cs/CsAddress.py      |  4 ++--
 .../debian/config/opt/cloud/bin/cs/CsNetfilter.py    |  6 ++++--
 3 files changed, 21 insertions(+), 4 deletions(-)
----------------------------------------------------------------------



[09/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #851 from SudharmaJain/cs-8864

CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports

Setting port forwarding rules for port 500,1701 and 4500 after enabling VPN, gives the error message "The range specified, xxxx, conflicts with rule xxxx which has xxxx." This happens because the rules added for vpn doesn't have a matching condition to allow port forwarding rules.

Added a unit test to verify the detectRulesConflict function of FirewallManagerImpl.

* pr/851:
  CLOUDSTACK-8864: Not able to add TCP port forwarding rule in VPN for specific ports

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/7d555542
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/7d555542
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/7d555542

Branch: refs/heads/master
Commit: 7d5555429b90fcb9e1456ea858d5163b41ee41ab
Parents: 8367911 96c38bf
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:35:16 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:35:16 2015 +0200

----------------------------------------------------------------------
 .../network/firewall/FirewallManagerImpl.java   |  3 +-
 .../network/firewall/FirewallManagerTest.java   | 83 +++++++++++++++++---
 2 files changed, 76 insertions(+), 10 deletions(-)
----------------------------------------------------------------------



[11/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
Merge pull request #870 from jayapalu/CLOUDSTACK-8874

Configured dnsmasq to listen on all interfaces so that vpn  client gets dns

1. Dnsmasq is not listening on the ppp+ interfaces; due to this, remote access vpn clients' dns requests are dropped.

2. Configured the dnsmasq to listen on all the interfaces except public. There is firewall to allow only specific cidr to allow the dns requests.

Tested from windows client nslookup.

* pr/870:
  Configured dnsmasq to listen on all interfaces so that vpn  client gets dns

Signed-off-by: Remi Bergsma <gi...@remi.nl>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4018d47e
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4018d47e
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4018d47e

Branch: refs/heads/master
Commit: 4018d47ef8ea3be780f27d6558275f19b70e5ef0
Parents: a5a5f61 dbedfe2
Author: Remi Bergsma <gi...@remi.nl>
Authored: Thu Sep 24 15:35:48 2015 +0200
Committer: Remi Bergsma <gi...@remi.nl>
Committed: Thu Sep 24 15:35:48 2015 +0200

----------------------------------------------------------------------
 systemvm/patches/debian/config/etc/dnsmasq.conf.tmpl         | 4 ++--
 systemvm/patches/debian/config/etc/init.d/cloud-early-config | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
----------------------------------------------------------------------



[05/21] git commit: updated refs/heads/master to 3ded3e9

Posted by re...@apache.org.
CLOUDSTACK-8891: Fixed default iptables rules on VR  for guest traffic


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/746a5dc4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/746a5dc4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/746a5dc4

Branch: refs/heads/master
Commit: 746a5dc48e01cc07cbd4b319755d45e414c49504
Parents: 13b29ba
Author: Jayapal <ja...@apache.org>
Authored: Thu Sep 24 12:44:15 2015 +0530
Committer: Jayapal <ja...@apache.org>
Committed: Thu Sep 24 12:49:43 2015 +0530

----------------------------------------------------------------------
 .../patches/debian/config/opt/cloud/bin/configure.py | 15 +++++++++++++++
 .../debian/config/opt/cloud/bin/cs/CsAddress.py      |  4 ++--
 .../debian/config/opt/cloud/bin/cs/CsNetfilter.py    |  6 ++++--
 3 files changed, 21 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/746a5dc4/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 49dbb9c..3ac741c 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -818,51 +818,66 @@ def main(argv):
                         format=config.get_format())
     config.set_address()
 
+    logging.debug("Configuring ip addresses")
     # IP configuration
     config.address().compare()
     config.address().process()
 
+    logging.debug("Configuring vmpassword")
     password = CsPassword("vmpassword", config)
     password.process()
 
+    logging.debug("Configuring vmdata")
     metadata = CsVmMetadata('vmdata', config)
     metadata.process()
 
+    logging.debug("Configuring networkacl")
     acls = CsAcl('networkacl', config)
     acls.process()
 
+    logging.debug("Configuring firewall rules")
     acls = CsAcl('firewallrules', config)
     acls.process()
 
+    logging.debug("Configuring PF rules")
     fwd = CsForwardingRules("forwardingrules", config)
     fwd.process()
 
     red = CsRedundant(config)
     red.set()
 
+    logging.debug("Configuring s2s vpn")
     vpns = CsSite2SiteVpn("site2sitevpn", config)
     vpns.process()
 
+    logging.debug("Configuring remote access vpn")
     #remote access vpn
     rvpn = CsRemoteAccessVpn("remoteaccessvpn", config)
     rvpn.process()
 
+    logging.debug("Configuring vpn users list")
     #remote access vpn users
     vpnuser = CsVpnUser("vpnuserlist", config)
     vpnuser.process()
 
+    logging.debug("Configuring dhcp entry")
     dhcp = CsDhcp("dhcpentry", config)
     dhcp.process()
 
+    logging.debug("Configuring load balancer")
     lb = CsLoadBalancer("loadbalancer", config)
     lb.process()
 
+    logging.debug("Configuring monitor service")
     mon = CsMonitor("monitorservice", config)
     mon.process()
 
+    logging.debug("Configuring iptables rules .....")
     nf = CsNetfilters()
     nf.compare(config.get_fw())
 
+    logging.debug("Configuring iptables rules done ...saving rules")
+
     # Save iptables configuration - will be loaded on reboot by the iptables-restore that is configured on /etc/rc.local
     CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
     CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/746a5dc4/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index e97abac..26836bc 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -121,8 +121,8 @@ class CsAddress(CsDataBag):
             ip = CsIP(dev, self.config)
 
             for address in self.dbag[dev]:
-                if(address["nw_type"]!="public"):
-                    continue
+               # if(address["nw_type"]!="public"):
+               #     continue
 
                 #check if link is up
                 if (not self.check_if_link_exists(dev)):
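Review bot: The `nw_type` filter is disabled by commenting it out rather than deleted, and the two commented lines are indented one column short of the surrounding block. Dropping them and leaving a why-comment instead, e.g. `# process every address, not only public ones, so guest interfaces get their post-configuration and iptables rules`, documents the intent without dead code. Because the loop body now runs for all network types, the code further down this loop (outside the hunk) should be checked for steps that assumed a public address.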

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/746a5dc4/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index 6c1d091..99c1501 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -126,6 +126,7 @@ class CsNetfilters(object):
         del_list = [x for x in self.rules if x.unseen()]
         for r in del_list:
             cmd = "iptables -t %s %s" % (r.get_table(), r.to_str(True))
+            logging.debug("unseen cmd:  %s ", cmd)
             CsHelper.execute(cmd)
             # print "Delete rule %s from table %s" % (r.to_str(True), r.get_table())
             logging.info("Delete rule %s from table %s", r.to_str(True), r.get_table())
@@ -150,10 +151,10 @@ class CsNetfilters(object):
             if isinstance(fw[1], int):
                 new_rule.set_count(fw[1])
             if self.has_rule(new_rule):
-                logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table())
+                logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
             else:
                 # print "Add rule %s in table %s" % ( fw[2], new_rule.get_table())
-                logging.info("Add rule %s in table %s", fw[2], new_rule.get_table())
+                logging.info("Add: rule=%s table=%s", fw[2], new_rule.get_table())
                 # front means insert instead of append
                 cpy = fw[2]
                 if fw[1] == "front":
@@ -185,6 +186,7 @@ class CsNetfilters(object):
                 if i.startswith('-A'):  # Rule
                     self.del_rule(table, i.strip())
         except IOError:
+            logging.debug("Exception in del_standard, returning")
             # Nothing can be done
             return