Posted to commits@cloudstack.apache.org by mu...@apache.org on 2014/03/28 12:39:13 UTC

git commit: updated refs/heads/4.4 to 89c6f00

Repository: cloudstack
Updated Branches:
  refs/heads/4.4 14796783f -> 89c6f0087


OVS distributed routing: fix the issues related to applying network
ACLs on OVS. OVS OF rules do not accept 0.0.0.0/0, so when applying an
ACL, do not include the source CIDR in the OF rule if the source CIDR is 0.0.0.0/0.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/89c6f008
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/89c6f008
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/89c6f008

Branch: refs/heads/4.4
Commit: 89c6f0087c832a05ed55256a394aee7541ac83d4
Parents: 1479678
Author: Murali Reddy <mu...@gmail.com>
Authored: Fri Mar 28 17:06:02 2014 +0530
Committer: Murali Reddy <mu...@gmail.com>
Committed: Fri Mar 28 17:08:22 2014 +0530

----------------------------------------------------------------------
 .../xenserver/cloudstack_pluginlib.py           | 86 ++++++++++++++------
 scripts/vm/hypervisor/xenserver/ovstunnel       |  4 +-
 2 files changed, 62 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/89c6f008/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
index 4ebb435..50a1fa2 100644
--- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
+++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
@@ -358,7 +358,7 @@ def configure_bridge_for_network_topology(bridge, this_host_id, json_config):
         for host in vpc_spanning_hosts:
             if str(this_host_id) == str(host.hostid):
                 continue
-            other_host_vms = get_vms_on_host(vpconfig, host.hostid)
+            other_host_vms = get_vms_on_host(vpconfig, str(host.hostid))
             for vm in other_host_vms:
                 for nic in vm.nics:
                     mac_addr = nic.macaddress
@@ -397,8 +397,9 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
         return "FAILURE:IMPROPER_JSON_CONFG_FILE"
 
     try:
-        # First flush current egress ACL's before re-applying the ACL's
+        # First flush current ingress and egress ACL's before re-applying the ACL's
         del_flows(bridge, table=3)
+        del_flows(bridge, table=5)
 
         egress_rules_added = False
         ingress_rules_added = False
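Review bot: Tables 3 and 5 are flushed before any ACL item in the visible code is processed, so an exception while the rules are re-added leaves both tables empty or only partially programmed, and nothing here says how traffic is treated in that state. The bare `except:` further down only logs and re-raises, so it does not restore anything. I would document this at the flush, e.g. `# NOTE: tables 3 and 5 stay empty until the loop below completes; a failure midway leaves the ACLs only partially applied`, and consider collecting the flows first and flushing only after every ACL item has been read successfully. The function body starts and ends outside this hunk.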
@@ -419,15 +420,22 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
                 source_cidrs = acl_item.sourcecidrs
                 acl_priority = 1000 + number
                 for source_cidr in source_cidrs:
-                    if direction is "ingress":
+                    if direction == "ingress":
                         ingress_rules_added = True
-
                         if source_port_start is None and source_port_end is None:
-                            if action is "deny":
-                                add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+                            if source_cidr.startswith('0.0.0.0'):
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=5, nw_dst=tier_cidr,
+                                         nw_proto=protocol, actions='drop')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=5, nw_dst=tier_cidr,
+                                         nw_proto=protocol, actions='resubmit(,1)')
+                            else:
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr,
                                          nw_proto=protocol, actions='drop')
-                            if action is "allow":
-                                add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr,
                                          nw_proto=protocol, actions='resubmit(,1)')
                             continue
 
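Review bot: `source_cidr.startswith('0.0.0.0')` matches more than the wildcard: a source CIDR such as 0.0.0.0/8 or 0.0.0.0/32 also takes this branch and is installed with no `nw_src` match, which widens an allow (or deny) rule to every source. Compare against the exact value instead, `if source_cidr == '0.0.0.0/0':`, or check the prefix length. The same test is repeated in the next hunk for the ingress port loop and both egress branches. The four near-identical `add_flow` calls per branch could also be collapsed by building the match arguments once and adding `nw_src` only when the source is not the wildcard, which would keep the branches from drifting apart. The enclosing function starts and ends outside this hunk.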
@@ -435,36 +443,59 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
                         # source_cidr and destination ip is in tier_cidr
                         port = source_port_start
                         while (port < source_port_end):
-                            if action is "deny":
-                                add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+                            if source_cidr.startswith('0.0.0.0'):
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=5, nw_dst=tier_cidr, tp_dst=port,
                                          nw_proto=protocol, actions='drop')
-                            if action is "allow":
-                                add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=5, nw_dst=tier_cidr, tp_dst=port,
+                                         nw_proto=protocol, actions='resubmit(,1)')
+                            else:
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+                                         nw_proto=protocol, actions='drop')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
                                          nw_proto=protocol, actions='resubmit(,1)')
                             port = port + 1
 
-                    elif direction in "egress":
+                    elif direction == "egress":
                         egress_rules_added = True
-
                         if source_port_start is None and source_port_end is None:
-                            if action is "deny":
-                                add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+                            if source_cidr.startswith('0.0.0.0'):
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_dst=tier_cidr,
                                          nw_proto=protocol, actions='drop')
-                            if action is "allow":
-                                add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr,
-                                         nw_proto=protocol, actions='resubmit(,1)')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=3, nw_dst=tier_cidr,
+                                         nw_proto=protocol, actions='resubmit(,4)')
+                            else:
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+                                         nw_proto=protocol, actions='drop')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+                                         nw_proto=protocol, actions='resubmit(,4)')
                             continue
 
                         # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in
                         # source_cidr and source ip is in tier_cidr
                         port = source_port_start
                         while (port < source_port_end):
-                            if action is "deny":
-                                add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
-                                         nw_proto=protocol, actions='drop')
-                            if action is "allow":
-                                add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
-                                         nw_proto=protocol, actions='resubmit(,1)')
+                            if source_cidr.startswith('0.0.0.0'):
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_dst=source_cidr, tp_dst=port,
+                                             nw_proto=protocol, actions='drop')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_dst=source_cidr, tp_dst=port,
+                                             nw_proto=protocol, actions='resubmit(,4)')
+                            else:
+                                if action == "deny":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+                                             nw_proto=protocol, actions='drop')
+                                if action == "allow":
+                                    add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+                                             nw_proto=protocol, actions='resubmit(,4)')
                             port = port + 1
 
         if egress_rules_added is False:
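Review bot: In the egress port loop the wildcard branch still passes the wildcard as a match: `add_flow(bridge, priority= acl_priority, table=3, nw_dst=source_cidr, tp_dst=port,` keeps `nw_dst=source_cidr` (the 0.0.0.0 value the commit message says OVS rejects) and drops `nw_src=tier_cidr`, so the rule is no longer scoped to the tier. Going by the non-wildcard branch below it, the wildcard case should presumably match `nw_src=tier_cidr, tp_dst=port` only. The egress no-port branch matches `nw_dst=tier_cidr` (and `nw_src=source_cidr`), which is the ingress orientation and disagrees with the comment above the egress loop; worth confirming which direction table 3 is meant to see. Separately, `while (port < source_port_end)` never installs a flow for the end port, so an ACL whose start and end port are equal adds nothing while still setting `ingress_rules_added` or `egress_rules_added`; if the range is meant to be inclusive the bound should be `<=`. The function starts and ends outside this hunk.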
@@ -472,8 +503,11 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
             add_flow(bridge, priority=0, table=3, actions='resubmit(,4)')
 
         if ingress_rules_added is False:
-            # add a default rule in egress table drop packets
+            # add a default rule in ingress table drop packets
             add_flow(bridge, priority=0, table=5, actions='drop')
+
+        return "SUCCESS: successfully configured bridge as per the later routing policies of the VPC"
+
     except:
         logging.debug("An unexpected error occurred while configuring bridge as per VPC's routing policies.")
         raise
\ No newline at end of file
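Review bot: The default `drop` for table 5 is installed only when no ingress ACL item was seen, so once any ingress rule exists a packet that matches none of them is left to whatever the table does on a miss, which is not visible here. ACL priorities are computed as `1000 + number` earlier in the function, so the priority-0 default could presumably be added unconditionally by moving `add_flow(bridge, priority=0, table=5, actions='drop')` outside the `if`. The failure path also logs at debug level without the exception, which makes a half-applied ACL set easy to miss; `logging.exception("An unexpected error occurred while configuring bridge as per VPC's routing policies.")` would record the traceback before the `raise`. The function starts outside this hunk.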

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/89c6f008/scripts/vm/hypervisor/xenserver/ovstunnel
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/ovstunnel b/scripts/vm/hypervisor/xenserver/ovstunnel
index 068f89f..3e17360 100755
--- a/scripts/vm/hypervisor/xenserver/ovstunnel
+++ b/scripts/vm/hypervisor/xenserver/ovstunnel
@@ -402,7 +402,7 @@ def configure_ovs_bridge_for_routing_policies(session, args):
     bridge = args.pop("bridge")
     json_config = args.pop("config")
 
-    return lib.configure_ovs_bridge_for_router_policies(bridge, json_config)
+    return lib.configure_ovs_bridge_for_routing_policies(bridge, json_config)
 
 if __name__ == "__main__":
     XenAPIPlugin.dispatch({"create_tunnel": create_tunnel,
@@ -413,4 +413,4 @@ if __name__ == "__main__":
                            "getLabel": getLabel,
                            "setup_ovs_bridge_for_distributed_routing": setup_ovs_bridge_for_distributed_routing,
                            "configure_ovs_bridge_for_network_topology": configure_ovs_bridge_for_network_topology,
-                           "configure_ovs_bridge_for_routing_policies": "configure_ovs_bridge_for_routing_policies"})
+                           "configure_ovs_bridge_for_routing_policies": configure_ovs_bridge_for_routing_policies})