From 10dc1c75d83f6f43b5fadb6fd97b55a092e5fc02 Mon Sep 17 00:00:00 2001 From: Chiradeep Vittal Date: Tue, 8 Feb 2011 16:39:51 -0800 Subject: [PATCH] bug 8370: pass in original params when calling delete during add status 8370: resolved fixed --- .../systemvm/debian/config/root/firewall.sh | 21 +- scripts/network/domr/firewall.sh | 234 ------------------ scripts/network/domr/loadbalancer.sh | 213 ---------------- 3 files changed, 14 insertions(+), 454 deletions(-) delete mode 100755 scripts/network/domr/firewall.sh delete mode 100755 scripts/network/domr/loadbalancer.sh diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh index 8927c791870..e7abb84a429 100755 --- a/patches/systemvm/debian/config/root/firewall.sh +++ b/patches/systemvm/debian/config/root/firewall.sh @@ -36,11 +36,11 @@ tcp_or_udp_entry() { local port=$4 local op=$5 local proto=$6 - logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp + logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \ instance ip=$instIp proto=$proto port=$port dport=$dport op=$op" #if adding, this might be a duplicate, so delete the old one first - [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport $publicIp $port "-D" $proto + [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto # the delete operation may have errored out but the only possible reason is # that the rules didn't exist in the first place local dev=$(ip_to_dev $publicIp) @@ -57,7 +57,10 @@ tcp_or_udp_entry() { (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp \ --destination-port $dport0 -m state --state NEW -j ACCEPT &>> $OUTFILE) - return $? + + local result=$? + logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result" + return $result } 
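Review bot: In the first hunk the nested `-D` call now receives `$dport0` while the add path of the same function still works from `$dport`, and nothing in the hunk says why the two differ; `dport0` is assigned between this hunk and the next, outside the visible lines, so the next reader is likely to read it as a typo. Record the intent on the existing comment, e.g. `#if adding, this might be a duplicate, so delete the old one first (pass dport0, the dport as originally given, so the -D call rebuilds the identical rule)` — presumably that is what the commit title's "original params" means; confirm against the assignment of dport0. Note that the nested call will apply the same dport-to-dport0 transformation to the value it is handed, so this is only correct if that transformation is idempotent on dport0. tcp_or_udp_entry starts before this hunk and ends after it.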
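Review bot: `local result=$?` in the second hunk is the right shape, but the equivalent lines added to icmp_entry and one_to_one_fw_entry in the later hunks of this file use a bare `result=$?`, so those two functions leave a global `result` behind after they return; change both to `local result=$?` so the three functions agree. This line only captures the iptables subshell's status because `$?` is expanded before `local` executes — the blank line added above it is harmless, but any statement inserted there would silently change what gets logged and returned, so a comment such as `# capture the status of the iptables subshell above before running anything else` is worth adding. The "done" log line carries `op` and `result` but not `instIp`, `proto` or `dport`, so when several entries are processed back to back it cannot be paired with its "creating" line in syslog; consider logging the same fields in both. The function body continues outside the hunk.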
@@ -68,7 +71,7 @@ icmp_entry() { local publicIp=$3 local op=$4 - logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp \ + logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \ instance ip=$instIp proto=icmp port=$port dport=$dport op=$op" #if adding, this might be a duplicate, so delete the old one first [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" @@ -80,7 +83,9 @@ icmp_entry() { sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE - return $? + result=$? + logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result" + return $result } @@ -91,7 +96,7 @@ one_to_one_fw_entry() { local proto=$3 local portRange=$4 local op=$5 - logger -t cloud "$(basename $0): firewall entry for static nat: public ip=$publicIp \ + logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \ instance ip=$instIp proto=$proto portRange=$portRange op=$op" #if adding, this might be a duplicate, so delete the old one first @@ -111,7 +116,9 @@ one_to_one_fw_entry() { --destination-port $portRange -m state \ --state NEW -j ACCEPT &>> $OUTFILE ) - return $? + result=$? + logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result" + return $result } diff --git a/scripts/network/domr/firewall.sh b/scripts/network/domr/firewall.sh deleted file mode 100755 index 91cf622c051..00000000000 --- a/scripts/network/domr/firewall.sh +++ /dev/null 
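Review bot: In the icmp_entry hunk (`@@ -80,7 +83,9 @@`) `result=$?` is taken after the last of several sequential `sudo iptables` commands, so the new "done ... result=$result" line reports only the FORWARD rule's status; a failed nat `OUTPUT` (or the `PREROUTING` rule above the hunk) DNAT insertion is logged as result=0, which makes this log line misleading for anyone auditing rule changes. The same applies to one_to_one_fw_entry if its commands are not grouped in one subshell — its hunk shows only the tail of a `( ... )` group, so that case may already be covered. A cheap fix is to initialise `result=0` before the first iptables command and append `|| result=$?` to each of them, so the logged and returned value reflects any failure in the sequence. icmp_entry's body starts before this hunk.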
@@ -1,234 +0,0 @@ -#!/usr/bin/env bash -# $Id: firewall.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/firewall.sh $ -# firewall.sh -- allow some ports / protocols to vm instances -# -# -# @VERSION@ - -usage() { - printf "Usage: %s: (-A|-D) -i -r -P protocol (-p port_range | -t icmp_type_code) -l -d [-f -u -y -z ] \n" $(basename $0) >&2 -} - -cert="/root/.ssh/id_rsa.cloud" - -# set -x - -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - -get_dom0_ip () { - eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')" - return 0 -} - - -#Add the tcp firewall entries into iptables in the routing domain -tcp_entry() { - local dRIp=$1 - local instIp=$2 - local dport=$3 - local pubIp=$4 - local port=$5 - local op=$6 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto tcp -i eth2 -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables -t nat $op OUTPUT --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null; - iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null; - " - - return $? 
- -} - -#Add the udp firewall entries into iptables in the routing domain -udp_entry() { - local dRIp=$1 - local instIp=$2 - local dport=$3 - local pubIp=$4 - local port=$5 - local op=$6 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto udp -i eth2 -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables -t nat $op OUTPUT --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport -j ACCEPT > /dev/null; - " - - return $? - -} - -#Add the icmp firewall entries into iptables in the routing domain -icmp_entry() { - local dRIp=$1 - local instIp=$2 - local icmptype=$3 - local pubIp=$4 - local op=$5 - - ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\ - iptables -t nat $op PREROUTING --proto icmp -i eth2 -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null; - iptables -t nat $op OUTPUT --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null; - iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT > /dev/null; - " - - return $? 
- -} - -reverse_op() { - local op=$1 - - if [ "$op" == "-A" ] - then - echo "-D" - else - echo "-A" - fi -} - -rflag= -iflag= -Pflag= -pflag= -tflag= -lflag= -dflag= -oflag= -wflag= -xflag= -nflag= -Nflag= -op="" -oldPrivateIP="" -oldPrivatePort="" - -while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:' OPTION -do - case $OPTION in - A) Aflag=1 - op="-A" - ;; - D) Dflag=1 - op="-D" - ;; - i) iflag=1 - domRIp="$OPTARG" - ;; - r) rflag=1 - instanceIp="$OPTARG" - ;; - P) Pflag=1 - protocol="$OPTARG" - ;; - p) pflag=1 - ports="$OPTARG" - ;; - t) tflag=1 - icmptype="$OPTARG" - ;; - l) lflag=1 - publicIp="$OPTARG" - ;; - d) dflag=1 - dport="$OPTARG" - ;; - w) wflag=1 - oldPrivateIP="$OPTARG" - ;; - x) xflag=1 - oldPrivatePort="$OPTARG" - ;; - n) nflag=1 - domRName="$OPTARG" - ;; - N) Nflag=1 - netmask="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -# domRIp is guaranteed to be present at this point - -# Check if DomR is up and running. If not, exit with error code 1. -check_gw "$domRIp" -if [ $? -gt 0 ] -then - exit 1 -fi - -#Either the A flag or the D flag but not both -if [ "$Aflag$Dflag" != "1" ] -then - usage - exit 2 -fi - -#Either the tflag or the p flag but not both -if [ "$rflag$iflag$Pflag$pflag$tflag$lflag" != "11111" ] -then - usage - exit 2 -fi - -#Require -d with -p -if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ] -then - usage - exit 2 -fi - -reverseOp=$(reverse_op $op) - -case $protocol in - "tcp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - tcp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" - fi - - # Add/delete the new rule - tcp_entry $domRIp $instanceIp $dport $publicIp $ports $op - ;; - "udp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. 
- if [ "$oldPrivateIP" != "" ] - then - udp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D" - fi - - # Add/delete the new rule - udp_entry $domRIp $instanceIp $dport $publicIp $ports $op - ;; - "icmp") - # If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR. - if [ "$oldPrivateIP" != "" ] - then - icmp_entry $domRIp $oldPrivateIp $icmptype $publicIp "-D" - fi - - # Add/delete the new rule - icmp_entry $domRIp $instanceIp $icmptype $publicIp $op - ;; - *) - printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2 - exit 5 - ;; -esac - -exit 0 \ No newline at end of file diff --git a/scripts/network/domr/loadbalancer.sh b/scripts/network/domr/loadbalancer.sh deleted file mode 100755 index 9cc3b71c1d1..00000000000 --- a/scripts/network/domr/loadbalancer.sh +++ /dev/null 
@@ -1,213 +0,0 @@ -#!/usr/bin/env bash -# $Id: loadbalancer.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/loadbalancer.sh $ -# loadbalancer.sh -- reconfigure loadbalancer rules -# -# -# @VERSION@ - -usage() { - printf "Usage: %s: -i -a -d -f -r -u -y -z \n" $(basename $0) >&2 -} - - -# set -x -cert="/root/.ssh/id_rsa.cloud" - - -# check if gateway domain is up and running -check_gw() { - ping -c 1 -n -q $1 > /dev/null - if [ $? -gt 0 ] - then - sleep 1 - ping -c 1 -n -q $1 > /dev/null - fi - return $?; -} - - -#firewall entry to ensure that haproxy can receive on specified port -fw_entry() { - local domRIp=$1 - local added=$2 - local removed=$3 - - if [ "$added" == "none" ] - then - added="" - fi - - if [ "$removed" == "none" ] - then - removed="" - fi - - local a=$(echo $added | cut -d, -f1- --output-delimiter=" ") - local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ") - - for i in $a - do - local pubIp=$(echo $i | cut -d: -f1) - local dport=$(echo $i | cut -d: -f2) - local vlanNetmask=$(echo $i | cut -d: -f3) - - if [ "$domRIp" != "none" ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -D INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null - " - - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -A INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT - " - - if [ $? 
-gt 0 ] - then - exit 1 - fi - fi - - done - - for i in $r - do - local pubIp=$(echo $i | cut -d: -f1) - local dport=$(echo $i | cut -d: -f2) - local vlanNetmask=$(echo $i | cut -d: -f3) - - if [ "$domRIp" != "none" ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - iptables -D INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT - " - fi - - done - - return 0 -} - - -#Hot reconfigure HA Proxy in the routing domain -reconfig_lb() { - local domRIp=$1 - local cfg=$2 - - scp -P 3922 -q -o StrictHostKeyChecking=no -i $cert $cfg root@$domRIp:/etc/haproxy/haproxy.cfg.new - - if [ $? -eq 0 ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh - fi - - return $? -} - -# Restore the HA Proxy to its previous state, and revert iptables rules on DomR -restore_lb() { - local domRIp=$1 - - # Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\ - cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new - " - - # Run reconfigLB.sh again - if [ $? -eq 0 ] - then - ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh - fi -} - - -mflag= -iflag= -aflag= -dflag= -fflag= -op="" -addedIps="" -removedIps="" - -while getopts 'i:a:d:f:' OPTION -do - case $OPTION in - i) iflag=1 - domRIp="$OPTARG" - ;; - a) aflag=1 - addedIps="$OPTARG" - ;; - d) dflag=1 - removedIps="$OPTARG" - ;; - f) fflag=1 - cfgfile="$OPTARG" - ;; - ?) usage - exit 2 - ;; - esac -done - -# At this point, $domRIp is guaranteed to be either an IP address (if the DomR is running in the Management Server database), or "none" - -# If a DomR IP was passed in, check if DomR is up and running. If it isn't, exit 1. -if [ "$domRIp" != "none" ] -then - check_gw "$domRIp" - if [ $? -gt 0 ] - then - exit 1 - fi -fi - -# If a DomR IP was passed in, reconfigure the HA Proxy. 
-if [ "$domRIp" != "none" ] -then - if [ "$iflag$fflag" != "11" ] - then - usage - exit 2 - fi - - #hot reconfigure haproxy - reconfig_lb $domRIp $cfgfile - - if [ $? -gt 0 ] - then - printf "Reconfiguring loadbalancer failed\n" - exit 1 - fi - -fi - -if [ "$addedIps" == "" ] -then - addedIps="none" -fi - -if [ "$removedIps" == "" ] -then - removedIps="none" -fi - -# iptables entry to ensure that haproxy receives traffic -fw_entry $domRIp $addedIps $removedIps - -if [ $? -gt 0 ] -then - if [ "$domRIp" != "none" ] - then - # Restore the LB - restore_lb $domRIp - # Revert iptables rules on DomR, with addedIps and removedIps swapped (don't pass in firewall related values, since we only want to revert DomR) - fw_entry $domRIp $removedIps $addedIps - fi - - exit 1 -fi - -exit 0 - -