apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

bug 8370: pass in original params when calling delete during add

Browse Source 
status 8370: resolved fixed
This commit is contained in:
Chiradeep Vittal 2011-02-08 16:39:51 -08:00
parent 691a18340e
commit 10dc1c75d8
3 changed files with 14 additions and 454 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
patches/systemvm/debian/config/root/firewall.sh
View File

@ -36,11 +36,11 @@ tcp_or_udp_entry() {
local port=$4 local port=$4
local op=$5 local op=$5
local proto=$6 local proto=$6
logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
instance ip=$instIp proto=$proto port=$port dport=$dport op=$op" instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
#if adding, this might be a duplicate, so delete the old one first #if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport $publicIp $port "-D" $proto [ "$op" == "-A" ] && tcp_or_udp_entry $instIp $dport0 $publicIp $port "-D" $proto
# the delete operation may have errored out but the only possible reason is # the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place # that the rules didn't exist in the first place
local dev=$(ip_to_dev $publicIp) local dev=$(ip_to_dev $publicIp)
@ -57,7 +57,10 @@ tcp_or_udp_entry() {
(sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp \ (sudo iptables $op FORWARD -p $proto -s 0/0 -d $instIp \
--destination-port $dport0 -m state --state NEW -j ACCEPT &>> $OUTFILE) --destination-port $dport0 -m state --state NEW -j ACCEPT &>> $OUTFILE)
return $?
local result=$?
logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
return $result
} }
@ -68,7 +71,7 @@ icmp_entry() {
local publicIp=$3 local publicIp=$3
local op=$4 local op=$4
logger -t cloud "$(basename $0): port fwd entry for PAT: public ip=$publicIp \ logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
instance ip=$instIp proto=icmp port=$port dport=$dport op=$op" instance ip=$instIp proto=icmp port=$port dport=$dport op=$op"
#if adding, this might be a duplicate, so delete the old one first #if adding, this might be a duplicate, so delete the old one first
[ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D" [ "$op" == "-A" ] && icmp_entry $instIp $icmpType $publicIp "-D"
@ -80,7 +83,9 @@ icmp_entry() {
sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE sudo iptables -t nat $op OUTPUT --proto icmp -d $publicIp --icmp-type $icmptype -j DNAT --to-destination $instIp &>> $OUTFILE
sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE sudo iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT &>> $OUTFILE
return $? result=$?
logger -t cloud "$(basename $0): done port fwd entry for PAT: public ip=$publicIp op=$op result=$result"
return $result
} }
@ -91,7 +96,7 @@ one_to_one_fw_entry() {
local proto=$3 local proto=$3
local portRange=$4 local portRange=$4
local op=$5 local op=$5
logger -t cloud "$(basename $0): firewall entry for static nat: public ip=$publicIp \ logger -t cloud "$(basename $0): create firewall entry for static nat: public ip=$publicIp \
instance ip=$instIp proto=$proto portRange=$portRange op=$op" instance ip=$instIp proto=$proto portRange=$portRange op=$op"
#if adding, this might be a duplicate, so delete the old one first #if adding, this might be a duplicate, so delete the old one first
@ -111,7 +116,9 @@ one_to_one_fw_entry() {
--destination-port $portRange -m state \ --destination-port $portRange -m state \
--state NEW -j ACCEPT &>> $OUTFILE ) --state NEW -j ACCEPT &>> $OUTFILE )
return $? result=$?
logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"
return $result
} }

234
scripts/network/domr/firewall.sh
View File

@ -1,234 +0,0 @@
#!/usr/bin/env bash
# $Id: firewall.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/firewall.sh $
# firewall.sh -- allow some ports / protocols to vm instances
#
#
# @VERSION@
usage() {
printf "Usage: %s: (-A|-D) -i <domR eth1 ip> -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
}
cert="/root/.ssh/id_rsa.cloud"
# set -x
# check if gateway domain is up and running
check_gw() {
ping -c 1 -n -q $1 > /dev/null
if [ $? -gt 0 ]
then
sleep 1
ping -c 1 -n -q $1 > /dev/null
fi
return $?;
}
get_dom0_ip () {
eval "$1=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')"
return 0
}
#Add the tcp firewall entries into iptables in the routing domain
tcp_entry() {
local dRIp=$1
local instIp=$2
local dport=$3
local pubIp=$4
local port=$5
local op=$6
ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
iptables -t nat $op PREROUTING --proto tcp -i eth2 -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
iptables -t nat $op OUTPUT --proto tcp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
iptables $op FORWARD -p tcp -s 0/0 -d $instIp -m state --state ESTABLISHED,RELATED -j ACCEPT > /dev/null;
iptables $op FORWARD -p tcp -s 0/0 -d $instIp --destination-port $dport --syn -j ACCEPT > /dev/null;
"
return $?
}
#Add the udp firewall entries into iptables in the routing domain
udp_entry() {
local dRIp=$1
local instIp=$2
local dport=$3
local pubIp=$4
local port=$5
local op=$6
ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
iptables -t nat $op PREROUTING --proto udp -i eth2 -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
iptables -t nat $op OUTPUT --proto udp -d $pubIp --destination-port $port -j DNAT --to-destination $instIp:$dport >/dev/null;
iptables $op FORWARD -p udp -s 0/0 -d $instIp --destination-port $dport -j ACCEPT > /dev/null;
"
return $?
}
#Add the icmp firewall entries into iptables in the routing domain
icmp_entry() {
local dRIp=$1
local instIp=$2
local icmptype=$3
local pubIp=$4
local op=$5
ssh -p 3922 -o StrictHostKeyChecking=no -i $cert root@$dRIp "\
iptables -t nat $op PREROUTING --proto icmp -i eth2 -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp >/dev/null;
iptables -t nat $op OUTPUT --proto icmp -d $pubIp --icmp-type $icmptype -j DNAT --to-destination $instIp:$dport >/dev/null;
iptables $op FORWARD -p icmp -s 0/0 -d $instIp --icmp-type $icmptype -j ACCEPT > /dev/null;
"
return $?
}
reverse_op() {
local op=$1
if [ "$op" == "-A" ]
then
echo "-D"
else
echo "-A"
fi
}
rflag=
iflag=
Pflag=
pflag=
tflag=
lflag=
dflag=
oflag=
wflag=
xflag=
nflag=
Nflag=
op=""
oldPrivateIP=""
oldPrivatePort=""
while getopts 'ADr:i:P:p:t:l:d:w:x:n:N:' OPTION
do
case $OPTION in
A) Aflag=1
op="-A"
;;
D) Dflag=1
op="-D"
;;
i) iflag=1
domRIp="$OPTARG"
;;
r) rflag=1
instanceIp="$OPTARG"
;;
P) Pflag=1
protocol="$OPTARG"
;;
p) pflag=1
ports="$OPTARG"
;;
t) tflag=1
icmptype="$OPTARG"
;;
l) lflag=1
publicIp="$OPTARG"
;;
d) dflag=1
dport="$OPTARG"
;;
w) wflag=1
oldPrivateIP="$OPTARG"
;;
x) xflag=1
oldPrivatePort="$OPTARG"
;;
n) nflag=1
domRName="$OPTARG"
;;
N) Nflag=1
netmask="$OPTARG"
;;
?) usage
exit 2
;;
esac
done
# domRIp is guaranteed to be present at this point
# Check if DomR is up and running. If not, exit with error code 1.
check_gw "$domRIp"
if [ $? -gt 0 ]
then
exit 1
fi
#Either the A flag or the D flag but not both
if [ "$Aflag$Dflag" != "1" ]
then
usage
exit 2
fi
#Either the tflag or the p flag but not both
if [ "$rflag$iflag$Pflag$pflag$tflag$lflag" != "11111" ]
then
usage
exit 2
fi
#Require -d with -p
if [ "$pflag$dflag" != 11 -a "$pflag$dflag" != "" ]
then
usage
exit 2
fi
reverseOp=$(reverse_op $op)
case $protocol in
"tcp")
# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR.
if [ "$oldPrivateIP" != "" ]
then
tcp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D"
fi
# Add/delete the new rule
tcp_entry $domRIp $instanceIp $dport $publicIp $ports $op
;;
"udp")
# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR.
if [ "$oldPrivateIP" != "" ]
then
udp_entry $domRIp $oldPrivateIP $oldPrivatePort $publicIp $ports "-D"
fi
# Add/delete the new rule
udp_entry $domRIp $instanceIp $dport $publicIp $ports $op
;;
"icmp")
# If oldPrivateIP was passed in, this is an update. Delete the old rule from DomR.
if [ "$oldPrivateIP" != "" ]
then
icmp_entry $domRIp $oldPrivateIp $icmptype $publicIp "-D"
fi
# Add/delete the new rule
icmp_entry $domRIp $instanceIp $icmptype $publicIp $op
;;
*)
printf "Invalid protocol-- must be tcp, udp or icmp\n" >&2
exit 5
;;
esac
exit 0

213
scripts/network/domr/loadbalancer.sh
View File

@ -1,213 +0,0 @@
#!/usr/bin/env bash
# $Id: loadbalancer.sh 9804 2010-06-22 18:36:49Z alex $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/scripts/network/domr/loadbalancer.sh $
# loadbalancer.sh -- reconfigure loadbalancer rules
#
#
# @VERSION@
usage() {
printf "Usage: %s: -i <domR eth1 ip> -a <added public ip address> -d <removed> -f <load balancer config> -r <firewall IP> -u <firewall username> -y <firewall password> -z <firewall enable password> \n" $(basename $0) >&2
}
# set -x
cert="/root/.ssh/id_rsa.cloud"
# check if gateway domain is up and running
check_gw() {
ping -c 1 -n -q $1 > /dev/null
if [ $? -gt 0 ]
then
sleep 1
ping -c 1 -n -q $1 > /dev/null
fi
return $?;
}
#firewall entry to ensure that haproxy can receive on specified port
fw_entry() {
local domRIp=$1
local added=$2
local removed=$3
if [ "$added" == "none" ]
then
added=""
fi
if [ "$removed" == "none" ]
then
removed=""
fi
local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
for i in $a
do
local pubIp=$(echo $i | cut -d: -f1)
local dport=$(echo $i | cut -d: -f2)
local vlanNetmask=$(echo $i | cut -d: -f3)
if [ "$domRIp" != "none" ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
iptables -D INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
"
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
iptables -A INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT
"
if [ $? -gt 0 ]
then
exit 1
fi
fi
done
for i in $r
do
local pubIp=$(echo $i | cut -d: -f1)
local dport=$(echo $i | cut -d: -f2)
local vlanNetmask=$(echo $i | cut -d: -f3)
if [ "$domRIp" != "none" ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
iptables -D INPUT -i eth2 -p tcp -d $pubIp --dport $dport -j ACCEPT
"
fi
done
return 0
}
#Hot reconfigure HA Proxy in the routing domain
reconfig_lb() {
local domRIp=$1
local cfg=$2
scp -P 3922 -q -o StrictHostKeyChecking=no -i $cert $cfg root@$domRIp:/etc/haproxy/haproxy.cfg.new
if [ $? -eq 0 ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh
fi
return $?
}
# Restore the HA Proxy to its previous state, and revert iptables rules on DomR
restore_lb() {
local domRIp=$1
# Copy the old version of haproxy.cfg into the file that reconfigLB.sh uses
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp "\
cp /etc/haproxy/haproxy.cfg.old /etc/haproxy/haproxy.cfg.new
"
# Run reconfigLB.sh again
if [ $? -eq 0 ]
then
ssh -p 3922 -q -o StrictHostKeyChecking=no -i $cert root@$domRIp /root/reconfigLB.sh
fi
}
mflag=
iflag=
aflag=
dflag=
fflag=
op=""
addedIps=""
removedIps=""
while getopts 'i:a:d:f:' OPTION
do
case $OPTION in
i) iflag=1
domRIp="$OPTARG"
;;
a) aflag=1
addedIps="$OPTARG"
;;
d) dflag=1
removedIps="$OPTARG"
;;
f) fflag=1
cfgfile="$OPTARG"
;;
?) usage
exit 2
;;
esac
done
# At this point, $domRIp is guaranteed to be either an IP address (if the DomR is running in the Management Server database), or "none"
# If a DomR IP was passed in, check if DomR is up and running. If it isn't, exit 1.
if [ "$domRIp" != "none" ]
then
check_gw "$domRIp"
if [ $? -gt 0 ]
then
exit 1
fi
fi
# If a DomR IP was passed in, reconfigure the HA Proxy.
if [ "$domRIp" != "none" ]
then
if [ "$iflag$fflag" != "11" ]
then
usage
exit 2
fi
#hot reconfigure haproxy
reconfig_lb $domRIp $cfgfile
if [ $? -gt 0 ]
then
printf "Reconfiguring loadbalancer failed\n"
exit 1
fi
fi
if [ "$addedIps" == "" ]
then
addedIps="none"
fi
if [ "$removedIps" == "" ]
then
removedIps="none"
fi
# iptables entry to ensure that haproxy receives traffic
fw_entry $domRIp $addedIps $removedIps
if [ $? -gt 0 ]
then
if [ "$domRIp" != "none" ]
then
# Restore the LB
restore_lb $domRIp
# Revert iptables rules on DomR, with addedIps and removedIps swapped (don't pass in firewall related values, since we only want to revert DomR)
fw_entry $domRIp $removedIps $addedIps
fi
exit 1
fi
exit 0