apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-11-02 20:02:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert "bug 10561: Allowing ICMP traffic through static NAT"

Browse Source 
This reverts commit 5e74e24bb359456967866cb2c6cc0f6f73570f97.
This commit is contained in:
Naredula Janardhana Reddy 2011-08-09 00:08:07 +05:30 committed by Chiradeep Vittal
parent 94861ecf4a
commit 12cadca538
2 changed files with 3 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
patches/systemvm/debian/config/root/firewall.sh
View File

@ -126,22 +126,12 @@ one_to_one_fw_entry() {
# shortcircuit the process if error and it is an append operation
# continue if it is delete
if [ $proto == "icmp" ]
then
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
-j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
-m state \
--state NEW -j ACCEPT &>> $OUTFILE )
else
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
(sudo iptables -t nat $op PREROUTING -i $dev -d $publicIp --proto $proto \
--destination-port $portRange -j DNAT \
--to-destination $instIp &>> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
(sudo iptables $op FORWARD -i $dev -o eth0 -d $instIp --proto $proto \
--destination-port $portRange -m state \
--state NEW -j ACCEPT &>> $OUTFILE )
fi
result=$?
logger -t cloud "$(basename $0): done firewall entry public ip=$publicIp op=$op result=$result"

44
server/src/com/cloud/network/rules/RulesManagerImpl.java
View File

@ -424,28 +424,8 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
ipAddress.setOneToOneNat(true);
ipAddress.setAssociatedWithVmId(vmId);
if ( _ipAddressDao.update(ipAddress.getId(), ipAddress))
{
List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
networkId,vm.getAccountId(), vm.getDomainId(), Purpose.StaticNat);
return _ipAddressDao.update(ipAddress.getId(), ipAddress);
staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
try {
if (!applyRules(staticNatRules, true)) {
return false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
return false;
}
return true;
}
return false;
}
@DB
@ -1121,29 +1101,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
s_logger.warn("Unable to revoke all static nat rules for ip " + ipAddress);
success = false;
}
if (success)
{
long vmId = ipAddress.getAssociatedWithVmId();
Nic guestNic = _networkMgr.getNicInNetwork(vmId, ipAddress.getAssociatedWithNetworkId());
if (guestNic == null) {
throw new InvalidParameterValueException("Vm doesn't belong to the network " + ipAddress.getAssociatedWithNetworkId());
}
List<StaticNatRule> staticNatRules = new ArrayList<StaticNatRule>();
FirewallRuleVO ruleVO = new FirewallRuleVO(null, ipAddress.getId(), 0, 0, "icmp",
ipAddress.getAssociatedWithNetworkId(),ipAddress.getAccountId(), ipAddress.getDomainId(), Purpose.StaticNat);
ruleVO.setState(State.Revoke);
staticNatRules.add(new StaticNatRuleImpl(ruleVO, guestNic.getIp4Address()));
try {
if (!applyRules(staticNatRules, true)) {
return false;
}
} catch (ResourceUnavailableException ex) {
s_logger.warn("Failed to apply icmp firewall rules due to ", ex);
return false;
}
}
if (success) {
ipAddress.setOneToOneNat(false);
ipAddress.setAssociatedWithVmId(null);