apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

need to insert iptable rules into FORWARD chain instead of append, as on rhel6, there is a reject rule added at the end of FORWARD

Browse Source
This commit is contained in:
Edison Su 2011-05-13 16:05:07 -04:00
parent 46e40cab3f
commit 29c510de28
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
python/lib/cloudutils/serviceConfig.py
View File

@ -73,7 +73,8 @@ class networkConfigBase:
preCfged = False
for br in self.syscfg.env.nics:
if not self.netcfg.isNetworkDev(br):
raise CloudInternalException("%s is not a network device, is it down?"%br)
logging.debug("%s is not a network device, is it down?"%br)
return False
if not self.netcfg.isBridge(br):
raise CloudInternalException("%s is not a bridge"%br)
preCfged = True

9
scripts/vm/network/security_group.py
View File

@ -591,15 +591,16 @@ def addFWFramework(brname):
try:
refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
if refs == "0":
execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
execute("iptables -I FORWARD -i " + brname + " -j DROP")
execute("iptables -I FORWARD -o " + brname + " -j DROP")
execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
execute("iptables -A FORWARD -i " + brname + " -j DROP")
execute("iptables -A FORWARD -o " + brname + " -j DROP")
return True
except: