mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
add security group for direct tagged vlan
This commit is contained in:
Edison Su
parent
cc77245a80
commit
37cb0ae2c9
@ -1500,7 +1500,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
private AttachVolumeAnswer execute(AttachVolumeCommand cmd) {
|
||||
try {
|
||||
Connect conn = LibvirtConnection.getConnection();
|
||||
attachOrDetachDisk(conn, cmd.getAttach(), cmd.getVmName(), cmd.getVolumePath());
|
||||
attachOrDetachDisk(conn, cmd.getAttach(), cmd.getVmName(), cmd.getVolumePath(), cmd.getDeviceId().intValue());
|
||||
} catch (LibvirtException e) {
|
||||
return new AttachVolumeAnswer(cmd, e.toString());
|
||||
} catch (InternalErrorException e) {
|
||||
@ -1766,12 +1766,12 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
|
||||
String xml = dm.getXMLDesc(0);
|
||||
parser.parseDomainXML(xml);
|
||||
List<String> nics = parser.getInterfaces();
|
||||
List<InterfaceDef> nics = parser.getInterfaces();
|
||||
if (nics.size() != 3) {
|
||||
return new Answer(cmd, false, vmName + " doesn't have public nic");
|
||||
}
|
||||
String pubNic = nics.get(2);
|
||||
Pair<Double, Double> nicStats = getNicStats(pubNic);
|
||||
InterfaceDef pubNic = nics.get(2);
|
||||
Pair<Double, Double> nicStats = getNicStats(pubNic.getBrName());
|
||||
/*Note: received means bytes received by all the vms, but from host kernel's pov, it's tx*/
|
||||
return new NetworkUsageAnswer(cmd, "", nicStats.first().longValue(), nicStats.second().longValue());
|
||||
} catch (LibvirtException e) {
|
||||
@ -2045,20 +2045,29 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
startDomain(conn, vmName, vm.toString());
|
||||
|
||||
if (vmSpec.getType() != VirtualMachine.Type.User) {
|
||||
default_network_rules_for_systemvm(vmName);
|
||||
default_network_rules_for_systemvm(vmName);
|
||||
} else {
|
||||
NicTO[] nics = vmSpec.getNics();
|
||||
List<InterfaceDef> vifs = getInterfaces(conn, vmName);
|
||||
StringBuilder rules = new StringBuilder();
|
||||
|
||||
for (NicTO nic : nics) {
|
||||
if (nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
|
||||
default_network_rules(vmName, vmSpec.getNics()[0].getIp(), vmSpec.getId(), vmSpec.getNics()[0].getMac());
|
||||
if (nic.getIsolationUri() != null ) {
|
||||
if (nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString()) ||
|
||||
nic.getType() == TrafficType.Public) {
|
||||
rules.append(nic.getIp() + "," + nic.getMac() + "," + vifs.get(nic.getDeviceId()).getDevName() + ";") ;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (rules.toString() != null)
|
||||
default_network_rules(vmName, vmSpec.getId(), rules.toString());
|
||||
}
|
||||
|
||||
// Attach each data volume to the VM, if there is a deferred attached disk
|
||||
for (DiskDef disk : vm.getDevices().getDisks()) {
|
||||
if (disk.isAttachDeferred()) {
|
||||
attachOrDetachDisk(conn, true, vmName, disk.getDiskPath());
|
||||
attachOrDetachDisk(conn, true, vmName, disk.getDiskPath(), disk.getDiskSeq());
|
||||
}
|
||||
}
|
||||
state = State.Running;
|
||||
@ -2247,16 +2256,15 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
return attachOrDetachDevice(conn, true, vmName, isoXml);
|
||||
}
|
||||
|
||||
protected synchronized String attachOrDetachDisk(Connect conn, boolean attach, String vmName, String sourceFile) throws LibvirtException, InternalErrorException {
|
||||
String diskDev = null;
|
||||
SortedMap<String, String> diskMaps = null;
|
||||
protected synchronized String attachOrDetachDisk(Connect conn, boolean attach, String vmName, String sourceFile, int devId) throws LibvirtException, InternalErrorException {
|
||||
List<DiskDef> disks = null;
|
||||
Domain dm = null;
|
||||
try {
|
||||
dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
|
||||
LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
|
||||
String xml = dm.getXMLDesc(0);
|
||||
parser.parseDomainXML(xml);
|
||||
diskMaps = parser.getDiskMaps();
|
||||
disks = parser.getDisks();
|
||||
} catch (LibvirtException e) {
|
||||
throw e;
|
||||
} finally {
|
||||
@ -2265,32 +2273,26 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
}
|
||||
}
|
||||
|
||||
if (attach) {
|
||||
diskDev = diskMaps.lastKey();
|
||||
/*Find the latest disk dev, and add 1 on it: e.g. if we already attach sdc to a vm, the next disk dev is sdd*/
|
||||
diskDev = diskDev.substring(0, diskDev.length() - 1) + (char)(diskDev.charAt(diskDev.length() -1) + 1);
|
||||
} else {
|
||||
Set<Map.Entry<String, String>> entrySet = diskMaps.entrySet();
|
||||
Iterator<Map.Entry<String, String>> itr = entrySet.iterator();
|
||||
while (itr.hasNext()) {
|
||||
Map.Entry<String, String> entry = itr.next();
|
||||
if ((entry.getValue() != null) && (entry.getValue().equalsIgnoreCase(sourceFile))) {
|
||||
diskDev = entry.getKey();
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!attach) {
|
||||
boolean diskAttached = false;
|
||||
|
||||
for (DiskDef disk : disks) {
|
||||
if (disk.getDiskPath().equalsIgnoreCase(sourceFile)) {
|
||||
devId = disk.getDiskSeq();
|
||||
diskAttached = true;
|
||||
}
|
||||
}
|
||||
if (!diskAttached) {
|
||||
throw new InternalErrorException("disk: " + sourceFile + " is not attached before");
|
||||
}
|
||||
}
|
||||
|
||||
if (diskDev == null) {
|
||||
s_logger.warn("Can't get disk dev");
|
||||
return "Can't get disk dev";
|
||||
}
|
||||
DiskDef disk = new DiskDef();
|
||||
String guestOSType = getGuestType(conn, vmName);
|
||||
if (isGuestPVEnabled(guestOSType)) {
|
||||
disk.defFileBasedDisk(sourceFile, diskDev, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
|
||||
disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
|
||||
} else {
|
||||
disk.defFileBasedDisk(sourceFile, diskDev, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
|
||||
disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
|
||||
}
|
||||
String xml = disk.toString();
|
||||
return attachOrDetachDevice(conn, attach, vmName, xml);
|
||||
@ -2993,18 +2995,20 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
return conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
|
||||
}
|
||||
|
||||
private List<String> getInterfaces(Connect conn, String vmName) {
|
||||
private List<InterfaceDef> getInterfaces(Connect conn, String vmName) {
|
||||
LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
|
||||
Domain dm = null;
|
||||
try {
|
||||
dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
|
||||
parser.parseDomainXML(dm.getXMLDesc(0));
|
||||
return parser.getInterfaces();
|
||||
|
||||
} catch (LibvirtException e) {
|
||||
s_logger.debug("Failed to get dom xml: " + e.toString());
|
||||
return new ArrayList<String>();
|
||||
return new ArrayList<InterfaceDef>();
|
||||
} catch (Exception e) {
|
||||
s_logger.debug("Failed to get dom xml: " + e.toString());
|
||||
return new ArrayList<String>();
|
||||
return new ArrayList<InterfaceDef>();
|
||||
} finally {
|
||||
try {
|
||||
if (dm != null) {
|
||||
@ -3014,7 +3018,6 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
|
||||
}
|
||||
}
|
||||
return parser.getInterfaces();
|
||||
}
|
||||
|
||||
private String executeBashScript(String script) {
|
||||
@ -3091,11 +3094,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
|
||||
/*get network stats*/
|
||||
|
||||
List<String> vifs = getInterfaces(conn, vmName);
|
||||
List<InterfaceDef> vifs = getInterfaces(conn, vmName);
|
||||
long rx = 0;
|
||||
long tx = 0;
|
||||
for (String vif : vifs) {
|
||||
DomainInterfaceStats ifStats = dm.interfaceStats(vif);
|
||||
for (InterfaceDef vif : vifs) {
|
||||
DomainInterfaceStats ifStats = dm.interfaceStats(vif.getDevName());
|
||||
rx += ifStats.rx_bytes;
|
||||
tx += ifStats.tx_bytes;
|
||||
}
|
||||
@ -3145,16 +3148,15 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean default_network_rules(String vmName, String pubIP, long vmId, String mac) {
|
||||
private boolean default_network_rules(String vmName, long vmId, String rules) {
|
||||
if (!_can_bridge_firewall) {
|
||||
return false;
|
||||
}
|
||||
Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
|
||||
cmd.add("default_network_rules");
|
||||
cmd.add("--vmname", vmName);
|
||||
cmd.add("--vmip", pubIP);
|
||||
cmd.add("--rules", rules);
|
||||
cmd.add("--vmid", Long.toString(vmId));
|
||||
cmd.add("--vmmac", mac);
|
||||
|
||||
String result = cmd.execute();
|
||||
if (result != null) {
|
||||
|
||||
@ -17,97 +17,152 @@
|
||||
*/
|
||||
package com.cloud.agent.resource.computing;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.StringReader;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.SortedMap;
|
||||
import java.util.TreeMap;
|
||||
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.Node;
|
||||
import org.w3c.dom.NodeList;
|
||||
import org.xml.sax.Attributes;
|
||||
import org.xml.sax.InputSource;
|
||||
import org.xml.sax.SAXException;
|
||||
|
||||
import com.cloud.agent.resource.computing.LibvirtVMDef.DiskDef;
|
||||
import com.cloud.agent.resource.computing.LibvirtVMDef.InterfaceDef;
|
||||
import com.cloud.agent.resource.computing.LibvirtVMDef.InterfaceDef.nicModel;
|
||||
|
||||
/**
|
||||
* @author chiradeep
|
||||
*
|
||||
*/
|
||||
public class LibvirtDomainXMLParser extends LibvirtXMLParser {
|
||||
|
||||
private final ArrayList<String> interfaces = new ArrayList<String>();
|
||||
private final SortedMap<String, String> diskMaps = new TreeMap<String, String>();
|
||||
|
||||
private boolean _interface;
|
||||
private boolean _disk;
|
||||
private boolean _desc;
|
||||
public class LibvirtDomainXMLParser {
|
||||
private static final Logger s_logger = Logger.getLogger(LibvirtDomainXMLParser.class);
|
||||
private final List<InterfaceDef> interfaces = new ArrayList<InterfaceDef>();
|
||||
private final List<DiskDef> diskDefs = new ArrayList<DiskDef>();
|
||||
private Integer vncPort;
|
||||
private String diskDev;
|
||||
private String diskFile;
|
||||
private String desc;
|
||||
|
||||
public boolean parseDomainXML(String domXML) {
|
||||
DocumentBuilder builder;
|
||||
try {
|
||||
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
||||
|
||||
InputSource is = new InputSource();
|
||||
is.setCharacterStream(new StringReader(domXML));
|
||||
Document doc = builder.parse(is);
|
||||
|
||||
Element rootElement = doc.getDocumentElement();
|
||||
|
||||
desc = getTagValue("description", rootElement);
|
||||
|
||||
Element devices = (Element)rootElement.getElementsByTagName("devices").item(0);
|
||||
NodeList disks = devices.getElementsByTagName("disk");
|
||||
for (int i = 0; i < disks.getLength(); i++) {
|
||||
Element disk = (Element)disks.item(i);
|
||||
String diskFmtType = getAttrValue("driver", "type", disk);
|
||||
String diskFile = getAttrValue("source", "file", disk);
|
||||
String diskLabel = getAttrValue("target", "dev", disk);
|
||||
String bus = getAttrValue("target", "bus", disk);
|
||||
String type = disk.getAttribute("type");
|
||||
String device = disk.getAttribute("device");
|
||||
|
||||
DiskDef def = new DiskDef();
|
||||
if (type.equalsIgnoreCase("file")) {
|
||||
if (device.equalsIgnoreCase("disk")) {
|
||||
DiskDef.diskFmtType fmt = null;
|
||||
if (diskFmtType != null) {
|
||||
fmt = DiskDef.diskFmtType.valueOf(diskFmtType.toUpperCase());
|
||||
}
|
||||
def.defFileBasedDisk(diskFile, diskLabel, DiskDef.diskBus.valueOf(bus.toUpperCase()), fmt);
|
||||
} else if (device.equalsIgnoreCase("cdrom")) {
|
||||
def.defISODisk(diskFile);
|
||||
}
|
||||
}
|
||||
diskDefs.add(def);
|
||||
}
|
||||
|
||||
NodeList nics = devices.getElementsByTagName("interface");
|
||||
for (int i = 0; i < nics.getLength(); i++ ) {
|
||||
Element nic = (Element)nics.item(i);
|
||||
|
||||
String type = nic.getAttribute("type");
|
||||
String mac = getAttrValue("mac", "address", nic);
|
||||
String dev = getAttrValue("target", "dev", nic);
|
||||
String model = getAttrValue("model", "type", nic);
|
||||
InterfaceDef def = new InterfaceDef();
|
||||
|
||||
if (type.equalsIgnoreCase("network")) {
|
||||
String network = getAttrValue("source", "network", nic);
|
||||
def.defPrivateNet(network, dev, mac, nicModel.valueOf(model.toUpperCase()));
|
||||
} else if (type.equalsIgnoreCase("bridge")) {
|
||||
String bridge = getAttrValue("source", "bridge", nic);
|
||||
def.defBridgeNet(bridge, dev, mac, nicModel.valueOf(model.toUpperCase()));
|
||||
}
|
||||
interfaces.add(def);
|
||||
}
|
||||
|
||||
Element graphic = (Element)devices.getElementsByTagName("graphics").item(0);
|
||||
String port = graphic.getAttribute("port");
|
||||
if (port != null) {
|
||||
try {
|
||||
vncPort = Integer.parseInt(port);
|
||||
if (vncPort != -1) {
|
||||
vncPort = vncPort - 5900;
|
||||
} else {
|
||||
vncPort = null;
|
||||
}
|
||||
}catch (NumberFormatException nfe){
|
||||
vncPort = null;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
} catch (ParserConfigurationException e) {
|
||||
s_logger.debug(e.toString());
|
||||
} catch (SAXException e) {
|
||||
s_logger.debug(e.toString());
|
||||
} catch (IOException e) {
|
||||
s_logger.debug(e.toString());
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private static String getTagValue(String tag, Element eElement){
|
||||
NodeList nlList= eElement.getElementsByTagName(tag).item(0).getChildNodes();
|
||||
Node nValue = (Node) nlList.item(0);
|
||||
|
||||
return nValue.getNodeValue();
|
||||
}
|
||||
|
||||
private static String getAttrValue(String tag, String attr, Element eElement){
|
||||
NodeList tagNode = eElement.getElementsByTagName(tag);
|
||||
if (tagNode.getLength() == 0) {
|
||||
return null;
|
||||
}
|
||||
Element node = (Element)tagNode.item(0);
|
||||
return node.getAttribute(attr);
|
||||
}
|
||||
|
||||
public Integer getVncPort() {
|
||||
return vncPort;
|
||||
}
|
||||
|
||||
public void characters(char[] ch, int start, int length) throws SAXException {
|
||||
if (_desc) {
|
||||
desc = new String(ch, start, length);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void startElement(String uri, String localName, String qName,
|
||||
Attributes attributes) throws SAXException {
|
||||
if(qName.equalsIgnoreCase("interface")) {
|
||||
_interface = true;
|
||||
} else if (qName.equalsIgnoreCase("target")){
|
||||
if (_interface)
|
||||
interfaces.add(attributes.getValue("dev"));
|
||||
else if (_disk)
|
||||
diskDev = attributes.getValue("dev");
|
||||
} else if (qName.equalsIgnoreCase("source")){
|
||||
if (_disk)
|
||||
diskFile = attributes.getValue("file");
|
||||
} else if (qName.equalsIgnoreCase("disk")) {
|
||||
_disk = true;
|
||||
} else if (qName.equalsIgnoreCase("graphics")) {
|
||||
String port = attributes.getValue("port");
|
||||
if (port != null) {
|
||||
try {
|
||||
vncPort = Integer.parseInt(port);
|
||||
if (vncPort != -1) {
|
||||
vncPort = vncPort - 5900;
|
||||
} else {
|
||||
vncPort = null;
|
||||
}
|
||||
}catch (NumberFormatException nfe){
|
||||
vncPort = null;
|
||||
}
|
||||
}
|
||||
} else if (qName.equalsIgnoreCase("description")) {
|
||||
_desc = true;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void endElement(String uri, String localName, String qName)
|
||||
throws SAXException {
|
||||
|
||||
if(qName.equalsIgnoreCase("interface")) {
|
||||
_interface = false;
|
||||
} else if (qName.equalsIgnoreCase("disk")) {
|
||||
diskMaps.put(diskDev, diskFile);
|
||||
_disk = false;
|
||||
diskFile = null;
|
||||
diskDev = null;
|
||||
} else if (qName.equalsIgnoreCase("description")) {
|
||||
_desc = false;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public ArrayList<String> getInterfaces() {
|
||||
public List<InterfaceDef> getInterfaces() {
|
||||
return interfaces;
|
||||
}
|
||||
|
||||
public SortedMap<String, String> getDiskMaps() {
|
||||
return diskMaps;
|
||||
public List<DiskDef> getDisks() {
|
||||
return diskDefs;
|
||||
}
|
||||
|
||||
public String getDescription() {
|
||||
@ -140,6 +195,7 @@ public class LibvirtDomainXMLParser extends LibvirtXMLParser {
|
||||
"<devices>"+
|
||||
"<emulator>/usr/bin/qemu-kvm</emulator>"+
|
||||
"<disk type='file' device='disk'>"+
|
||||
"<driver name='qemu' type='raw'/>"+
|
||||
"<source file='/mnt/tank//vmops/CV/vm/u000004/r000006/rootdisk'/>"+
|
||||
"<target dev='hda' bus='ide'/>"+
|
||||
"</disk>"+
|
||||
@ -170,9 +226,12 @@ public class LibvirtDomainXMLParser extends LibvirtXMLParser {
|
||||
"</domain>"
|
||||
|
||||
);
|
||||
for (String intf: parser.getInterfaces()){
|
||||
for (InterfaceDef intf: parser.getInterfaces()){
|
||||
System.out.println(intf);
|
||||
}
|
||||
for (DiskDef disk : parser.getDisks()) {
|
||||
System.out.println(disk);
|
||||
}
|
||||
System.out.println(parser.getVncPort());
|
||||
System.out.println(parser.getDescription());
|
||||
}
|
||||
|
||||
@ -483,6 +483,9 @@ public class LibvirtVMDef {
|
||||
public guestNetType getNetType() {
|
||||
return _netType;
|
||||
}
|
||||
public String getDevName() {
|
||||
return _networkName;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
|
||||
@ -156,9 +156,10 @@ def destroy_ebtables_rules(vm_name):
|
||||
except:
|
||||
logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_name)
|
||||
|
||||
def default_ebtables_rules(vm_name, vif, vm_ip, vm_mac):
|
||||
def default_ebtables_rules(vm_name, rules):
|
||||
vmchain_in = vm_name + "-in"
|
||||
vmchain_out = vm_name + "-out"
|
||||
rule = rules.split(";")[:-1]
|
||||
|
||||
for chain in [vmchain_in, vmchain_out]:
|
||||
try:
|
||||
@ -168,30 +169,39 @@ def default_ebtables_rules(vm_name, vif, vm_ip, vm_mac):
|
||||
|
||||
try:
|
||||
# -s ! 52:54:0:56:44:32 -j DROP
|
||||
execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
|
||||
execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
|
||||
for r in rule:
|
||||
vif = r.split(",")[2]
|
||||
execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
|
||||
execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
|
||||
except:
|
||||
logging.debug("Failed to program default rules")
|
||||
return 'false'
|
||||
|
||||
try:
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -s ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
|
||||
for r in rule:
|
||||
vm_ip = r.split(",")[0]
|
||||
vm_mac = r.split(",")[1]
|
||||
vif = r.split(",")[2]
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -s ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
|
||||
except:
|
||||
logging.exception("Failed to program default ebtables IN rules")
|
||||
return 'false'
|
||||
|
||||
try:
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")
|
||||
for r in rule:
|
||||
vm_ip = r.split(",")[0]
|
||||
vm_mac = r.split(",")[1]
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")
|
||||
execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")
|
||||
except:
|
||||
logging.debug("Failed to program default ebtables OUT rules")
|
||||
return 'false'
|
||||
@ -225,10 +235,7 @@ def default_network_rules_systemvm(vm_name):
|
||||
return 'true'
|
||||
|
||||
|
||||
def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
|
||||
print vm_name
|
||||
print vm_ip
|
||||
print vm_mac
|
||||
def default_network_rules(vm_name, vm_id, rules):
|
||||
vmName = vm_name
|
||||
domID = getvmId(vm_name)
|
||||
delete_rules_for_vm_in_bridge_firewall_chain(vmName)
|
||||
@ -236,8 +243,6 @@ def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
|
||||
vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def"
|
||||
|
||||
destroy_ebtables_rules(vmName)
|
||||
|
||||
vifs = getVifs(vmName)
|
||||
|
||||
try:
|
||||
execute("iptables -N " + vmchain)
|
||||
@ -249,29 +254,35 @@ def default_network_rules(vm_name, vm_ip, vm_id, vm_mac):
|
||||
except:
|
||||
execute("iptables -F " + vmchain_default)
|
||||
|
||||
rule = rules.split(";")[:-1]
|
||||
try:
|
||||
for v in vifs:
|
||||
execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-out " + v + " -j " + vmchain_default)
|
||||
execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-in " + v + " -j " + vmchain_default)
|
||||
for r in rule:
|
||||
vif = r.split(",")[2]
|
||||
execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain_default)
|
||||
execute("iptables -A BRIDGE-FIREWALL -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain_default)
|
||||
execute("iptables -A " + vmchain_default + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
|
||||
#allow dhcp
|
||||
for v in vifs:
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + v + " -p udp --dport 67 --sport 68 -j ACCEPT")
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + v + " -p udp --dport 68 --sport 67 -j ACCEPT")
|
||||
for r in rule:
|
||||
vif = r.split(",")[2]
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -p udp --dport 67 --sport 68 -j ACCEPT")
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -p udp --dport 68 --sport 67 -j ACCEPT")
|
||||
|
||||
#don't let vm spoof its ip address
|
||||
for v in vifs:
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + v + " --source " + vm_ip + " -j RETURN")
|
||||
for r in rule:
|
||||
vmip = r.split(",")[0]
|
||||
vif = r.split(",")[2]
|
||||
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " --source " + vmip + " -j ACCEPT")
|
||||
execute("iptables -A " + vmchain_default + " -j " + vmchain)
|
||||
except:
|
||||
logging.debug("Failed to program default rules for vm " + vm_name)
|
||||
return 'false'
|
||||
|
||||
for v in vifs:
|
||||
default_ebtables_rules(vmchain, v, vm_ip, vm_mac)
|
||||
default_ebtables_rules(vmchain, rules)
|
||||
|
||||
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domID, '_initial_', '-1') == False:
|
||||
logging.debug("Failed to log default network rules, ignoring")
|
||||
for r in rule:
|
||||
vm_ip = r.split(",")[0]
|
||||
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domID, '_initial_', '-1') == False:
|
||||
logging.debug("Failed to log default network rules, ignoring")
|
||||
|
||||
logging.debug("Programmed default rules for vm " + vm_name)
|
||||
return 'true'
|
||||
@ -385,7 +396,7 @@ def check_rule_log_for_vm(vmName, vmId, vmIP, domID, signature, seqno):
|
||||
lines = (line.rstrip() for line in open(logfilename))
|
||||
except:
|
||||
logging.debug("failed to open " + logfilename)
|
||||
return False
|
||||
return [True, True, True, True, True, True]
|
||||
|
||||
[_vmName,_vmID,_vmIP,_domID,_signature,_seqno] = ['_', '-1', '_', '-1', '_', '-1']
|
||||
try:
|
||||
@ -395,7 +406,7 @@ def check_rule_log_for_vm(vmName, vmId, vmIP, domID, signature, seqno):
|
||||
except:
|
||||
logging.debug("Failed to parse log file for vm " + vm_name)
|
||||
remove_rule_log_for_vm(vm_name)
|
||||
return False
|
||||
return [True, True, True, True, True, True]
|
||||
|
||||
return [(vm_name != _vmName), (vmId != _vmID), (vmIP != _vmIP), (domID != _domID), (signature != _signature),(seqno != _seqno)]
|
||||
|
||||
@ -436,22 +447,18 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
|
||||
domId = getvmId(vmName)
|
||||
vmchain = vm_name
|
||||
|
||||
changes = []
|
||||
changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
|
||||
|
||||
if not 1 in changes:
|
||||
logging.debug("Rules already programmed for vm " + vm_name)
|
||||
return 'true'
|
||||
|
||||
if changes[1] or changes[2] or changes[3]:
|
||||
logging.debug("Change detected in vmId or vmIp or domId, resetting default rules")
|
||||
default_network_rules(vmName, vm_ip, vm_id, vmMac)
|
||||
|
||||
if rules == "" or rules == None:
|
||||
return 'true'
|
||||
|
||||
lines = rules.split(';')
|
||||
lines = rules.split(';')[:-1]
|
||||
|
||||
print lines
|
||||
logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
|
||||
#iptables('-F', vmchain)
|
||||
|
||||
@ -535,12 +542,13 @@ if __name__ == '__main__':
|
||||
parser.add_option("--sig", dest="sig")
|
||||
parser.add_option("--seq", dest="seq")
|
||||
parser.add_option("--rules", dest="rules")
|
||||
parser.add_option("--phynic", dest="phynic")
|
||||
(option, args) = parser.parse_args()
|
||||
cmd = args[0]
|
||||
if cmd == "can_bridge_firewall":
|
||||
can_bridge_firewall(args[1])
|
||||
elif cmd == "default_network_rules":
|
||||
default_network_rules(option.vmName, option.vmIP, option.vmID, option.vmMAC)
|
||||
default_network_rules(option.vmName, option.vmID, option.rules)
|
||||
elif cmd == "destroy_network_rules_for_vm":
|
||||
destroy_network_rules_for_vm(option.vmName)
|
||||
elif cmd == "default_network_rules_systemvm":
|
||||
@ -550,4 +558,4 @@ if __name__ == '__main__':
|
||||
elif cmd == "add_network_rules":
|
||||
add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules)
|
||||
elif cmd == "cleanup_rules":
|
||||
cleanup_rules()
|
||||
cleanup_rules()
|
||||
|
||||
@ -2211,7 +2211,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
||||
List<NicVO> nics = _nicDao.listByVmId(userVm.getId());
|
||||
for (NicVO nic : nics) {
|
||||
NetworkVO network = _networkDao.findById(nic.getNetworkId());
|
||||
if (network.getTrafficType() == TrafficType.Guest) {
|
||||
if (network.getTrafficType() == TrafficType.Guest || network.getTrafficType() == TrafficType.Public) {
|
||||
userVm.setPrivateIpAddress(nic.getIp4Address());
|
||||
userVm.setPrivateMacAddress(nic.getMacAddress());
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user