Merge branch 'master' of ssh://git.cloud.com/var/lib/git/cloudstack-oss

core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java

@@ -635,6 +635,9 @@ public class VirtualRoutingResource implements Manager {
 
         String publicNic = "eth" + nicNum;
         command.add("-c", publicNic);
+        
+        command.add("-g", vlanGateway);
+        
 
         return command.execute();
     }

core/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java

@@ -752,7 +752,10 @@ public class VmwareResource implements StoragePoolResource, ServerResource, Vmwa
         }
 
         args += " -c ";
-        args += "eth" + publicNicInfo.first();
+        args += "eth" + publicNicInfo.first();
+        
+        args += " -g ";
+        args += vlanGateway;
 
         if (s_logger.isDebugEnabled()) {
             s_logger.debug("Run command on domain router " + privateIpAddress + ", /root/ipassoc.sh " + args);

core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java

@@ -1639,7 +1639,10 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 
             args += " -c ";
             args += "eth" + correctVif.getDevice(conn);
-
+            
+            args += " -g ";
+            args += vlanGateway;
+            
 
             String result = callHostPlugin(conn, "vmops", "ipassoc", "args", args);
             if (result == null || result.isEmpty()) {

patches/systemvm/debian/config/etc/iptables/iptables-router

@@ -30,4 +30,5 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+-A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
 COMMIT

patches/systemvm/debian/config/root/firewall.sh

@@ -59,6 +59,7 @@ tcp_or_udp_entry() {
   local op=$5
   local proto=$6
   local cidrs=$7
+
   logger -t cloud "$(basename $0): creating port fwd entry for PAT: public ip=$publicIp \
   instance ip=$instIp proto=$proto port=$port dport=$dport op=$op"
 
@@ -67,11 +68,16 @@ tcp_or_udp_entry() {
   # the delete operation may have errored out but the only possible reason is 
   # that the rules didn't exist in the first place
   local dev=$(ip_to_dev $publicIp)
+  local tableNo=$(echo $dev | awk -F'eth' '{print $2}')
   # shortcircuit the process if error and it is an append operation
   # continue if it is delete
   (sudo iptables -t nat $op PREROUTING --proto $proto -i $dev -d $publicIp \
            --destination-port $port -j DNAT  \
            --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -j MARK --set-mark $tableNo) && 
+  (sudo iptables -t mangle $op PREROUTING --proto $proto -i $dev -d $publicIp \
+           --destination-port $port -m state --state NEW -j CONNMARK --save-mark) &&
   (sudo iptables -t nat $op OUTPUT  --proto $proto -d $publicIp  \
            --destination-port $port -j DNAT  \
            --to-destination $instIp:$dport &>> $OUTFILE || [ "$op" == "-D" ]) &&

patches/systemvm/debian/config/root/ipassoc.sh

@@ -134,6 +134,76 @@ convert_primary_to_32() {
   done
 }
 
+remove_routing() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Remove routing $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $pubIp | awk -F'/' '{print $1}')
+  local mask=$(echo $pubIp | awk -F'/' '{print $2}')
+  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
+
+  local tableName="Table_$ethDev"
+  local ethMask=$(ip route list scope link dev $ethDev | awk '{print $1}')
+  if [ "$ethMask" == "" ]
+  then
+# rules and routes will be deleted for the last ip of the interface.
+     sudo ip rule delete fwmark $tableNo table $tableName
+     sudo ip rule delete table $tableName
+     sudo ip route flush  table $tableName 
+     sudo ip route flush cache
+     logger -t cloud "$(basename $0):Remove routing $pubIp - routes and rules deleted"
+  fi
+}
+
+# copy eth0,eth1 and the current public interface
+copy_routes_from_main() {
+  local tableName=$1
+
+#get the network masks from the main table
+  local eth0Mask=$(ip route list scope link dev eth0 | awk '{print $1}')
+  local eth1Mask=$(ip route list scope link dev eth1 | awk '{print $1}')
+  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
+
+# eth0,eth1 and other know routes will be skipped, so as main routing table will decide the route. This will be useful if the interface is down and up.  
+  sudo ip route add throw $eth0Mask table $tableName proto static 
+  sudo ip route add throw $eth1Mask table $tableName proto static 
+  sudo ip route add throw $ethMask  table $tableName proto static 
+  return 0;
+}
+
+add_routing() {
+  local pubIp=$1
+  logger -t cloud "$(basename $0):Add routing $pubIp on interface $ethDev"
+  local ipNoMask=$(echo $1 | awk -F'/' '{print $1}')
+  local mask=$(echo $1 | awk -F'/' '{print $2}')
+
+  local tableName="Table_$ethDev"
+  local tablePresent=$(grep $tableName /etc/iproute2/rt_tables)
+  local tableNo=$(echo $ethDev | awk -F'eth' '{print $2}')
+  if [ "$tablePresent" == "" ]
+  then
+     if [ "$tableNo" == ""] 
+     then
+       return 0;
+     fi
+     sudo echo "$tableNo $tableName" >> /etc/iproute2/rt_tables
+  fi
+
+  copy_routes_from_main $tableName
+# NOTE: this  entry will be deleted if the interface is down without knowing to Management server, in that case all the outside traffic will be send through main routing table or it will be the first public NIC.
+  sudo ip route add default via $defaultGwIP table $tableName proto static
+  sudo ip route flush cache
+
+  local ethMask=$(ip route list scope link dev $ethDev  | awk '{print $1}')
+  local rulePresent=$(ip rule show | grep $ethMask)
+  if [ "$rulePresent" == "" ]
+  then
+# rules will be added while adding the first ip of the interface 
+     sudo ip rule add from $ethMask table $tableName
+     sudo ip rule add fwmark $tableNo table $tableName
+     logger -t cloud "$(basename $0):Add routing $pubIp rules added"
+  fi
+  return 0;
+}
 
 add_nat_entry() {
   local pubIp=$1
@@ -167,6 +237,7 @@ add_nat_entry() {
       sudo ip link set $ethDev up
       sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
   fi
+  add_routing $1 
 
   return 0
 }
@@ -182,6 +253,7 @@ del_nat_entry() {
   sudo iptables -t nat -D POSTROUTING   -j SNAT -o $ethDev --to-source $ipNoMask;
   sudo ip addr del dev $ethDev "$ipNoMask/$mask"
  
+  remove_routing $1
   if [ $? -gt 0  -a $? -ne 2 ]
   then
      return 1
@@ -205,7 +277,7 @@ add_an_ip () {
       sudo ip link set $ethDev up
       sudo arping -c 3 -I $ethDev -A -U -s $ipNoMask $ipNoMask;
   fi
-
+  add_routing $1 
   return $?
    
 }
@@ -236,6 +308,7 @@ remove_an_ip () {
         fi
     result=$?
   fi
+  remove_routing $1
   if [ $result -gt 0  -a $result -ne 2 ]
   then
      return 1
@@ -268,7 +341,7 @@ then
     if_keep_state=1
 fi
 
-while getopts 'fADa:l:c:' OPTION
+while getopts 'fADa:l:c:g:' OPTION
 do
   case $OPTION in
   A)	Aflag=1
@@ -285,6 +358,9 @@ do
   c)	cflag=1
   		ethDev="$OPTARG"
   		;;
+  g)	gflag=1
+  		defaultGwIP="$OPTARG"
+  		;;
   ?)	usage
                 unlock_exit 2 $lock $locked
 		;;

patches/systemvm/debian/config/root/loadbalancer.sh

@@ -78,8 +78,15 @@ ip_entry() {
   
   return 0
 }
+get_lb_vif_list() {
+# add eth0 to the VIF_LIST if it is not there, this allows guest VMs to use the LB service.
+  local lb_list="$VIF_LIST eth0";
+  lb_list=$(echo $lb_list | tr " " "\n" | sort | uniq | tr "\n" " ")
+  echo $lb_list
+}
 fw_remove_backup() {
-  for vif in $VIF_LIST; do 
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
     sudo iptables -F back_load_balancer_$vif 2> /dev/null
     sudo iptables -D INPUT -i $vif -p tcp  -j back_load_balancer_$vif 2> /dev/null
     sudo iptables -X back_load_balancer_$vif 2> /dev/null
@@ -89,7 +96,8 @@ fw_remove_backup() {
   sudo iptables -X back_lb_stats 2> /dev/null
 }
 fw_restore() {
-  for vif in $VIF_LIST; do 
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
     sudo iptables -F load_balancer_$vif 2> /dev/null
     sudo iptables -D INPUT -i $vif -p tcp  -j load_balancer_$vif 2> /dev/null
     sudo iptables -X load_balancer_$vif 2> /dev/null
@@ -120,7 +128,8 @@ fw_entry() {
   local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
 
 # back up the iptable rules by renaming before creating new. 
-  for vif in $VIF_LIST; do 
+  local lb_vif_list=$(get_lb_vif_list)
+  for vif in $lb_vif_list; do 
     sudo iptables -E load_balancer_$vif back_load_balancer_$vif 2> /dev/null
     sudo iptables -N load_balancer_$vif 2> /dev/null
     sudo iptables -A INPUT -i $vif -p tcp  -j load_balancer_$vif
@@ -133,8 +142,8 @@ fw_entry() {
   do
     local pubIp=$(echo $i | cut -d: -f1)
     local dport=$(echo $i | cut -d: -f2)    
-    
-    for vif in $VIF_LIST; do 
+    local lb_vif_list=$(get_lb_vif_list)
+    for vif in $lb_vif_list; do 
 
 #TODO : The below delete will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
       sudo iptables -D INPUT -i $vif  -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null

server/src/com/cloud/user/AccountManagerImpl.java

@@ -299,6 +299,15 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
 
     @Override
     public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
+        
+        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) {
+            //no need to make permission checks if the system/root admin makes the call
+            if (s_logger.isTraceEnabled()) {
+                s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
+            } 
+            return;
+        }
+
         HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
         Long ownerId = null;
         ControlledEntity prevEntity = null;