ACL issues

ACL order issues
Do not block multicast traffic for vrrp
Many smaller bug fixes
checkrouter provided in /opt/cloud/bin

systemvm/patches/debian/config/opt/cloud/bin/checkrouter.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+STATUS=$(cat /etc/cloudstack/cmdline.json | grep redundant_state | awk '{print $2;}' | sed -e 's/[,\"]//g')
+if [ "$?" -ne "0" ]
+then
+	   STATUS=MASTER
+fi
+echo "Status: ${STATUS}&Bumped: NO"

systemvm/patches/debian/config/opt/cloud/bin/configure.py

@@ -141,6 +141,9 @@ class CsAcl(CsDataBag):
     class AclDevice():
         """ A little class for each list of acls per device """
 
+        FIXED_RULES_INGRESS = 3
+        FIXED_RULES_EGRESS = 3
+
         def __init__(self, obj, config):
             self.ingess = []
             self.egress = []
@@ -156,23 +159,27 @@ class CsAcl(CsDataBag):
             self.fw = config.get_fw()
 
         def create(self):
-            self.process("ingress", self.ingress)
-            self.process("egress", self.egress)
+            self.process("ingress", self.ingress, self.FIXED_RULES_INGRESS)
+            self.process("egress", self.egress, self.FIXED_RULES_EGRESS)
 
-        def process(self, direction, rule_list):
+        def process(self, direction, rule_list, base):
+            count = base
             for i in rule_list:
-                r = self.AclRule(direction, self, i, self.config)
+                r = self.AclRule(direction, self, i, self.config, count)
                 r.create()
+                count += 1
 
         class AclRule():
 
-            def __init__(self, direction, acl, rule, config):
+            def __init__(self, direction, acl, rule, config, count):
+                self.count = count
                 if config.is_vpc():
                     self.init_vpc(direction, acl, rule, config)
 
             def init_vpc(self, direction, acl, rule, config):
                 self.table = ""
                 self.device = acl.device
+                self.direction = direction
                 # acl is an object of the AclDevice type. So, its fw attribute is already a list.
                 self.fw = acl.fw
                 self.chain = config.get_ingress_chain(self.device, acl.ip)
@@ -210,7 +217,7 @@ class CsAcl(CsDataBag):
                     rstr = "%s -m icmp --icmp-type %s" % (rstr, self.icmp_type)
                 rstr = "%s %s -j %s" % (rstr, self.dport, self.action)
                 rstr = rstr.replace("  ", " ").lstrip()
-                self.fw.append([self.table, "front", rstr])
+                self.fw.append([self.table, self.count, rstr])
 
     def process(self):
         for item in self.dbag:

systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py

@@ -371,9 +371,14 @@ class CsIP:
                         "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
         if self.get_type() in ["guest"]:
             self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" % (self.address['network'], self.dev, self.dev)])
+            self.fw.append(["filter", "front", "-A ACL_INBOUND_%s -d 224.0.0.18/32 -j ACCEPT" % self.dev])
+            self.fw.append(["filter", "front", "-A ACL_INBOUND_%s -d 225.0.0.50/32 -j ACCEPT" % self.dev])
+            self.fw.append(["mangle", "front", "-A ACL_OUTBOUND_%s -d 225.0.0.50/32 -j ACCEPT" % self.dev])
+            self.fw.append(["mangle", "front", "-A ACL_OUTBOUND_%s -d 224.0.0.18/32 -j ACCEPT" % self.dev])
             self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev])
             self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev])
             self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev])
+
             self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
             self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
             self.fw.append(["mangle", "",

systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py

@@ -119,10 +119,16 @@ class CsCmdLine(CsDataBag):
             return self.idata()['redundant_state'] == "MASTER"
         return False
 
-    def get_state(self):
-        if "redundant_state" in self.idata():
-            return self.idata()['redundant_state']
-        return "MASTER"
+    def set_fault_state(self):
+        self.idata()['redundant_state'] = "FAULT"
+        self.idata()['redundant_master'] = False
+
+    def set_master_state(self, value):
+        if value:
+            self.idata()['redundant_state'] = "MASTER"
+        else:
+            self.idata()['redundant_state'] = "BACKUP"
+        self.idata()['redundant_master'] = value
 
     def get_router_id(self):
         if "router_id" in self.idata():

systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py

@@ -26,19 +26,28 @@ class CsChain(object):
     def __init__(self):
         self.chain = {}
         self.last_added = ''
+        self.count = {}
 
     def add(self, table, chain):
         if table not in self.chain.keys():
             self.chain.setdefault(table, []).append(chain)
         else:
             self.chain[table].append(chain)
-        self.last_added = chain
+        if self.last_added != chain:
+            self.last_added = chain
+            self.count[chain] = 0
+
+    def add_rule(self, chain):
+        self.count[chain] += 1
 
     def get(self, table):
         if table not in self.chain.keys():
             return {}
         return self.chain[table]
 
+    def get_count(self, chain):
+        return self.count[chain]
+
     def last(self):
         return self.last_added
 
@@ -84,9 +93,12 @@ class CsNetfilters(object):
             if i.startswith(':'):  # Chain
                 self.chain.add(self.table.last(), i[1:].split(' ')[0])
             if i.startswith('-A'):  # Rule
+                self.chain.add_rule(i.split()[1])
                 rule = CsNetfilter()
                 rule.parse(i)
                 rule.set_table(self.table.last())
+                rule.set_chain(i.split()[1])
+                rule.set_count(self.chain.get_count(i.split()[1]))
                 self.save(rule)
 
     def save(self, rule):
@@ -104,6 +116,8 @@ class CsNetfilters(object):
     def has_rule(self, new_rule):
         for r in self.get():
             if new_rule == r:
+                if new_rule.get_count() > 0:
+                    continue
                 r.mark_seen()
                 return True
         return False
@@ -119,8 +133,8 @@ class CsNetfilters(object):
     def compare(self, list):
         """ Compare reality with what is needed """
         for c in self.chain.get("filter"):
-            # Ensure all inbound chains have a default drop rule
-            if c.startswith("ACL_INBOUND"):
+            # Ensure all inbound/outbound chains have a default drop rule
+            if c.startswith("ACL_INBOUND") or c.startswith("ACL_OUTBOUND"):
                 list.append(["filter", "", "-A %s -j DROP" % c])
         # PASS 1:  Ensure all chains are present
         for fw in list:
@@ -133,6 +147,8 @@ class CsNetfilters(object):
             new_rule = CsNetfilter()
             new_rule.parse(fw[2])
             new_rule.set_table(fw[0])
+            if isinstance(fw[1], int):
+                new_rule.set_count(fw[1])
             if self.has_rule(new_rule):
                 logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table())
             else:
@@ -142,6 +158,8 @@ class CsNetfilters(object):
                 cpy = fw[2]
                 if fw[1] == "front":
                     cpy = cpy.replace('-A', '-I')
+                if isinstance(fw[1], int):
+                    cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
 
                 CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
         self.del_standard()
@@ -189,6 +207,7 @@ class CsNetfilter(object):
         self.table = ''
         self.chain = ''
         self.seen = False
+        self.count = 0
 
     def parse(self, rule):
         self.rule = self.__convert_to_dict(rule)
@@ -227,6 +246,12 @@ class CsNetfilter(object):
     def set_chain(self, chain):
         self.chain = chain
 
+    def set_count(self, count=0):
+        self.count = count
+
+    def get_count(self):
+        return self.count
+
     def get_chain(self):
         return self.chain
 

systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py

@@ -174,8 +174,8 @@ class CsRedundant(object):
         ads = [o for o in self.address.get_ips() if o.needs_vrrp()]
         for o in ads:
             pwdsvc = CsPasswdSvc(o.get_gateway()).stop()
-        cl.dbag['config']['redundant_master'] = "false"
-        cl.save()
+        self.cl.set_fault_state()
+        self.cl.save()
         logging.info("Router switched to fault mode")
 
     def set_backup(self):
@@ -201,7 +201,7 @@ class CsRedundant(object):
             pwdsvc = CsPasswdSvc(o.get_gateway()).stop()
         CsHelper.service("dnsmasq", "stop")
         # self._set_priority(self.CS_PRIO_DOWN)
-        self.cl.dbag['config']['redundant_master'] = "false"
+        self.cl.set_master_state(False)
         # CsHelper.service("keepalived", "restart")
         self.cl.save()
         logging.info("Router switched to backup mode")
@@ -235,7 +235,7 @@ class CsRedundant(object):
         for o in ads:
             pwdsvc = CsPasswdSvc(o.get_gateway()).restart()
         CsHelper.service("dnsmasq", "restart")
-        self.cl.dbag['config']['redundant_master'] = "true"
+        self.cl.set_master_state(True)
         self.cl.save()
         # CsHelper.service("keepalived", "restart")
         logging.info("Router switched to master mode")

systemvm/patches/debian/config/opt/cloud/bin/get_template_version.sh

@@ -18,7 +18,7 @@
 
 # As the last command send to router before any rules operation, wait until boot up done
 
-__TIMEOUT=60
+__TIMEOUT=240
 __FLAGFILE=/var/cache/cloud/boot_up_done
 done=0
 for i in `seq 1 $(($__TIMEOUT * 10))`