From 585f5f7000d876d96bb17cc0996efc98f22a840e Mon Sep 17 00:00:00 2001 
From: Ian Southam Date: Thu, 26 Feb 2015 14:07:36 +0100 Subject: [PATCH] ACL issues ACL order issues Do not block multicast traffic for vrrp Many smaller bug fixes checkrouter provided in /opt/cloud/bin --- .../config/opt/cloud/bin/checkrouter.sh | 8 +++++ .../debian/config/opt/cloud/bin/configure.py | 19 ++++++++---- .../config/opt/cloud/bin/cs/CsAddress.py | 5 +++ .../debian/config/opt/cloud/bin/cs/CsApp.py | 0 .../config/opt/cloud/bin/cs/CsConfig.py | 0 .../config/opt/cloud/bin/cs/CsDatabag.py | 14 ++++++--- .../debian/config/opt/cloud/bin/cs/CsDhcp.py | 0 .../debian/config/opt/cloud/bin/cs/CsFile.py | 0 .../config/opt/cloud/bin/cs/CsGuestNetwork.py | 0 .../config/opt/cloud/bin/cs/CsHelper.py | 0 .../config/opt/cloud/bin/cs/CsLoadBalancer.py | 0 .../config/opt/cloud/bin/cs/CsMonitor.py | 0 .../config/opt/cloud/bin/cs/CsNetfilter.py | 31 +++++++++++++++++-- .../config/opt/cloud/bin/cs/CsProcess.py | 0 .../config/opt/cloud/bin/cs/CsRedundant.py | 8 ++--- .../debian/config/opt/cloud/bin/cs/CsRoute.py | 0 .../debian/config/opt/cloud/bin/cs/CsRule.py | 0 .../config/opt/cloud/bin/cs/__init__.py | 0 .../debian/config/opt/cloud/bin/cs_cmdline.py | 0 .../debian/config/opt/cloud/bin/cs_dhcp.py | 0 .../config/opt/cloud/bin/cs_firewallrules.py | 0 .../opt/cloud/bin/cs_forwardingrules.py | 0 .../config/opt/cloud/bin/cs_guestnetwork.py | 0 .../debian/config/opt/cloud/bin/cs_ip.py | 0 .../config/opt/cloud/bin/cs_loadbalancer.py | 0 .../config/opt/cloud/bin/cs_monitorservice.py | 0 .../config/opt/cloud/bin/cs_network_acl.py | 0 .../config/opt/cloud/bin/cs_site2sitevpn.py | 0 .../debian/config/opt/cloud/bin/cs_vmdata.py | 0 .../debian/config/opt/cloud/bin/cs_vmp.py | 0 .../opt/cloud/bin/get_template_version.sh | 2 +- 31 files changed, 69 insertions(+), 18 deletions(-) create mode 100755 systemvm/patches/debian/config/opt/cloud/bin/checkrouter.sh mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py mode change 100644 => 100755 
systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsConfig.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsGuestNetwork.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsHelper.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsLoadBalancer.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsMonitor.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsProcess.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/CsRule.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs/__init__.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_cmdline.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_dhcp.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_firewallrules.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_forwardingrules.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_guestnetwork.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_loadbalancer.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_monitorservice.py mode change 100644 => 100755 
systemvm/patches/debian/config/opt/cloud/bin/cs_network_acl.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_site2sitevpn.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_vmdata.py mode change 100644 => 100755 systemvm/patches/debian/config/opt/cloud/bin/cs_vmp.py
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/checkrouter.sh b/systemvm/patches/debian/config/opt/cloud/bin/checkrouter.sh
new file mode 100755
index 00000000000..4b50f9b29ef
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/bin/checkrouter.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+STATUS=$(cat /etc/cloudstack/cmdline.json | grep redundant_state | awk '{print $2;}' | sed -e 's/[,\"]//g')
+if [ "$?" -ne "0" ]
+then
+ STATUS=MASTER
+fi
+echo "Status: ${STATUS}&Bumped: NO"
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 43b01b6a993..399c9c420cc 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -141,6 +141,9 @@ class CsAcl(CsDataBag): class AclDevice(): """ A little class for each list of acls per device """ + FIXED_RULES_INGRESS = 3 + FIXED_RULES_EGRESS = 3 + def __init__(self, obj, config): self.ingess = [] self.egress = []
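Review bot: `$?` on the line after the `STATUS=$(...)` assignment is the exit status of the last command in the pipeline (`sed`), not of `grep`, so when `redundant_state` is missing from cmdline.json the `-ne "0"` test never fires and the script prints an empty status instead of falling back to MASTER. Testing the captured value is the reliable form, `if [ -z "$STATUS" ]`, which also removes any dependence on `set -o pipefail`; the `cat` can go in favour of `grep redundant_state /etc/cloudstack/cmdline.json`. Pulling a JSON field out with grep/awk/sed is fragile against key order and formatting changes; a real JSON parser would be safer if one is available on the system VM, but that is a larger change. A one-line comment saying the MASTER fallback mirrors the default the removed Python `get_state()` returned for a missing key would explain the choice to the next reader.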
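Review bot: `FIXED_RULES_INGRESS = 3` and `FIXED_RULES_EGRESS = 3` are bare magic numbers; `process()` uses them as the starting value of `count`, which CsNetfilters.compare later turns into a 1-based `-I <chain> N` position, so the constant is really the first free slot after the fixed rules rather than the number of fixed rules its name suggests. Add a comment such as `# 1-based iptables position of the first ACL rule; positions 1-2 hold the fixed multicast ACCEPTs inserted at the front of the chain` (this assumes the two `front` rules CsAddress adds per chain are the only fixed ones — confirm). Unrelated to the change but visible in the context lines, `self.ingess = []` in `__init__` does not match the `self.ingress` that `create()` passes to `process()`; worth checking where `ingress` is actually assigned.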
@@ -156,23 +159,27 @@ class CsAcl(CsDataBag): self.fw = config.get_fw() def create(self): - self.process("ingress", self.ingress) - self.process("egress", self.egress) + self.process("ingress", self.ingress, self.FIXED_RULES_INGRESS) + self.process("egress", self.egress, self.FIXED_RULES_EGRESS) - def process(self, direction, rule_list): + def process(self, direction, rule_list, base): + count = base for i in rule_list: - r = self.AclRule(direction, self, i, self.config) + r = self.AclRule(direction, self, i, self.config, count) r.create() + count += 1 class AclRule(): - def __init__(self, direction, acl, rule, config): + def __init__(self, direction, acl, rule, config, count): + self.count = count if config.is_vpc(): self.init_vpc(direction, acl, rule, config) def init_vpc(self, direction, acl, rule, config): self.table = "" self.device = acl.device + self.direction = direction # acl is an object of the AclDevice type. So, its fw attribute is already a list. self.fw = acl.fw self.chain = config.get_ingress_chain(self.device, acl.ip) @@ -210,7 +217,7 @@ class CsAcl(CsDataBag): rstr = "%s -m icmp --icmp-type %s" % (rstr, self.icmp_type) rstr = "%s %s -j %s" % (rstr, self.dport, self.action) rstr = rstr.replace(" ", " ").lstrip() - self.fw.append([self.table, "front", rstr]) + self.fw.append([self.table, self.count, rstr]) def process(self): for item in self.dbag: diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py old mode 100644 new mode 100755 index 04d642e9d0e..8f4d5117c10 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py 
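Review bot: `process(self, direction, rule_list, base)` adds a required positional parameter; `create()` is updated in this hunk, but any other caller of `AclDevice.process` would now raise TypeError, so either give it a default (`base=0`, which the CsNetfilters side treats as "append") or confirm there are no other callers. The `count` passed into `AclRule` and stored in `self.fw.append([self.table, self.count, rstr])` in the second hunk becomes an absolute chain position, which only yields the intended order if the rules for a chain are applied in generation order and the fixed front rules are already present; a short docstring on `process` stating that contract, e.g. `"""Queue each ACL rule at consecutive 1-based chain positions starting at base."""`, would make the dependency explicit. `self.direction = direction` is stored but nothing in the hunk reads it; if it is consumed further down in `init_vpc` (outside the hunk) a comment saying so would avoid it looking like dead state.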
@@ -371,9 +371,14 @@ class CsIP: "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"]) if self.get_type() in ["guest"]: self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" % (self.address['network'], self.dev, self.dev)]) + self.fw.append(["filter", "front", "-A ACL_INBOUND_%s -d 224.0.0.18/32 -j ACCEPT" % self.dev]) + self.fw.append(["filter", "front", "-A ACL_INBOUND_%s -d 225.0.0.50/32 -j ACCEPT" % self.dev]) + self.fw.append(["mangle", "front", "-A ACL_OUTBOUND_%s -d 225.0.0.50/32 -j ACCEPT" % self.dev]) + self.fw.append(["mangle", "front", "-A ACL_OUTBOUND_%s -d 224.0.0.18/32 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 67 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p udp -m udp --dport 53 -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -j ACCEPT" % self.dev]) + self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev]) self.fw.append(["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev]) self.fw.append(["mangle", "", diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsApp.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsConfig.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsConfig.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py old mode 100644 new mode 100755 index a3818e572a8..035e864bc34 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDatabag.py 
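Review bot: The new multicast ACCEPT rules match on destination only, so `-A ACL_INBOUND_%s -d 224.0.0.18/32 -j ACCEPT` admits any protocol sent to the VRRP group from the guest side, not just VRRP; narrowing it to the protocol the feature needs, `"-A ACL_INBOUND_%s -d 224.0.0.18/32 -p vrrp -j ACCEPT" % self.dev` (and likewise for the ACL_OUTBOUND copy), keeps this bypass of the guest ACL as small as possible. The second group, 225.0.0.50/32, is not explained anywhere in the hunk; add a comment naming the service that uses it. The same goes for the new `--dport 80` INPUT rule on the guest interface, which exposes a service to every guest VM without a comment saying which one. Note also that the ACL_INBOUND rules are queued for the `filter` table while the ACL_OUTBOUND rules go to `mangle`; if that split is intended, a one-line comment would stop the next reader from assuming a typo.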
@@ -119,10 +119,16 @@ class CsCmdLine(CsDataBag): return self.idata()['redundant_state'] == "MASTER" return False - def get_state(self): - if "redundant_state" in self.idata(): - return self.idata()['redundant_state'] - return "MASTER" + def set_fault_state(self): + self.idata()['redundant_state'] = "FAULT" + self.idata()['redundant_master'] = False + + def set_master_state(self, value): + if value: + self.idata()['redundant_state'] = "MASTER" + else: + self.idata()['redundant_state'] = "BACKUP" + self.idata()['redundant_master'] = value def get_router_id(self): if "router_id" in self.idata(): diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsDhcp.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsFile.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsGuestNetwork.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsGuestNetwork.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsHelper.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsHelper.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsLoadBalancer.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsLoadBalancer.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsMonitor.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsMonitor.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py index 6a546a4fbf5..6c1d091435c 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py 
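Review bot: `set_master_state` stores `redundant_master` as the Python bool `value`, whereas the CsRedundant code this commit replaces wrote the strings "true"/"false" into the same key; once saved, consumers that compare the JSON field against those strings will now see `true`/`false` booleans instead, so every reader of `redundant_master` should be checked before merging (the new checkrouter.sh greps `redundant_state`, which is still a string, so it is unaffected). Neither setter persists anything on its own — both only mutate the dict returned by `idata()` — so each deserves a docstring such as `"""Mark the router MASTER or BACKUP in the config bag; callers must still invoke save()."""`, and the code relies on `idata()` returning the live dict rather than a copy, which is not visible here. `get_state` is removed without a replacement; any remaining Python caller would fail with AttributeError.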
@@ -26,19 +26,28 @@ class CsChain(object): def __init__(self): self.chain = {} self.last_added = '' + self.count = {} def add(self, table, chain): if table not in self.chain.keys(): self.chain.setdefault(table, []).append(chain) else: self.chain[table].append(chain) - self.last_added = chain + if self.last_added != chain: + self.last_added = chain + self.count[chain] = 0 + + def add_rule(self, chain): + self.count[chain] += 1 def get(self, table): if table not in self.chain.keys(): return {} return self.chain[table] + def get_count(self, chain): + return self.count[chain] + def last(self): return self.last_added @@ -84,9 +93,12 @@ class CsNetfilters(object): if i.startswith(':'): # Chain self.chain.add(self.table.last(), i[1:].split(' ')[0]) if i.startswith('-A'): # Rule + self.chain.add_rule(i.split()[1]) rule = CsNetfilter() rule.parse(i) rule.set_table(self.table.last()) + rule.set_chain(i.split()[1]) + rule.set_count(self.chain.get_count(i.split()[1])) self.save(rule) def save(self, rule): @@ -104,6 +116,8 @@ class CsNetfilters(object): def has_rule(self, new_rule): for r in self.get(): if new_rule == r: + if new_rule.get_count() > 0: + continue r.mark_seen() return True return False @@ -119,8 +133,8 @@ class CsNetfilters(object): def compare(self, list): """ Compare reality with what is needed """ for c in self.chain.get("filter"): - # Ensure all inbound chains have a default drop rule - if c.startswith("ACL_INBOUND"): + # Ensure all inbound/outbound chains have a default drop rule + if c.startswith("ACL_INBOUND") or c.startswith("ACL_OUTBOUND"): list.append(["filter", "", "-A %s -j DROP" % c]) # PASS 1: Ensure all chains are present for fw in list: @@ -133,6 +147,8 @@ class CsNetfilters(object): new_rule = CsNetfilter() new_rule.parse(fw[2]) new_rule.set_table(fw[0]) + if isinstance(fw[1], int): + new_rule.set_count(fw[1]) if self.has_rule(new_rule): logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table()) else: 
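Review bot: In `compare()` the default-DROP loop still iterates only `self.chain.get("filter")`, but the ACL_OUTBOUND_* chains are populated in the `mangle` table by the CsAddress hunk of this same commit; if those chains exist only in mangle, the new `or c.startswith("ACL_OUTBOUND")` branch never matches and outbound ACL chains end without a default drop, which is exactly the fail-open case the updated comment claims to prevent. Either walk both tables and append the DROP into the table the chain was found in (sketched below), or confirm the chains are also declared in filter. In `CsChain`, `self.count` is keyed by chain name alone and reset in `add()` only when the name differs from `last_added`, so the per-table counts come out right only because iptables-save emits one table at a time with its chain declarations before its rules; that assumption deserves a comment. `has_rule()`'s `continue` for positioned rules (`get_count() > 0`) means such rules are never marked seen and are re-inserted on every run, relying on the later cleanup to remove the stale copies — worth a comment too, and `i.split()[1]` in the parser is evaluated three times where one local would do.
```python
    def compare(self, list):
        """ Compare reality with what is needed """
        # Ensure all inbound/outbound ACL chains end in a default drop,
        # in whichever table the chain was declared
        for table in ("filter", "mangle"):
            for c in self.chain.get(table):
                if c.startswith("ACL_INBOUND") or c.startswith("ACL_OUTBOUND"):
                    list.append([table, "", "-A %s -j DROP" % c])
        # … unchanged: PASS 1 and PASS 2 …
```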
@@ -142,6 +158,8 @@ class CsNetfilters(object): cpy = fw[2] if fw[1] == "front": cpy = cpy.replace('-A', '-I') + if isinstance(fw[1], int): + cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1])) CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy)) self.del_standard() @@ -189,6 +207,7 @@ class CsNetfilter(object): self.table = '' self.chain = '' self.seen = False + self.count = 0 def parse(self, rule): self.rule = self.__convert_to_dict(rule) @@ -227,6 +246,12 @@ class CsNetfilter(object): def set_chain(self, chain): self.chain = chain + def set_count(self, count=0): + self.count = count + + def get_count(self): + return self.count + def get_chain(self): return self.chain diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsProcess.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsProcess.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py old mode 100644 new mode 100755 index 7ada710fe33..dc08b85c7a2 --- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRedundant.py @@ -174,8 +174,8 @@ class CsRedundant(object): ads = [o for o in self.address.get_ips() if o.needs_vrrp()] for o in ads: pwdsvc = CsPasswdSvc(o.get_gateway()).stop() - cl.dbag['config']['redundant_master'] = "false" - cl.save() + self.cl.set_fault_state() + self.cl.save() logging.info("Router switched to fault mode") def set_backup(self): @@ -201,7 +201,7 @@ class CsRedundant(object): pwdsvc = CsPasswdSvc(o.get_gateway()).stop() CsHelper.service("dnsmasq", "stop") # self._set_priority(self.CS_PRIO_DOWN) - self.cl.dbag['config']['redundant_master'] = "false" + self.cl.set_master_state(False) # CsHelper.service("keepalived", "restart") self.cl.save() logging.info("Router switched to backup mode") 
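Review bot: The `isinstance(fw[1], int)` branch rewrites `-A <chain>` into `-I <chain> N`, and because `has_rule()` never reports a positioned rule as existing this insert runs on every pass; iptables rejects `-I` when N exceeds the chain's current length plus one, and whether that error is surfaced depends on `CsHelper.execute`, which is not visible here, so the precondition (the fixed front rules must already be in the chain) should be stated in a comment and the command result checked where possible. `set_count(self, count=0)` uses 0 as the "no position, plain append" sentinel that `has_rule()` tests with `> 0`; record that in a docstring, e.g. `"""1-based chain position to insert at; 0 means append and let has_rule() deduplicate."""`. The CsRedundant hunks correctly replace the undefined `cl` with `self.cl`, but `set_master_state(False)` now stores a bool where the removed line stored the string "false" (the CsDatabag hunk changes the stored type), so readers of that field need checking.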
@@ -235,7 +235,7 @@ class CsRedundant(object): for o in ads: pwdsvc = CsPasswdSvc(o.get_gateway()).restart() CsHelper.service("dnsmasq", "restart") - self.cl.dbag['config']['redundant_master'] = "true" + self.cl.set_master_state(True) self.cl.save() # CsHelper.service("keepalived", "restart") logging.info("Router switched to master mode") diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRule.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRule.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/__init__.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/__init__.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_cmdline.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_cmdline.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_dhcp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_dhcp.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_firewallrules.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_firewallrules.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_forwardingrules.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_forwardingrules.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_guestnetwork.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_guestnetwork.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py old mode 100644 new mode 100755 
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_loadbalancer.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_loadbalancer.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_monitorservice.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_monitorservice.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_network_acl.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_network_acl.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_site2sitevpn.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_site2sitevpn.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_vmdata.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_vmdata.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_vmp.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_vmp.py old mode 100644 new mode 100755 diff --git a/systemvm/patches/debian/config/opt/cloud/bin/get_template_version.sh b/systemvm/patches/debian/config/opt/cloud/bin/get_template_version.sh index 233ec983f8e..996e9dd5ce5 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/get_template_version.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/get_template_version.sh @@ -18,7 +18,7 @@ # As the last command send to router before any rules operation, wait until boot up done -__TIMEOUT=60 +__TIMEOUT=240 __FLAGFILE=/var/cache/cloud/boot_up_done done=0 for i in `seq 1 $(($__TIMEOUT * 10))`