do not put in default accept rules for DNS and BOOTPS

2025-10-26 08:42:29 +01:00 · 2020-04-14 12:03:32 +02:00 · 2020-04-14 12:03:32 +02:00 · 6a72e6e9f8
commit 6a72e6e9f8
parent f18fe5e1da
4 changed files with 14 additions and 2 deletions
--- a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManager.java
+++ b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManager.java
@ -67,6 +67,8 @@ public interface VirtualNetworkApplianceManager extends Manager, VirtualNetworkA
            "If true, router minimum required version is checked before sending command", false);
    static final ConfigKey<Boolean> UseExternalDnsServers = new ConfigKey<Boolean>(Boolean.class, "use.external.dns", "Advanced", "false",
            "Bypass internal dns, use external dns1 and dns2", true, ConfigKey.Scope.Zone, null);
+    static final ConfigKey<Boolean> ExposeDnsAndBootpServer = new ConfigKey<Boolean>(Boolean.class, "expose.dns.externally", "Advanced", "true",
+            "open dns, dhcp and bootp on the public interface", true, ConfigKey.Scope.Zone, null);

    public static final int DEFAULT_ROUTER_VM_RAMSIZE = 256;            // 256M
    public static final int DEFAULT_ROUTER_CPU_MHZ = 500;                // 500 MHz
--- a/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/main/java/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@ -1489,6 +1489,10 @@ Configurable, StateListener<VirtualMachine.State, VirtualMachine.Event, VirtualM
            }
        }

+        if (Boolean.TRUE.equals(ExposeDnsAndBootpServer.valueIn(dc.getId()))) {
+            buf.append(" exposedns=true");
+        }
+
        if (Boolean.valueOf(_configDao.getValue(Config.BaremetalProvisionDoneNotificationEnabled.key()))) {
            final QueryBuilder<UserVO> acntq = QueryBuilder.create(UserVO.class);
            acntq.and(acntq.entity().getUsername(), SearchCriteria.Op.EQ, "baremetal-system-account");
@ -2597,7 +2601,7 @@ Configurable, StateListener<VirtualMachine.State, VirtualMachine.Event, VirtualM

    @Override
    public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] { UseExternalDnsServers, routerVersionCheckEnabled, SetServiceMonitor, RouterAlertsCheckInterval };
+        return new ConfigKey<?>[] { UseExternalDnsServers, routerVersionCheckEnabled, SetServiceMonitor, RouterAlertsCheckInterval, ExposeDnsAndBootpServer };
    }

    @Override
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@ -566,9 +566,12 @@ class CsIP:
                logging.error(
                    "Not able to setup source-nat for a regular router yet")

-            if self.config.has_dns() or self.config.is_dhcp():
+            if (self.config.has_dns() or self.config.is_dhcp()) and self.config.expose_dns():
+                logging.info("Making dns publicly available")
                dns = CsDnsmasq(self)
                dns.add_firewall_rules()
+            else:
+                logging.info("Not making dns publicly available")

            if self.config.has_metadata():
                app = CsApache(self)
--- a/systemvm/debian/opt/cloud/bin/cs/CsConfig.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsConfig.py
@ -78,6 +78,9 @@ class CsConfig(object):
    def use_extdns(self):
        return self.cmdline().idata().get('useextdns', 'false') == 'true'

+    def expose_dns(self):
+        return self.cmdline().idata().get('exposedns', 'false') == 'true'
+
    def get_dns(self):
        conf = self.cmdline().idata()
        dns = []