CLOUDSTACK-8030: Updated router to come up egress default ALLOW
By default, the router's iptables rules are now set up to ACCEPT egress traffic.
If the network's egress default policy is false, CloudStack removes the ACCEPT rule and adds the DROP rule, which
acts as the default egress rule when no other egress rules exist.
If the network's egress default policy is true, CloudStack does not configure any default egress rule, because
the router already comes up accepting egress traffic. If the network already has egress rules, those
rules are applied on the VR.
For an isolated network without the firewall service, the VR allows egress traffic by default (guest network --> public network).
This commit is contained in:
parent
e22cc6e940
commit
8278d88f76
@ -1147,6 +1147,22 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
|
||||
// This method re-programs the rules/ips for existing network
|
||||
protected boolean reprogramNetworkRules(long networkId, Account caller, Network network) throws ResourceUnavailableException {
|
||||
boolean success = true;
|
||||
|
||||
//Apply egress rules first to effect the egress policy early on the guest traffic
|
||||
List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
|
||||
NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
|
||||
DataCenter zone = _dcDao.findById(network.getDataCenterId());
|
||||
if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
|
||||
&& (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
|
||||
// add default egress rule to accept the traffic
|
||||
_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true);
|
||||
}
|
||||
if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
|
||||
s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
|
||||
success = false;
|
||||
}
|
||||
|
||||
|
||||
// associate all ip addresses
|
||||
if (!_ipAddrMgr.applyIpAssociations(network, false)) {
|
||||
s_logger.warn("Failed to apply ip addresses as a part of network id" + networkId + " restart");
|
||||
@ -1166,20 +1182,6 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
|
||||
success = false;
|
||||
}
|
||||
|
||||
List<FirewallRuleVO> firewallEgressRulesToApply = _firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall, FirewallRule.TrafficType.Egress);
|
||||
NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
|
||||
//there are no egress rules then apply the default egress rule
|
||||
DataCenter zone = _dcDao.findById(network.getDataCenterId());
|
||||
if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
|
||||
&& (network.getGuestType() == Network.GuestType.Isolated || (network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() == NetworkType.Advanced))) {
|
||||
// add default egress rule to accept the traffic
|
||||
_firewallMgr.applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true);
|
||||
}
|
||||
if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)) {
|
||||
s_logger.warn("Failed to reapply firewall Egress rule(s) as a part of network id=" + networkId + " restart");
|
||||
success = false;
|
||||
}
|
||||
|
||||
// apply port forwarding rules
|
||||
if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false, caller)) {
|
||||
s_logger.warn("Failed to reapply port forwarding rule(s) as a part of network id=" + networkId + " restart");
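Review bot: When `_firewallMgr.applyFirewallRules(firewallEgressRulesToApply, false, caller)` fails in the added block, the method only records `success = false` and carries on to IP association and port forwarding, yet the commit description says the router now boots with egress ACCEPT; for a network whose egress default policy is false, a failed push therefore leaves the VR fail-open until the next successful restart. Consider returning early at that point or at least raising the log level, e.g. `s_logger.error("Failed to reapply firewall Egress rule(s) for network id=" + networkId + "; VR keeps its boot-time ACCEPT egress policy");`. In the same block, `_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)` is tested twice in one `if`; the duplicate was carried over from the moved code and one occurrence should be dropped. reprogramNetworkRules continues past the end of the hunk.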
|
||||
|
||||
@ -573,6 +573,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
|
||||
public ExecutionResult createFileInVR(String routerIp, String path, String filename, String content) {
|
||||
Connection conn = getConnection();
|
||||
String rc = callHostPlugin(conn, "vmops", "createFileInDomr", "domrip", routerIp, "filepath", path + filename, "filecontents", content);
|
||||
s_logger.debug ("VR Config file " + filename + " got created in VR with ip " + routerIp + " with content \n" + content);
|
||||
// Fail case would be start with "fail#"
|
||||
return new ExecutionResult(rc.startsWith("succ#"), rc.substring(5));
|
||||
}
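Review bot: The added `s_logger.debug ("VR Config file " + filename + " got created in VR with ip " + routerIp + " with content \n" + content)` writes the entire body of every file pushed to the router into the management-server log; createFileInVR is a generic file drop, so any secret a caller places in such a file (not visible here, but credentials or keys are plausible for router config) would be persisted in clear text wherever DEBUG logging is enabled. Prefer logging the path and size only, e.g. `s_logger.debug("VR config file " + path + filename + " (" + content.length() + " bytes) created in VR with ip " + routerIp);`, and keep a content dump, if ever needed, behind an explicit trace-level switch. The method itself is complete within the hunk.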
|
||||
|
||||
@ -251,9 +251,10 @@ NetworkMigrationResponder, AggregatedCommandExecutor {
|
||||
}
|
||||
|
||||
if (rules != null && rules.size() == 1) {
|
||||
// for VR no need to add default egress rule to DENY traffic
|
||||
// for VR no need to add default egress rule to ALLOW traffic
|
||||
//The default allow rule is added from the router defalut iptables rules iptables-router
|
||||
if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System &&
|
||||
!_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
|
||||
_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
|
||||
return true;
|
||||
}
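Review bot: The new comment `//The default allow rule is added from the router defalut iptables rules iptables-router` has a typo and does not say why the rule is skipped; suggested wording: `// When the egress default policy is ALLOW the router's base iptables already ACCEPT egress, so the System egress rule is not sent to the VR`. The multi-line `if` that now ends with `_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))` guards a bare `return true;`; wrapping it in `{ }` keeps the early return visible if the condition is extended again. The enclosing method begins and ends outside the hunk.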
|
||||
|
||||
|
||||
@ -2789,7 +2789,7 @@ VirtualMachineGuru, Listener, Configurable, StateListener<State, VirtualMachine.
|
||||
|
||||
|
||||
// construct rule when egress policy is true. In true case for VR we default allow rule need to be added
|
||||
if (defaultEgressPolicy) {
|
||||
if (!defaultEgressPolicy) {
|
||||
systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
|
||||
|
||||
List<String> sourceCidr = new ArrayList<String>();
|
||||
@ -2799,6 +2799,9 @@ VirtualMachineGuru, Listener, Configurable, StateListener<State, VirtualMachine.
|
||||
null, null, null, FirewallRule.TrafficType.Egress, FirewallRule.FirewallRuleType.System);
|
||||
|
||||
rules.add(rule);
|
||||
} else {
|
||||
s_logger.debug(" Egress policy for the Network "+ networkId +" is "+defaultEgressPolicy + " So no need"+
|
||||
" of default rule is needed. ");
|
||||
}
|
||||
}
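Review bot: The context comment `// construct rule when egress policy is true. In true case for VR we default allow rule need to be added` now states the opposite of the code beneath it, since the condition was flipped to `if (!defaultEgressPolicy)`; it should read `// Build the System DROP rule only when the egress default policy is false; when it is true the router's base iptables already ACCEPT egress and no rule is needed`. The message in the new else branch, `" So no need"+ " of default rule is needed. "`, is garbled; `s_logger.debug("Egress default policy for network " + networkId + " is " + defaultEgressPolicy + ", no default egress rule needed");` says the same thing cleanly. The enclosing method begins and ends outside these hunks.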
|
||||
|
||||
|
||||
@ -24,6 +24,7 @@ COMMIT
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:FW_EGRESS_RULES - [0:0]
|
||||
:FW_OUTBOUND - [0:0]
|
||||
-A INPUT -d 224.0.0.18/32 -j ACCEPT
|
||||
-A INPUT -d 225.0.0.50/32 -j ACCEPT
|
||||
@ -42,7 +43,9 @@ COMMIT
|
||||
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
|
||||
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
|
||||
-A FW_EGRESS_RULES -j ACCEPT
|
||||
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A FW_OUTBOUND -j FW_EGRESS_RULES
|
||||
COMMIT
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
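Review bot: With `-A FW_EGRESS_RULES -j ACCEPT` and `-A FW_OUTBOUND -j FW_EGRESS_RULES` in the base rule set, every guest-to-public packet (eth0 to eth2 via FW_OUTBOUND) is accepted from the moment the router boots until the management server pushes the network's egress policy; for a network whose egress default policy is DROP that is a fail-open window, and it becomes permanent if the push fails or the network is restarted while the management server cannot reach the VR. If a closed-by-default boot state is wanted for such networks, ship the chain empty here (unmatched traffic then falls to the `:FORWARD DROP` policy) and let the egress script append the ACCEPT only when the policy is allow. If the open-by-default boot is deliberate, record it in this file, e.g. `# FW_EGRESS_RULES defaults to ACCEPT; the egress rule script replaces this with the network's policy`, so the next reader does not treat it as an oversight.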
|
||||
|
||||
@ -145,11 +145,11 @@ fi
|
||||
|
||||
success=0
|
||||
|
||||
if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
|
||||
if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
|
||||
then
|
||||
target="ACCEPT"
|
||||
else
|
||||
target="DROP"
|
||||
else
|
||||
target="ACCEPT"
|
||||
fi
|
||||
|
||||
fw_egress_chain
|
||||
@ -172,7 +172,7 @@ then
|
||||
fw_egress_backup_restore
|
||||
else
|
||||
logger -t cloud "deleting backup for guest network"
|
||||
if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
|
||||
if [ "$pvalue" == "1" ]
|
||||
then
|
||||
#Adding default policy rule
|
||||
sudo iptables -A FW_EGRESS_RULES -j ACCEPT
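Review bot: The two hunks no longer agree on `pvalue == 2`: the first maps 1 or 2 to `target="ACCEPT"`, but the narrowed `if [ "$pvalue" == "1" ]` appends the default `sudo iptables -A FW_EGRESS_RULES -j ACCEPT` only for 1, so a network in state 2 gets ACCEPT on its explicit rules and no terminal default in the chain. The meaning of the pvalue codes is not visible here, so this may be intended (explicit rules plus fall-through to the chain's parent); if so, a comment above the first test recording what 0, 1 and 2 mean would stop a later reader from "fixing" it, and if not, the second test should keep `-o "$pvalue" == "2"`. Note also that any other value, including an empty `$pvalue`, now yields `target="DROP"`, which is the safer failure mode and worth stating in the same comment. The surrounding script continues past both hunks.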
|
||||
|
||||