CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network

This covers only DHCP-only networks, since in basic and shared networks the
private IP used by the VR and the network itself may be exposed to the outside.
This commit is contained in:
Sheng Yang 2014-04-16 18:40:26 -07:00
parent 59a9db39b1
commit a554ebdf75
2 changed files with 17 additions and 1 deletions


@ -2347,10 +2347,12 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
buf.append(" domain=" + domain);
}
long cidrSize = 0;
//setup dhcp range
if (dc.getNetworkType() == NetworkType.Basic) {
if (guestNic.isDefaultNic()) {
final long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
if (cidr != null) {
dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
@ -2359,11 +2361,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
} else if (dc.getNetworkType() == NetworkType.Advanced) {
final String cidr = guestNetwork.getCidr();
if (cidr != null) {
cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
dhcpRange = NetUtils.getDhcpRange(cidr);
}
}
if (dhcpRange != null) {
// To limit DNS to the cidr range
buf.append(" cidrsize=" + String.valueOf(cidrSize));
buf.append(" dhcprange=" + dhcpRange);
}
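Review bot: In the second hunk the `cidrsize=` argument is written whenever `dhcpRange` is non-null, but `cidrSize` keeps its initial value of 0 on any path that sets `dhcpRange` without also setting it, and on the VR side a value of 0 becomes `-s <start-ip>/0`, which matches every source address and silently reverts the DNS rule to fully open. From the two branches visible here both values are always set together, but the Basic branch's non-default-NIC path and the rest of the method are outside the hunk, so I cannot confirm no such path exists. I would fail closed on the management-server side by only emitting the size when it is meaningful, e.g. `if (cidrSize > 0) { buf.append(" cidrsize=" + cidrSize); }` inside the `if (dhcpRange != null)` block (the `String.valueOf` is redundant in string concatenation), and log a warning otherwise so the VR keeps the unrestricted template rule visibly rather than a misleadingly restrictive-looking one. The enclosing method starts before the first hunk and continues past the second.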


@ -1073,8 +1073,16 @@ setup_dhcpsrvr() {
enable_svc cloud 0
enable_fwding 0
chkconfig nfs-common off
cp /etc/iptables/iptables-router /etc/iptables/rules.v4
cp /etc/iptables/iptables-router /etc/iptables/rules
#Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
if [ "$SSHONGUEST" == "true" ]
then
setup_sshd $ETH0_IP "eth0"
@ -1420,6 +1428,9 @@ for i in $CMDLINE
vpccidr)
VPCCIDR=$VALUE
;;
cidrsize)
CIDR_SIZE=$VALUE
;;
esac
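Review bot: In the `setup_dhcpsrvr` hunk the four `sed` rewrites run unconditionally, so when `DHCP_RANGE` or `CIDR_SIZE` is empty (for example a VR template booted by a management server that does not yet pass `cidrsize=` on the command line) the DNS rule becomes `-s 10.1.1.1/ -j ACCEPT`, which `iptables-restore` rejects, and because the whole of `rules.v4`/`rules` is loaded as one unit the VR may come up with no firewall ruleset at all. Wrapping the rewrites in `if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ]; then … fi` keeps the template's original (open, but functional) rule in that case. The substitution also matches only the exact rule text from `iptables-router`; if that template line is ever reformatted the `sed` silently matches nothing and DNS stays open, so a comment noting the coupling, `# NOTE: pattern must match the DNS ACCEPT lines in /etc/iptables/iptables-router verbatim`, would help the next editor. Validating that `cidrsize` is a number in 0-32 when it is parsed in the second hunk would also stop a malformed value reaching the rules file. `setup_dhcpsrvr` starts before the first hunk and continues past it.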
done