fix security group rules

Edison Su 2011-02-27 21:17:44 -05:00
parent 0e90ede56a
commit a7c6b9f28e
2 changed files with 9 additions and 12 deletions


@ -201,7 +201,6 @@ def default_network_rules_systemvm(vm_name, brname):
except:
execute("iptables -F " + vmchain)
for vif in vifs:
try:
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
@ -430,13 +429,13 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
logging.debug("Rules already programmed for vm " + vm_name)
return 'true'
if changes[0] or changes[2]:
default_network_rules(vmName, vm_id, vm_ip, vmMac, vif, brname)
if rules == "" or rules == None:
write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
return 'true'
if changes[0] or changes[2]:
default_network_rules(vmName, vm_id, vm_ip, vmMac, vif, brname)
lines = rules.split(';')[:-1]
logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
@ -462,27 +461,25 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
if ips:
if protocol == 'all':
for ip in ips:
iptables = "iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT"
execute("iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT")
elif protocol != 'icmp':
for ip in ips:
iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT"
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT")
else:
range = start + "/" + end
if start == "-1":
range = "any"
for ip in ips:
iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT"
execute(iptables)
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT")
if allow_any and protocol != 'all':
if protocol != 'icmp':
iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT"
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT")
else:
range = start + "/" + end
if start == "-1":
range = "any"
iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT"
execute(iptables)
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT")
iptables = "iptables -A " + vmchain + " -j DROP"
execute(iptables)
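Review bot: The inlined `execute("iptables -I " + vmchain + ...` calls still interpolate `ip`, `protocol` and `range` — fields parsed from the `rules` string via `rules.split(';')` earlier in this section — straight into the command text, so the rewrite changes the form of the calls but not what reaches execute(). If execute() hands that string to a shell (its definition is outside this hunk), each field should be validated before the command is built — `ip` checked as an address/CIDR and `protocol` against a short allowlist — and a comment such as `# ip/protocol/range come from the rules payload; validated before being spliced into the command` would record that expectation. The closing pair `iptables = "iptables -A " + vmchain + " -j DROP"` / `execute(iptables)` keeps the temporary that the rest of the hunk removed; for consistency write `execute("iptables -A " + vmchain + " -j DROP")`. The local `range` also shadows the builtin and would read better as `port_range`; add_network_rules continues outside the hunk.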


@ -1256,7 +1256,7 @@ public class ApiResponseHelper implements ResponseGenerator {
Network network = ApiDBUtils.findNetworkById(singleNicProfile.getNetworkId());
if (network != null) {
TrafficType trafficType = TrafficType.Public;
if(zone.getNetworkType() == NetworkType.Basic) {
if(zone.getNetworkType() == NetworkType.Basic || zone.isSecurityGroupEnabled()) {
trafficType = TrafficType.Guest;
}
if (network.getTrafficType() == trafficType) {
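Review bot: The widened condition `if(zone.getNetworkType() == NetworkType.Basic || zone.isSecurityGroupEnabled())` deserves a one-line comment stating why a security-group-enabled zone reports the Guest traffic type here, since the line otherwise reads as a Basic-zone special case. The new line also keeps `if(` while `if (network != null)` two lines above uses `if (`; match the surrounding spacing. `zone` is dereferenced without the null guard that `network` gets, but where it comes from is outside this hunk, so whether it can be null at this point is not visible.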