From a7c6b9f28ef9cf68d79bfc50c01a563f45abf7f7 Mon Sep 17 00:00:00 2001
From: Edison Su
Date: Sun, 27 Feb 2011 21:17:44 -0500
Subject: [PATCH] fix security group rules

---
 scripts/vm/network/security_group.py | 19 ++++++++-----------
 .../src/com/cloud/api/ApiResponseHelper.java | 2 +-
 2 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index ad6983f6165..7111ef7bfbc 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -201,7 +201,6 @@ def default_network_rules_systemvm(vm_name, brname):
 except:
 execute("iptables -F " + vmchain)
 
-
 for vif in vifs:
 try:
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
@@ -430,13 +429,13 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
 logging.debug("Rules already programmed for vm " + vm_name)
 return 'true'
 
+ if changes[0] or changes[2]:
+ default_network_rules(vmName, vm_id, vm_ip, vmMac, vif, brname)
+
 if rules == "" or rules == None:
 write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
 return 'true'
 
- if changes[0] or changes[2]:
- default_network_rules(vmName, vm_id, vm_ip, vmMac, vif, brname)
-
 
 lines = rules.split(';')[:-1]
 logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
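Review bot: The guard the moved block now precedes, `if rules == "" or rules == None:`, compares against None with `==`; `if rules == "" or rules is None:` (or just `if not rules:`, since the empty-string case lands in the same branch) is the idiomatic and safer form. The reorder is the substantive fix of this commit but carries no explanation, so a later reader has nothing telling them the default rules must run before the empty-ruleset return; a why-comment above the moved `if changes[0] or changes[2]:` such as `# reset the VM chain to its defaults before the empty-ruleset early return, so a ruleset that became empty still takes effect` would preserve that intent. The moved call passes `vmName` while the signature in the hunk header binds `vm_name`; presumably `vmName` is assigned earlier in the body, which starts outside the hunk, but it is worth confirming it is bound on every path that reaches this line. add_network_rules begins before and continues after this hunk.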
@@ -462,27 +461,25 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
 if ips:
 if protocol == 'all':
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT"
+ execute("iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT")
 elif protocol != 'icmp':
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT"
+ execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT")
 else:
 range = start + "/" + end
 if start == "-1":
 range = "any"
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT"
- execute(iptables)
+ execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT")
 
 if allow_any and protocol != 'all':
 if protocol != 'icmp':
- iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT"
+ execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j ACCEPT")
 else:
 range = start + "/" + end
 if start == "-1":
 range = "any"
- iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT"
- execute(iptables)
+ execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -j ACCEPT")
 
 iptables = "iptables -A " + vmchain + " -j DROP"
 execute(iptables)
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index 4597d5eeb15..992f294b065 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
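Review bot: Every `execute(...)` call added in this hunk interpolates `ip`, `protocol` and `range` straight into a command string, and those fields come from the `rules` argument the function parses (`lines = rules.split(';')[:-1]` in the earlier hunk) rather than from the script itself; if `execute` hands the string to a shell, a malformed field is run as command text rather than as a rule, and even with a plain argument split an unexpected value still yields a rule the caller did not intend. Validating each field before it is used — `protocol` against the values the branches already distinguish (`'all'`, `'icmp'` and the names usable with `-m`), `ip` as an address or CIDR, `range` as digits or `digits:digits` — would close that without touching the rule logic; the parsing that would naturally host the check lies outside the hunk. On the `range = start + "/" + end` lines `range` shadows the builtin of the same name and is easy to confuse with the port range used in the `--dport` branches; `icmp_range` / `port_range` would read more clearly. The closing `iptables = "iptables -A " + vmchain + " -j DROP"` / `execute(iptables)` pair keeps the two-step form the rest of the hunk just replaced; `execute("iptables -A " + vmchain + " -j DROP")` would make the block consistent. add_network_rules starts before and ends after this hunk.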
@@ -1256,7 +1256,7 @@ public class ApiResponseHelper implements ResponseGenerator {
 Network network = ApiDBUtils.findNetworkById(singleNicProfile.getNetworkId());
 if (network != null) {
 TrafficType trafficType = TrafficType.Public;
- if(zone.getNetworkType() == NetworkType.Basic) {
+ if(zone.getNetworkType() == NetworkType.Basic || zone.isSecurityGroupEnabled()) {
 trafficType = TrafficType.Guest;
 }
 if (network.getTrafficType() == trafficType) {
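Review bot: The widened condition `if(zone.getNetworkType() == NetworkType.Basic || zone.isSecurityGroupEnabled())` now selects the Guest traffic type for every security-group-enabled zone, not only Basic ones, and nothing in the hunk records why the two cases are treated alike, so a later reader may "simplify" it back. A why-comment above the line, such as `// NOTE: security-group-enabled zones are matched on the guest network here, like Basic zones; confirm against the zone model if this changes`, would carry that intent with the code. `zone` is dereferenced the same way in the surrounding context lines, so the change introduces no new null-handling concern. The enclosing method starts and ends outside the hunk.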