mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-02 20:02:29 +01:00
bug 10800,10557 :
Cahnges:
1) putting back the changes(bug 10800 and 10557) that had been reverted during merging of Elb/nectarine.
2) 10800 Upgrade from previous release also added: Upgrade from Previous release will leave iptable rules in the INPUT ipchain, this is fixed.
This commit is contained in:
Naredula Janardhana Reddy
parent
cd94e6ac25
commit
ad29587e43
@ -72,11 +72,33 @@ ip_entry() {
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
fw_remove_backup() {
|
||||
for vif in $VIF_LIST; do
|
||||
iptables -F back_load_balancer_$vif 2> /dev/null
|
||||
iptables -D INPUT -i $vif -p tcp -j back_load_balancer_$vif 2> /dev/null
|
||||
iptables -X back_load_balancer_$vif 2> /dev/null
|
||||
done
|
||||
iptables -F back_lb_stats 2> /dev/null
|
||||
iptables -D INPUT -i $STAT_IF -p tcp -j back_lb_stats 2> /dev/null
|
||||
iptables -X back_lb_stats 2> /dev/null
|
||||
}
|
||||
fw_restore() {
|
||||
for vif in $VIF_LIST; do
|
||||
iptables -F load_balancer_$vif 2> /dev/null
|
||||
iptables -D INPUT -i $vif -p tcp -j load_balancer_$vif 2> /dev/null
|
||||
iptables -X load_balancer_$vif 2> /dev/null
|
||||
iptables -E back_load_balancer_$vif load_balancer_$vif 2> /dev/null
|
||||
done
|
||||
iptables -F lb_stats 2> /dev/null
|
||||
iptables -D INPUT -i $STAT_IF -p tcp -j lb_stats 2> /dev/null
|
||||
iptables -X lb_stats 2> /dev/null
|
||||
iptables -E back_lb_stats lb_stats 2> /dev/null
|
||||
}
|
||||
# firewall entry to ensure that haproxy can receive on specified port
|
||||
fw_entry() {
|
||||
local added=$1
|
||||
local removed=$2
|
||||
local stats=$3
|
||||
|
||||
if [ "$added" == "none" ]
|
||||
then
|
||||
@ -90,16 +112,29 @@ fw_entry() {
|
||||
|
||||
local a=$(echo $added | cut -d, -f1- --output-delimiter=" ")
|
||||
local r=$(echo $removed | cut -d, -f1- --output-delimiter=" ")
|
||||
|
||||
|
||||
# back up the iptable rules by renaming before creating new.
|
||||
for vif in $VIF_LIST; do
|
||||
iptables -E load_balancer_$vif back_load_balancer_$vif 2> /dev/null
|
||||
iptables -N load_balancer_$vif 2> /dev/null
|
||||
iptables -A INPUT -i $vif -p tcp -j load_balancer_$vif
|
||||
done
|
||||
iptables -E lb_stats back_lb_stats 2> /dev/null
|
||||
iptables -N lb_stats 2> /dev/null
|
||||
iptables -A INPUT -i $STAT_IF -p tcp -j lb_stats
|
||||
|
||||
for i in $a
|
||||
do
|
||||
local pubIp=$(echo $i | cut -d: -f1)
|
||||
local dport=$(echo $i | cut -d: -f2)
|
||||
logger -t cloud "Opening up firewall $pubIp:$dport (INPUT chain) for load balancing"
|
||||
local dport=$(echo $i | cut -d: -f2)
|
||||
local cidrs=$(echo $i | cut -d: -f3 | sed 's/-/,/')
|
||||
|
||||
for vif in $VIF_LIST; do
|
||||
sudo iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
|
||||
sudo iptables -A INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
|
||||
|
||||
#TODO : The below delete will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
|
||||
iptables -D INPUT -i $vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
|
||||
|
||||
iptables -A load_balancer_$vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT
|
||||
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
@ -107,18 +142,24 @@ fw_entry() {
|
||||
fi
|
||||
done
|
||||
done
|
||||
local pubIp=$(echo $stats | cut -d: -f1)
|
||||
local dport=$(echo $stats | cut -d: -f2)
|
||||
local cidrs=$(echo $stats | cut -d: -f3 | sed 's/-/,/')
|
||||
iptables -A lb_stats -s $cidrs -p tcp -m state --state NEW -d $pubIp --dport $dport -j ACCEPT
|
||||
|
||||
|
||||
#TODO : The below delete in the for-loop will be used only when we upgrade the from older verion to the newer one , the below delete become obsolute in the future.
|
||||
for i in $r
|
||||
do
|
||||
local pubIp=$(echo $i | cut -d: -f1)
|
||||
local dport=$(echo $i | cut -d: -f2)
|
||||
logger -t cloud "Closing up firewall (INPUT chain) $pubIp:$dport for deleted load balancers"
|
||||
local dport=$(echo $i | cut -d: -f2)
|
||||
local cidrs=$(echo $i | cut -d: -f3 | sed 's/-/,/')
|
||||
|
||||
for vif in $VIF_LIST; do
|
||||
sudo iptables -D INPUT -i $vif -p tcp -d $pubIp --dport $dport -j ACCEPT
|
||||
iptables -D INPUT -i $vif -s $cidrs -p tcp -d $pubIp --dport $dport -j ACCEPT 2> /dev/null
|
||||
done
|
||||
done
|
||||
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -182,7 +223,9 @@ do
|
||||
cfgfile="$OPTARG"
|
||||
;;
|
||||
|
||||
s) sflag=1;;
|
||||
s) sflag=1
|
||||
statsIp="$OPTARG"
|
||||
;;
|
||||
?) usage
|
||||
exit 2
|
||||
;;
|
||||
@ -217,7 +260,8 @@ if [ "$VIF_LIST" == "eth0" ]
|
||||
then
|
||||
ip_entry $addedIps $removedIps
|
||||
fi
|
||||
|
||||
# FIXME make the load balancer stat interface generic
|
||||
STAT_IF="eth0"
|
||||
|
||||
# hot reconfigure haproxy
|
||||
reconfig_lb $cfgfile
|
||||
@ -234,7 +278,7 @@ then
|
||||
fi
|
||||
|
||||
# iptables entry to ensure that haproxy receives traffic
|
||||
fw_entry $addedIps $removedIps
|
||||
fw_entry $addedIps $removedIps $statsIp
|
||||
|
||||
if [ $? -gt 0 ]
|
||||
then
|
||||
@ -243,8 +287,8 @@ then
|
||||
restore_lb
|
||||
|
||||
logger -t cloud "Reverting firewall config"
|
||||
# Revert iptables rules on DomR, with addedIps and removedIps swapped
|
||||
fw_entry $removedIps $addedIps
|
||||
# Revert iptables rules on DomR
|
||||
fw_restore
|
||||
|
||||
#FIXME: make this explicit via check on vm type or passed in flag
|
||||
if [ "$VIF_LIST" == "eth0" ]
|
||||
@ -254,6 +298,9 @@ then
|
||||
fi
|
||||
|
||||
exit 1
|
||||
else
|
||||
# Remove backedup iptable rules
|
||||
fw_remove_backup
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user