apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Create iptable rules for all bridges assigned to a system VM

Browse Source 
The default_network_rules_systemvm method in security_group.py only created the appropriate rules for
just one bridge.

This however leads to traffic not being forwarded to the virtual machine in the case of the system VMs
both (console & storage) having different bridges in basic networking.

This patch makes sure rules are generated for all target devices based on their source device/bridge

It however excludes the LinkLocalBridge since no filtering is needed on that bridge.
This commit is contained in:
Wido den Hollander 2012-06-19 12:20:22 +02:00
parent fc9a656b97
commit bdec29b3dc
2 changed files with 51 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
View File

@ -3950,24 +3950,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements
if (!_can_bridge_firewall) { if (!_can_bridge_firewall) {
return false; return false;
} }
List<InterfaceDef> intfs = getInterfaces(conn, vmName);
if (intfs.size() < 1) {
return false;
}
/* FIX ME: */
String brname = null;
if (vmName.startsWith("r-")) {
InterfaceDef intf = intfs.get(0);
brname = intf.getBrName();
} else {
InterfaceDef intf = intfs.get(intfs.size() - 1);
brname = intf.getBrName();
}
Script cmd = new Script(_securityGroupPath, _timeout, s_logger); Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
cmd.add("default_network_rules_systemvm"); cmd.add("default_network_rules_systemvm");
cmd.add("--vmname", vmName); cmd.add("--vmname", vmName);
cmd.add("--brname", brname); cmd.add("--localbrname", _linkLocalBridgeName);
String result = cmd.execute(); String result = cmd.execute();
if (result != null) { if (result != null) {
return false; return false;

50
scripts/vm/network/security_group.py
View File

@ -215,14 +215,10 @@ def default_ebtables_rules(vm_name, vm_ip, vm_mac, vif):
return 'false' return 'false'
def default_network_rules_systemvm(vm_name, brname): def default_network_rules_systemvm(vm_name, localbrname):
if not addFWFramework(brname): bridges = getBridges(vm_name)
return False
vifs = getVifs(vm_name)
domid = getvmId(vm_name) domid = getvmId(vm_name)
vmchain = vm_name vmchain = vm_name
brfw = "BF-" + brname
delete_rules_for_vm_in_bridge_firewall_chain(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
@ -231,6 +227,12 @@ def default_network_rules_systemvm(vm_name, brname):
except: except:
execute("iptables -F " + vmchain) execute("iptables -F " + vmchain)
for bridge in bridges:
if bridge != localbrname:
if not addFWFramework(bridge):
return False
brfw = "BF-" + bridge
vifs = getVifsForBridge(vm_name, bridge)
for vif in vifs: for vif in vifs:
try: try:
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain) execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
@ -678,12 +680,43 @@ def getVifs(vmName):
return vifs return vifs
dom = xml.dom.minidom.parseString(xmlfile) dom = xml.dom.minidom.parseString(xmlfile)
vifs = []
for network in dom.getElementsByTagName("interface"): for network in dom.getElementsByTagName("interface"):
target = network.getElementsByTagName('target')[0] target = network.getElementsByTagName('target')[0]
nicdev = target.getAttribute("dev").strip() nicdev = target.getAttribute("dev").strip()
vifs.append(nicdev) vifs.append(nicdev)
return vifs return vifs
def getVifsForBridge(vmName, brname):
vifs = []
try:
xmlfile = virsh("dumpxml", vmName).stdout
except:
return vifs
dom = xml.dom.minidom.parseString(xmlfile)
for network in dom.getElementsByTagName("interface"):
source = network.getElementsByTagName('source')[0]
bridge = source.getAttribute("bridge").strip()
if bridge == brname:
target = network.getElementsByTagName('target')[0]
nicdev = target.getAttribute("dev").strip()
vifs.append(nicdev)
return list(set(vifs))
def getBridges(vmName):
bridges = []
try:
xmlfile = virsh("dumpxml", vmName).stdout
except:
return bridges
dom = xml.dom.minidom.parseString(xmlfile)
for network in dom.getElementsByTagName("interface"):
for source in network.getElementsByTagName('source'):
bridge = source.getAttribute("bridge").strip()
bridges.append(bridge)
return list(set(bridges))
def getvmId(vmName): def getvmId(vmName):
cmd = "virsh list |grep " + vmName + " | awk '{print $1}'" cmd = "virsh list |grep " + vmName + " | awk '{print $1}'"
return bash("-c", cmd).stdout.strip() return bash("-c", cmd).stdout.strip()
@ -753,6 +786,7 @@ if __name__ == '__main__':
parser.add_option("--seq", dest="seq") parser.add_option("--seq", dest="seq")
parser.add_option("--rules", dest="rules") parser.add_option("--rules", dest="rules")
parser.add_option("--brname", dest="brname") parser.add_option("--brname", dest="brname")
parser.add_option("--localbrname", dest="localbrname")
parser.add_option("--dhcpSvr", dest="dhcpSvr") parser.add_option("--dhcpSvr", dest="dhcpSvr")
parser.add_option("--hostIp", dest="hostIp") parser.add_option("--hostIp", dest="hostIp")
parser.add_option("--hostMacAddr", dest="hostMacAddr") parser.add_option("--hostMacAddr", dest="hostMacAddr")
@ -765,7 +799,7 @@ if __name__ == '__main__':
elif cmd == "destroy_network_rules_for_vm": elif cmd == "destroy_network_rules_for_vm":
destroy_network_rules_for_vm(option.vmName, option.vif) destroy_network_rules_for_vm(option.vmName, option.vif)
elif cmd == "default_network_rules_systemvm": elif cmd == "default_network_rules_systemvm":
default_network_rules_systemvm(option.vmName, option.brname) default_network_rules_systemvm(option.vmName, option.localbrname)
elif cmd == "get_rule_logs_for_vms": elif cmd == "get_rule_logs_for_vms":
get_rule_logs_for_vms() get_rule_logs_for_vms()
elif cmd == "add_network_rules": elif cmd == "add_network_rules":