diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-early-config b/patches/systemvm/debian/config/etc/init.d/cloud-early-config index b2566ebf04d..5f59cded505 100755 --- a/patches/systemvm/debian/config/etc/init.d/cloud-early-config +++ b/patches/systemvm/debian/config/etc/init.d/cloud-early-config @@ -171,8 +171,7 @@ setup_interface() { local intfnum=$1 local ip=$2 local mask=$3 - local gw=$4 - local force=$5 + local force=$4 local intf=eth${intfnum} local bootproto="static" @@ -286,11 +285,11 @@ disable_hvc() { setup_common() { init_interfaces $1 $2 $3 - setup_interface "0" $ETH0_IP $ETH0_MASK $GW - setup_interface "1" $ETH1_IP $ETH1_MASK $GW + setup_interface "0" $ETH0_IP $ETH0_MASK + setup_interface "1" $ETH1_IP $ETH1_MASK if [ -n "$ETH2_IP" ] then - setup_interface "2" $ETH2_IP $ETH2_MASK $GW + setup_interface "2" $ETH2_IP $ETH2_MASK fi echo $NAME > /etc/hostname @@ -472,38 +471,20 @@ setup_redundant_router() { fi } -setup_router() { - log_it "Setting up virtual router system vm" - + +setup_vmware_extra_nics() { + local oldmd5 oldmd5= [ -f "/etc/udev/rules.d/70-persistent-net.rules" ] && oldmd5=$(md5sum "/etc/udev/rules.d/70-persistent-net.rules" | awk '{print $1}') - - if [ -n "$ETH2_IP" ] + + if [ -n "$EXTRA_NICS" ] then - setup_common eth0 eth1 eth2 - - if [ -n "$EXTRA_PUBNICS" ] - then - for((i = 3; i < 3 + $EXTRA_PUBNICS; i++)) - do - setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force" - done - fi - else - setup_common eth0 eth1 - if [ -n "$EXTRA_PUBNICS" ] - then - for((i = 2; i < 2 + $EXTRA_PUBNICS; i++)) - do - setup_interface "$i" "0.0.0.0" "255.255.255.255" $GW "force" - done - fi - fi - - if [ -n "$ETH2_IP" -a "$RROUTER" == "1" ] - then - setup_redundant_router + for((i = 1; i < 1 + $EXTRA_NICS; i++)) + do + setup_interface "$i" "0.0.0.0" "255.255.255.255" "force" + done fi + log_it "Checking udev NIC assignment order changes" if [ "$NIC_MACS" != "" ] 
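Review bot: In setup_vmware_extra_nics the loop index `i` is not declared `local` next to `local oldmd5`, and `$EXTRA_NICS` goes unquoted straight into the `for((i = 1; i < 1 + $EXTRA_NICS; i++))` bound, so a non-numeric value produces a bash arithmetic error rather than a diagnostic; `local i` plus a guard such as `case "$EXTRA_NICS" in *[!0-9]*) log_it "EXTRA_NICS is not numeric: $EXTRA_NICS"; return 1;; esac` before the loop would cover it. The function body continues past the end of this hunk. Note also that the udev-rules md5 snapshot taken here now happens before `setup_common eth0` is run by setup_router (later hunk), whereas the old setup_router snapshotted and then ran setup_common before checking udev order; presumably intentional, but worth confirming the udev-reorder check still sees the state it expects.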
@@ -522,18 +503,29 @@ setup_router() { fi fi - - - NS=$NS1 - [ -n "$NS2" ] && NS=$NS1,$NS2 - if [ "$USE_EXTERNAL_DNS" == "true" ] - then - sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf - echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf + +} + + +setup_router() { + log_it "Setting up virtual router system vm" + if [ "$hyp" == "vmware" ]; then + setup_vmware_extra_nics fi + + setup_common eth0 + + if [ "$RROUTER" == "1" ] + then + setup_redundant_router + fi + + setup_dnsmasq + setup_apache2 $ETH0_IP sed -i /gateway/d /etc/hosts + echo "$ETH0_IP $NAME" >> /etc/hosts setup_sshd $ETH0_IP enable_svc dnsmasq 1 @@ -546,47 +538,6 @@ setup_router() { cp /etc/iptables/iptables-router /etc/iptables/rules } -setup_dhcpsrvr() { - log_it "Setting up dhcp server system vm" - setup_common eth0 - setup_dnsmasq - setup_apache2 $ETH0_IP - - NS=$NS1 - [ -n "$NS2" ] && NS=$NS1,$NS2 - if [ "$DEFAULTROUTE" != "false" ] - then - sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf - echo "dhcp-option=option:router,$GW" >> /etc/dnsmasq.conf - #for now set up ourself as the dns server as well - sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf - if [ "$USE_EXTERNAL_DNS" == "true" ] - then - echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf - else - echo "dhcp-option=6,$ETH0_IP,$NS" >> /etc/dnsmasq.conf - fi - else - sed -i -e "/^[#]*dhcp-option=option:router.*$/d" /etc/dnsmasq.conf - echo "dhcp-option=option:router" >> /etc/dnsmasq.conf - sed -i -e "/^[#]*dhcp-option=6.*$/d" /etc/dnsmasq.conf - echo "dhcp-option=6,$NS" >> /etc/dnsmasq.conf - fi - - sed -i /gateway/d /etc/hosts - echo "$ETH0_IP $NAME" >> /etc/hosts - - setup_sshd $ETH0_IP - - enable_svc dnsmasq 1 - enable_svc haproxy 0 - enable_svc cloud-passwd-srvr 1 - enable_svc cloud 0 - enable_fwding 0 - chkconfig nfs-common off - cp /etc/iptables/iptables-router /etc/iptables/rules -} - setup_storage_network() { if [ x"$STORAGE_IP" == "x" -o x"$STORAGE_NETMASK" == "x" ] then 
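Review bot: The USE_EXTERNAL_DNS block removed from setup_router (the `dhcp-option=6,$NS` line) has no visible replacement in the new body; the removed setup_dhcpsrvr wrote that same option after calling setup_dnsmasq, which suggests setup_dnsmasq (defined outside this diff) does not emit it, so the router's DHCP clients may no longer be handed the configured name servers — please confirm against setup_dnsmasq. Separately, `setup_redundant_router` now runs on `"$RROUTER" == "1"` alone, where the old code also required `-n "$ETH2_IP"`; if that guard mattered it should be restated here. Finally `echo "$ETH0_IP $NAME" >> /etc/hosts` appends on every run while the preceding `sed -i /gateway/d` only removes gateway lines, so repeated runs accumulate duplicate entries; `sed -i -e /gateway/d -e "/ $NAME\$/d" /etc/hosts` before the echo keeps the file idempotent.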
@@ -701,10 +652,6 @@ start() { [ "$NAME" == "" ] && NAME=router setup_router ;; - dhcpsrvr) - [ "$NAME" == "" ] && NAME=dhcpsrvr - setup_dhcpsrvr - ;; secstorage) [ "$NAME" == "" ] && NAME=secstorage setup_secstorage $hyp; diff --git a/patches/systemvm/debian/config/root/acl.sh b/patches/systemvm/debian/config/root/acl.sh new file mode 100755 index 00000000000..6a3449aabee --- /dev/null +++ b/patches/systemvm/debian/config/root/acl.sh 
@@ -0,0 +1,199 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+# firewall_rule.sh -- allow some ports / protocols to vm instances
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage: %s: -a \n" $(basename $0) >&2
+ printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
+}
+#set -x
+#FIXME: eating up the error code during execution of iptables
+acl_remove_backup() {
+ sudo iptables -F _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -X _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -F _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -X _ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_remove() {
+ sudo iptables -F ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -X ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -F ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -X ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_restore() {
+ acl_remove
+ sudo iptables -E _ACL_INBOND_$gGW ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -E _ACL_OUTBOND_$gGW ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_save() {
+ acl_remove_backup
+ sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+acl_chain_for_guest_network () {
+ acl_save
+ # inbond
+ sudo iptables -E ACL_INBOND_$gGW _ACL_INBOND_$gGW 2>/dev/null
+ sudo iptables -N ACL_INBOND_$gGW 2>/dev/null
+ # drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -A ACL_INBOND_$gGW -j DROP 2>/dev/null
+ sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOND_$gGW 2>/dev/null
+ # outbond
+ sudo iptables -E ACL_OUTBOND_$gGW _ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -N ACL_OUTBOND_$gGW 2>/dev/null
+ sudo iptables -A ACL_OUTBOND_$gGW -j DROP 2>/dev/null
+ sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOND_$gGW 2>/dev/null
+}
+
+
+
+acl_entry_for_guest_network() {
+ local rule=$1
+
+ local inbond=$(echo $rule | cut -d: -f1)
+ local prot=$(echo $rules | cut -d: -f2)
+ local sport=$(echo $rules | cut -d: -f3)
+ local eport=$(echo $rules | cut -d: -f4)
+ local cidrs=$(echo $rules | cut -d: -f5 | sed 's/-/ /g')
+
+ logger -t cloud "$(basename $0): enter apply firewall rules for guest network: $gcidr inbond:$inbond:$prot:$sport:$eport:$cidrs"
+
+ # note that rules are inserted after the RELATED,ESTABLISHED rule
+ # but before the DROP rule
+ for lcidr in $scidrs
+ do
+ [ "$prot" == "reverted" ] && continue;
+ if [ "$prot" == "icmp" ]
+ then
+ typecode="$sport/$eport"
+ [ "$eport" == "-1" ] && typecode="$sport"
+ [ "$sport" == "-1" ] && typecode="any"
+ if [ "$inbond" == "1" ]
+ then
+ sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ else
+ sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+ --icmp-type $typecode -j ACCEPT
+ fi
+ else
+ if [ "$inbond" == "1" ]
+ then
+ sudo iptables -I ACL_INBOND_$gGW -p $prot -s $lcidr \
+ --dport $sport:$eport -j ACCEPT
+ else
+ sudo iptables -I ACL_OUTBOND_$gGW -p $prot -d $lcidr \
+ --dport $sport:$eport -j ACCEP`T
+ fi
+ result=$?
+ [ $result -gt 0 ] &&
+ logger -t cloud "Error adding iptables entry for $pubIp:$prot:$sport:$eport:$src" &&
+ break
+ done
+
+ logger -t cloud "$(basename $0): exit apply firewall rules for public ip $pubIp"
+ return $result
+}
+
+
+shift
+dflag=0
+gflag=0
+aflag=0
+rules=""
+rules_list=""
+gcidr=""
+gGW=""
+dev=""
+while getopts ':d:g:a:' OPTION
+do
+ case $OPTION in
+ d) dflag=1
+ dev="$OPTAGR"
+ g) gflag=1
+ gcidr="$OPTAGR"
+ a) aflag=1
+ rules="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+VIF_LIST=$(get_vif_list)
+
+if [ "$gflag$aflag" != "11" ]
+then
+ usage()
+fi
+
+
+if [ -n "$rules" == "" ]
+then
+ rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
+fi
+
+# rule format
+# protocal:sport:eport:cidr
+#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
+# if any entry is reverted , entry will be in the format :reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
+
+success=0
+gGW=$(echo $gcidr | awk -F'/' '{print $1}')
+
+acl_chain_for_guest_network
+
+for r in $rules_list
+do
+ acl_entry_for_guest_network $r
+ success=$?
+ if [ $success -gt 0 ]
+ then
+ logger -t cloud "$(basename $0): failure to apply fw rules for guest network: $gcidr"
+ break
+ else
+ logger -t cloud "$(basename $0): successful in applying fw rules for guest network: $gcidr"
+ fi
+done
+
+if [ $success -gt 0 ]
+then
+ logger -t cloud "$(basename $0): restoring from backup for guest network: $gcidr"
+ acl_restore
+else
+ logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+ acl_remove_backup
+fi
+unlock_exit $success $lock $locked
+
diff --git a/patches/systemvm/debian/config/root/guestnw.sh b/patches/systemvm/debian/config/root/guestnw.sh
new file mode 100755
index 00000000000..e958dd07bd5
--- /dev/null
+++ b/patches/systemvm/debian/config/root/guestnw.sh 
@@ -0,0 +1,163 @@
+#!/usr/bin/env bash
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Automatically generated by addcopyright.py at 04/03/2012
+
+# guestnw.sh -- create/destroy guest network
+# @VERSION@
+
+source /root/func.sh
+
+lock="biglock"
+locked=$(getLockFile $lock)
+if [ "$locked" != "1" ]
+then
+ exit 1
+fi
+
+usage() {
+ printf "Usage:\n %s -A -c -g -m -d -r [-f] \n" $(basename $0) >&2
+ printf " %s -D -c \n" $(basename $0) >&2
+}
+
+
+setup_dnsmasq() {
+ loger -t cloud "Setting up dnsmasq for network $gwIP "
+
+ sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+
+ echo "dhcp-range=interface:$ethDev,$gwIP,static/" >> /etc/dnsmasq.d/cloud.conf
+
+ service dnsmasq restart
+ sleep 1
+}
+
+desetup_dnsmasq() {
+ loger -t cloud "Setting up dnsmasq for network $gwIP "
+
+ sed -i -e "/^[#]*dhcp-range=interface:$ethDev/d" /etc/dnsmasq.d/cloud.conf
+
+ service dnsmasq restart
+ sleep 1
+}
+
+
+create_network() {
+ logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+
+ sudo ip addr add $ethDev $gwIP/$cidr
+
+ # create inbond acl chain
+ if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
+ then
+ logger -t cloud "$(basename $0): create VPC inbond acl chain for network $gwIP"
+ # policy drop
+ sudo iptables -A ACL_INBOND_$gwIP DROP >/dev/null
+ sudo iptables -A FORWARD -o $dev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
+ fi
+ # create outbond acl chain
+ if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
+ then
+ logger -t cloud "$(basename $0): create VPC outbond acl chain for network $gwIP"
+ sudo iptables -A ACL_OUTBOND_$gwIP DROP >/dev/null
+ sudo iptables -A FORWARD -i $dev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
+ fi
+
+ setup_dnsmasq
+}
+
+destroy_network() {
+ logger -t cloud " $(basename $0): Create network on interface $ethDev, gateway $gwIP, network $network, cidr $cidr "
+
+
+ # destroy egress firewall chain
+ sudo iptables -t mangle -D PREROUTING -s $gwIP/$cidr -j FIREWALL_EGRESS_$gwIP
+ sudo iptables -t mangle -F FIREWALL_EGRESS_$gwIP
+ sudo iptables -t mangle -X FIREWALL_EGRESS_$gwIP
+
+ # destroy ingress firewall chain
+
+ sudo iptables -t mangle -D POSTROUTING -o $devDev-d $gwIP/$cidr -j FIREWALL_IEGRESS_$gwIP
+ sudo iptables -t mangle -F FIREWALL_INGRESS_$gwIP
+ sudo iptables -t mangle -X FIREWALL_INGRESS_$gwIP
+
+ desetup_dnsmasq
+}
+
+#set -x
+nflag=0
+dflag=
+cflag=
+gflag=
+Cflag=
+Dflag=
+
+op=""
+
+
+while getopts 'CDg:n:m:c:v' OPTION
+do
+ case $OPTION in
+ C) Cflag=1
+ op="-C"
+ ;;
+ D) Dflag=1
+ op="-D"
+ ;;
+ n) nflag=1
+ network="$OPTAGR"
+ ;;
+ c) cflag=1
+ cidr="$OPTARG"
+ ;;
+ d) dflag=1
+ ethDev="$OPTARG"
+ ;;
+ v) vflag=1
+ vcidr="$OPTARG"
+ ;;
+
+ g) gflag=1
+ gwIP="$OPTARG"
+ ;;
+ ?) usage
+ unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+
+if [ "$Cflag$Dflag$cflag" != "11" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+if [ "$Cflag" == "1" ] && ["$nflag$mflag$gflag$vflag" != "1111" ]
+then
+ usage
+ unlock_exit 2 $lock $locked
+fi
+
+
+if [ "$Cflag" == "1" ]
+then
+ create_guest_network
+fi
+
+
+if [ "$Dflag" == "1" ]
+then
+ destroy_guest_network
+fi
+
+unlock_exit 0 $lock $locked
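Review bot: create_network never attaches its ACL chains to FORWARD: both `-A FORWARD` lines use `$dev`, but the option parser stores the interface in `ethDev`, so iptables rejects the empty `-o`/`-i` argument and guest traffic is forwarded without ever reaching the DROP-terminated ACL_INBOND_*/ACL_OUTBOND_* chains (the DROP rules themselves are also missing `-j`). The script fails earlier too: `sudo ip addr add $ethDev $gwIP/$cidr` has the arguments in the wrong order (`ip addr add $gwIP/$cidr dev $ethDev`), `loger` is misspelled in both dnsmasq helpers, the getopts string `'CDg:n:m:c:v'` has no `d:` so `-d` lands in the `?)` arm, `v` is declared without an argument although its arm reads `$OPTARG`, `n)` reads `$OPTAGR`, `["$nflag...` lacks the space after `[`, and `"$Cflag$Dflag$cflag" != "11"` compares three flags against a two-character string. The main flow then calls `create_guest_network`/`destroy_guest_network`, while the functions are named `create_network`/`destroy_network`. destroy_network deletes FIREWALL_EGRESS_*/FIREWALL_INGRESS_* mangle chains that this file never creates (with `$devDev-d` and `FIREWALL_IEGRESS` typos on the POSTROUTING line) and leaves the ACL_* chains and their FORWARD jumps in place, so unless another script owns those chains the teardown is incomplete. The rewritten lines follow.
```shell
setup_dnsmasq() {
  logger -t cloud "Setting up dnsmasq for network $gwIP "
  # … unchanged: sed, echo, restart, sleep …
}

desetup_dnsmasq() {
  logger -t cloud "Setting up dnsmasq for network $gwIP "
  # … unchanged: sed, restart, sleep …
}

create_network() {
  # … unchanged: logger …
  sudo ip addr add $gwIP/$cidr dev $ethDev

  if sudo iptables -N ACL_INBOND_$gwIP 2>/dev/null
  then
    logger -t cloud "$(basename $0): create VPC inbond acl chain for network $gwIP"
    sudo iptables -A ACL_INBOND_$gwIP -j DROP >/dev/null
    sudo iptables -A FORWARD -o $ethDev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
  fi
  if sudo iptables -N ACL_OUTBOND_$gwIP 2>/dev/null
  then
    logger -t cloud "$(basename $0): create VPC outbond acl chain for network $gwIP"
    sudo iptables -A ACL_OUTBOND_$gwIP -j DROP >/dev/null
    sudo iptables -A FORWARD -i $ethDev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
  fi
  setup_dnsmasq
}

destroy_network() {
  # … unchanged: logger, FIREWALL_EGRESS teardown …
  sudo iptables -t mangle -D POSTROUTING -o $ethDev -d $gwIP/$cidr -j FIREWALL_INGRESS_$gwIP
  # … unchanged: FIREWALL_INGRESS -F / -X …
  sudo iptables -D FORWARD -o $ethDev -d $gwIP/$cidr -j ACL_INBOND_$gwIP
  sudo iptables -F ACL_INBOND_$gwIP
  sudo iptables -X ACL_INBOND_$gwIP
  sudo iptables -D FORWARD -i $ethDev -s $gwIP/$cidr -j ACL_OUTBOND_$gwIP
  sudo iptables -F ACL_OUTBOND_$gwIP
  sudo iptables -X ACL_OUTBOND_$gwIP
  desetup_dnsmasq
}

while getopts 'CDn:m:c:d:v:g:' OPTION
do
  case $OPTION in
  # … unchanged: C) and D) arms …
  n)    nflag=1
        network="$OPTARG"
        ;;
  # … unchanged: c) d) v) g) ?) arms …
  esac
done

if [ "$Cflag$Dflag" != "1" ] || [ "$cflag" != "1" ]
then
  usage
  unlock_exit 2 $lock $locked
fi

if [ "$Cflag" == "1" ] && [ "$nflag$gflag$dflag" != "111" ]
then
  usage
  unlock_exit 2 $lock $locked
fi

if [ "$Cflag" == "1" ]
then
  create_network
fi

if [ "$Dflag" == "1" ]
then
  destroy_network
fi
```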