apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-12-16 18:43:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge in various security groups fixes from 2.1.x

Browse Source
This commit is contained in:
Chiradeep Vittal 2011-01-07 15:54:28 -08:00
parent bd35fd20a0
commit c6b027310d
1 changed files with 35 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
scripts/vm/hypervisor/xenserver/vmops
View File

@ -358,7 +358,7 @@ def can_bridge_firewall(session, args):
util.pread2(['iptables', '-D', 'FORWARD', '-j', 'RH-Firewall-1-INPUT']) util.pread2(['iptables', '-D', 'FORWARD', '-j', 'RH-Firewall-1-INPUT'])
except: except:
util.SMlog('Chain BRIDGE-FIREWALL already exists') util.SMlog('Chain BRIDGE-FIREWALL already exists')
privnic = get_private_nic(session,args) privnic = get_private_nic(session, args)
result = 'true' result = 'true'
try: try:
util.pread2(['/bin/bash', '-c', 'iptables -n -L FORWARD | grep BRIDGE-FIREWALL']) util.pread2(['/bin/bash', '-c', 'iptables -n -L FORWARD | grep BRIDGE-FIREWALL'])
@ -374,7 +374,7 @@ def can_bridge_firewall(session, args):
os.makedirs('/var/run/cloud') os.makedirs('/var/run/cloud')
cleanup_rules_for_dead_vms(session) cleanup_rules_for_dead_vms(session)
cleanup_rules(session) cleanup_rules(session, args)
return result return result
@ -414,13 +414,13 @@ def destroy_network_rules_for_vm(session, args):
vmchain = '-'.join(vm_name.split('-')[:-1]) vmchain = '-'.join(vm_name.split('-')[:-1])
vmchain_default = '-'.join(vm_name.split('-')[:-2]) + "-def" vmchain_default = '-'.join(vm_name.split('-')[:-2]) + "-def"
destroy_ebtables_rules(vmchain) try:
util.pread2(['iptables', '-F', vmchain_default])
util.pread2(['iptables', '-X', vmchain_default])
except:
util.SMlog("Ignoring failure to delete chain " + vmchain_default)
try: destroy_ebtables_rules(vmchain)
util.pread2(['iptables', '-F', vmchain_default])
util.pread2(['iptables', '-X', vmchain_default])
except:
util.SMlog("Ignoring failure to delete chain " + vmchain_default)
try: try:
util.pread2(['iptables', '-F', vmchain]) util.pread2(['iptables', '-F', vmchain])
@ -591,15 +591,21 @@ def default_network_rules(session, args):
return 'false' return 'false'
vif = "vif" + domid + ".0" vif = "vif" + domid + ".0"
tap = "tap" + domid + ".0"
vifs = [vif]
try:
util.pread2(['ifconfig', tap])
vifs.append(tap)
except:
pass
delete_rules_for_vm_in_bridge_firewall_chain(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
vm_name = '-'.join(vm_name.split('-')[:-1]) vmchain = '-'.join(vm_name.split('-')[:-1])
vmchain = vm_name vmchain_default = '-'.join(vm_name.split('-')[:-2]) + "-def"
vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def"
destroy_ebtables_rules(vm_name) destroy_ebtables_rules(vmchain)
try: try:
@ -630,7 +636,8 @@ def default_network_rules(session, args):
util.SMlog("Failed to program default rules for vm " + vm_name) util.SMlog("Failed to program default rules for vm " + vm_name)
return 'false' return 'false'
default_ebtables_rules(vm_name, vif, vm_ip, vm_mac) for v in vifs:
default_ebtables_rules(vm_name, v, vm_ip, vm_mac)
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domid, '_initial_', '-1') == False: if write_rule_log_for_vm(vmName, vm_id, vm_ip, domid, '_initial_', '-1') == False:
util.SMlog("Failed to log default network rules, ignoring") util.SMlog("Failed to log default network rules, ignoring")
@ -666,10 +673,9 @@ def check_domid_changed(session, vmName):
def delete_rules_for_vm_in_bridge_firewall_chain(vmName): def delete_rules_for_vm_in_bridge_firewall_chain(vmName):
vm_name = vmName vm_name = vmName
if vm_name.startswith('i-') or vm_name.startswith('r-'):
vm_name = '-'.join(vm_name.split('-')[:-2])
vmchain = vm_name vmchain = vm_name
if vm_name.startswith('i-') or vm_name.startswith('r-'):
vmchain = '-'.join(vm_name.split('-')[:-1])
delcmd = "iptables -S BRIDGE-FIREWALL | grep " + vmchain + " | sed 's/-A/-D/'" delcmd = "iptables -S BRIDGE-FIREWALL | grep " + vmchain + " | sed 's/-A/-D/'"
delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n') delcmds = util.pread2(['/bin/bash', '-c', delcmd]).split('\n')
@ -726,7 +732,7 @@ def network_rules_for_rebooted_vm(session, vmName):
inscmd2 = "iptables -S " + vmchain_default + " | grep physdev-in | grep tap | sed -r 's/tap[0-9]+.0/" + tap + "/' | sed 's/-A/-I/'" inscmd2 = "iptables -S " + vmchain_default + " | grep physdev-in | grep tap | sed -r 's/tap[0-9]+.0/" + tap + "/' | sed 's/-A/-I/'"
ipts = [] ipts = []
for cmd in [delcmd, inscmd]: for cmd in [delcmd, inscmd, inscmd2]:
cmds = util.pread2(['/bin/bash', '-c', cmd]).split('\n') cmds = util.pread2(['/bin/bash', '-c', cmd]).split('\n')
cmds.pop() cmds.pop()
for c in cmds: for c in cmds:
@ -824,7 +830,7 @@ def cleanup_rules_for_dead_vms(session):
@echo @echo
def cleanup_rules(session): def cleanup_rules(session, args):
try: try:
chainscmd = "iptables-save | grep '^:' | grep -v '.*-def' | awk '{print $1}' | cut -d':' -f2" chainscmd = "iptables-save | grep '^:' | grep -v '.*-def' | awk '{print $1}' | cut -d':' -f2"
chains = util.pread2(['/bin/bash', '-c', chainscmd]).split('\n') chains = util.pread2(['/bin/bash', '-c', chainscmd]).split('\n')
@ -851,9 +857,11 @@ def cleanup_rules(session):
for vmname in cleanup: for vmname in cleanup:
destroy_network_rules_for_vm(session, {'vmName':vmname}) destroy_network_rules_for_vm(session, {'vmName':vmname})
util.SMlog("Cleaned up rules for " + str(len(cleanup)) + " chains") util.SMlog("Cleaned up rules for " + str(len(cleanup)) + " chains")
return str(len(cleanup))
except: except:
util.SMlog("Failed to cleanup rules !") util.SMlog("Failed to cleanup rules !")
return '-1';
@echo @echo
def check_rule_log_for_vm(vmName, vmID, vmIP, domID, signature, seqno): def check_rule_log_for_vm(vmName, vmID, vmIP, domID, signature, seqno):
@ -939,6 +947,13 @@ def network_rules(session, args):
return 'false' return 'false'
vif = "vif" + domid + ".0" vif = "vif" + domid + ".0"
tap = "tap" + domid + ".0"
vifs = [vif]
try:
util.pread2(['ifconfig', tap])
vifs.append(tap)
except:
pass
vm_name = '-'.join(vm_name.split('-')[:-1]) vm_name = '-'.join(vm_name.split('-')[:-1])
vmchain = vm_name vmchain = vm_name
@ -1017,5 +1032,5 @@ def network_rules(session, args):
if __name__ == "__main__": if __name__ == "__main__":
XenAPIPlugin.dispatch({"pingtest": pingtest, "setup_iscsi":setup_iscsi, "gethostvmstats": gethostvmstats, "getvncport": getvncport, "getgateway": getgateway, "preparemigration": preparemigration, "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver, "ipassoc": ipassoc, "vm_data": vm_data, "savePassword": savePassword, "saveDhcpEntry": saveDhcpEntry, "setFirewallRule": setFirewallRule, "setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile, "networkUsage": networkUsage, "network_rules":network_rules, "can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules, "destroy_network_rules_for_vm":destroy_network_rules_for_vm, "default_network_rules_systemvm":default_network_rules_systemvm, "get_rule_logs_for_vms":get_rule_logs_for_vms, "setLinkLocalIP":setLinkLocalIP, "lt2p_vpn":lt2p_vpn}) XenAPIPlugin.dispatch({"pingtest": pingtest, "setup_iscsi":setup_iscsi, "gethostvmstats": gethostvmstats, "getvncport": getvncport, "getgateway": getgateway, "preparemigration": preparemigration, "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver, "ipassoc": ipassoc, "vm_data": vm_data, "savePassword": savePassword, "saveDhcpEntry": saveDhcpEntry, "setFirewallRule": setFirewallRule, "setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile, "networkUsage": networkUsage, "network_rules":network_rules, "can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules, "destroy_network_rules_for_vm":destroy_network_rules_for_vm, "default_network_rules_systemvm":default_network_rules_systemvm, "get_rule_logs_for_vms":get_rule_logs_for_vms, "setLinkLocalIP":setLinkLocalIP, "lt2p_vpn":lt2p_vpn, "cleanup_rules":cleanup_rules})