apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Revert "bug 10617: Added Egress rules to Security groups."

Browse Source 
revert pending review

This reverts commit a19212703b9734ebd44ebf55cfdd81ebdc9d7fe4.
This commit is contained in:
Chiradeep Vittal 2011-09-12 12:17:42 -07:00
parent 53970c89dc
commit d817f3c364
5 changed files with 19 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
View File

@ -929,7 +929,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
} else if (cmd instanceof CopyVolumeCommand) { } else if (cmd instanceof CopyVolumeCommand) {
return execute((CopyVolumeCommand)cmd); return execute((CopyVolumeCommand)cmd);
} else { } else {
s_logger.warn("Unsupported command :"+cmd.toString()); s_logger.warn("Unsupported command ");
return Answer.createUnsupportedCommandAnswer(cmd); return Answer.createUnsupportedCommandAnswer(cmd);
} }
} catch (final IllegalArgumentException e) { } catch (final IllegalArgumentException e) {
@ -1622,7 +1622,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
cmd.stringifyRules(), vif, brname); cmd.stringifyRules(), vif, brname);
if (!result) { if (!result) {
s_logger.warn("Failed to program Ingress network rules for vm " + cmd.getVmName()); s_logger.warn("Failed to program network rules for vm " + cmd.getVmName());
return new SecurityIngressRuleAnswer(cmd, false, "programming network rules failed"); return new SecurityIngressRuleAnswer(cmd, false, "programming network rules failed");
} else { } else {
s_logger.debug("Programmed network rules for vm " + cmd.getVmName() + " guestIp=" + cmd.getGuestIp() + ", numrules=" + cmd.getRuleSet().length); s_logger.debug("Programmed network rules for vm " + cmd.getVmName() + " guestIp=" + cmd.getGuestIp() + ", numrules=" + cmd.getRuleSet().length);
@ -1650,7 +1650,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
cmd.stringifyRules(), vif, brname); cmd.stringifyRules(), vif, brname);
if (!result) { if (!result) {
s_logger.warn("Failed to program Egress network rules for vm " + cmd.getVmName()); s_logger.warn("Failed to program network rules for vm " + cmd.getVmName());
return new SecurityEgressRuleAnswer(cmd, false, "programming network rules failed"); return new SecurityEgressRuleAnswer(cmd, false, "programming network rules failed");
} else { } else {
s_logger.debug("Programmed network rules for vm " + cmd.getVmName() + " guestIp=" + cmd.getGuestIp() + ", numrules=" + cmd.getRuleSet().length); s_logger.debug("Programmed network rules for vm " + cmd.getVmName() + " guestIp=" + cmd.getGuestIp() + ", numrules=" + cmd.getRuleSet().length);
@ -3516,7 +3516,7 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
cmd.add("--vmid", vmId); cmd.add("--vmid", vmId);
cmd.add("--vmip", guestIP); cmd.add("--vmip", guestIP);
/* type of the rule : ingress or egress */ /* type of the rule : ingress or egress */
cmd.add("--ruletype", type); cmd.add("--type", type);
cmd.add("--sig", sig); cmd.add("--sig", sig);
cmd.add("--seq", seq); cmd.add("--seq", seq);
cmd.add("--vmmac", mac); cmd.add("--vmmac", mac);

2
core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
View File

@ -482,8 +482,6 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
return execute((CheckSshCommand)cmd); return execute((CheckSshCommand)cmd);
} else if (clazz == SecurityIngressRulesCmd.class) { } else if (clazz == SecurityIngressRulesCmd.class) {
return execute((SecurityIngressRulesCmd) cmd); return execute((SecurityIngressRulesCmd) cmd);
} else if (clazz == SecurityEgressRulesCmd.class) {
return execute((SecurityEgressRulesCmd) cmd);
} else if (clazz == OvsCreateGreTunnelCommand.class) { } else if (clazz == OvsCreateGreTunnelCommand.class) {
return execute((OvsCreateGreTunnelCommand)cmd); return execute((OvsCreateGreTunnelCommand)cmd);
} else if (clazz == OvsSetTagAndFlowCommand.class) { } else if (clazz == OvsSetTagAndFlowCommand.class) {

35
scripts/vm/network/security_group.py
View File

@ -82,7 +82,6 @@ def ipset(ipsetname, proto, start, end, ips):
def destroy_network_rules_for_vm(vm_name, vif=None): def destroy_network_rules_for_vm(vm_name, vif=None):
vmchain = vm_name vmchain = vm_name
vmchain_egress = vm_name + "-egress"
vmchain_default = None vmchain_default = None
delete_rules_for_vm_in_bridge_firewall_chain(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
@ -112,19 +111,7 @@ def destroy_network_rules_for_vm(vm_name, vif=None):
execute("iptables -X " + vmchain) execute("iptables -X " + vmchain)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain) logging.debug("Ignoring failure to delete chain " + vmchain)
try:
execute("iptables -F " + vmchain_egress)
except:
logging.debug("Ignoring failure to delete chain " + vmchain_egress)
try:
execute("iptables -X " + vmchain_egress)
except:
logging.debug("Ignoring failure to delete chain " + vmchain_egress)
if vif is not None: if vif is not None:
try: try:
dnats = execute("iptables -t nat -S | grep " + vif + " | sed 's/-A/-D/'").split("\n") dnats = execute("iptables -t nat -S | grep " + vif + " | sed 's/-A/-D/'").split("\n")
@ -259,7 +246,6 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname):
domID = getvmId(vm_name) domID = getvmId(vm_name)
delete_rules_for_vm_in_bridge_firewall_chain(vmName) delete_rules_for_vm_in_bridge_firewall_chain(vmName)
vmchain = vm_name vmchain = vm_name
vmchain_egress = vm_name +"-egress"
vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def" vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def"
destroy_ebtables_rules(vmName, vif) destroy_ebtables_rules(vmName, vif)
@ -268,12 +254,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname):
execute("iptables -N " + vmchain) execute("iptables -N " + vmchain)
except: except:
execute("iptables -F " + vmchain) execute("iptables -F " + vmchain)
try:
execute("iptables -N " + vmchain_egress)
except:
execute("iptables -F " + vmchain_egress)
try: try:
execute("iptables -N " + vmchain_default) execute("iptables -N " + vmchain_default)
except: except:
@ -289,7 +270,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname):
#don't let vm spoof its ip address #don't let vm spoof its ip address
if vm_ip is not None: if vm_ip is not None:
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " --source " + vm_ip + " -j " + vmchain_egress) execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " --source " + vm_ip + " -j ACCEPT")
execute("iptables -A " + vmchain_default + " -j " + vmchain) execute("iptables -A " + vmchain_default + " -j " + vmchain)
execute("iptables -A " + vmchain + " -j DROP") execute("iptables -A " + vmchain + " -j DROP")
except: except:
@ -571,17 +552,12 @@ def remove_rule_log_for_vm(vmName):
return result return result
def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif, brname,ruletype): def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif, brname):
try: try:
vmName = vm_name vmName = vm_name
domId = getvmId(vmName) domId = getvmId(vmName)
vmchain = vm_name
if ruletype == 'egress':
vmchain = vm_name + "-egress"
else:
vmchain = vm_name
changes = [] changes = []
changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
@ -728,7 +704,6 @@ if __name__ == '__main__':
parser.add_option("--vmid", dest="vmID") parser.add_option("--vmid", dest="vmID")
parser.add_option("--vmmac", dest="vmMAC") parser.add_option("--vmmac", dest="vmMAC")
parser.add_option("--vif", dest="vif") parser.add_option("--vif", dest="vif")
parser.add_option("--ruletype", dest="ruletype")
parser.add_option("--sig", dest="sig") parser.add_option("--sig", dest="sig")
parser.add_option("--seq", dest="seq") parser.add_option("--seq", dest="seq")
parser.add_option("--rules", dest="rules") parser.add_option("--rules", dest="rules")
@ -749,7 +724,7 @@ if __name__ == '__main__':
elif cmd == "get_rule_logs_for_vms": elif cmd == "get_rule_logs_for_vms":
get_rule_logs_for_vms() get_rule_logs_for_vms()
elif cmd == "add_network_rules": elif cmd == "add_network_rules":
add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules, option.vif, option.brname,option.ruletype) add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules, option.vif, option.brname)
elif cmd == "cleanup_rules": elif cmd == "cleanup_rules":
cleanup_rules() cleanup_rules()
elif cmd == "post_default_network_rules": elif cmd == "post_default_network_rules":

8
server/src/com/cloud/api/response/SecurityGroupResultObject.java
View File

@ -175,6 +175,11 @@ public class SecurityGroupResultObject {
currentGroup = groupResult; currentGroup = groupResult;
} }
SecurityGroupRulesVO dummyIngressobj=new SecurityGroupRulesVO();
SecurityGroupEgressRulesVO dummyEgressobj=new SecurityGroupEgressRulesVO() ;
String str=dummyIngressobj.getClass().getName();
String s1=netGroupRule.getClass().getSimpleName();
if (netGroupRule.getRuleId() != null && netGroupRule.getClass().getSimpleName().indexOf("SecurityGroupRulesVO") != -1) { if (netGroupRule.getRuleId() != null && netGroupRule.getClass().getSimpleName().indexOf("SecurityGroupRulesVO") != -1) {
// there's at least one ingress rule for this network group, add the ingress rule data // there's at least one ingress rule for this network group, add the ingress rule data
@ -241,9 +246,6 @@ public class SecurityGroupResultObject {
if (!ingressDataList.isEmpty()) { if (!ingressDataList.isEmpty()) {
currentGroup.setIngressRules(ingressDataList); currentGroup.setIngressRules(ingressDataList);
} }
if (!egressDataList.isEmpty()) {
currentGroup.setEgressRules(egressDataList);
}
resultObjects.add(currentGroup); resultObjects.add(currentGroup);
} }
} }

10
server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
View File

@ -988,10 +988,10 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
Account caller = UserContext.current().getCaller(); Account caller = UserContext.current().getCaller();
Long id = cmd.getId(); Long id = cmd.getId();
EgressRuleVO rule = _egressRuleDao.findById(id); IngressRuleVO rule = _ingressRuleDao.findById(id);
if (rule == null) { if (rule == null) {
s_logger.debug("Unable to find egress rule with id " + id); s_logger.debug("Unable to find ingress rule with id " + id);
throw new InvalidParameterValueException("Unable to find egress rule with id " + id); throw new InvalidParameterValueException("Unable to find ingress rule with id " + id);
} }
// Check permissions // Check permissions
@ -1010,8 +1010,8 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
return false; return false;
} }
_egressRuleDao.remove(id); _ingressRuleDao.remove(id);
s_logger.debug("revokeSecurityGroupEgress succeeded for ingress rule id: " + id); s_logger.debug("revokeSecurityGroupIngress succeeded for ingress rule id: " + id);
final Set<Long> affectedVms = new HashSet<Long>(); final Set<Long> affectedVms = new HashSet<Long>();
affectedVms.addAll(_securityGroupVMMapDao.listVmIdsBySecurityGroup(groupHandle.getId())); affectedVms.addAll(_securityGroupVMMapDao.listVmIdsBySecurityGroup(groupHandle.getId()));