CS-15731: Make S2S VPN no-nat rule the top of POSTROUTING

This commit is contained in:
Sheng Yang 2012-07-27 18:38:28 -07:00
parent b410cbff5f
commit dd50bdf38e
2 changed files with 29 additions and 3 deletions


@ -28,6 +28,8 @@ usage() {
#set -x #set -x
vpnoutmark="0x525"
static_nat() { static_nat() {
local op=$1 local op=$1
local publicIp=$2 local publicIp=$2
@ -41,8 +43,19 @@ static_nat() {
[ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp [ "$op" == "-A" ] && static_nat "-D" $publicIp $instIp
# the delete operation may have errored out but the only possible reason is # the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place # that the rules didn't exist in the first place
[ "$op" == "-A" ] && rulenum=1
[ "$op" == "-A" ] && op2="-I" [ "$op" == "-A" ] && op2="-I"
if [ "$op" == "-A" ]
then
# put static nat rule one rule after VPN no-NAT rule
# rule chain can be used to improve it later
iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
if [ $? -eq 0 ]
then
rulenum=2
else
rulenum=1
fi
fi
# shortcircuit the process if error and it is an append operation # shortcircuit the process if error and it is an append operation
# continue if it is delete # continue if it is delete
@ -51,7 +64,7 @@ static_nat() {
# add mark to force the package go out through the eth the public IP is on # add mark to force the package go out through the eth the public IP is on
#(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \ #(sudo iptables -t mangle $op PREROUTING -s $instIp -j MARK \
# --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) && # --set-mark $tableNo &> $OUTFILE || [ "$op" == "-D" ]) &&
(sudo iptables -t nat $op2 POSTROUTING -o $ethDev -s $instIp -j SNAT \ (sudo iptables -t nat $op2 POSTROUTING $rulenum -o $ethDev -s $instIp -j SNAT \
--to-source $publicIp &>> $OUTFILE ) --to-source $publicIp &>> $OUTFILE )
result=$? result=$?
logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result" logger -t cloud "$(basename $0): done static nat entry public ip=$publicIp op=$op result=$result"
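Review bot: The probe that decides the insert position runs `iptables-save` without `sudo`, while the `iptables` call a few lines below uses `sudo`; if this script ever runs unprivileged, `iptables-save` produces nothing, the grep fails, `rulenum` silently falls back to 1 and the SNAT rule is inserted ahead of the VPN no-NAT rule — exactly the ordering this commit is trying to prevent. I would make the probe match the same privilege level and anchor it to actual rules in the chain rather than any line mentioning it: `sudo iptables-save -t nat | grep -q -- "-A POSTROUTING .*$vpnoutmark"`. The hard-coded `rulenum=2` also assumes the no-NAT rule is always rule 1 of POSTROUTING, which nothing here enforces; deriving the position (e.g. from `iptables -t nat -L POSTROUTING -n --line-numbers`) or using the dedicated chain the comment already mentions would make the ordering hold regardless of what else lands in the chain. Minor: `rulenum` and `op2` are assigned without `local`, so they leak out of `static_nat`; on the `-D` path `rulenum` stays unset, which only works because the bare expansion is unquoted.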


@ -24,6 +24,8 @@ then
exit 1 exit 1
fi fi
vpnoutmark="0x525"
usage() { usage() {
printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2 printf "Usage: %s: (-A|-D) -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code) -l <public ip address> -d <target port> -s <source cidrs> [-G] \n" $(basename $0) >&2
} }
@ -204,8 +206,19 @@ static_nat() {
[ "$op" == "-A" ] && static_nat $publicIp $instIp "-D" [ "$op" == "-A" ] && static_nat $publicIp $instIp "-D"
# the delete operation may have errored out but the only possible reason is # the delete operation may have errored out but the only possible reason is
# that the rules didn't exist in the first place # that the rules didn't exist in the first place
[ "$op" == "-A" ] && rulenum=1
[ "$op" == "-A" ] && op2="-I" [ "$op" == "-A" ] && op2="-I"
if [ "$op" == "-A" ]
then
# put static nat rule one rule after VPN no-NAT rule
# rule chain can be used to improve it later
iptables-save -t nat|grep "POSTROUTING" | grep $vpnoutmark > /dev/null
if [ $? -eq 0 ]
then
rulenum=2
else
rulenum=1
fi
fi
local dev=$(ip_to_dev $publicIp) local dev=$(ip_to_dev $publicIp)
[ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1 [ $? -ne 0 ] && echo "Could not find device associated with $publicIp" && return 1
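Review bot: This is a verbatim copy of the position probe from the other file, so it carries the same weaknesses: `iptables-save` is run without `sudo` although the rule manipulation presumably uses it, so an unprivileged run makes the grep fail and quietly puts the SNAT rule at position 1, ahead of the VPN no-NAT rule; and `rulenum=2` assumes the no-NAT rule is always the first rule in POSTROUTING, which nothing in this hunk guarantees. Since the same block now lives in two scripts, I would factor it into one helper that returns the slot after the no-NAT rule, e.g. `vpn_nonat_pos=$(sudo iptables -t nat -L POSTROUTING -n --line-numbers | awk -v m="$vpnoutmark" '$0 ~ m {print $1; exit}')` and `rulenum=$(( ${vpn_nonat_pos:-0} + 1 ))`, so that both callers stay in sync and the position is measured rather than assumed (the exact match text depends on how the VPN rule is written, which is not visible here — confirm). The `-D` path leaves `rulenum` unset, which works only because `$rulenum` is expanded unquoted. The body of static_nat continues past the end of this hunk.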