- Instead of changing the router type in a local variable, lets have a dedicated file for the dhcpsrvr routers
- The file is called iptables-dhcpsrvr, just like we have iptables-vpcrouter and iptables-router
CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VROn basic zone share network VR default iptables rules are not applied correctly. Due to this ssh to VR got failed.
In shared network the VR type is 'dhcpsrvr' not router. So corrected it in the ''del_standard' method to select the correct type.
Testing:
1. VR is deployed correctly.
2. Tested restart, stop, start VR.
3. New VM deployment is success.
4. ssh to VR from the host is successful.
5. iptables rules on the VR came up correctly.
below is the output from the VR:
iptables -L INPUT -nv
Chain INPUT (policy DROP 16 packets, 1056 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
104 9800 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
281 36500 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 504 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 656 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
13 780 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- eth0 * 10.147.40.0/23 0.0.0.0/0 state NEW tcp dpt:8080
* pr/842:
CLOUDSTACK-8843: Fixed issue in default iptables rules on shared network VR
Signed-off-by: Remi Bergsma <github@remi.nl>
CLOUDSTACK-8881: Fixed Static and PF configuration issue1. For static nat filter rules are not configured in VR.
2. Corrected vm ip in PF rule.
* pr/882:
CLOUDSTACK-8881: Fixed Static and PF configuration issue
Signed-off-by: Remi Bergsma <github@remi.nl>
Configured dnsmasq to listen on all interfaces so that vpn client gets dns1. Dnsmasq is not listening on the ppp+ interfaces due to this remote access vpn clients dns requests are dropped.
2. Configured the dnsmasq to listen on all the interfaces except public. There is firewall to allow only specific cidr to allow the dns requests.
Tested from windows client nslookup.
* pr/870:
Configured dnsmasq to listen on all interfaces so that vpn client gets dns
Signed-off-by: Remi Bergsma <github@remi.nl>
CLOUDSTACK-8891: Fixed default iptables rules on VR for guest trafficVR default iptables rules in INPUT chain are configured partially.
In CsAddress.py rules are configured while configuring public interface, guest interface post configuration is missed. Fixed to configure guest post configuration so that iptables rules are configured.
Testing:
1. Deployed vm in the network.
2.iptables rules on the VR configured correctly.
3.VM got the dhcp ip address from the VR.
* pr/867:
CLOUDSTACK-8891: Fixed default iptables rules on VR for guest traffic
Signed-off-by: Remi Bergsma <github@remi.nl>
CLOUDSTACK-8798 Fixed the vrrp virtual ip config in case of rvr enablFixed the vrrp virtual ip config in case of rvr enabled isolated networks.
changed the CsRedundant.py to bring down the public interface when rvr changes state to
backup. Also fixed vrrp authentication for isolated networks.
This fix dose not effect the vpc networks. it is only meant for rvr isolated networks.
manullay deployed a vm in rvr enabled isolated network and ran the tests below.
nosetests --with-marvin --marvin-config=/marvin-config test/integration/component/test_redundant_router_services.py
Test redundant router internals ... === TestName: test_enableVPNOverRvR | Status : SUCCESS ===
----------------------------------------------------------------------
Ran 1 test in 633.336s
nosetests --with-marvin --marvin-config=/marvin-config test/integration/component/test_redundant_router_cleanups.py
Test network garbage collection with RVR ... === TestName: test_network_gc | Status : SUCCESS ===
ok
Test restarting RvR network without cleanup ... === TestName: test_restart_ntwk_no_cleanup | Status : SUCCESS ===
ok
Test restart RvR network with cleanup ... === TestName: test_restart_ntwk_with_cleanup | Status : SUCCESS ===
----------------------------------------------------------------------
Ran 3 tests in 2120.263s
* pr/800:
CLOUDSTACK-8798 Fixed the vrrp virtual ip config in case of rvr enabled isolated networks. changed the CsRedundant.py to bring down the public interface when rvr changes state to backup. Also fixed vrrp authentication for isolated networks.
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT
- In order to be able to access the routers via the link local interface, we have to add a rules with NEW and ESTABLISHED state
* pr/765:
CLOUDSTACK-8688 - Adding Marvin tests in order to cover the fixes applied
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
@remibergsma @wilderrodrigues
Moved applying iptables rules apply after vpn configuration so that vpn specific rules also get applied
* pr/690:
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
This closes#690
Signed-off-by: Remi Bergsma <github@remi.nl>
Logging before:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "preSharedKey"
Logging after:
2015-08-12 16:30:07,126 Searching for 192.168.23.6 and replacing with 192.168.23.6 192.168.23.5: PSK "****"
- For package installation/update please refer to: cloud-tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
This closes#587
- preempt delay reverted on version 1.2.13 - from the backports
- vrrp : Revert "Honor preempt_delay setting on startup.".
- See changelog: http://www.keepalived.org/changelog.html
- Refactoring some variable names to avoid misunderstanding
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
- We use no preempt mode with state set as EQUAL to both nodes, no need to have Priotities setup
- Do not add IPs as comments to the configuration. If a new guest interface is added, the file will change anyway.
- This was used in the past when keepalived would restart for each new interface added
- Removed the long sleep form the tests: we now sleep 5 seconds per PF rule added
CLOUDSTACK-8616 - Fix keepalived.ts/2 files comparison
- Add call to set_fault() in case of router transits to that state
- Removing commented out code
CLOUDSTACK-8616 - Fixing check_heartbeat.sh.templ
CLOUDSTACK-8616 - Call set_fault from the check_heartbeat.sh script
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
- After configuration save the ipdated in files
* /etc/iptables/router_rules.v4 and /etc/iptables/router_rules.v6
* Reload the configuration on reboot via the /etc/rc.local using iptables-restore
In 6ac06e5e5e3ceed4a3e3a86ea5f82ffb59c266f2 logrotate was changed to run hourly.
Some logrotate configs still have set `daily` only which results in logs not
rotated hourly. The only way to ensure the log is rotated is to use size.
This closes#162
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- Pub IP port forwarding and static NAT fixed for single VPCs
- Pub IP port forwarding fixed for redundant VPCs
[wip] fix static NAT for redundant VPCs
This closes#150
- With the changes added by the rVPC work, the bump priority became deprecated.
This commit includes a refactor to get it removed from the following resources:
* Java classes
* domain_router table - removing the is_priority_bumpup column
* Fixing unit tests
All changes were tested with:
XenServer 6.2 running under our VMWare zone
CloudStack Management Server running on MacBook Pro
MySql running on MackBook Pro
Storage Type: Local
