Wilder Rodrigues
a17fa48de1
CLOUDSTACK-9075 - Adds VPC static routes test
...
- Adds redundant VPC tests
- Adds support to Static Routes on VPC private gateways
- Removes the route configuration in case static route is deleted.
2015-12-02 10:36:52 +01:00
Wilder Rodrigues
cd05a252fb
CLOUDSTACK-9015 - Make sure the Backup router can talk to the Master router after a stop/start/reboot
...
- Stop KeepaliveD/ConntrackD if the eth2 (guest) interface is not configured and UP
- Only setup the redundancy after all the router configuration is done
- Open the FW for the VRRP communication
- 224.0.0.18 and 225.0.0.50
- Set keepalived.conf.templ by default to use interface eth2 (guest)
- It will be reconfigured anyway, but having eth2 there is more clear
2015-11-12 18:13:51 +01:00
Wilder Rodrigues
79dabfdae4
CLOUDSTACK-8925 - Implement the default egress DENY/ALLOW properly
...
- Make tests work with right IP and rules
- Add egress rule for port 53 protocol UDP when testing default egress DENY on RVR
2015-11-04 13:48:04 +01:00
Wilder Rodrigues
caa0b4071c
CLOUDSTACK-8925 - Drop the traffic when default egress is set to false
...
- The DROP rule should be appended and the other rules inserted.
2015-11-02 21:45:03 +01:00
Wei Zhou
9f7f42330a
CLOUDSTACK-9013: Virtual router failed to start on KVM
...
This fixes a typo of commit 4a177031b055f3649e3b4a00c80eddb5cafa1dd7
2015-10-30 20:04:56 +01:00
Wilder Rodrigues
b2aa1f8417
CLOUDSTACK-8957 - Implement password server in configure.py
2015-10-29 07:14:51 +01:00
Wilder Rodrigues
2b286ecd73
CLOUDSTACK-8952 - Make sure the calls to CsFile use the new logic of commit/is_changed methods
...
- We now have to check if the file changed before committing. Doesn't make sense to write on disk if there was no change.
2015-10-17 12:20:40 +02:00
Wilder Rodrigues
4a177031b0
CLOUDSTACK-8947 - Avoid multiple entries in the FW_EGRESS_RULES table
2015-10-14 07:44:38 +02:00
Wilder Rodrigues
cbd6464b88
CLOUDSTACK-8947 - FW_EGRESS should be added only to filter table
2015-10-14 07:44:37 +02:00
Wilder Rodrigues
cd8c3e97f5
CLOUDSTACK-8934 - Fix the AclIP class to make it configure the default FW policy
2015-10-11 14:57:33 +02:00
Wilder Rodrigues
b4dc392bfd
CLOUDSTACK-8934 - Fix default EGRESS rules for isolated networks
...
- The default is Accept and will be changed based on the configuration of the offering.
CLOUDSTACK-8934 - The default egress is set as Deny in the router.
- We had to change it on the Java side in order to apply it once the default is defined as allowed on the net offering
2015-10-11 14:57:32 +02:00
Wilder Rodrigues
0c752eab60
CLOUDSTACK-8915 - Rearranging a bit the default route code in order to make it more clear
2015-10-06 16:41:13 +02:00
Remi Bergsma
4420f48e3e
Merge pull request #882 from jayapalu/CLOUDSTACK-8881
...
CLOUDSTACK-8881: Fixed Static and PF configuration issue
1. For static nat filter rules are not configured in VR.
2. Corrected vm ip in PF rule.
* pr/882:
CLOUDSTACK-8881: Fixed Static and PF configuration issue
Signed-off-by: Remi Bergsma <github@remi.nl>
2015-09-24 15:36:18 +02:00
Remi Bergsma
649a4bdc76
Merge pull request #881 from jayapalu/CLOUDSTACK-8905
...
CLOUDSTACK-8905: Fixed hooking egress rules
Added hooking the FIREWALL_EGRESS_RULES chain into FW_OUTBOUND chain.
With this egress rules will be effective.
* pr/881:
CLOUDSTACK-8905: Fixed hooking egress rules
Signed-off-by: Remi Bergsma <github@remi.nl>
2015-09-24 15:36:04 +02:00
Jayapal
40138d2e99
CLOUDSTACK-8881: Fixed Static and PF configuration issue
2015-09-24 17:22:29 +05:30
Jayapal
2bf7fb4b63
CLOUDSTACK-8905: Fixed hooking egress rules
2015-09-24 17:06:11 +05:30
Jayapal
746a5dc48e
CLOUDSTACK-8891: Fixed default iptables rules on VR for guest traffic
2015-09-24 12:49:43 +05:30
Jayapal
33f4f952cf
CLOUDSTACK-8690: Updated the iptables order
2015-09-09 10:50:50 +05:30
Jayapal
f661ac0a2a
CLOUDSTACK-8690: Added remote access vpn and vpn users configuration
2015-09-09 10:50:50 +05:30
wilderrodrigues
f5e5f4d002
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT
...
- In order to be able to access the routers via the link local interface, we have to add a rule with NEW and ESTABLISHED state
2015-08-31 12:43:04 +02:00
Remi Bergsma
7ddec661ca
Merge pull request #690 from jayapalu/vpn
...
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
@remibergsma @wilderrodrigues
Moved applying iptables rules after vpn configuration so that vpn specific rules also get applied
* pr/690:
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
This closes #690
Signed-off-by: Remi Bergsma <github@remi.nl>
2015-08-14 09:11:21 +02:00
Remi Bergsma
9b97719c5c
tighten security of site-to-site VPN
...
It was like this in 4.4 and 4.5
2015-08-14 09:05:59 +02:00
Remi Bergsma
382458317e
CLOUDSTACK-8730: fix s2s iptables rules and ipsec config
...
For site2site VPN to work, we need a default gateway to be set.
See CLOUDSTACK-8685
2015-08-14 09:02:21 +02:00
Jayapal
da9e757b8e
CLOUDSTACK-8710: Fixed applying iptables rules for s2s vpn
2015-08-13 14:07:12 +05:30
Jayapal
97eb0f7528
CLOUDSTACK-8707: Removed convert sec to h on esp_lifetime
...
This closes #655
2015-08-05 14:14:55 +05:30
Jayapal
c13201353c
CLOUDSTACK-8707: Added missed esp policy
esp is added with esp_lifetime instead of esp_policy, corrected it.
2015-08-05 14:14:46 +05:30
Ian Southam
b7b54f1680
Fixes to enable test to succeed. Small change to Marvin to be able to override retries
...
Signed-off-by: wilderrodrigues <wrodrigues@schubergphilis.com>
2015-07-08 11:19:12 +02:00
Ian Southam
56483436f0
Pep8 changes that got lost with the strange double push request problem last time
2015-05-26 07:07:43 -04:00
Ian Southam
ab915b6c92
Allow forward to fix port forwarding rules
2015-05-19 12:54:38 +00:00
wilderrodrigues
2fad87d3f3
Make the routers persistent
...
- After configuration save the ipdated in files
* /etc/iptables/router_rules.v4 and /etc/iptables/router_rules.v6
* Reload the configuration on reboot via the /etc/rc.local using iptables-restore
2015-04-14 15:09:47 +02:00
wilderrodrigues
cb2b9e870b
Fixing the communication with VM via Public IP
...
- Pub IP port forwarding and static NAT fixed for single VPCs
- Pub IP port forwarding fixed for redundant VPCs
[wip] fix static NAT for redundant VPCs
This closes #150
2015-04-08 16:04:55 +02:00
Ian Southam
7bfccd699b
Fixed Port forwarding (DNAT/SNAT) for isolated networks
...
Fixed failure on using eth10 (which CS now supports)
Refactored CSForward to use CsInterface object instead of the way it was kludged together
Fixed hex conversion for device numbers and iptables marks
2015-03-16 11:40:12 +01:00
Ian Southam
585f5f7000
ACL issues
...
ACL order issues
Do not block multicast traffic for vrrp
Many smaller bug fixes
checkrouter provided in /opt/cloud/bin
2015-03-16 11:40:10 +01:00
Ian Southam
57d3ffaef8
Fixed password server, fixed more firewall issues
...
Fixed issues with real IP and not virtual (gateway) IP being opened on the firewall
DNS now works on the vms
2015-03-16 11:40:03 +01:00
Ian Southam
f5ef75ee7e
Vrrp will fail if your own code keeps killing it off
2015-03-16 11:39:51 +01:00
wilderrodrigues
0be56a5ff6
Fixing the timeout (ssh hanging) on the CsApp.py file
...
Adding kill_all() method on the CsProcess.py file (not being used yet)
Changing a bit the logic in the merge.py
The changes in the logic might be reverted, but they are causing no harm now.
2015-03-16 11:39:50 +01:00
wilderrodrigues
35151961be
Fixing call on AclIP class. Instead of self.fw = fw we have to do self.fw = fw.get_fw()
...
Fixing the master.py path in the keepalived.conf.templ
2015-03-16 11:39:16 +01:00
Ian Southam
bdda01d269
Countless bug fixes, mostly to do with VR redundancy
...
Also added some new unit tests and adjusted the code to make them work
2015-03-16 11:38:18 +01:00
Ian Southam
8a6a407114
Dhcp refactor
...
Loads of tiny bugs squashed and some big ones
Tested with domR needs VPC testing now
TODO: Unit tests CsDhcp
2015-03-16 11:38:17 +01:00
Hugo Trippaers
75dda0b5b2
Fix imports
2015-03-16 11:38:17 +01:00
Ian Southam
40eb8423b9
Fixed hostname on router
2015-03-16 11:38:16 +01:00
Ian Southam
84624091fd
Load balancer config
2015-03-16 11:38:16 +01:00
Ian Southam
7d0df32560
Lots of fixes from the testing
...
firewallrules implemented separately from networkacl (ugly but best that can be done ATM)
Some refactoring in CsDHCP as it made no sense to do it that way anymore
processmonitoring implemented
Domain not correctly sourced in VR
2015-03-16 11:38:15 +01:00
Ian Southam
08d2e10cb9
pep8
2015-03-16 11:38:15 +01:00
Ian Southam
0496ba7a00
firewallrules (VR) and networkacl (VPC) did not as I believe they should get combined
...
in the underlying java code
Have split them out again.
Once tested this will need some refactoring because it is currently PFU
2015-03-16 11:38:15 +01:00
Ian Southam
f924a9755d
Adding port forwarding ranges exposes a rather unfortunate typo
2015-03-16 11:38:15 +01:00
Hugo Trippaers
5c4d221c34
Let's stick to CamelCase for now
2015-03-16 11:38:12 +01:00
Hugo Trippaers
9385f071d7
Fix PEP8 compliance
2015-03-16 11:38:07 +01:00
Ian Southam
54f5c53a20
Decided not at this stage to combine VPC and VR code
2015-03-16 11:38:06 +01:00
Hugo Trippaers
4cfe2a32c0
Fix a few things introduced by the rebase
2015-03-16 11:35:35 +01:00