CS-16409 : dhcp request doesn't have target ip, remove ip in the iptable rule
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/ed094447 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/ed094447 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/ed094447 Branch: refs/heads/4.0 Commit: ed094447cd536311988589181dc9de2f93683efd Parents: 95df352 Author: Anthony Xu <[email protected]> Authored: Thu Sep 27 20:24:37 2012 -0700 Committer: Anthony Xu <[email protected]> Committed: Wed Oct 3 10:04:11 2012 -0700 ---------------------------------------------------------------------- .../debian/config/opt/cloud/bin/vpc_guestnw.sh | 22 +++++--------- 1 files changed, 8 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/ed094447/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh ---------------------------------------------------------------------- diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh index 90de218..ae966ec 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh @@ -79,6 +79,11 @@ desetup_apache2() { setup_dnsmasq() { logger -t cloud "Setting up dnsmasq for network $ip/$mask " + # setup rules to allow dhcp/dns request + sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT + sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT + sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT + sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT # setup static sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf @@ -93,7 +98,9 @@ setup_dnsmasq() { desetup_dnsmasq() { logger -t cloud "Desetting up dnsmasq for network $ip/$mask " - + # remove rules to allow dhcp/dns request + sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT + sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,option:router.*$/d" /etc/dnsmasq.d/cloud.conf sed -i -e "/^[#]*dhcp-option=tag:interface-$dev,6.*$/d" /etc/dnsmasq.d/cloud.conf sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf @@ -121,15 +128,6 @@ create_guest_network() { sudo ip addr add dev $dev $ip/$mask brd + sudo ip link set $dev up sudo arping -c 3 -I $dev -A -U -s $ip $ip - # setup rules to allow dhcp/dns request - sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT - sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT - sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT - sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT - sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT - sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT - sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT - sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT # restore mark from connection mark local tableName="Table_$dev" sudo ip route add $subnet/$mask dev $dev table $tableName proto static @@ -146,10 +144,6 @@ destroy_guest_network() { logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask " sudo ip addr del dev $dev $ip/$mask - sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT - sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT - sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT - sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip destroy_acl_chain
