Updated Branches: refs/heads/master ac1920ee9 -> 82a7e49fa
Summary: Add TCP to DNS firewall settings for virtual routers Detail: TCP is occasionally used for certain DNS query types BUG-ID: CLOUDSTACK-535 Bugfix-for: 4.0.1 Reported-by: Tamas Monos Signed-off-by: Marcus Sorensen <[email protected]> 1353946670 -0700 Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/82a7e49f Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/82a7e49f Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/82a7e49f Branch: refs/heads/master Commit: 82a7e49fad81b001410b66d151743b112d0daa65 Parents: ac1920e Author: Marcus Sorensen <[email protected]> Authored: Mon Nov 26 09:21:32 2012 -0700 Committer: Marcus Sorensen <[email protected]> Committed: Mon Nov 26 09:21:32 2012 -0700 ---------------------------------------------------------------------- .../debian/config/etc/iptables/iptables-router | 1 + patches/systemvm/debian/config/etc/iptables/rules | 1 + .../debian/config/opt/cloud/bin/vpc_guestnw.sh | 2 ++ .../debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh | 2 ++ .../systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh | 3 ++- 5 files changed, 8 insertions(+), 1 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 59d2e46..28469fb 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -33,6 +33,7 @@ COMMIT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/etc/iptables/rules
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/rules b/patches/systemvm/debian/config/etc/iptables/rules
index 614c3f9..7c57761 100644
--- a/patches/systemvm/debian/config/etc/iptables/rules
+++ b/patches/systemvm/debian/config/etc/iptables/rules
@@ -31,6 +31,7 @@ COMMIT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
 -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index faf62c6..d20ed5a 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
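Review bot: The added `-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT` accepts TCP/53 on eth0 in any connection state, while every other TCP rule in this INPUT chain (3922, 80) is written as `-m state --state NEW`; the identical line added to `rules` sits next to 3922, 8080 and 80 rules of that same form. Provided the chain's ESTABLISHED,RELATED accept for INPUT (not visible in this hunk) already covers reply traffic, `-A INPUT -i eth0 -p tcp -m state --state NEW --dport 53 -j ACCEPT` would follow the file's convention and limit the rule to new connections in both files. Mirroring the UDP line is understandable, but a short comment above the pair, `# dnsmasq: dhcp and dns (udp and tcp) from the guest network`, would record why both protocols are open.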
@@ -83,8 +83,10 @@ setup_dnsmasq() {
 # setup rules to allow dhcp/dns request
 sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
 sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -D INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
 sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
 sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+ sudo iptables -A INPUT -i $dev -d $ip -p tcp -m tcp --dport 53 -j ACCEPT
 # setup static
 sed -i -e "/^[#]*dhcp-range=interface:$dev/d" /etc/dnsmasq.d/cloud.conf
 echo "dhcp-range=interface:$dev,set:interface-$dev,$ip,static" >> /etc/dnsmasq.d/cloud.conf
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
index 9277bc7..0595869 100755
--- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
+++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpc_vpn_l2tp.sh
@@ -40,7 +40,9 @@ iptables_() {
 sudo iptables $op FORWARD -i ppp+ -d $zcidr -j ACCEPT
 sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
 sudo iptables $op INPUT -i ppp+ -p udp --dport 53 -j ACCEPT
+ sudo iptables $op INPUT -i ppp+ -p tcp --dport 53 -j ACCEPT
 sudo iptables -t nat $op PREROUTING -i ppp+ -p udp --dport 53 -j DNAT --to-destination $local_ip
+ sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp --dport 53 -j DNAT --to-destination $local_ip
 }
 ipsec_server() {
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/82a7e49f/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
----------------------------------------------------------------------
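Review bot: The comment above the block, `# setup rules to allow dhcp/dns request`, still reads as if only UDP were involved now that the two added `-p tcp -m tcp --dport 53` lines expose dnsmasq over TCP as well; I would change it to `# setup rules to allow dhcp/dns requests (dns over udp and tcp; tcp is used for certain query types)`, which matches the commit's own rationale. The new lines also repeat the unquoted `$dev` and `$ip` of the existing rules; where those values come from is outside the hunk, so this is the existing style rather than a new problem, but `"$dev"`/`"$ip"` would be the usual hardening if they are ever derived from input. setup_dnsmasq() starts before this hunk and continues after it.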
diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 7eb8b00..79661c8 100755
--- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -49,7 +49,8 @@ iptables_() {
 sudo iptables $op FORWARD -i $subnet_if -o ppp+ -j ACCEPT
 sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
 sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
- sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
+ sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
+ sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $subnet_ip
 if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null
 then
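Review bot: This hunk drops the UDP DNAT line, `sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip`, and adds only its TCP counterpart, so on the new side UDP DNS from ppp+ clients is still accepted by the INPUT rule but is no longer redirected to $subnet_ip. The diffstat (`3 ++-`) and a commit message that speaks only of adding TCP suggest the deletion is accidental, and the sibling change in vpc_vpn_l2tp.sh keeps both the UDP and the TCP DNAT rules, which is what this file should do too. Restoring the removed UDP line next to the new `-p tcp -m tcp` one fixes it. iptables_() starts before this hunk and continues after it.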
