Updated Branches: refs/heads/master e4f8068ef -> f1fb7c3ef
in security group, CS put a rule in ebtables filter table FORWARD chain to prevent user from changing VM mac address util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac, '-j', 'DROP']) if user changes the VM mac address, all egress packet from the VM will be dropped, but the egress packet still contaminate the bridge cache with fake MAC, This patch moves the rule to ebtables nat table PREROUTING chain, then the egress packet with modified MAC will not contaminate the bridge cache. Anthony Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f1fb7c3e Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f1fb7c3e Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f1fb7c3e Branch: refs/heads/master Commit: f1fb7c3efe0892c05a3e8868bb091d99fa25ebee Parents: e4f8068 Author: Anthony Xu <[email protected]> Authored: Tue Jul 30 17:04:21 2013 -0700 Committer: Anthony Xu <[email protected]> Committed: Tue Jul 30 17:04:21 2013 -0700 ---------------------------------------------------------------------- .../vm/hypervisor/xenserver/ovs-vif-flows.py | 23 ++++++++++++++++---- scripts/vm/hypervisor/xenserver/vmops | 11 +++++++++- 2 files changed, 29 insertions(+), 5 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1fb7c3e/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py b/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
index 46aedc8..8452dae 100644
--- a/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
+++ b/scripts/vm/hypervisor/xenserver/ovs-vif-flows.py
@@ -52,20 +52,35 @@ def apply_flows(bridge, this_vif_ofport, vif_ofports):
 pluginlib.add_flow(bridge, priority=1100, nw_dst='224.0.0.0/24', actions=action)
+def clear_rules(vif):
+ try:
+ delcmd = "/sbin/ebtables -t nat -L PREROUTING | grep " + vif
+ delcmds = pluginlib.do_cmd(['/bin/bash', '-c', delcmd]).split('\n')
+ for cmd in delcmds:
+ try:
+ cmd = '/sbin/ebtables -t nat -D PREROUTING ' + cmd
+ pluginlib.do_cmd(['/bin/bash', '-c', cmd])
+ except:
+ pass
+ except:
+ pass
+
 def main(command, vif_raw):
 if command not in ('online', 'offline'):
 return
+
+ vif_name, dom_id, vif_index = vif_raw.split('-')
+ # validate vif and dom-id
+ this_vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
 # Make sure the networking stack is not linux bridge!
 net_stack = pluginlib.do_cmd(['cat', '/etc/xensource/network.conf'])
 if net_stack.lower() == "bridge":
+ if command == 'offline':
+ clear_rules(this_vif)
 # Nothing to do here!
 return
- vif_name, dom_id, vif_index = vif_raw.split('-')
- # validate vif and dom-id
- this_vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
-
 bridge = pluginlib.do_cmd([pluginlib.VSCTL_PATH, 'iface-to-br', this_vif])
 # find xs network for this bridge, verify is used for ovs tunnel network
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1fb7c3e/scripts/vm/hypervisor/xenserver/vmops
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 3b6ff3c..ff33c2d 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -486,6 +486,11 @@ def can_bridge_firewall(session, args):
 try:
 util.pread2(['ebtables', '-V'])
 util.pread2(['ipset', '-V'])
+ cmd = ['cat', '/etc/xensource/network.conf']
+ result = util.pread2(cmd)
+ if result.lower().strip() != "bridge":
+ return 'false'
+
 except:
 return 'false'
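Review bot: clear_rules in the ovs-vif-flows.py hunk hands `/bin/bash -c` a string built from `vif` and then, per line, from whatever ebtables printed, so both the vif name (derived from the hook's `vif_raw` argument) and the listed rule text are re-parsed by a shell, and `grep <vif>` is a substring/regex match rather than an interface match, so `vif1.0` also selects the rules of `vif1.01`. Listing with an argv vector and filtering in Python avoids both; the sketch below assumes ebtables prints each rule with the `-i <vif>` token as inserted by vmops, which should be confirmed against `ebtables -t nat -L PREROUTING` output on a host. The two bare `except: pass` clauses also hide a missing ebtables binary or a failed delete, and a stale PREROUTING rule keyed to a reusable vif name would later drop a different VM's traffic, so narrow them to `except Exception` and record the failure. Separately, `vif_raw.split('-')` now runs before the network-stack check and raises ValueError on a malformed argument where main previously returned on a bridge host.
```python
def clear_rules(vif):
    # Delete every nat/PREROUTING rule that names this vif.  No shell: the
    # vif string and the listed rule text are passed as argv, never re-parsed.
    try:
        listing = pluginlib.do_cmd(['/sbin/ebtables', '-t', 'nat', '-L', 'PREROUTING'])
    except Exception:
        return  # ebtables missing or nat table unavailable: nothing to clear
    needle = '-i %s ' % vif
    for rule in listing.split('\n'):
        if needle not in rule:
            continue
        try:
            pluginlib.do_cmd(['/sbin/ebtables', '-t', 'nat', '-D', 'PREROUTING'] + rule.split())
        except Exception:
            pass  # rule already gone; a failed delete must not abort the offline hook
```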
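Review bot: The network-stack check added to can_bridge_firewall compares `result.lower().strip()` while the matching check in ovs-vif-flows.py (`net_stack.lower() == "bridge"`) does not strip; if pread2/do_cmd keep the trailing newline of network.conf, the two checks disagree on the same host, so both should normalise the same way. Spawning `cat` for a local file is also unnecessary: `with open('/etc/xensource/network.conf') as f: result = f.read()` gives the same string, and a missing file still lands in the existing `except:` and returns 'false'. The extra blank `+` line before `except:` is stray whitespace. can_bridge_firewall's body continues outside the hunk.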
@@ -749,7 +754,11 @@ def default_ebtables_antispoof_rules(vm_chain, vifs, vm_ip, vm_mac):
 try:
 for vif in vifs:
 # only allow source mac that belongs to the vm
- util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac, '-j', 'DROP'])
+ try:
+ util.pread2(['ebtables', '-t', 'nat', '-I', 'PREROUTING', '-i', vif, '-s', '!' , vm_mac, '-j', 'DROP'])
+ except:
+ util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac, '-j', 'DROP'])
+
 # do not allow fake dhcp responses
 util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-p', 'IPv4', '--ip-proto', 'udp', '--ip-dport', '68', '-j', 'DROP'])
 # do not allow snooping of dhcp requests
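Review bot: The bare `except:` around the nat-table insert in default_ebtables_antispoof_rules turns any failure, not only an ebtables build without nat-table support, into a silent fallback to the filter-chain rule that the commit message says still lets the bridge learn the spoofed MAC, with nothing recorded about which rule is in force; narrow it to `except Exception:` and log the vif and the fallback before issuing the `-A` rule. The PREROUTING rule also lives outside `vm_chain`, so whatever tears down `vm_chain` will not remove it — its removal now depends on the offline hook in ovs-vif-flows.py, and a missed hook leaves a rule keyed to a reusable vif name that drops the next VM's traffic. Since `-I` appears to insert unconditionally, reprogramming the rules for a running VM will also stack duplicate PREROUTING entries. Style: `'!' , vm_mac` has a stray space before the comma. The enclosing try/for continues outside the hunk.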
