This is an automated email from the ASF dual-hosted git repository.
nvazquez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/main by this push:
new e53ed9e350 network: fix event, acl, firewall for ipv6 nw (#6314)
e53ed9e350 is described below
commit e53ed9e35053dc012185f3b8ce5b3b5937585f25
Author: Abhishek Kumar <[email protected]>
AuthorDate: Wed Apr 27 08:00:44 2022 +0530
network: fix event, acl, firewall for ipv6 nw (#6314)
* add guest ipv6 cidr for fw rule
Signed-off-by: Abhishek Kumar <[email protected]>
* fix fw, acl nft chains
Signed-off-by: Abhishek Kumar <[email protected]>
* remove unnecessary log
Signed-off-by: Abhishek Kumar <[email protected]>
* api response should return default internet protocol
Signed-off-by: Abhishek Kumar <[email protected]>
* event resource fix for ipv6 firewall rule events
Signed-off-by: Abhishek Kumar <[email protected]>
* fix radvd, restore ipv6 intf in vm type script
Signed-off-by: Abhishek Kumar <[email protected]>
* fix dadfailed with rvr
Signed-off-by: Abhishek Kumar <[email protected]>
---
.../user/ipv6/CreateIpv6FirewallRuleCmd.java | 11 +++
.../user/ipv6/DeleteIpv6FirewallRuleCmd.java | 14 ++++
.../user/ipv6/UpdateIpv6FirewallRuleCmd.java | 14 ++++
.../api/routing/SetIpv6FirewallRulesCommand.java | 8 +-
.../facade/SetIpv6FirewallRulesConfigItem.java | 1 +
.../virtualnetwork/model/FirewallRule.java | 8 ++
.../cloud/offerings/dao/NetworkOfferingDao.java | 2 +
.../offerings/dao/NetworkOfferingDaoImpl.java | 9 +++
.../main/java/com/cloud/api/ApiResponseHelper.java | 2 +-
.../api/query/dao/NetworkOfferingJoinDaoImpl.java | 8 +-
.../api/query/dao/VpcOfferingJoinDaoImpl.java | 8 +-
.../cloud/network/router/CommandSetupHelper.java | 18 ++---
systemvm/debian/opt/cloud/bin/configure.py | 46 +++++++----
systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py | 20 ++---
systemvm/debian/opt/cloud/bin/setup/bootstrap.sh | 9 ---
systemvm/debian/opt/cloud/bin/setup/common.sh | 88 ++++++++++++++++------
systemvm/debian/opt/cloud/bin/setup/router.sh | 1 +
17 files changed, 200 insertions(+), 67 deletions(-)
diff --git
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java
index 780baa5664..be158c9de0 100644
---
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java
+++
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java
@@ -21,6 +21,7 @@ import java.util.List;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@@ -252,4 +253,14 @@ public class CreateIpv6FirewallRuleCmd extends
BaseAsyncCreateCmd {
}
}
}
+
+ @Override
+ public Long getApiResourceId() {
+ return getNetworkId();
+ }
+
+ @Override
+ public ApiCommandResourceType getApiResourceType() {
+ return ApiCommandResourceType.Network;
+ }
}
diff --git
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java
index 04c6082e05..e7343a80d0 100644
---
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java
+++
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java
@@ -17,6 +17,7 @@
package org.apache.cloudstack.api.command.user.ipv6;
import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@@ -94,4 +95,17 @@ public class DeleteIpv6FirewallRuleCmd extends BaseAsyncCmd {
}
}
+ @Override
+ public Long getApiResourceId() {
+ FirewallRule rule = _firewallService.getFirewallRule(id);
+ if (rule != null) {
+ return rule.getNetworkId();
+ }
+ return null;
+ }
+
+ @Override
+ public ApiCommandResourceType getApiResourceType() {
+ return ApiCommandResourceType.Network;
+ }
}
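Review bot: getApiResourceId returns null when `_firewallService.getFirewallRule(id)` finds no rule, so an event for a delete of a missing or already-removed rule is recorded with no network resource; if that is intended it deserves a comment such as `// rule may already be gone; the event is then recorded without a network resource`. The identical lookup-and-unwrap appears again in the UpdateIpv6FirewallRuleCmd hunk below, so the same note applies there. The null handling also collapses to a single expression, `FirewallRule rule = _firewallService.getFirewallRule(id); return rule == null ? null : rule.getNetworkId();`.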
diff --git
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java
index bb8fc71b55..8a05d02ae5 100644
---
a/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java
+++
b/api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java
@@ -20,6 +20,7 @@ import java.util.List;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCustomIdCmd;
import org.apache.cloudstack.api.Parameter;
@@ -172,4 +173,17 @@ public class UpdateIpv6FirewallRuleCmd extends
BaseAsyncCustomIdCmd {
}
}
+ @Override
+ public Long getApiResourceId() {
+ FirewallRule rule = _firewallService.getFirewallRule(id);
+ if (rule != null) {
+ return rule.getNetworkId();
+ }
+ return null;
+ }
+
+ @Override
+ public ApiCommandResourceType getApiResourceType() {
+ return ApiCommandResourceType.Network;
+ }
}
diff --git
a/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java
b/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java
index 62cc2cabaa..638ba408de 100644
---
a/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java
+++
b/core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java
@@ -30,18 +30,24 @@ import com.cloud.agent.api.to.FirewallRuleTO;
*/
public class SetIpv6FirewallRulesCommand extends NetworkElementCommand {
FirewallRuleTO[] rules;
+ String guestIp6Cidr;
protected SetIpv6FirewallRulesCommand() {
}
- public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules) {
+ public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules, String
guestIp6Cidr) {
this.rules = rules.toArray(new FirewallRuleTO[rules.size()]);
+ this.guestIp6Cidr = guestIp6Cidr;
}
public FirewallRuleTO[] getRules() {
return rules;
}
+ public String getGuestIp6Cidr() {
+ return guestIp6Cidr;
+ }
+
@Override
public int getAnswersCount() {
return rules.length;
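Review bot: The new `guestIp6Cidr` constructor parameter is neither documented nor checked, and its only consumer on the page (SetIpv6FirewallRulesConfigItem) copies it into every FirewallRule sent to the router, so whatever arrives here — including null — reaches the systemvm script unchanged. A constructor Javadoc stating the contract is the minimum, e.g. `@param guestIp6Cidr IPv6 CIDR of the guest network the rules apply to; the router uses it to build the ingress/egress jump rules` plus a sentence on whether null is permitted. If callers can legitimately pass null for networks without an IPv6 CIDR, the router side must cope with the absence; if not, an `Objects.requireNonNull(guestIp6Cidr, "guestIp6Cidr")` here fails earlier and more clearly. `rules.toArray(new FirewallRuleTO[rules.size()])` can be `rules.toArray(new FirewallRuleTO[0])`. getAnswersCount continues past the hunk.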
diff --git
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java
index ff4f266f99..75ec539681 100644
---
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java
+++
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java
@@ -42,6 +42,7 @@ public class SetIpv6FirewallRulesConfigItem extends
AbstractConfigItemFacade{
final FirewallRule fwRule = new FirewallRule(rule.getId(),
rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(),
rule.getSrcPortRange(), rule.revoked(),
rule.isAlreadyAdded(), rule.getSourceCidrList(),
rule.getDestCidrList(), rule.getPurpose().toString(), rule.getIcmpType(),
rule.getIcmpCode(), rule.getTrafficType().toString(),
rule.getGuestCidr(), rule.isDefaultEgressPolicy());
+ fwRule.setGuestIp6Cidr(command.getGuestIp6Cidr());
rules.add(fwRule);
}
diff --git
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java
index 44ec9bef76..1baf05657f 100644
---
a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java
+++
b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java
@@ -38,6 +38,7 @@ public class FirewallRule {
private String guestCidr;
private boolean defaultEgressPolicy;
private String type;
+ private String guestIp6Cidr;
public FirewallRule() {
// Empty constructor for (de)serialization
@@ -174,4 +175,11 @@ public class FirewallRule {
this.defaultEgressPolicy = defaultEgressPolicy;
}
+ public String getGuestIp6Cidr() {
+ return guestIp6Cidr;
+ }
+
+ public void setGuestIp6Cidr(String guestIp6Cidr) {
+ this.guestIp6Cidr = guestIp6Cidr;
+ }
}
diff --git
a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java
b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java
index 60d7701cd0..381d2144df 100644
---
a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java
+++
b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java
@@ -73,5 +73,7 @@ public interface NetworkOfferingDao extends
GenericDao<NetworkOfferingVO, Long>
NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long
offeringId);
+ NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long
offeringId, NetUtils.InternetProtocol defaultProtocol);
+
boolean isIpv6Supported(long offeringId);
}
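Review bot: The new overload has no Javadoc, although its contract — return `defaultProtocol` when the offering does not specify one — is exactly what a caller needs in order to choose a sensible default (ApiResponseHelper in this commit passes IPv4). Suggest `/** Like {@link #getNetworkOfferingInternetProtocol(long)} but returns {@code defaultProtocol} instead of {@code null} when the offering has no internet protocol recorded. */` above the declaration.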
diff --git
a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java
b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java
index fd36a1b825..65362eba3c 100644
---
a/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java
+++
b/engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java
@@ -278,6 +278,15 @@ public class NetworkOfferingDaoImpl extends
GenericDaoBase<NetworkOfferingVO, Lo
return NetUtils.InternetProtocol.fromValue(internetProtocolStr);
}
+ @Override
+ public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long
offeringId,NetUtils.InternetProtocol defaultProtocol) {
+ NetUtils.InternetProtocol protocol =
getNetworkOfferingInternetProtocol(offeringId);
+ if (protocol == null) {
+ return defaultProtocol;
+ }
+ return protocol;
+ }
+
@Override
public boolean isIpv6Supported(long offeringId) {
NetUtils.InternetProtocol internetProtocol =
getNetworkOfferingInternetProtocol(offeringId);
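Review bot: The signature `long offeringId,NetUtils.InternetProtocol defaultProtocol` is missing the space after the comma, and the null-or-default branch reads more directly as one expression: `final NetUtils.InternetProtocol protocol = getNetworkOfferingInternetProtocol(offeringId); return protocol != null ? protocol : defaultProtocol;`. A short Javadoc mirroring the interface (`defaultProtocol` is returned only when the offering has no protocol recorded) would also be appropriate on the implementation. isIpv6Supported continues past the hunk.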
diff --git a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
index d7f03bc51c..2afe1d7d38 100644
--- a/server/src/main/java/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/main/java/com/cloud/api/ApiResponseHelper.java
@@ -2533,7 +2533,7 @@ public class ApiResponseHelper implements
ResponseGenerator {
response.setBytesSent(bytesSent);
if
(networkOfferingDao.isIpv6Supported(network.getNetworkOfferingId())) {
-
response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId()).toString());
+
response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId(),
NetUtils.InternetProtocol.IPv4).toString());
response.setIpv6Routing(Network.Routing.Static.toString());
response.setIpv6Routes(new LinkedHashSet<>());
if
(Network.GuestType.Isolated.equals(networkOffering.getGuestType())) {
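Review bot: The IPv4 default is supplied inside a branch already guarded by `networkOfferingDao.isIpv6Supported(...)`, and the NetworkOfferingDaoImpl hunk shows isIpv6Supported deriving its answer from the same getNetworkOfferingInternetProtocol(offeringId) call, so whether the fallback is reachable here depends on how isIpv6Supported treats a null protocol — if null means "not supported", the default is dead code in this spot; if null counts as supported, reporting IPv4 for an IPv6-capable network looks inconsistent. A one-line comment stating the intended case, e.g. `// offering with IPv6 support but no recorded protocol: report IPv4 rather than failing the response`, would settle it for the next reader. The enclosing method extends beyond the hunk on both sides.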
diff --git
a/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java
b/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java
index ae51df3cb6..474409a976 100644
---
a/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java
+++
b/server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java
@@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
import java.util.List;
+import org.apache.commons.lang3.StringUtils;
import org.apache.cloudstack.api.response.NetworkOfferingResponse;
import org.apache.log4j.Logger;
@@ -27,6 +28,7 @@ import com.cloud.offering.NetworkOffering;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.net.NetUtils;
public class NetworkOfferingJoinDaoImpl extends
GenericDaoBase<NetworkOfferingJoinVO, Long> implements NetworkOfferingJoinDao {
public static final Logger s_logger =
Logger.getLogger(NetworkOfferingJoinDaoImpl.class);
@@ -99,7 +101,11 @@ public class NetworkOfferingJoinDaoImpl extends
GenericDaoBase<NetworkOfferingJo
networkOfferingResponse.setDomain(networkOfferingJoinVO.getDomainPath());
networkOfferingResponse.setZoneId(networkOfferingJoinVO.getZoneUuid());
networkOfferingResponse.setZone(networkOfferingJoinVO.getZoneName());
-
networkOfferingResponse.setInternetProtocol(networkOfferingJoinVO.getInternetProtocol());
+ String protocol = networkOfferingJoinVO.getInternetProtocol();
+ if (StringUtils.isEmpty(protocol)) {
+ protocol = NetUtils.InternetProtocol.IPv4.toString();
+ }
+ networkOfferingResponse.setInternetProtocol(protocol);
}
networkOfferingResponse.setObjectName("networkoffering");
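Review bot: The empty-to-IPv4 fallback is written as a three-statement block here and repeated verbatim in the VpcOfferingJoinDaoImpl hunk below; commons-lang3 already expresses it in one call, `networkOfferingResponse.setInternetProtocol(StringUtils.defaultIfEmpty(networkOfferingJoinVO.getInternetProtocol(), NetUtils.InternetProtocol.IPv4.toString()));`. Also, the `org.apache.commons.lang3.StringUtils` import added in this file's first hunk sits before `org.apache.cloudstack...`, breaking the alphabetical order that the VpcOfferingJoinDaoImpl hunk keeps. The enclosing method continues outside the hunk.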
diff --git
a/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
b/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
index c7afbe1790..0413d8eb52 100644
--- a/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
+++ b/server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
@@ -20,6 +20,7 @@ package com.cloud.api.query.dao;
import java.util.List;
import org.apache.cloudstack.api.response.VpcOfferingResponse;
+import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import com.cloud.api.query.vo.VpcOfferingJoinVO;
@@ -27,6 +28,7 @@ import com.cloud.network.vpc.VpcOffering;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
+import com.cloud.utils.net.NetUtils;
public class VpcOfferingJoinDaoImpl extends GenericDaoBase<VpcOfferingJoinVO,
Long> implements VpcOfferingJoinDao {
public static final Logger s_logger =
Logger.getLogger(VpcOfferingJoinDaoImpl.class);
@@ -70,7 +72,11 @@ public class VpcOfferingJoinDaoImpl extends
GenericDaoBase<VpcOfferingJoinVO, Lo
offeringResponse.setDomain(offeringJoinVO.getDomainPath());
offeringResponse.setZoneId(offeringJoinVO.getZoneUuid());
offeringResponse.setZone(offeringJoinVO.getZoneName());
-
offeringResponse.setInternetProtocol(offeringJoinVO.getInternetProtocol());
+ String protocol = offeringJoinVO.getInternetProtocol();
+ if (StringUtils.isEmpty(protocol)) {
+ protocol = NetUtils.InternetProtocol.IPv4.toString();
+ }
+ offeringResponse.setInternetProtocol(protocol);
}
offeringResponse.setObjectName("vpcoffering");
diff --git
a/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
b/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
index 5cf9f51a7d..d6ee6e844d 100644
--- a/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
+++ b/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
@@ -461,7 +461,9 @@ public class CommandSetupHelper {
public void createApplyIpv6FirewallRulesCommands(final List<? extends
FirewallRule> rules, final VirtualRouter router, final Commands cmds, final
long guestNetworkId) {
final List<FirewallRuleTO> rulesTO = new ArrayList<>();
String systemRule = null;
- Boolean defaultEgressPolicy = false;
+ final NetworkVO network = _networkDao.findById(guestNetworkId);
+ final NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
+ Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();;
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() ==
FirewallRule.TrafficType.Egress && rules.get(0).getType() ==
FirewallRule.FirewallRuleType.System) {
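Review bot: `network` returned by `_networkDao.findById(guestNetworkId)` is dereferenced without a null check (`network.getNetworkOfferingId()` here, `network.getIp6Cidr()` in the next hunk), and because the lookup moved out of the egress branch it now runs on every IPv6 firewall apply, so a missing network surfaces as an NPE instead of a descriptive error; the same applies to the two createIpv6FirewallRulesCommands hunks further down. A guard before the offering lookup, `if (network == null) { throw new IllegalStateException("Guest network " + guestNetworkId + " not found"); }`, gives operators something to act on (the project's usual exception type is preferable if one exists). `Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();;` ends with a stray empty statement, and since the variable is no longer reassigned it can be `final boolean`. `network.getIp6Cidr()` may itself be null for a network without an IPv6 CIDR; that value is forwarded to the router script unchanged, which deserves either a check or a comment here. The method body continues past the hunk.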
@@ -476,16 +478,13 @@ public class CommandSetupHelper {
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule,
null, null, Purpose.Ipv6Firewall, trafficType);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() ==
FirewallRule.TrafficType.Egress) {
- final NetworkVO network =
_networkDao.findById(guestNetworkId);
- final NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
- defaultEgressPolicy = offering.isEgressDefaultPolicy();
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule,
null, "", Purpose.Ipv6Firewall, trafficType, defaultEgressPolicy);
rulesTO.add(ruleTO);
}
}
}
- final SetIpv6FirewallRulesCommand cmd = new
SetIpv6FirewallRulesCommand(rulesTO);
+ final SetIpv6FirewallRulesCommand cmd = new
SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP,
_routerControlHelper.getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP,
_routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME,
router.getInstanceName());
@@ -547,7 +546,9 @@ public class CommandSetupHelper {
public void createIpv6FirewallRulesCommands(final List<? extends
FirewallRule> rules, final VirtualRouter router, final Commands cmds, final
long guestNetworkId) {
final List<FirewallRuleTO> rulesTO = new ArrayList<>();
String systemRule = null;
- Boolean defaultEgressPolicy = false;
+ final NetworkVO network = _networkDao.findById(guestNetworkId);
+ final NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
+ Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() ==
FirewallRule.TrafficType.Egress && rules.get(0).getType() ==
FirewallRule.FirewallRuleType.System) {
@@ -562,16 +563,13 @@ public class CommandSetupHelper {
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule,
null, null, Purpose.Ipv6Firewall, traffictype);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() ==
FirewallRule.TrafficType.Egress) {
- final NetworkVO network =
_networkDao.findById(guestNetworkId);
- final NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
- defaultEgressPolicy = offering.isEgressDefaultPolicy();
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule,
null, "", Purpose.Ipv6Firewall, traffictype, defaultEgressPolicy);
rulesTO.add(ruleTO);
}
}
}
- final SetIpv6FirewallRulesCommand cmd = new
SetIpv6FirewallRulesCommand(rulesTO);
+ final SetIpv6FirewallRulesCommand cmd = new
SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP,
_routerControlHelper.getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP,
_routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME,
router.getInstanceName());
diff --git a/systemvm/debian/opt/cloud/bin/configure.py
b/systemvm/debian/opt/cloud/bin/configure.py
index e6c608b469..67e575bfb7 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -296,17 +296,13 @@ class CsAcl(CsDataBag):
return
tier_cidr = self.ip6_cidr
chain = "%s_%s_policy" % (self.device, direction)
- rule = "accept"
- parent_chain = "acl_output"
+ parent_chain = "acl_forward"
cidr_key = "saddr"
- parent_chain_rule = "ip6 saddr ::/0 jump %s" % (chain)
if direction == "ingress":
- rule = "drop"
- parent_chain = "acl_input"
cidr_key = "daddr"
parent_chain_rule = "ip6 %s %s jump %s" % (cidr_key, tier_cidr,
chain)
- self.ipv6_acl.append({'type': "", 'chain': parent_chain, 'rule':
parent_chain_rule})
- self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain, 'rule':
rule})
+ self.ipv6_acl.insert(0, {'type': "", 'chain': parent_chain,
'rule': parent_chain_rule})
+ self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain})
for rule in rule_list:
cidr = rule['cidr']
if cidr != None and cidr != "":
@@ -369,6 +365,8 @@ class CsAcl(CsDataBag):
self.ipv6_acl.insert(0, {'type': type, 'chain': chain,
'rule': rstr})
else:
self.ipv6_acl.append({'type': type, 'chain': chain,
'rule': rstr})
+ rstr = "counter packets 0 bytes 0 drop"
+ self.ipv6_acl.append({'type': "", 'chain': chain, 'rule': rstr})
def process(self, direction, rule_list, base):
count = base
@@ -480,10 +478,30 @@ class CsIpv6Firewall(CsDataBag):
def process(self):
fw = self.config.get_ipv6_fw()
logging.info("Processing IPv6 firewall rules %s; %s" % (self.dbag, fw))
+ chains_added = False
+ egress_policy = None
for item in self.dbag:
if item == "id":
continue
rule = self.dbag[item]
+
+ if chains_added == False:
+ guest_cidr = rule['guest_ip6_cidr']
+ parent_chain = "fw_forward"
+ chain = "fw_chain_egress"
+ parent_chain_rule = "ip6 saddr %s jump %s" % (guest_cidr,
chain)
+ fw.append({'type': "chain", 'chain': chain})
+ fw.append({'type': "", 'chain': parent_chain, 'rule':
parent_chain_rule})
+ chain = "fw_chain_ingress"
+ parent_chain_rule = "ip6 daddr %s jump %s" % (guest_cidr,
chain)
+ fw.append({'type': "chain", 'chain': chain})
+ fw.append({'type': "", 'chain': parent_chain, 'rule':
parent_chain_rule})
+ if rule['default_egress_policy']:
+ egress_policy = "accept"
+ else:
+ egress_policy = "drop"
+ chains_added = True
+
rstr = ""
chain = "fw_chain_ingress"
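Review bot: The chain set-up reads `rule['guest_ip6_cidr']` and `rule['default_egress_policy']` from whichever rule the dbag yields first, regardless of its traffic type; on the Java side only egress rules are built with the FirewallRuleTO constructor that takes defaultEgressPolicy (CommandSetupHelper hunks), so if an ingress rule comes first and its flag is presumably left at false, the terminal rule appended to fw_chain_egress in the hunk below becomes `drop` even when the offering's default egress policy is accept. Taking the policy from the first egress rule, or carrying it as a command-level value next to guest_ip6_cidr, would remove the dependence on dict order. `rule['guest_ip6_cidr']` also raises KeyError if the key is absent (the Java side sets it from `network.getIp6Cidr()` with no null check, and a null field may not be serialised at all), which would abort the whole firewall apply; `rule.get('guest_ip6_cidr')` followed by an explicit error log fails more clearly. `if chains_added == False:` is `if not chains_added:`. The process method continues past the hunk.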
@@ -561,14 +579,14 @@ class CsIpv6Firewall(CsDataBag):
rstr = appendStringIfNotEmpty(rstr, proto)
if rstr and action:
rstr = rstr + " " + action
- else:
- type = "chain"
- rstr = action
- logging.debug("Process IPv6 firewall rule %s" % rstr)
- if type == "chain":
- fw.insert(0, {'type': type, 'chain': chain, 'rule': rstr})
- else:
+ logging.debug("Process IPv6 firewall rule %s" % rstr)
fw.append({'type': type, 'chain': chain, 'rule': rstr})
+ if chains_added:
+ base_rstr = "counter packets 0 bytes 0"
+ rstr = "%s drop" % base_rstr
+ fw.append({'type': "", 'chain': "fw_chain_ingress", 'rule': rstr})
+ rstr = "%s %s" % (base_rstr, egress_policy)
+ fw.append({'type': "", 'chain': "fw_chain_egress", 'rule': rstr})
class CsVmMetadata(CsDataBag):
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index 65bf4114a2..a034034dc8 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -229,23 +229,23 @@ class CsNetfilters(object):
if chain_policy and action:
chain_policy = "%s policy %s;" % (chain_policy, action)
CsHelper.execute("nft add chain %s %s %s '{ %s }'" %
(address_family, table, chain, chain_policy))
- if chain_policy:
+ if hook == "input" or hook == "output":
CsHelper.execute("nft add rule %s %s %s icmpv6 type {
echo-request, echo-reply, nd-neighbor-solicit, nd-router-advert,
nd-neighbor-advert } accept" % (address_family, table, chain))
def apply_ip6_rules(self, rules, type):
- logging.debug("Add IPv6 rules: %s", rules)
if len(rules) == 0:
return
address_family = 'ip6'
table = 'ip6_firewall'
default_chains = [
- { "chain": "fw_chain_ingress", "hook": "input", "action": "drop"}
+ { "chain": "fw_input", "hook": "input", "action": "drop"},
+ { "chain": "fw_forward", "hook": "forward", "action": "accept"}
]
if type == "acl":
table = 'ip6_acl'
default_chains = [
{ "chain": "acl_input", "hook": "input", "action": "drop" },
- { "chain": "acl_output", "hook": "output", "action": "accept" }
+ { "chain": "acl_forward", "hook": "forward", "action":
"accept"}
]
CsHelper.execute("nft add table %s %s" % (address_family, table))
for chain in default_chains:
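Review bot: The `fw_forward` base chain is created with `policy accept`, so forwarded IPv6 traffic is filtered only where a jump rule emitted by configure.py sends it into fw_chain_ingress/fw_chain_egress (keyed on the guest CIDR); anything else traversing the forward hook passes by default, a fail-open choice the code does not explain. A comment on the default_chains list, `# forward: traffic not matched by a guest-CIDR jump rule falls through to accept`, would make that trust boundary explicit. `if hook == "input" or hook == "output":` reads more idiomatically as `if hook in ("input", "output"):`. apply_ip6_rules continues past the hunk.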
@@ -253,13 +253,15 @@ class CsNetfilters(object):
for fw in rules:
chain = fw['chain']
type = fw['type']
- rule = fw['rule']
+ rule = None
+ if 'rule' in fw:
+ rule = fw['rule']
if type == "chain":
- hook = "input"
- if "egress" in chain:
+ hook = ""
+ if "output" in chain:
hook = "output"
- if chain.startswith("eth"):
- hook = ""
+ elif "input" in chain:
+ hook = "input"
self.add_ip6_chain(address_family, table, chain, hook, rule)
else:
logging.info("Add: rule=%s in address_family=%s table=%s,
chain=%s", rule, address_family, table, chain)
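Review bot: The three lines `rule = None` / `if 'rule' in fw:` / `rule = fw['rule']` are `rule = fw.get('rule')`. Deriving the hook from a substring of the chain name (`"output" in chain`, `"input" in chain`) is fragile — any regular chain whose name happens to contain "input" would be registered as a base chain; since configure.py now emits `{'type': "chain", 'chain': chain}` dicts, an explicit `'hook'` key set by the producer would make the intent unambiguous. The loop body continues past the hunk.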
diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
index b3409213ed..4720237543 100755
--- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
@@ -85,15 +85,6 @@ config_sysctl() {
sed -i "/^vm.vfs_cache_pressure/ c\vm.vfs_cache_pressure = 100"
/etc/sysctl.conf
fi
- eth0_ip6=$(grep -Po 'eth0ip6=\K[0-9a-zA-Z:]*' $CMDLINE)
- eth2_ip6=$(grep -Po 'eth2ip6=\K[0-9a-zA-Z:]*' $CMDLINE)
- if [ -n "$eth0_ip6" ] || [ -n "$eth2_ip6" ]
- then
- sed -i "s/net.ipv6.conf.all.disable_ipv6
=.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf
- sed -i "s/net.ipv6.conf.all.forwarding
=.*$/net.ipv6.conf.all.forwarding = 1/" /etc/sysctl.conf
- sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra
= 1/" /etc/sysctl.conf
- fi
-
sync
sysctl -p
}
diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh
b/systemvm/debian/opt/cloud/bin/setup/common.sh
index b937fd889b..a799a88be8 100755
--- a/systemvm/debian/opt/cloud/bin/setup/common.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/common.sh
@@ -110,23 +110,31 @@ setup_interface() {
fi
}
-setup_interface_ipv6() {
+enable_interface_ipv6() {
+ local intf=eth${1}
+ log_it "Enabling IPv6 on interface: ${intf}"
sysctl net.ipv6.conf.all.disable_ipv6=0
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.all.accept_ra=1
-
sed -i "s/net.ipv6.conf.all.disable_ipv6
=.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.forwarding =.*$/net.ipv6.conf.all.forwarding =
1/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra =
1/" /etc/sysctl.conf
+ sysctl net.ipv6.conf.${intf}.accept_dad=0
+ sysctl net.ipv6.conf.${intf}.use_tempaddr=0
+ if [ "$2" = true ] ; then
+ ifdown ${intf}
+ ifup ${intf}
+ fi
+}
+
+setup_interface_ipv6() {
+ enable_interface_ipv6 $1 false
local intfnum=$1
local ipv6="$2"
local prelen="$3"
local intf=eth${intfnum}
- sysctl net.ipv6.conf.$intf.accept_dad=0
- sysctl net.ipv6.conf.$intf.use_tempaddr=0
-
echo "iface $intf inet6 static" >> /etc/network/interfaces
echo " address $ipv6 " >> /etc/network/interfaces
echo " netmask $prelen" >> /etc/network/interfaces
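Review bot: `sysctl net.ipv6.conf.${intf}.accept_dad=0` switches off duplicate address detection on the interface, which the commit message attributes to dadfailed on redundant routers, but nothing in the code says so; a comment such as `# DAD is disabled so the address shared by redundant routers is not marked dadfailed` (wording to be confirmed against the RVR behaviour) would stop a later maintainer re-enabling it. `$1` and `$2` are used unquoted and unvalidated — `local intf=eth${1}` with an empty argument yields `eth` — and `[ "$2" = true ]` is the only check. The sysctl.conf edits are system-wide (`net.ipv6.conf.all.*`) while the function name suggests per-interface scope, which is worth a sentence in a header comment. setup_interface_ipv6 continues past the hunk.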
@@ -266,31 +274,52 @@ enable_rpsrfs() {
echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt
}
-setup_common() {
- init_interfaces $1 $2 $3
- if [ -n "$ETH0_IP" ]
+setup_ipv6() {
+ local enableradvd=false
+ if [ -n "$ETH0_IP6" ]
then
- setup_interface "0" $ETH0_IP $ETH0_MASK $GW
+ enableradvd=true
+ setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
+ fi
+ if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
+ then
+ rm -rf /etc/radvd.conf
+ setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE $enableradvd
+ fi
+ if [ -n "$ETH2_IP6" ]
+ then
+ setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN
+ fi
+}
+
+restore_ipv6() {
+ if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
+ then
+ enable_interface_ipv6 "0" true
fi
if [ -n "$ETH0_IP6" ]
then
- setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
- rm -rf /etc/radvd.conf
- setup_radvd "0" $ETH0_IP6 $ETH0_IP6_PRELEN true
- elif [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
+ enable_radvd
+ fi
+ if [ -n "$ETH2_IP6" ]
then
- rm -rf /etc/radvd.conf
- setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE false
+ enable_interface_ipv6 "2" true
+ fi
+}
+
+
+setup_common() {
+ init_interfaces $1 $2 $3
+ if [ -n "$ETH0_IP" ]
+ then
+ setup_interface "0" $ETH0_IP $ETH0_MASK $GW
fi
setup_interface "1" $ETH1_IP $ETH1_MASK $GW
if [ -n "$ETH2_IP" ]
then
setup_interface "2" $ETH2_IP $ETH2_MASK $GW
fi
- if [ -n "$ETH2_IP6" ]
- then
- setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN
- fi
+ setup_ipv6
echo $NAME > /etc/hostname
echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
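Review bot: In setup_ipv6, `setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE $enableradvd` is reached whenever `$ETH0_IP6` is set, even if GUEST_GW6 or GUEST_CIDR6_SIZE is empty; because the expansions are unquoted, an empty variable vanishes and the remaining arguments shift left, so setup_radvd could receive `true` as its prefix length. Quote them, `setup_radvd "0" "$GUEST_GW6" "$GUEST_CIDR6_SIZE" "$enableradvd"`, and `[ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]` is more portable as two `[ ]` tests joined with `&&`. The old ETH0_IP6 branch configured radvd from `$ETH0_IP6 $ETH0_IP6_PRELEN`; if always using the guest gateway and CIDR is the intended radvd fix, a comment in setup_ipv6 saying so would help. setup_common continues past the hunk.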
@@ -370,6 +399,24 @@ setup_common() {
fi
}
+enable_radvd() {
+ systemctl -q is-enabled radvd
+ status=$?
+ if [ $status -ne 0 ]
+ then
+ log_it "Enabling radvd"
+ systemctl enable radvd
+ echo "radvd" >> /var/cache/cloud/enabled_svcs
+ fi
+ systemctl -q is-active radvd
+ status=$?
+ if [ $status -ne 0 ]
+ then
+ log_it "Starting radvd"
+ systemctl start radvd
+ fi
+}
+
setup_radvd() {
log_it "Setting up radvd"
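Review bot: `status` is assigned without `local`, so it leaks into the caller's scope (setup_radvd, restore_ipv6); the capture is also unnecessary, since `if ! systemctl -q is-enabled radvd; then` and `if ! systemctl -q is-active radvd; then` express the same checks. `echo "radvd" >> /var/cache/cloud/enabled_svcs` appends a line every time the service is found disabled, so the file can accumulate duplicates if radvd is disabled and re-enabled across runs; a `grep -qx radvd /var/cache/cloud/enabled_svcs ||` guard keeps it idempotent. setup_radvd begins after the hunk.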
@@ -394,8 +441,7 @@ setup_radvd() {
sed -i "s,{{ RDNSS_CONFIG }},$RDNSS_CFG,g" /etc/radvd.conf.$intf
cat /etc/radvd.conf.$intf >> /etc/radvd.conf
if [ "$enable" = true ] ; then
- systemctl enable radvd
- echo "radvd" >> /var/cache/cloud/enabled_svcs
+ enable_radvd
fi
}
diff --git a/systemvm/debian/opt/cloud/bin/setup/router.sh
b/systemvm/debian/opt/cloud/bin/setup/router.sh
index d7113c4930..f5fa95c7b1 100755
--- a/systemvm/debian/opt/cloud/bin/setup/router.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/router.sh
@@ -71,6 +71,7 @@ setup_router() {
enable_fwding 1
enable_rpsrfs 1
enable_passive_ftp 1
+ restore_ipv6
# Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i
eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g"
/etc/iptables/rules.v4