Updated Branches:
  refs/heads/4.3 b72285f3e -> a11730f57

CLOUDSTACK-5297: Fix ACL rules on VPN for VPC

Insert a new iptables chain into the FORWARD chain, so that the following ACL
rules are executed as well.


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a11730f5
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a11730f5
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a11730f5

Branch: refs/heads/4.3
Commit: a11730f57cc60b8a2c28729725d2967cd50b48d3
Parents: b72285f
Author: Sheng Yang <[email protected]>
Authored: Mon Dec 9 17:28:53 2013 -0800
Committer: Sheng Yang <[email protected]>
Committed: Mon Dec 9 17:28:53 2013 -0800

----------------------------------------------------------------------
 .../debian/vpn/opt/cloud/bin/vpn_l2tp.sh        | 28 +++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a11730f5/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh 
b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 5afe009..83d5272 100755
--- a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -35,21 +35,41 @@ get_intf_ip() {
 iptables_() {
    local op=$1
    local public_ip=$2
+   local is_vpc=false
+   local forward_action="ACCEPT"
+   if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+   then
+       is_vpc=true
+   fi
 
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 
-j ACCEPT
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 
-j ACCEPT
    sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 
-j ACCEPT
    sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
    sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
-   sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
-   sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
-   sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+   if $is_vpc
+   then
+       # Need to apply the following ACL rules as well.
+       if sudo iptables -N VPN_FORWARD &> /dev/null
+       then
+           sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
+           sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
+           sudo iptables -A VPN_FORWARD -j DROP
+       fi
+       sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
+       sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
+       sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
+   else
+       sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
+       sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
+       sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+   fi
    sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
    sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
    sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j  
DNAT --to-destination $local_ip
    sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j  
DNAT --to-destination $local_ip
 
-   if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+   if $is_vpc
    then
        return
    fi
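Review bot: The reachability of the three `-j RETURN` rules added to VPN_FORWARD depends on the value of `$op`, which the hunk never pins down: the terminating `-A VPN_FORWARD -j DROP` is appended at chain creation, so if a caller passes `-A` the RETURN rules land after the DROP and are dead, leaving all ppp+ traffic dropped, whereas `-I` places them ahead of it as intended. Making the position explicit would remove the dependency, e.g. `sudo iptables -I VPN_FORWARD 1 -i ppp+ -o ppp+ -j RETURN` for the add path with `-D` kept for removal, or at minimum a comment next to the chain setup: `# RETURN rules must precede the trailing DROP, so $op must be -I (or -D), never -A`. Note also that the `-D` path only removes the RETURN rules; the FORWARD jumps and the DROP persist, which is fail-closed but worth a comment since the `-N` guard is then the only thing preventing duplicate jumps on the next add. The body of iptables_ continues past the end of the hunk.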
