CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network This would cover only the DHCP-only network, since in basic and shared networks the private IP used by the VR and the network may be exposed to the outside.
(cherry picked from commit a554ebdf750be2ff2fd02fda38713b40313fcca8) Signed-off-by: Rohit Yadav <[email protected]> Conflicts: server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/76f5f304 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/76f5f304 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/76f5f304 Branch: refs/heads/4.3 Commit: 76f5f3048e115c5ba25ec09a44e4947b5b290ebb Parents: 83df80b Author: Sheng Yang <[email protected]> Authored: Wed Apr 16 18:40:26 2014 -0700 Committer: Rohit Yadav <[email protected]> Committed: Fri Nov 14 00:19:31 2014 +0530 ---------------------------------------------------------------------- .../router/VirtualNetworkApplianceManagerImpl.java | 11 ++++++++--- .../patches/debian/config/etc/init.d/cloud-early-config | 11 +++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/76f5f304/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index bab1419..b0e1228 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2239,12 +2239,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
 if (domain != null) {
 buf.append(" domain=" + domain);
 }
-
+
+ long cidrSize = 0;
+ //setup dhcp range
 if (dc.getNetworkType() == NetworkType.Basic) {
 if (guestNic.isDefaultNic()) {
- long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
- String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
+ cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
+ final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
 if (cidr != null) {
 dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
 }
@@ -2252,11 +2254,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
 } else if (dc.getNetworkType() == NetworkType.Advanced) {
 String cidr = guestNetwork.getCidr();
 if (cidr != null) {
+ cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
 dhcpRange = NetUtils.getDhcpRange(cidr);
 }
 }
 if (dhcpRange != null) {
+ // To limit DNS to the cidr range
+ buf.append(" cidrsize=" + String.valueOf(cidrSize));
 buf.append(" dhcprange=" + dhcpRange);
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/76f5f304/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 77cb05a..4783ec2 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
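Review bot: `cidrSize` is initialised to 0 at the top of this hunk and the second hunk appends ` cidrsize=` whenever `dhcpRange` is non-null, so any path that reaches that point with the size still 0 (for instance, should `NetUtils.getCidrSize` return 0 for a netmask it cannot parse — not verifiable from these hunks) sends `cidrsize=0` to the router, where the script side turns it into a `/0` source match and the intended DNS restriction silently becomes accept-from-anywhere. Guard the emit so a missing size fails visibly rather than open, e.g. `if (cidrSize > 0) { buf.append(" cidrsize=" + cidrSize); }` with a warning logged in the else branch; the `String.valueOf` inside the concatenation is redundant either way. The enclosing method begins before the first hunk and ends after the second.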
@@ -1083,8 +1083,16 @@ setup_dhcpsrvr() {
 enable_svc cloud 0
 enable_fwding 0
 chkconfig nfs-common off
+ cp /etc/iptables/iptables-router /etc/iptables/rules.v4
 cp /etc/iptables/iptables-router /etc/iptables/rules
+
+ #Only allow DNS service for current network
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+
 if [ "$SSHONGUEST" == "true" ]
 then
 setup_sshd $ETH0_IP "eth0"
@@ -1425,6 +1433,9 @@ for i in $CMDLINE
 vpccidr)
 VPCCIDR=$VALUE
 ;;
+ cidrsize)
+ CIDR_SIZE=$VALUE
+ ;;
 esac
 done
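Review bot: The four `sed` rewrites in setup_dhcpsrvr interpolate `$DHCP_RANGE` and `$CIDR_SIZE` without checking that either is set, and `sed -i` reports nothing when the template line does not match, so the outcome is either a malformed `-s …/` entry that the ruleset load is likely to reject (e.g. a cmdline from a management server that does not yet send `cidrsize`) or an untouched rule that still accepts DNS from any source — and neither case is logged. Validate both values before rewriting (`CIDR_SIZE` as an integer in 1..32, which could also be enforced where it is parsed in the second hunk's `cidrsize)` case, and `DHCP_RANGE` as non-empty), loop over the two rule files instead of duplicating each command, and verify afterwards that the restricted rule is actually present so a silent revert to the open rule is detectable. Note that `cidrsize=0` on the cmdline would yield a `/0` source match, which is why the lower bound matters. The restriction applies only to eth0, as the commit message already acknowledges.
```shell
  cp /etc/iptables/iptables-router /etc/iptables/rules.v4
  cp /etc/iptables/iptables-router /etc/iptables/rules

  #Only allow DNS service for current network
  case "$CIDR_SIZE" in
    ''|*[!0-9]*) CIDR_SIZE="" ;;
  esac
  if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ] && [ "$CIDR_SIZE" -ge 1 ] && [ "$CIDR_SIZE" -le 32 ]
  then
    for f in /etc/iptables/rules.v4 /etc/iptables/rules
    do
      sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" $f
      sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" $f
      grep -q -- "--dport 53 -s $DHCP_RANGE/$CIDR_SIZE -j ACCEPT" $f || logger -t cloud-early-config "DNS rule in $f was not restricted to $DHCP_RANGE/$CIDR_SIZE"
    done
  else
    logger -t cloud-early-config "dhcprange or cidrsize missing/invalid; DNS on eth0 left unrestricted"
  fi
  # … unchanged: SSHONGUEST handling …
```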
