CLOUDSTACK-8030: Updated router to come up egress default ALLOW
By default the iptables rules are updated to ACCEPT egress traffic.
If the network egress default policy is false, CS removes the ACCEPT and adds
the DROP rule, which
is the egress default rule when there are no other egress rules.
If the CS network egress default policy is true, CS won't configure any
default rule for egress, because the
router already came up accepting egress traffic. If there are already
egress rules for the network, then the
egress rules get applied on the VR.
For an isolated network without the firewall service, the VR by default allows egress
traffic (guest network --> public network)
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/8278d88f
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/8278d88f
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/8278d88f
Branch: refs/heads/master
Commit: 8278d88f76ee129af75cd585b916bd6719e34e4c
Parents: e22cc6e
Author: Jayapal <[email protected]>
Authored: Wed Dec 3 16:49:24 2014 +0530
Committer: Jayapal <[email protected]>
Committed: Wed Dec 10 10:13:41 2014 +0530
----------------------------------------------------------------------
.../orchestration/NetworkOrchestrator.java | 30 +++++++++++---------
.../xenserver/resource/CitrixResourceBase.java | 1 +
.../network/element/VirtualRouterElement.java | 5 ++--
.../VirtualNetworkApplianceManagerImpl.java | 5 +++-
.../debian/config/etc/iptables/iptables-router | 3 ++
.../config/opt/cloud/bin/firewall_egress.sh | 8 +++---
6 files changed, 31 insertions(+), 21 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
----------------------------------------------------------------------
diff --git
a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
index 17a2a9b..b28a26b 100755
---
a/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
+++
b/engine/orchestration/src/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java
@@ -1147,6 +1147,22 @@ public class NetworkOrchestrator extends ManagerBase
implements NetworkOrchestra
// This method re-programs the rules/ips for existing network
protected boolean reprogramNetworkRules(long networkId, Account caller,
Network network) throws ResourceUnavailableException {
boolean success = true;
+
+ //Apply egress rules first to effect the egress policy early on the
guest traffic
+ List<FirewallRuleVO> firewallEgressRulesToApply =
_firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall,
FirewallRule.TrafficType.Egress);
+ NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
+ DataCenter zone = _dcDao.findById(network.getDataCenterId());
+ if (_networkModel.areServicesSupportedInNetwork(network.getId(),
Service.Firewall) &&
_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
+ && (network.getGuestType() == Network.GuestType.Isolated ||
(network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() ==
NetworkType.Advanced))) {
+ // add default egress rule to accept the traffic
+ _firewallMgr.applyDefaultEgressFirewallRule(network.getId(),
offering.getEgressDefaultPolicy(), true);
+ }
+ if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply,
false, caller)) {
+ s_logger.warn("Failed to reapply firewall Egress rule(s) as a part
of network id=" + networkId + " restart");
+ success = false;
+ }
+
+
// associate all ip addresses
if (!_ipAddrMgr.applyIpAssociations(network, false)) {
s_logger.warn("Failed to apply ip addresses as a part of network
id" + networkId + " restart");
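Review bot: The condition on the added `if (_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && _networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall) && ...)` line evaluates the same Firewall-service check twice; the duplicate was carried over from the block removed further down and the first operand can simply be dropped. The comment `// add default egress rule to accept the traffic` no longer describes what `applyDefaultEgressFirewallRule(network.getId(), offering.getEgressDefaultPolicy(), true)` is meant to do after this commit, since the description says the default rule pushed for a policy of false is DROP; `// push the offering's egress default policy as the default rule (DROP when the policy is false; ACCEPT is already the router's boot-time default)` would match. `offering` and `zone` are DAO lookup results dereferenced without a null check, and whether they can be absent here is not visible in the hunk. reprogramNetworkRules continues past the end of the hunk.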
@@ -1166,20 +1182,6 @@ public class NetworkOrchestrator extends ManagerBase
implements NetworkOrchestra
success = false;
}
- List<FirewallRuleVO> firewallEgressRulesToApply =
_firewallDao.listByNetworkPurposeTrafficType(networkId, Purpose.Firewall,
FirewallRule.TrafficType.Egress);
- NetworkOfferingVO offering =
_networkOfferingDao.findById(network.getNetworkOfferingId());
- //there are no egress rules then apply the default egress rule
- DataCenter zone = _dcDao.findById(network.getDataCenterId());
- if (_networkModel.areServicesSupportedInNetwork(network.getId(),
Service.Firewall) &&
_networkModel.areServicesSupportedInNetwork(network.getId(), Service.Firewall)
- && (network.getGuestType() == Network.GuestType.Isolated ||
(network.getGuestType() == Network.GuestType.Shared && zone.getNetworkType() ==
NetworkType.Advanced))) {
- // add default egress rule to accept the traffic
- _firewallMgr.applyDefaultEgressFirewallRule(network.getId(),
offering.getEgressDefaultPolicy(), true);
- }
- if (!_firewallMgr.applyFirewallRules(firewallEgressRulesToApply,
false, caller)) {
- s_logger.warn("Failed to reapply firewall Egress rule(s) as a part
of network id=" + networkId + " restart");
- success = false;
- }
-
// apply port forwarding rules
if (!_rulesMgr.applyPortForwardingRulesForNetwork(networkId, false,
caller)) {
s_logger.warn("Failed to reapply port forwarding rule(s) as a part
of network id=" + networkId + " restart");
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git
a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
index 9b282d8..a090b11 100644
---
a/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
+++
b/plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/CitrixResourceBase.java
@@ -573,6 +573,7 @@ public abstract class CitrixResourceBase implements
ServerResource, HypervisorRe
public ExecutionResult createFileInVR(String routerIp, String path, String
filename, String content) {
Connection conn = getConnection();
String rc = callHostPlugin(conn, "vmops", "createFileInDomr",
"domrip", routerIp, "filepath", path + filename, "filecontents", content);
+ s_logger.debug ("VR Config file " + filename + " got created in VR
with ip " + routerIp + " with content \n" + content);
// Fail case would be start with "fail#"
return new ExecutionResult(rc.startsWith("succ#"), rc.substring(5));
}
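Review bot: The added `s_logger.debug (...)` line writes the complete `content` of every file pushed to the router into the management server log. createFileInVR is a generic helper, so if any caller passes a file holding credentials or key material (its callers are not visible in this hunk) that material would be persisted in clear text wherever debug logging is enabled; the path and size are enough to trace the call: `s_logger.debug("VR Config file " + filename + " got created in VR with ip " + routerIp + " (" + content.length() + " bytes)");`. The space before the opening parenthesis in `s_logger.debug (` also departs from the call style of the surrounding lines.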
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/server/src/com/cloud/network/element/VirtualRouterElement.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/element/VirtualRouterElement.java
b/server/src/com/cloud/network/element/VirtualRouterElement.java
index dc6ffc8..ae4c933 100755
--- a/server/src/com/cloud/network/element/VirtualRouterElement.java
+++ b/server/src/com/cloud/network/element/VirtualRouterElement.java
@@ -251,9 +251,10 @@ NetworkMigrationResponder, AggregatedCommandExecutor {
}
if (rules != null && rules.size() == 1) {
- // for VR no need to add default egress rule to DENY traffic
+ // for VR no need to add default egress rule to ALLOW traffic
+ //The default allow rule is added from the router defalut
iptables rules iptables-router
if (rules.get(0).getTrafficType() ==
FirewallRule.TrafficType.Egress && rules.get(0).getType() ==
FirewallRule.FirewallRuleType.System &&
-
!_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
+
_networkMdl.getNetworkEgressDefaultPolicy(config.getId()))
return true;
}
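Review bot: The new comment `//The default allow rule is added from the router defalut iptables rules iptables-router` has a typo (`defalut`) and no space after `//`; `// The default ACCEPT comes from the router's iptables-router file, so a lone System egress rule need not be pushed when the egress default policy is true` states what the flipped condition now relies on. After the inversion the early `return true` skips applying the rule set only when the single rule is a System egress rule and `_networkMdl.getNetworkEgressDefaultPolicy(config.getId())` is true; if the System rule is now created only when that policy is false, as the VirtualNetworkApplianceManagerImpl hunk suggests, this branch may no longer be reachable and is worth confirming. The enclosing method starts before the hunk.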
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git
a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index fb39c0a..6c5ff9c 100755
---
a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++
b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2789,7 +2789,7 @@ VirtualMachineGuru, Listener, Configurable,
StateListener<State, VirtualMachine.
// construct rule when egress policy is true. In true case for VR we
default allow rule need to be added
- if (defaultEgressPolicy) {
+ if (!defaultEgressPolicy) {
systemRule = String.valueOf(FirewallRule.FirewallRuleType.System);
List<String> sourceCidr = new ArrayList<String>();
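Review bot: The context comment directly above the changed line, `// construct rule when egress policy is true. In true case for VR we default allow rule need to be added`, now contradicts `if (!defaultEgressPolicy)` and should be rewritten, for example `// construct the default System egress rule only when the egress default policy is false; when it is true the VR already ACCEPTs egress by default`. Whether that System rule acts as DROP is not visible here; the commit description says so, so confirm the wording against the rule construction below. The enclosing method starts before the hunk and continues past it.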
@@ -2799,6 +2799,9 @@ VirtualMachineGuru, Listener, Configurable,
StateListener<State, VirtualMachine.
null, null, null, FirewallRule.TrafficType.Egress,
FirewallRule.FirewallRuleType.System);
rules.add(rule);
+ } else {
+ s_logger.debug(" Egress policy for the Network "+ networkId +" is
"+defaultEgressPolicy + " So no need"+
+ " of default rule is needed. ");
}
}
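Review bot: The log message in the added else branch starts with a space and reads "So no need of default rule is needed", which is redundant; `s_logger.debug("Egress default policy for network " + networkId + " is " + defaultEgressPolicy + "; no default egress rule is needed.");` fits on one line and says the same thing. The enclosing method continues outside the hunk.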
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/systemvm/patches/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router
b/systemvm/patches/debian/config/etc/iptables/iptables-router
index 3f5bc5f..f16b942 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -24,6 +24,7 @@ COMMIT
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
+:FW_EGRESS_RULES - [0:0]
:FW_OUTBOUND - [0:0]
-A INPUT -d 224.0.0.18/32 -j ACCEPT
-A INPUT -d 225.0.0.50/32 -j ACCEPT
@@ -42,7 +43,9 @@ COMMIT
-A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND
+-A FW_EGRESS_RULES -j ACCEPT
-I FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW_OUTBOUND -j FW_EGRESS_RULES
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
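Review bot: With `-A FW_EGRESS_RULES -j ACCEPT` reached from FW_OUTBOUND, every router now forwards guest-to-public traffic from boot until the management server replaces that rule, so a network whose egress default policy is false is open during that window and stays open if the rule push fails. That is the design the commit states, but nothing in this file records it; a comment above `:FW_EGRESS_RULES - [0:0]` such as `# Egress is open at boot; firewall_egress.sh replaces this ACCEPT with DROP when the network's egress default policy is false` would make the dependency visible to whoever edits either file. FW_EGRESS_RULES is also the chain firewall_egress.sh appends to, so presumably fw_egress_chain rebuilds it before rules are added; that is worth confirming, because an ACCEPT left at the head of the chain would shadow any DROP appended after it.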
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/8278d88f/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
index b1e7a40..767f17e 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh
@@ -145,11 +145,11 @@ fi
success=0
-if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
then
- target="ACCEPT"
- else
target="DROP"
+ else
+ target="ACCEPT"
fi
fw_egress_chain
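Review bot: Both this hunk's `if [ "$pvalue" == "1" -o "$pvalue" == "2" ]` and the second hunk's `if [ "$pvalue" == "1" ]` branch on bare magic values, and the commit changes how value 2 is treated in each (it now selects `target="DROP"` here and no longer adds the ACCEPT default rule below) without any comment saying what 0, 1 and 2 encode; a one-line note above `success=0` would stop the next reader from having to reconstruct it from the management-server side, for example `# pvalue: egress default-policy code passed in by the caller (TODO document the 0/1/2 encoding); 1 or 2 -> explicit rules jump to DROP, otherwise ACCEPT`. The re-indentation of `else` is fine. The surrounding script runs beyond both hunks.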
@@ -172,7 +172,7 @@ then
fw_egress_backup_restore
else
logger -t cloud "deleting backup for guest network"
- if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+ if [ "$pvalue" == "1" ]
then
#Adding default policy rule
sudo iptables -A FW_EGRESS_RULES -j ACCEPT