
Commit 8fb2efe

ustcweizhou authored and DaanHoogland committed
bugfix #6 vpc vr: Add iptables rules for ACL of private gateway
1 parent 7e6f484 commit 8fb2efe


5 files changed

+47
-15
lines changed


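--- a/api/src/main/java/com/cloud/agent/api/to/IpAddressTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/IpAddressTO.java
@@ -35,6 +35,7 @@ public class IpAddressTO {
 private String networkName;
 private Integer nicDevId;
 private boolean newNic;
+private boolean isPrivateGateway;
 
 public IpAddressTO(long accountId, String ipAddress, boolean add, boolean firstIP, boolean sourceNat, String broadcastUri, String vlanGateway, String vlanNetmask,
 String vifMacAddress, Integer networkRate, boolean isOneToOneNat) {
@@ -133,4 +134,12 @@ public boolean isNewNic() {
 public void setNewNic(boolean newNic) {
 this.newNic = newNic;
 }
+
+public boolean isPrivateGateway() {
+return isPrivateGateway;
+}
+
+public void setPrivateGateway(boolean isPrivateGateway) {
+this.isPrivateGateway = isPrivateGateway;
+}
 }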
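Review bot: The new field is named `isPrivateGateway` while the sibling boolean two lines above is `newNic` with accessor `isNewNic()`; `private boolean privateGateway;` with the unchanged `isPrivateGateway()`/`setPrivateGateway(boolean privateGateway)` accessors would keep the class consistent. The field is not touched by the constructor in the first hunk, so it stays false unless `setPrivateGateway` is called, which is the right fail-safe default for a flag that drives firewall rules on the router. The getter has no Javadoc; a one-liner such as `/** True when this address belongs to a VPC private-gateway network, so the VR applies the gateway ACL to it. */` would record what the flag means. If this TO is serialised by field name on its way to the agent, a rename also changes that serialised form, so it should be done together with the corresponding model class.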

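--- a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/IpAssociationConfigItem.java
+++ b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/IpAssociationConfigItem.java
@@ -42,6 +42,7 @@ public List<ConfigItem> generateConfig(final NetworkElementCommand cmd) {
 for (final IpAddressTO ip : command.getIpAddresses()) {
 final IpAddress ipAddress = new IpAddress(ip.getPublicIp(), ip.isSourceNat(), ip.isAdd(), ip.isOneToOneNat(), ip.isFirstIP(), ip.getVlanGateway(), ip.getVlanNetmask(),
 ip.getVifMacAddress(), ip.getNicDevId(), ip.isNewNic(), ip.getTrafficType().toString());
+ipAddress.setPrivateGateway(ip.isPrivateGateway());
 ips.add(ipAddress);
 }
 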
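--- a/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/IpAddress.java
+++ b/core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/IpAddress.java
@@ -32,6 +32,7 @@ public class IpAddress {
 private Integer nicDevId;
 private boolean newNic;
 private String nwType;
+private boolean isPrivateGateway;
 
 public IpAddress() {
 // Empty constructor for (de)serialization
@@ -133,4 +134,12 @@ public void setNewNic(boolean newNic) {
 this.newNic = newNic;
 }
 
+public boolean isPrivateGateway() {
+return isPrivateGateway;
+}
+
+public void setPrivateGateway(boolean isPrivateGateway) {
+this.isPrivateGateway = isPrivateGateway;
+}
+
 }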
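Review bot: In this model class the field name `isPrivateGateway` is part of the wire contract, not just a style choice: the Python change in the same commit reads `self.address['is_private_gateway']`, which presumably is this field under a lower-case-with-underscores serialisation policy (the existing `newNic` and `nwType` fields suggest the same mapping), and the class comment says the empty constructor exists for (de)serialisation. A comment on the field such as `// serialised as "is_private_gateway"; CsAddress.py on the router reads this key` would stop a later consistency rename to `privateGateway` from silently disabling the router-side ACL check. Without it nothing in this file ties the Java name to the key the router expects.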

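--- a/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
+++ b/server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
@@ -104,9 +104,7 @@
 import com.cloud.network.vpc.StaticRouteProfile;
 import com.cloud.network.vpc.Vpc;
 import com.cloud.network.vpc.VpcGateway;
-import com.cloud.network.vpc.VpcGatewayVO;
 import com.cloud.network.vpc.dao.VpcDao;
-import com.cloud.network.vpc.dao.VpcGatewayDao;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.NetworkOfferingVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
@@ -172,8 +170,6 @@ public class CommandSetupHelper {
 @Inject
 private VpcDao _vpcDao;
 @Inject
-private VpcGatewayDao _vpcGatewayDao;
-@Inject
 private VlanDao _vlanDao;
 @Inject
 private IPAddressDao _ipAddressDao;
@@ -726,8 +722,7 @@ public int compare(final PublicIpAddress o1, final PublicIpAddress o2) {
 final IpAddressTO ip = new IpAddressTO(ipAddr.getAccountId(), ipAddr.getAddress().addr(), add, firstIP, sourceNat, BroadcastDomainType.fromString(ipAddr.getVlanTag()).toString(), ipAddr.getGateway(),
 ipAddr.getNetmask(), macAddress, networkRate, ipAddr.isOneToOneNat());
 
-ip.setTrafficType(getNetworkTrafficType(network));
-ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+setIpAddressNetworkParams(ip, network, router);
 ipsToSend[i++] = ip;
 if (ipAddr.isSourceNat()) {
 sourceNatIpAdd = new Pair<IpAddressTO, Long>(ip, ipAddr.getNetworkId());
@@ -851,8 +846,7 @@ public int compare(final PublicIpAddress o1, final PublicIpAddress o2) {
 final IpAddressTO ip = new IpAddressTO(ipAddr.getAccountId(), ipAddr.getAddress().addr(), add, firstIP, sourceNat, vlanId, vlanGateway, vlanNetmask,
 vifMacAddress, networkRate, ipAddr.isOneToOneNat());
 
-ip.setTrafficType(getNetworkTrafficType(network));
-ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+setIpAddressNetworkParams(ip, network, router);
 ipsToSend[i++] = ip;
 /*
 * send the firstIP = true for the first Add, this is to create
@@ -979,8 +973,7 @@ public void createVpcAssociatePrivateIPCommands(final VirtualRouter router, fina
 final IpAddressTO ip = new IpAddressTO(Account.ACCOUNT_ID_SYSTEM, ipAddr.getIpAddress(), add, false, ipAddr.getSourceNat(), ipAddr.getBroadcastUri(),
 ipAddr.getGateway(), ipAddr.getNetmask(), ipAddr.getMacAddress(), null, false);
 
-ip.setTrafficType(getNetworkTrafficType(network));
-ip.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
+setIpAddressNetworkParams(ip, network, router);
 ipsToSend[i++] = ip;
 
 }
@@ -1136,13 +1129,16 @@ protected String getGuestDhcpRange(final NicProfile guestNic, final Network gues
 return dhcpRange;
 }
 
-private TrafficType getNetworkTrafficType(Network network) {
-final VpcGatewayVO gateway = _vpcGatewayDao.getVpcGatewayByNetworkId(network.getId());
-if (gateway != null) {
+private void setIpAddressNetworkParams(IpAddressTO ipAddress, final Network network, final VirtualRouter router) {
+if (_networkModel.isPrivateGateway(network.getId())) {
 s_logger.debug("network " + network.getId() + " (name: " + network.getName() + " ) is a vpc private gateway, set traffic type to Public");
-return TrafficType.Public;
+ipAddress.setTrafficType(TrafficType.Public);
+ipAddress.setPrivateGateway(true);
 } else {
-return network.getTrafficType();
+ipAddress.setTrafficType(network.getTrafficType());
+ipAddress.setPrivateGateway(false);
 }
+ipAddress.setNetworkName(_networkModel.getNetworkTag(router.getHypervisorType(), network));
 }
+
 }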
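Review bot: In the last hunk `setIpAddressNetworkParams` declares `ipAddress` without `final` while its other two parameters and the surrounding methods in this file use `final` on parameters; `private void setIpAddressNetworkParams(final IpAddressTO ipAddress, final Network network, final VirtualRouter router) {` keeps the style uniform. The method also has no Javadoc, and the reason a private-gateway network is reported to the router as Public traffic and additionally flagged is only implied by the debug message; a short comment stating that the flag is what makes the VR install the gateway ACL chains would help the next reader, since the three call sites in the earlier hunks now depend on it. The replacement of the removed `_vpcGatewayDao.getVpcGatewayByNetworkId` lookup with `_networkModel.isPrivateGateway(network.getId())` is presumably one-to-one, but that method's definition is not visible here.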

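--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -197,6 +197,11 @@ def is_public(self):
 return True
 return False
 
+def is_private_gateway(self):
+if "is_private_gateway" in self.address:
+return self.address['is_private_gateway']
+return False
+
 def is_added(self):
 return self.get_attr("add")
 
@@ -476,6 +481,13 @@ def fw_vpcrouter(self):
 self.fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -s %s" %
 ("eth1", "eth1", guestNetworkCidr)])
 
+if self.is_private_gateway():
+self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+(self.address['network'], self.dev, self.dev)])
+self.fw.append(["filter", "", "-A ACL_INBOUND_%s -j DROP" % self.dev])
+self.fw.append(["mangle", "",
+"-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
+(self.dev, self.address['network'], self.address['gateway'], self.dev)])
 if self.address["source_nat"]:
 self.fw.append(["nat", "front",
 "-A POSTROUTING -o %s -j SNAT --to-source %s" %
@@ -625,6 +637,11 @@ def is_public(self):
 return True
 return False
 
+def is_private_gateway(self):
+if "is_private_gateway" in self.address:
+return self.address['is_private_gateway']
+return False
+
 def ip(self):
 return str(self.address['cidr'])
 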
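Review bot: The two `is_private_gateway` methods added in the first and third hunks are identical and return `self.address['is_private_gateway']` unchecked, so whatever type the JSON carries flows straight into the `if self.is_private_gateway():` test in `fw_vpcrouter`; `return bool(self.address.get('is_private_gateway', False))` is a one-line equivalent that normalises the value and removes the duplicated key lookup. In the `fw_vpcrouter` hunk the unconditional `-A ACL_INBOUND_%s -j DROP` is appended immediately after the chain jump, so it only works as the fail-closed default if the per-ACL accept rules are placed ahead of it (for example with the "front" position); that ordering is decided outside this file and deserves a comment on the line. The PREROUTING rule exempts only `self.address['gateway']/32` from `ACL_OUTBOUND_%s`; if `gateway` here is the next hop rather than the router's own address on the interface, traffic from the private network to the router itself is still subjected to the outbound ACL, which may or may not be intended — worth confirming. `fw_vpcrouter` starts and ends outside the hunk.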