
Commit 0ea1c7d

author
Sheng Yang
committed
CLOUDSTACK-5779: Move firewall to use routerProxy
1 parent ce67e24 commit 0ea1c7d

8 files changed

Lines changed: 56 additions & 147 deletions


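--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -102,7 +102,6 @@
 public class VirtualRoutingResource implements Manager {
 private static final Logger s_logger = Logger.getLogger(VirtualRoutingResource.class);
 private String _publicIpAddress;
-private String _firewallPath;
 private String _loadbPath;
 private String _publicEthIf;
 private String _privateEthIf;
@@ -232,18 +231,16 @@ private Answer execute(SetFirewallRulesCommand cmd) {
 FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
 
 String[][] rules = cmd.generateFwRules();
-final Script command = new Script(_firewallPath, _timeout, s_logger);
-command.add(routerIp);
-command.add("-F");
+String args = " -F";
 
 if (trafficType == FirewallRule.TrafficType.Egress) {
-command.add("-E");
+args += "-E";
 if (egressDefault.equals("true")) {
-command.add("-P ", "1");
+args += " -P 1";
 } else if (egressDefault.equals("System")) {
-command.add("-P ", "2");
+args += " -P 2";
 } else {
-command.add("-P ", "0");
+args += " -P 0";
 }
 }
 
@@ -253,10 +250,17 @@ private Answer execute(SetFirewallRulesCommand cmd) {
 for (int i = 0; i < fwRules.length; i++) {
 sb.append(fwRules[i]).append(',');
 }
-command.add("-a", sb.toString());
+args += " -a " + sb.toString();
+}
+
+String result = null;
+
+if (trafficType == FirewallRule.TrafficType.Egress) {
+result = routerProxy("firewall_egress.sh", routerIp, args);
+} else {
+result = routerProxy("firewall_ingress.sh", routerIp, args);
 }
 
-String result = command.execute();
 if (result != null) {
 return new SetFirewallRulesAnswer(cmd, false, results);
 }
@@ -270,22 +274,21 @@ private Answer execute(SetPortForwardingRulesCommand cmd) {
 int i = 0;
 boolean endResult = true;
 for (PortForwardingRuleTO rule : cmd.getRules()) {
-String result = null;
-final Script command = new Script(_firewallPath, _timeout, s_logger);
-
-command.add(routerIp);
-command.add(rule.revoked() ? "-D" : "-A");
-command.add("-P ", rule.getProtocol().toLowerCase());
-command.add("-l ", rule.getSrcIp());
-command.add("-p ", rule.getStringSrcPortRange());
-command.add("-r ", rule.getDstIp());
-command.add("-d ", rule.getStringDstPortRange());
-result = command.execute();
-if (result == null) {
-results[i++] = null;
-} else {
+StringBuilder args = new StringBuilder();
+args.append(rule.revoked() ? " -D " : " -A ");
+args.append(" -P ").append(rule.getProtocol().toLowerCase());
+args.append(" -l ").append(rule.getSrcIp());
+args.append(" -p ").append(rule.getStringSrcPortRange());
+args.append(" -r ").append(rule.getDstIp());
+args.append(" -d ").append(rule.getStringDstPortRange());
+
+String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
 endResult = false;
+} else {
+results[i++] = null;
 }
 }
 
@@ -325,28 +328,26 @@ private Answer execute(SetStaticNatRulesCommand cmd) {
 int i = 0;
 boolean endResult = true;
 for (StaticNatRuleTO rule : cmd.getRules()) {
-String result = null;
-final Script command = new Script(_firewallPath, _timeout, s_logger);
-command.add(routerIp);
-command.add(rule.revoked() ? "-D" : "-A");
-
 //1:1 NAT needs instanceip;publicip;domrip;op
-command.add(" -l ", rule.getSrcIp());
-command.add(" -r ", rule.getDstIp());
+StringBuilder args = new StringBuilder();
+args.append(rule.revoked() ? " -D " : " -A ");
+args.append(" -l ").append(rule.getSrcIp());
+args.append(" -r ").append(rule.getDstIp());
 
 if (rule.getProtocol() != null) {
-command.add(" -P ", rule.getProtocol().toLowerCase());
+args.append(" -P ").append(rule.getProtocol().toLowerCase());
 }
 
-command.add(" -d ", rule.getStringSrcPortRange());
-command.add(" -G ");
+args.append(" -d ").append(rule.getStringSrcPortRange());
+args.append(" -G ");
 
-result = command.execute();
-if (result == null) {
-results[i++] = null;
-} else {
+String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
+
+if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
 endResult = false;
+} else {
+results[i++] = null;
 }
 }
 
@@ -1105,11 +1106,6 @@ public boolean configure(final String name, final Map<String, Object> params) th
 s_logger.warn("Incoming public ip address is overriden. Will always be using the same ip address: " + _publicIpAddress);
 }
 
-_firewallPath = findScript("call_firewall.sh");
-if (_firewallPath == null) {
-throw new ConfigurationException("Unable to find the call_firewall.sh");
-}
-
 _loadbPath = findScript("call_loadbalancer.sh");
 if (_loadbPath == null) {
 throw new ConfigurationException("Unable to find the call_loadbalancer.sh");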
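Review bot: In the SetFirewallRulesCommand hunk the egress flag is appended without a separator — `String args = " -F";` followed by `args += "-E";` yields `" -F-E"`, which the firewall_egress.sh option parser will not see as two flags; the CitrixResourceBase version of the same change in this commit uses `args += " -E";`, so the fix here is `args += " -E";`. The success test in that same method also looks inverted relative to the rest of the commit: the port-forwarding and static-NAT paths treat `result == null || result.isEmpty()` as failure, whereas this method returns a failed SetFirewallRulesAnswer when `result != null` — the old Script.execute() contract (null on success) appears to have been carried over to routerProxy, so unless routerProxy here really returns null on success this should be `if (result == null || result.isEmpty())`. Worth confirming against routerProxy's implementation, which is outside this diff. The body of execute(SetFirewallRulesCommand) begins and ends outside the hunks shown.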

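--- a/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
+++ b/plugins/hypervisors/vmware/src/com/cloud/hypervisor/vmware/resource/VmwareResource.java
@@ -847,10 +847,10 @@ protected Answer execute(SetPortForwardingRulesCommand cmd) {
 
 try {
 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
-Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 
 if (s_logger.isDebugEnabled())
-s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 
 if (!result.first()) {
 s_logger.error("SetPortForwardingRulesCommand failure on setting one rule. args: " + args);
@@ -905,16 +905,16 @@ protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
 Pair<Boolean, String> result = null;
 
 if (trafficType == FirewallRule.TrafficType.Egress) {
-result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewallRule_egress.sh " + args);
+result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_egress.sh " + args);
 } else {
-result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall_rule.sh " + args);
+result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_ingress.sh " + args);
 }
 
 if (s_logger.isDebugEnabled()) {
 if (trafficType == FirewallRule.TrafficType.Egress) {
-s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewallRule_egress.sh " + args);
+s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_egress.sh " + args);
 } else {
-s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall_rule.sh " + args);
+s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_ingress.sh " + args);
 }
 }
 
@@ -1012,10 +1012,10 @@ protected Answer execute(SetStaticNatRulesCommand cmd) {
 try {
 VmwareManager mgr = getServiceContext().getStockObject(VmwareManager.CONTEXT_STOCK_NAME);
 String controlIp = getRouterSshControlIp(cmd);
-Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/root/firewall.sh " + args);
+Pair<Boolean, String> result = SshHelper.sshExecute(controlIp, DefaultDomRSshPort, "root", mgr.getSystemVMKeyFile(), null, "/opt/cloud/bin/firewall_nat.sh " + args);
 
 if (s_logger.isDebugEnabled())
-s_logger.debug("Executing script on domain router " + controlIp + ": /root/firewall.sh " + args);
+s_logger.debug("Executing script on domain router " + controlIp + ": /opt/cloud/bin/firewall_nat.sh " + args);
 
 if (!result.first()) {
 s_logger.error("SetStaticNatRulesCommand failure on setting one rule. args: " + args);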
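Review bot: Each of the three hunks now spells the new router-side script path twice as a string literal, once in the SshHelper.sshExecute call and once in the matching s_logger.debug line, so the executed command and the logged command can silently drift apart on the next rename — which is exactly the kind of edit this commit is making. Hoisting the paths into constants, e.g. `private static final String FIREWALL_NAT_SCRIPT = "/opt/cloud/bin/firewall_nat.sh";` with siblings for firewall_egress.sh and firewall_ingress.sh, and building both the command and the log message from them keeps the audit trail honest. As a secondary point, the debug line is emitted only after sshExecute returns, so a hanging SSH session leaves no record of what was being run; logging before the call would be more useful for operations. The enclosing execute(...) methods start and end outside these hunks.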

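--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -2047,15 +2047,14 @@ protected SetPortForwardingRulesAnswer execute(SetPortForwardingRulesCommand cmd
 boolean endResult = true;
 for (PortForwardingRuleTO rule : cmd.getRules()) {
 StringBuilder args = new StringBuilder();
-args.append(routerIp);
 args.append(rule.revoked() ? " -D " : " -A ");
 args.append(" -P ").append(rule.getProtocol().toLowerCase());
 args.append(" -l ").append(rule.getSrcIp());
 args.append(" -p ").append(rule.getStringSrcPortRange());
 args.append(" -r ").append(rule.getDstIp());
 args.append(" -d ").append(rule.getStringDstPortRange());
 
-String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 
 if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
@@ -2096,14 +2095,12 @@ protected SetStaticNatRulesAnswer execute(SetStaticNatRulesCommand cmd) {
 Connection conn = getConnection();
 
 String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
-//String args = routerIp;
 String[] results = new String[cmd.getRules().length];
 int i = 0;
 boolean endResult = true;
 for (StaticNatRuleTO rule : cmd.getRules()) {
 //1:1 NAT needs instanceip;publicip;domrip;op
 StringBuilder args = new StringBuilder();
-args.append(routerIp);
 args.append(rule.revoked() ? " -D " : " -A ");
 args.append(" -l ").append(rule.getSrcIp());
 args.append(" -r ").append(rule.getDstIp());
@@ -2115,7 +2112,7 @@ protected SetStaticNatRulesAnswer execute(SetStaticNatRulesCommand cmd) {
 args.append(" -d ").append(rule.getStringSrcPortRange());
 args.append(" -G ");
 
-String result = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args.toString());
+String result = routerProxy("firewall_nat.sh", routerIp, args.toString());
 
 if (result == null || result.isEmpty()) {
 results[i++] = "Failed";
@@ -7606,8 +7603,7 @@ protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
 }
 
 String[][] rules = cmd.generateFwRules();
-String args = "";
-args += routerIp + " -F";
+String args = " -F";
 if (trafficType == FirewallRule.TrafficType.Egress) {
 args += " -E";
 if (egressDefault.equals("true")) {
@@ -7627,7 +7623,11 @@ protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
 args += " -a " + sb.toString();
 }
 
-callResult = callHostPlugin(conn, "vmops", "setFirewallRule", "args", args);
+if (trafficType == FirewallRule.TrafficType.Egress) {
+callResult = routerProxy("firewall_egress.sh", routerIp, args);
+} else {
+callResult = routerProxy("firewall_ingress.sh", routerIp, args);
+}
 
 if (callResult == null || callResult.isEmpty()) {
 //FIXME - in the future we have to process each rule separately; now we temporarily set every rule to be false if single rule fails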
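Review bot: In the SetStaticNatRulesCommand hunk the only visible consumer of `Connection conn = getConnection();` was the removed `callHostPlugin(conn, ...)` call; if nothing else in that method still uses it, the local is now dead and the getConnection() call is wasted work, so it should go (the same is likely true of the `conn` used by the port-forwarding hunk, whose declaration is outside the shown lines). On the last hunk, the Egress branch is evaluated a second time just to choose a script name; computing it once, `String script = trafficType == FirewallRule.TrafficType.Egress ? "firewall_egress.sh" : "firewall_ingress.sh";` followed by `callResult = routerProxy(script, routerIp, args);`, keeps the two call sites from diverging. Both enclosing execute(...) methods begin and end outside these hunks.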

scripts/network/domr/call_firewall.sh

Lines changed: 0 additions & 70 deletions
This file was deleted.

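--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -222,23 +222,6 @@ def setLinkLocalIP(session, args):
 txt = 'success'
 return txt
 
-
-
-@echo
-def setFirewallRule(session, args):
-sargs = args['args']
-cmd = sargs.split(' ')
-cmd.insert(0, "/opt/cloud/bin/call_firewall.sh")
-cmd.insert(0, "/bin/bash")
-try:
-txt = util.pread2(cmd)
-txt = 'success'
-except:
-logging.debug(" set firewall rule failed " )
-txt = ''
-
-return txt
-
 @echo
 def routerProxy(session, args):
 sargs = args['args']
@@ -1556,7 +1539,7 @@ if __name__ == "__main__":
 "getgateway": getgateway, "preparemigration": preparemigration,
 "setIptables": setIptables, "pingdomr": pingdomr, "pingxenserver": pingxenserver,
 "savePassword": savePassword,
-"setFirewallRule": setFirewallRule, "routerProxy": routerProxy,
+"routerProxy": routerProxy,
 "setLoadBalancerRule": setLoadBalancerRule, "createFile": createFile, "deleteFile": deleteFile,
 "network_rules":network_rules,
 "can_bridge_firewall":can_bridge_firewall, "default_network_rules":default_network_rules,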

systemvm/patches/debian/config/root/firewallRule_egress.sh renamed to systemvm/patches/debian/config/opt/cloud/bin/firewall_egress.sh

File renamed without changes.

systemvm/patches/debian/config/root/firewall_rule.sh renamed to systemvm/patches/debian/config/opt/cloud/bin/firewall_ingress.sh

File renamed without changes.

systemvm/patches/debian/config/root/firewall.sh renamed to systemvm/patches/debian/config/opt/cloud/bin/firewall_nat.sh

File renamed without changes.
