
Commit 4a0e645

committed
CS-16254:
passwd_server listen on every interface, but only guest interface is enabled for that port
1 parent 33fdcf1 commit 4a0e645

2 files changed

Lines changed: 7 additions & 2 deletions


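--- a/patches/systemvm/debian/config/opt/cloud/bin/passwd_server
+++ b/patches/systemvm/debian/config/opt/cloud/bin/passwd_server
@@ -1,11 +1,10 @@
 #!/bin/bash
 
 . /etc/default/cloud-passwd-srvr
-guestIp=$(ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
 
 while [ "$ENABLED" == "1" ]
 do
-socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=$guestIp SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
+socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=0.0.0.0 SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
 
 rc=$?
 if [ $rc -ne 0 ]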
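Review bot: The `bind=0.0.0.0` socat line moves the access restriction for the password service out of this script and into the firewall, so any interface that lacks a matching INPUT rule (or a default-deny INPUT policy, which is not visible here) would now expose port 8080 and its `$SOCAT_PEERADDR`-keyed lookups to non-guest networks; that dependency should be stated where the listener is created. I would add above the socat line: `# Listen on all interfaces; reachability is restricted to guest interfaces by the iptables INPUT rules managed in vpc_guestnw.sh, so this relies on INPUT defaulting to DROP.` Since the `guestIp` assignment is removed, any later reference to it in this file (outside the hunk) would now expand to an empty string, which is worth confirming. The `if [ $rc -ne 0 ]` block continues past the end of the hunk.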

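--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -124,6 +124,10 @@ create_guest_network() {
 sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
 sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
 sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
 # restore mark from connection mark
 local tableName="Table_$dev"
 sudo ip route add $subnet/$mask dev $dev table $tableName proto static
@@ -141,6 +145,8 @@ destroy_guest_network() {
 sudo ip addr del dev $dev $ip/$mask
 sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
 sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
 sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
 sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
 destroy_acl_chain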
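Review bot: The create_guest_network hunk opens TCP 80 on the guest interface in addition to 8080, but the commit message only accounts for the password server's port, so a reader cannot tell which service on 80 this is intended for or whether it was meant to be opened at all; a why-comment above the new rules would close that gap, e.g. `# Allow guest VMs to reach the password server (8080) and the HTTP service on 80; passwd_server binds 0.0.0.0, so this INPUT rule is what limits it to guest NICs.` The `-D` before `-A` pairs follow the existing udp 67/53 pattern and will print a harmless error from iptables on first creation when no rule exists yet, which is consistent with the file but worth noting since stderr goes to the caller. The rules are appended with `-A`, so their effect also depends on no earlier catch-all rule in INPUT matching first, which is not visible in these hunks. Both create_guest_network and destroy_guest_network start before their hunks and continue beyond them.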
