
Commit bdec29b

committed
Create iptable rules for all bridges assigned to a system VM
The default_network_rules_systemvm method in security_group.py only created the appropriate rules for a single bridge. This however leads to traffic not being forwarded to the virtual machine when the system VMs (console & storage) have different bridges in basic networking. This patch makes sure rules are generated for all target devices based on their source device/bridge. It however excludes the LinkLocalBridge, since no filtering is needed on that bridge.
1 parent fc9a656 commit bdec29b

2 files changed

Lines changed: 51 additions & 30 deletions


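--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -3950,24 +3950,11 @@ protected boolean default_network_rules_for_systemvm(Connect conn,
 if (!_can_bridge_firewall) {
 return false;
 }
-List<InterfaceDef> intfs = getInterfaces(conn, vmName);
-if (intfs.size() < 1) {
-return false;
-}
-/* FIX ME: */
-String brname = null;
-if (vmName.startsWith("r-")) {
-InterfaceDef intf = intfs.get(0);
-brname = intf.getBrName();
-} else {
-InterfaceDef intf = intfs.get(intfs.size() - 1);
-brname = intf.getBrName();
-}
 
 Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
 cmd.add("default_network_rules_systemvm");
 cmd.add("--vmname", vmName);
-cmd.add("--brname", brname);
+cmd.add("--localbrname", _linkLocalBridgeName);
 String result = cmd.execute();
 if (result != null) {
 return false;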
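Review bot: `cmd.add("--localbrname", _linkLocalBridgeName)` hands the field to the script without checking it is set, and the `intfs.size() < 1` guard this hunk removes is not replaced by any check on the Java side. Where `_linkLocalBridgeName` is initialised is outside the hunk, so I cannot tell whether it can be null here; if it ever is, the script's `bridge != localbrname` comparison excludes nothing and the link-local bridge receives a firewall framework like every other bridge. A guard such as `if (_linkLocalBridgeName == null) { return false; }` before the `Script` is built would make the precondition explicit. The reason the per-interface bridge selection could go away also deserves a comment above the `Script` line, e.g. `// security_group.py now derives the VM's bridges from the libvirt domain XML; only the link-local bridge is passed so the script can skip it.` The enclosing method begins and ends outside the hunk.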

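--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -215,14 +215,10 @@ def default_ebtables_rules(vm_name, vm_ip, vm_mac, vif):
 return 'false'
 
 
-def default_network_rules_systemvm(vm_name, brname):
-if not addFWFramework(brname):
-return False
-
-vifs = getVifs(vm_name)
+def default_network_rules_systemvm(vm_name, localbrname):
+bridges = getBridges(vm_name)
 domid = getvmId(vm_name)
 vmchain = vm_name
-brfw = "BF-" + brname
 
 delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
 
@@ -231,14 +227,20 @@ def default_network_rules_systemvm(vm_name, brname):
 except:
 execute("iptables -F " + vmchain)
 
-for vif in vifs:
-try:
-execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
-execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain)
-execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN")
-except:
-logging.debug("Failed to program default rules")
-return 'false'
+for bridge in bridges:
+if bridge != localbrname:
+if not addFWFramework(bridge):
+return False
+brfw = "BF-" + bridge
+vifs = getVifsForBridge(vm_name, bridge)
+for vif in vifs:
+try:
+execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
+execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain)
+execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN")
+except:
+logging.debug("Failed to program default rules")
+return 'false'
 
 execute("iptables -A " + vmchain + " -j ACCEPT")
 
@@ -678,12 +680,43 @@ def getVifs(vmName):
 return vifs
 
 dom = xml.dom.minidom.parseString(xmlfile)
-vifs = []
 for network in dom.getElementsByTagName("interface"):
 target = network.getElementsByTagName('target')[0]
 nicdev = target.getAttribute("dev").strip()
 vifs.append(nicdev)
 return vifs
+
+def getVifsForBridge(vmName, brname):
+vifs = []
+try:
+xmlfile = virsh("dumpxml", vmName).stdout
+except:
+return vifs
+
+dom = xml.dom.minidom.parseString(xmlfile)
+for network in dom.getElementsByTagName("interface"):
+source = network.getElementsByTagName('source')[0]
+bridge = source.getAttribute("bridge").strip()
+if bridge == brname:
+target = network.getElementsByTagName('target')[0]
+nicdev = target.getAttribute("dev").strip()
+vifs.append(nicdev)
+return list(set(vifs))
+
+def getBridges(vmName):
+bridges = []
+try:
+xmlfile = virsh("dumpxml", vmName).stdout
+except:
+return bridges
+
+dom = xml.dom.minidom.parseString(xmlfile)
+for network in dom.getElementsByTagName("interface"):
+for source in network.getElementsByTagName('source'):
+bridge = source.getAttribute("bridge").strip()
+bridges.append(bridge)
+return list(set(bridges))
+
 def getvmId(vmName):
 cmd = "virsh list |grep " + vmName + " | awk '{print $1}'"
 return bash("-c", cmd).stdout.strip()
@@ -753,6 +786,7 @@ def addFWFramework(brname):
 parser.add_option("--seq", dest="seq")
 parser.add_option("--rules", dest="rules")
 parser.add_option("--brname", dest="brname")
+parser.add_option("--localbrname", dest="localbrname")
 parser.add_option("--dhcpSvr", dest="dhcpSvr")
 parser.add_option("--hostIp", dest="hostIp")
 parser.add_option("--hostMacAddr", dest="hostMacAddr")
@@ -765,7 +799,7 @@ def addFWFramework(brname):
 elif cmd == "destroy_network_rules_for_vm":
 destroy_network_rules_for_vm(option.vmName, option.vif)
 elif cmd == "default_network_rules_systemvm":
-default_network_rules_systemvm(option.vmName, option.brname)
+default_network_rules_systemvm(option.vmName, option.localbrname)
 elif cmd == "get_rule_logs_for_vms":
 get_rule_logs_for_vms()
 elif cmd == "add_network_rules":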
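Review bot: `getBridges` appends `source.getAttribute("bridge").strip()` unconditionally, so an `<interface>` whose `<source>` has no `bridge` attribute (minidom's getAttribute returns an empty string for a missing attribute) contributes `""` to the result; that value is not equal to `localbrname`, so `default_network_rules_systemvm` would call `addFWFramework("")` and create `BF-` chains for an empty bridge name. Skipping blanks at the append point is a one-line fix: `if bridge: bridges.append(bridge)`. In the same hunk, `getVifsForBridge` indexes `getElementsByTagName('source')[0]` rather than iterating as `getBridges` does, so an interface without a `<source>` element raises IndexError there; the call to `getVifsForBridge` sits outside the `try:` in the rule loop, so that error would propagate out of `default_network_rules_systemvm`. The rewritten loop also keeps the old mix of `return False` on a framework failure and `return 'false'` on a rule failure; since the function is being reworked anyway, returning one type would spare callers a bool-or-string check.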
