CLOUDSTACK-8891: Fixed default iptables rules on VR for guest traffic

Jayapal · Jayapal · commit 6e5d5c300f0d · 2015-09-24T12:46:09.000+05:30
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -818,51 +818,66 @@ def main(argv):
                         format=config.get_format())
     config.set_address()
 
+    logging.debug("Configuring ip addresses")
     # IP configuration
     config.address().compare()
     config.address().process()
 
+    logging.debug("Configuring vmpassword")
     password = CsPassword("vmpassword", config)
     password.process()
 
+    logging.debug("Configuring vmdata")
     metadata = CsVmMetadata('vmdata', config)
     metadata.process()
 
+    logging.debug("Configuring networkacl")
     acls = CsAcl('networkacl', config)
     acls.process()
 
+    logging.debug("Configuring firewall rules")
     acls = CsAcl('firewallrules', config)
     acls.process()
 
+    logging.debug("Configuring PF rules")
     fwd = CsForwardingRules("forwardingrules", config)
     fwd.process()
 
     red = CsRedundant(config)
     red.set()
 
+    logging.debug("Configuring s2s vpn")
     vpns = CsSite2SiteVpn("site2sitevpn", config)
     vpns.process()
 
+    logging.debug("Configuring remote access vpn")
     #remote access vpn
     rvpn = CsRemoteAccessVpn("remoteaccessvpn", config)
     rvpn.process()
 
+    logging.debug("Configuring vpn users list")
     #remote access vpn users
     vpnuser = CsVpnUser("vpnuserlist", config)
     vpnuser.process()
 
+    logging.debug("Configuring dhcp entry")
     dhcp = CsDhcp("dhcpentry", config)
     dhcp.process()
 
+    logging.debug("Configuring load balancer")
     lb = CsLoadBalancer("loadbalancer", config)
     lb.process()
 
+    logging.debug("Configuring monitor service")
     mon = CsMonitor("monitorservice", config)
     mon.process()
 
+    logging.debug("Configuring iptables rules .....")
     nf = CsNetfilters()
     nf.compare(config.get_fw())
 
+    logging.debug("Configuring iptables rules done ...saving rules")
+
     # Save iptables configuration - will be loaded on reboot by the iptables-restore that is configured on /etc/rc.local
     CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
     CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -121,8 +121,8 @@ def process(self):
             ip = CsIP(dev, self.config)
 
             for address in self.dbag[dev]:
-                if(address["nw_type"]!="public"):
-                    continue
+               # if(address["nw_type"]!="public"):
+               #     continue
 
                 #check if link is up
                 if (not self.check_if_link_exists(dev)):
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -126,6 +126,7 @@ def get_unseen(self):
         del_list = [x for x in self.rules if x.unseen()]
         for r in del_list:
             cmd = "iptables -t %s %s" % (r.get_table(), r.to_str(True))
+            logging.debug("unseen cmd:  %s ", cmd)
             CsHelper.execute(cmd)
             # print "Delete rule %s from table %s" % (r.to_str(True), r.get_table())
             logging.info("Delete rule %s from table %s", r.to_str(True), r.get_table())
@@ -150,10 +151,10 @@ def compare(self, list):
             if isinstance(fw[1], int):
                 new_rule.set_count(fw[1])
             if self.has_rule(new_rule):
-                logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table())
+                logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
             else:
                 # print "Add rule %s in table %s" % ( fw[2], new_rule.get_table())
-                logging.info("Add rule %s in table %s", fw[2], new_rule.get_table())
+                logging.info("Add: rule=%s table=%s", fw[2], new_rule.get_table())
                 # front means insert instead of append
                 cpy = fw[2]
                 if fw[1] == "front":
@@ -185,6 +186,7 @@ def del_standard(self):
                 if i.startswith('-A'):  # Rule
                     self.del_rule(table, i.strip())
         except IOError:
+            logging.debug("Exception in del_standard, returning")
             # Nothing can be done
             return
 
