Updated Branches: refs/heads/vpc 14fa5279e -> a1333649d
CS-15536: Insert VPN mangle policy to FORWARD and OUTPUT In order to get traffic tagged while ACL chain involved in PREROUTING chain. Also using more generic tag checking in nat table.
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/a1333649
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/a1333649
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/a1333649
Branch: refs/heads/vpc
Commit: a1333649dbf1c6521d671bfd900cf7ba89efe270
Parents: 14fa527
Author: Sheng Yang <[email protected]>
Authored: Tue Jul 17 16:47:37 2012 -0700
Committer: Sheng Yang <[email protected]>
Committed: Tue Jul 17 17:23:11 2012 -0700
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/ipsectunnel.sh | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/a1333649/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 7426d4b..470fca9 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -40,16 +40,21 @@ enable_iptable() {
   sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
   for net in $rightnets
   do
-    sudo iptables -A PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -A FORWARD -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -A OUTPUT -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
   done
+  # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
+  sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 }
 
 disable_iptable() {
   sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
   for net in $rightnets
   do
-    sudo iptables -D PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -D FORWARD -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
+    sudo iptables -D OUTPUT -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
   done
+  sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
 }
 
 ipsec_tunnel_del() {
@@ -107,10 +112,6 @@ ipsec_tunnel_add() {
   sudo ipsec auto --rereadall
   sudo ipsec auto --add vpn-$rightpeer
   sudo ipsec auto --up vpn-$rightpeer
-  # Prevent NAT on "marked" VPN traffic
-  sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp
-  sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
-  sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
   logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right networks=$rightnets"
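Review bot: The new nat POSTROUTING rule in enable_iptable passes `-t nat` twice (`sudo iptables -t nat -I POSTROUTING -t nat -o $outIf ...`), and the matching `-D` line in disable_iptable repeats the same duplication; whether a repeated table option is tolerated depends on the iptables build, so both should read `sudo iptables -t nat -I POSTROUTING -o $outIf -m mark --mark $vpnoutmark -j ACCEPT` (with `-D` for the removal). The FORWARD and OUTPUT rules use an unmasked `--set-mark`, which replaces the whole fwmark, and the POSTROUTING match is likewise an exact unmasked `--mark`; if the ACL chain referenced in the commit message also stores state in the mark, the two would interfere, which is worth confirming against those ACL rules before relying on the ACCEPT to bypass SNAT. Because the ACCEPT is inserted at position 1 on every enable_iptable call, repeated enables without a matching disable accumulate identical rules; a comment noting that disable_iptable is expected to remove exactly one per enable would make that contract explicit. Both enable_iptable and disable_iptable lie entirely within this hunk, while the ipsec_tunnel_del body that follows does not.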
