Repository: cloudstack Updated Branches: refs/heads/master 9b0797944 -> f6ff11c7d
OVS distributed routing: fix the issues related to applying network ACL's on OVS. OVS OF rules does not accept 0.0.0.0/0 so while applying ACL dont include source CIDR in the OF rule if source CIDR is 0.0.0.0/0
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f6ff11c7
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f6ff11c7
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f6ff11c7
Branch: refs/heads/master
Commit: f6ff11c7d6376f718e9ef998ba8375b9b7479b01
Parents: 9b07979
Author: Murali Reddy <muralimmre...@gmail.com>
Authored: Fri Mar 28 17:06:02 2014 +0530
Committer: Murali Reddy <muralimmre...@gmail.com>
Committed: Fri Mar 28 17:09:55 2014 +0530
----------------------------------------------------------------------
.../xenserver/cloudstack_pluginlib.py | 86 ++++++++++++++------
scripts/vm/hypervisor/xenserver/ovstunnel | 4 +-
2 files changed, 62 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f6ff11c7/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
index 4ebb435..50a1fa2 100644
--- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
+++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
@@ -358,7 +358,7 @@ def configure_bridge_for_network_topology(bridge, this_host_id, json_config):
 for host in vpc_spanning_hosts:
 if str(this_host_id) == str(host.hostid):
 continue
- other_host_vms = get_vms_on_host(vpconfig, host.hostid)
+ other_host_vms = get_vms_on_host(vpconfig, str(host.hostid))
 for vm in other_host_vms:
 for nic in vm.nics:
 mac_addr = nic.macaddress
@@ -397,8 +397,9 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
 return "FAILURE:IMPROPER_JSON_CONFG_FILE"
 try:
- # First flush current egress ACL's before re-applying the ACL's
+ # First flush current ingress and egress ACL's before re-applying the ACL's
 del_flows(bridge, table=3)
+ del_flows(bridge, table=5)
 egress_rules_added = False
 ingress_rules_added = False
@@ -419,15 +420,22 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
 source_cidrs = acl_item.sourcecidrs
 acl_priority = 1000 + number
 for source_cidr in source_cidrs:
- if direction is "ingress":
+ if direction == "ingress":
 ingress_rules_added = True
- if source_port_start is None and source_port_end is None:
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+ if source_cidr.startswith('0.0.0.0'):
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='drop')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='resubmit(,1)')
+ else:
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr,
 nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr,
 nw_proto=protocol, actions='resubmit(,1)')
 continue
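Review bot: Flushing table 5 on the new `del_flows(bridge, table=5)` line removes the existing ingress ACL flows together with the priority-0 default drop before any replacement is installed, so until the loop below finishes and the default is re-added at the end of the function, table 5 is empty and the bridge's table-miss behaviour decides whether tier traffic passes. If `add_flow` raises part-way through, the bare `except:` later in the function only logs and re-raises, leaving the tier with a partially applied ACL set and no default rule. Presumably `del_flows`/`add_flow` wrap ovs-ofctl; installing the new flow set before deleting the stale entries, or replacing the table contents in a single transaction, would keep the policy fail-closed throughout. The enclosing function continues past this hunk.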
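Review bot: Removing the `if source_port_start is None and source_port_end is None:` guard means the port-less table-5 flows are now installed for every ingress ACL item, including items that carry a port range, and the unchanged `continue` at the end of the hunk then skips the per-port loop that follows (it starts in the next hunk) in at least one of the two branches, so an allow for a single port becomes an allow for the whole protocol from that source and a port-scoped deny becomes protocol-wide. The hunk does not show the indentation of `continue`, so whether the fall-through affects only the `else:` branch or both cannot be confirmed here; either way the guard should be reinstated around the new `if source_cidr.startswith('0.0.0.0'): … else: …` block, and the same applies to the egress branch in the next hunk. Separately, `source_cidr.startswith('0.0.0.0')` is a prefix test rather than a CIDR test: it also matches anything beginning with that string, such as a specific `0.0.0.0/8`, and would then silently drop the source match; `if source_cidr == '0.0.0.0/0':` says what is meant (or a netmask-of-zero check if other spellings of "any" are expected from the caller).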
@@ -435,36 +443,59 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
 # source_cidr and destination ip is in tier_cidr
 port = source_port_start
 while (port < source_port_end):
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+ if source_cidr.startswith('0.0.0.0'):
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_dst=tier_cidr, tp_dst=port,
 nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_dst=tier_cidr, tp_dst=port,
+ nw_proto=protocol, actions='resubmit(,1)')
+ else:
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+ nw_proto=protocol, actions='drop')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
 nw_proto=protocol, actions='resubmit(,1)')
 port = port + 1
- elif direction in "egress":
+ elif direction == "egress":
 egress_rules_added = True
- if source_port_start is None and source_port_end is None:
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+ if source_cidr.startswith('0.0.0.0'):
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_dst=tier_cidr,
 nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr,
- nw_proto=protocol, actions='resubmit(,1)')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=3, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='resubmit(,4)')
+ else:
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='drop')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='resubmit(,4)')
 continue
 # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in
 # source_cidr and source ip is in tier_cidr
 port = source_port_start
 while (port < source_port_end):
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
- nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
- nw_proto=protocol, actions='resubmit(,1)')
+ if source_cidr.startswith('0.0.0.0'):
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='drop')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority, table=3, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='resubmit(,4)')
+ else:
+ if action == "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='drop')
+ if action == "allow":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='resubmit(,4)')
 port = port + 1
 if egress_rules_added is False:
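Review bot: In the egress per-port loop near the end of the hunk, the new `0.0.0.0` branch still passes `nw_dst=source_cidr`, i.e. the very `0.0.0.0/0` value the commit message says OVS rejects, while dropping `nw_src=tier_cidr`, which is the match that actually scopes the rule to the tier; the deny call should read `add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, tp_dst=port, nw_proto=protocol, actions='drop')` and the allow call the same with `actions='resubmit(,4)'`. The port-less egress rules earlier in the hunk are oriented the other way round (`nw_src=source_cidr, nw_dst=tier_cidr`) from the per-port rules (`nw_src=tier_cidr, nw_dst=source_cidr`) and from the comment describing egress as destination-in-source_cidr; unless that is intentional, their `0.0.0.0` branch drops the wrong match as well. This hunk carries the same `startswith('0.0.0.0')` prefix test and the same removed port-range guard before the unchanged `continue` as the previous ingress hunk, with the same widening effect on port-scoped ACL items. The enclosing function continues past this hunk.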
@@ -472,8 +503,11 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
 add_flow(bridge, priority=0, table=3, actions='resubmit(,4)')
 if ingress_rules_added is False:
- # add a default rule in egress table drop packets
+ # add a default rule in ingress table drop packets
 add_flow(bridge, priority=0, table=5, actions='drop')
+
+ return "SUCCESS: successfully configured bridge as per the later routing policies of the VPC"
+
 except:
 logging.debug("An unexpected error occurred while configuring bridge as per VPC's routing policies.")
 raise
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f6ff11c7/scripts/vm/hypervisor/xenserver/ovstunnel
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/ovstunnel b/scripts/vm/hypervisor/xenserver/ovstunnel
index 068f89f..3e17360 100755
--- a/scripts/vm/hypervisor/xenserver/ovstunnel
+++ b/scripts/vm/hypervisor/xenserver/ovstunnel
@@ -402,7 +402,7 @@ def configure_ovs_bridge_for_routing_policies(session, args):
 bridge = args.pop("bridge")
 json_config = args.pop("config")
- return lib.configure_ovs_bridge_for_router_policies(bridge, json_config)
+ return lib.configure_ovs_bridge_for_routing_policies(bridge, json_config)
 if __name__ == "__main__":
 XenAPIPlugin.dispatch({"create_tunnel": create_tunnel,
@@ -413,4 +413,4 @@ if __name__ == "__main__":
 "getLabel": getLabel,
 "setup_ovs_bridge_for_distributed_routing": setup_ovs_bridge_for_distributed_routing,
 "configure_ovs_bridge_for_network_topology": configure_ovs_bridge_for_network_topology,
- "configure_ovs_bridge_for_routing_policies": "configure_ovs_bridge_for_routing_policies"})
+ "configure_ovs_bridge_for_routing_policies": configure_ovs_bridge_for_routing_policies})
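Review bot: The priority-0 `drop` in table 5 is only installed when `ingress_rules_added is False`, so a tier with at least one ingress ACL item gets no explicit default and packets matching none of the priority-1000+ flows are left to the table-miss behaviour, which is not visible here; since the ACL flows outrank it anyway, installing `add_flow(bridge, priority=0, table=5, actions='drop')` unconditionally (and likewise the table-3 `resubmit(,4)`) keeps the policy fail-closed with no functional change for the tiers that work today. The new `return` sits inside the `try:` body, which is fine, but the bare `except:` below it also catches `SystemExit` and `KeyboardInterrupt`; `except Exception:` is the usual narrowing. The success message reads `later routing policies`, presumably meant as `latest`. The enclosing function starts before this hunk.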