Repository: cloudstack Updated Branches: refs/heads/master 59a9db39b -> a554ebdf7
CLOUDSTACK-6432: Blocking DHCP server to service DNS outside network
This would cover only DHCP only network since in basic and shared network, the private IP used by VR and network may expose to outside.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/a554ebdf
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/a554ebdf
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/a554ebdf
Branch: refs/heads/master
Commit: a554ebdf750be2ff2fd02fda38713b40313fcca8
Parents: 59a9db3
Author: Sheng Yang <sheng.y...@citrix.com>
Authored: Wed Apr 16 18:40:26 2014 -0700
Committer: Sheng Yang <sheng.y...@citrix.com>
Committed: Wed Apr 16 19:13:23 2014 -0700
----------------------------------------------------------------------
 .../router/VirtualNetworkApplianceManagerImpl.java | 7 ++++++-
 .../patches/debian/config/etc/init.d/cloud-early-config | 11 +++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a554ebdf/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index bbec5f7..d552001 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -2347,10 +2347,12 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
 buf.append(" domain=" + domain);
 }
+ long cidrSize = 0;
+
 //setup dhcp range
 if (dc.getNetworkType() == NetworkType.Basic) {
 if (guestNic.isDefaultNic()) {
- final long cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
+ cidrSize = NetUtils.getCidrSize(guestNic.getNetmask());
 final String cidr = NetUtils.getCidrSubNet(guestNic.getGateway(), cidrSize);
 if (cidr != null) {
 dhcpRange = NetUtils.getIpRangeStartIpFromCidr(cidr, cidrSize);
@@ -2359,11 +2361,14 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V
 } else if (dc.getNetworkType() == NetworkType.Advanced) {
 final String cidr = guestNetwork.getCidr();
 if (cidr != null) {
+ cidrSize = NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr));
 dhcpRange = NetUtils.getDhcpRange(cidr);
 }
 }
 if (dhcpRange != null) {
+ // To limit DNS to the cidr range
+ buf.append(" cidrsize=" + String.valueOf(cidrSize));
 buf.append(" dhcprange=" + dhcpRange);
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/a554ebdf/systemvm/patches/debian/config/etc/init.d/cloud-early-config
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/init.d/cloud-early-config b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
index 3c47f13..f8ba8a1 100755
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
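Review bot: In the second hunk `NetUtils.getCidrSize(NetUtils.getCidrNetmask(cidr))` derives the prefix length by converting the guest CIDR to a netmask and back even though the CIDR string already carries it; if `getCidrNetmask` returns null for a malformed `cidr`, the nested call would presumably throw rather than leave `cidrSize` at its sentinel, so a null check or a direct parse of the prefix would be safer. `String.valueOf(cidrSize)` is redundant inside string concatenation; `buf.append(" cidrsize=" + cidrSize);` reads the same. The comment `// To limit DNS to the cidr range` says little about the consumer; I would write `// prefix length of the guest CIDR: cloud-early-config uses dhcprange/cidrsize to restrict DNS (port 53) on eth0 to guest sources`. The `long cidrSize = 0;` sentinel introduced in the first hunk appears to be emitted only when dhcpRange is non-null, so a one-line comment on the declaration that it stays 0 when no DHCP range is configured would make that pairing explicit. The enclosing method begins and ends outside both hunks.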
@@ -1073,8 +1073,16 @@ setup_dhcpsrvr() {
 enable_svc cloud 0
 enable_fwding 0
 chkconfig nfs-common off
+ cp /etc/iptables/iptables-router /etc/iptables/rules.v4
 cp /etc/iptables/iptables-router /etc/iptables/rules
+
+ #Only allow DNS service for current network
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+ sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+
 if [ "$SSHONGUEST" == "true" ]
 then
 setup_sshd $ETH0_IP "eth0"
@@ -1420,6 +1428,9 @@ for i in $CMDLINE
 vpccidr)
 VPCCIDR=$VALUE
 ;;
+ cidrsize)
+ CIDR_SIZE=$VALUE
+ ;;
 esac
 done
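Review bot: The four `sed` substitutions in the first hunk interpolate `$DHCP_RANGE` and `$CIDR_SIZE` into both rules files unconditionally, so when either is empty (a management server that does not send `cidrsize=`, or a command line without `dhcprange=`, which I assume is parsed elsewhere in this file) the ACCEPT rule becomes `-s /` or `-s x.x.x.x/`, which iptables-restore should reject, and the router then presumably boots with no ruleset applied at all. Wrap the block in `if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ]; then` … `fi` so the previous unrestricted rule stays in place when the values are missing, and in the `cidrsize)` case of the second hunk check that `$VALUE` is an integer in 0–32 before it reaches iptables. There is also no check that the pattern matched, so a silently unchanged rules file would leave DNS open to any source on eth0; a `grep -q` of the new rule after the substitution would surface that in the boot log. The repeated sed lines differ only in protocol and target file, so a loop over `udp tcp` and the two files would keep the pattern in one place.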