diff --git a/src/vnm_mad/remotes/fw/clean b/src/vnm_mad/remotes/fw/clean
index ce74971f85..5308c108f6 100755
--- a/src/vnm_mad/remotes/fw/clean
+++ b/src/vnm_mad/remotes/fw/clean
@@ -33,7 +33,7 @@ begin
                                              xpath_filter, deploy_id)
     filter_driver.run_hooks(ARGV, template64) if filter_driver.deactivate == 0
-rescue Exception => e
+rescue StandardError
     OpenNebula.log_error(e.message)
     OpenNebula.log_error(e.backtrace)
     exit 1
diff --git a/src/vnm_mad/remotes/lib/security_groups_iptables.rb b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
index 183aba793f..b27e304e9a 100644
--- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb
+++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
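Review bot: `rescue StandardError` drops the `=> e` binding while the unchanged lines right below still call `OpenNebula.log_error(e.message)` and `OpenNebula.log_error(e.backtrace)`, so the first error that reaches this handler turns into a NameError inside the rescue clause and the original message is never logged (unless an `e` is assigned somewhere above the hunk, which is not visible here). Narrowing from `Exception` to `StandardError` is the right call — the script no longer swallows SystemExit or Interrupt — but the line needs to be `rescue StandardError => e`. The enclosing `begin` block starts outside the hunk.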
@@ -254,34 +254,45 @@ def new_rule(rule)
     def self.info
         commands = VNMNetwork::Commands.new
-        commands.add :iptables, "-S"
+        commands.add :iptables, '-S'
         iptables_s = commands.run!
-        commands.add :ip6tables, "-S"
+        commands.add :ip6tables, '-S'
         ip6tables_s = commands.run!
-        iptables_forwards = ""
-        ip6tables_forwards = ""
+        iptables_forwards = ''
+        ip6tables_forwards = ''
+
+        iptables_inputs = ''
+        ip6tables_inputs = ''
         if iptables_s.match(/^-N #{GLOBAL_CHAIN}$/)
             commands.add :iptables, "-L #{GLOBAL_CHAIN} --line-numbers"
             iptables_forwards = commands.run!
+
+            commands.add :iptables, '-L INPUT --line-numbers'
+            iptables_inputs = commands.run!
         end
         if ip6tables_s.match(/^-N #{GLOBAL_CHAIN}$/)
             commands.add :ip6tables, "-L #{GLOBAL_CHAIN} --line-numbers"
             ip6tables_forwards = commands.run!
+
+            commands.add :ip6tables, '-L INPUT --line-numbers'
+            ip6tables_inputs = commands.run!
         end
-        commands.add :ipset, "list -name"
+        commands.add :ipset, 'list -name'
         ipset_list = commands.run!
         {
-            :iptables_forwards => iptables_forwards,
-            :iptables_s => iptables_s,
+            :iptables_forwards => iptables_forwards,
+            :iptables_inputs => iptables_inputs,
+            :iptables_s => iptables_s,
             :ip6tables_forwards => ip6tables_forwards,
-            :ip6tables_s => ip6tables_s,
-            :ipset_list => ipset_list
+            :ip6tables_inputs => ip6tables_inputs,
+            :ip6tables_s => ip6tables_s,
+            :ipset_list => ipset_list
         }
     end
@@ -398,7 +409,8 @@ def self.nic_pre(bridged, vm, nic)
         # Send traffic to the NIC chains
         base_br = "-I #{GLOBAL_CHAIN} -m physdev --physdev-is-bridged "
-        nro = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}"
+        nro = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}"
+        nro_in = "-I INPUT -m physdev --physdev-in #{nic[:tap]} -j #{chain_out}"
         nris = []
         nri6s = []
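Review bot: The two new listings, `commands.add :iptables, '-L INPUT --line-numbers'` and its ip6tables twin, run without `-n`, so iptables tries to resolve every address and port in the host's INPUT chain to names before printing; the GLOBAL_CHAIN listings just above have the same omission, but INPUT on a hypervisor is far more likely to hold host rules with routable addresses, and a slow or unreachable resolver then stalls the whole security-group driver. nic_deactivate only reads the rule number and the target name from these lines, so `'-L INPUT -n --line-numbers'` loses nothing. The returned hash has also grown to seven undocumented keys; a short comment above `def self.info` listing what each key holds (`-S` dumps, `--line-numbers` listings of GLOBAL_CHAIN and INPUT, `ipset list -name` output) would help the next reader, since the INPUT listings are empty strings whenever GLOBAL_CHAIN does not exist and callers need to know that.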
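Review bot: `nro_in` is introduced without a comment, while the existing comment `# Send traffic to the NIC chains` and `base_br` only describe the bridged FORWARD path; the reader is left to work out that the INPUT rule exists so that traffic from the VM's tap that is addressed to the host itself is also run through `chain_out`. It is also worth stating that the INPUT rule deliberately omits `--physdev-is-bridged` (per the physdev match documentation that flag is only meaningful in FORWARD and POSTROUTING), so nobody "fixes" it by reusing `base_br`. Suggested comment above the new line: `# Also send host-directed traffic from the NIC through the outbound chain (INPUT is not bridged, so no --physdev-is-bridged here)`. nic_pre continues outside the hunk.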
@@ -434,9 +446,13 @@ def self.nic_pre(bridged, vm, nic)
         nris.each {|nri| commands.add :iptables, nri }
         commands.add :iptables, nro
+        commands.add :iptables, nro_in
         nri6s.each {|nri| commands.add :ip6tables, nri }
-        commands.add :ip6tables, nro if nri6s.any?
+        if nri6s.any?
+            commands.add :ip6tables, nro
+            commands.add :ip6tables, nro_in
+        end
         # ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6)
         ## Allow routers to send router advertisements
@@ -572,9 +588,11 @@ def self.nic_deactivate(vm, nic)
         info = self.info
         iptables_forwards = info[:iptables_forwards]
+        iptables_inputs = info[:iptables_inputs]
         iptables_s = info[:iptables_s]
         ip6tables_forwards = info[:ip6tables_forwards]
+        ip6tables_inputs = info[:ip6tables_inputs]
         ip6tables_s = info[:ip6tables_s]
         ipset_list = info[:ipset_list]
@@ -589,6 +607,14 @@ def self.nic_deactivate(vm, nic)
             end
         end
+        iptables_inputs.lines.reverse_each do |line|
+            fields = line.split
+            if [chain_in, chain_out].include?(fields[1])
+                n = fields[0]
+                commands.add :iptables, "-D INPUT #{n}"
+            end
+        end
+
         ip6tables_forwards.lines.reverse_each do |line|
             fields = line.split
             if [chain_in, chain_out].include?(fields[1])
@@ -597,6 +623,14 @@ def self.nic_deactivate(vm, nic)
             end
         end
+        ip6tables_inputs.lines.reverse_each do |line|
+            fields = line.split
+            if [chain_in, chain_out].include?(fields[1])
+                n = fields[0]
+                commands.add :ip6tables, "-D INPUT #{n}"
+            end
+        end
+
         remove_chains = []
         iptables_s.lines.each do |line|
             if line.match(/^-N #{chain}(-|$)/)
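Review bot: The `iptables_inputs.lines.reverse_each` loop added at `@@ -589` and the `ip6tables_inputs` loop at `@@ -597` are copy-pasted from the two pre-existing `*_forwards` loops, giving nic_deactivate four identical blocks that differ only in the tool symbol, the chain name and the listing; a single private helper would keep the number-based deletion logic in one place and make the "walk backwards so earlier numbers stay valid" invariant explicit instead of implied by `reverse_each`. The parsing itself is sound for `iptables -L --line-numbers` output (the two header lines never have a NIC chain name in column 2), and the INPUT listings are `''` when GLOBAL_CHAIN is absent, so the loops are no-ops then. Note that, as with the existing forwards deletions, the rule numbers come from a snapshot taken in `self.info` and are applied later in the batch, so any concurrent change to INPUT between the two would delete the wrong rule; this is pre-existing behaviour, just now with a wider blast radius since INPUT is shared with host rules. nic_deactivate continues outside the hunk.
```ruby
    # Queue "-D <chain> <num>" for every line of an `iptables -L <chain> --line-numbers`
    # dump whose target column is one of `targets`. Walks the dump backwards so the
    # rule numbers queued earlier stay valid once the batch runs.
    def self.delete_rules_targeting(commands, tool, chain, listing, targets)
        listing.lines.reverse_each do |line|
            fields = line.split
            next unless targets.include?(fields[1])

            commands.add tool, "-D #{chain} #{fields[0]}"
        end
    end

        # … unchanged: iptables_forwards loop …
        delete_rules_targeting(commands, :iptables, 'INPUT', iptables_inputs, [chain_in, chain_out])
        # … unchanged: ip6tables_forwards loop …
        delete_rules_targeting(commands, :ip6tables, 'INPUT', ip6tables_inputs, [chain_in, chain_out])
```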