Commit df27ac54 authored by Leigh B Stoller's avatar Leigh B Stoller

Clean up the fix for long physical node names that result in chain

names that are greater than the Linux max of 28 characters, and make it
backward compatible with running VMs.
parent be8216bc
......@@ -159,6 +159,16 @@ my $local_tmcd_port = $TMCD_PORT + $vmid;
my $outer_controlif = `cat $BOOTDIR/controlif`;
chomp($outer_controlif);
# Ick, iptables has a 28 character limit on chain names. But we have to
# be backwards compatible with existing chain names. See corresponding
# code in libvnode_xen.
my $INCOMING_CHAIN = "INCOMING_${vnode_id}";
my $OUTGOING_CHAIN = "OUTGOING_${vnode_id}";
if (length($INCOMING_CHAIN) > 28) {
my $INCOMING_CHAIN = "I_${vnode_id}";
my $OUTGOING_CHAIN = "O_${vnode_id}";
}
#
# We setup a bunch of iptables rules when a container goes online, and
# then clear them when it goes offline.
......@@ -210,9 +220,9 @@ sub Online()
if ($VIFROUTING) {
push(@rules,
"-A FORWARD -i $vif -s $vnode_ip ".
"-m mac --mac-source $vnode_mac -j OUTGOING_${vnode_id}");
"-m mac --mac-source $vnode_mac -j $OUTGOING_CHAIN");
push(@rules,
"-A FORWARD -o $vif -d $vnode_ip -j INCOMING_${vnode_id}");
"-A FORWARD -o $vif -d $vnode_ip -j $INCOMING_CHAIN");
#
# Another wrinkle. We have to think about packets coming from
......@@ -223,7 +233,7 @@ sub Online()
#
push(@rules,
"-A INPUT -i $vif -s $vnode_ip ".
"-m mac --mac-source $vnode_mac -j OUTGOING_${vnode_id}");
"-m mac --mac-source $vnode_mac -j $OUTGOING_CHAIN");
#
# This rule effectively says that if the packet was not filtered
......@@ -243,11 +253,11 @@ sub Online()
#
push(@rules,
"-I FORWARD -m physdev --physdev-is-bridged ".
"--physdev-in $vif -s $vnode_ip -j OUTGOING_${vnode_id}");
"--physdev-in $vif -s $vnode_ip -j $OUTGOING_CHAIN");
push(@rules,
"-I FORWARD -m physdev --physdev-is-bridged ".
"--physdev-out $vif -j INCOMING_${vnode_id}");
"--physdev-out $vif -j $INCOMING_CHAIN");
#
# Another wrinkle. We have to think about packets coming from
......@@ -261,7 +271,7 @@ sub Online()
# eth0, according to iptables logging. WTF!
#
push(@rules,
"-A INPUT -s $vnode_ip -j OUTGOING_${vnode_id}");
"-A INPUT -s $vnode_ip -j $OUTGOING_CHAIN");
push(@rules,
"-A OUTPUT -d $vnode_ip -j ACCEPT");
......@@ -335,6 +345,13 @@ sub Online()
"-o $bridge");
}
#
# Watch for a vnode with a public IP, no need to nat.
#
if (isRoutable($vnode_ip)) {
goto skipnat;
}
#
# If the source is from the vnode, headed to the local control
# net, no need for any NAT; just let it through.
......@@ -390,7 +407,8 @@ sub Online()
"-t nat -A POSTROUTING ".
"-s $vnode_ip -o $outer_controlif ".
"-j SNAT --to-source $host_ip");
skipnat:
# Apply the rules
DoIPtables(@rules) == 0 or
return -1;
......@@ -415,12 +433,12 @@ sub Offline()
if ($VIFROUTING) {
push(@rules,
"-D FORWARD -i $vif -s $vnode_ip ".
"-m mac --mac-source $vnode_mac -j OUTGOING_${vnode_id}");
"-m mac --mac-source $vnode_mac -j $OUTGOING_CHAIN");
push(@rules,
"-D FORWARD -o $vif -d $vnode_ip -j INCOMING_${vnode_id}");
"-D FORWARD -o $vif -d $vnode_ip -j $INCOMING_CHAIN");
push(@rules,
"-D INPUT -i $vif -s $vnode_ip ".
"-m mac --mac-source $vnode_mac -j OUTGOING_${vnode_id}");
"-m mac --mac-source $vnode_mac -j $OUTGOING_CHAIN");
push(@rules,
"-D OUTPUT -o $vif -j ACCEPT");
......@@ -428,12 +446,12 @@ sub Offline()
else {
push(@rules,
"-D FORWARD -m physdev --physdev-is-bridged ".
"--physdev-in $vif -s $vnode_ip -j OUTGOING_${vnode_id}");
"--physdev-in $vif -s $vnode_ip -j $OUTGOING_CHAIN");
push(@rules,
"-D FORWARD -m physdev --physdev-is-bridged ".
"--physdev-out $vif -j INCOMING_${vnode_id}");
"--physdev-out $vif -j $INCOMING_CHAIN");
push(@rules,
"-D INPUT -s $vnode_ip -j OUTGOING_${vnode_id}");
"-D INPUT -s $vnode_ip -j $OUTGOING_CHAIN");
push(@rules,
"-D OUTPUT -d $vnode_ip -j ACCEPT");
}
......@@ -469,6 +487,13 @@ sub Offline()
"-o $bridge");
}
#
# Watch for a vnode with a public IP, no need to nat.
#
if (isRoutable($vnode_ip)) {
goto skipnat;
}
push(@rules,
"-t nat -D POSTROUTING -j ACCEPT ".
"-s $vnode_ip -d $jail_network/$jail_netmask");
......@@ -495,6 +520,7 @@ sub Offline()
"-t nat -D POSTROUTING ".
"-s $vnode_ip -o $outer_controlif -j SNAT --to-source $host_ip");
skipnat:
# evproxy
push(@rules,
"-t nat -D PREROUTING -j DNAT -p tcp ".
......
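Review bot: The shortened chain names never take effect, because the two assignments inside the `if (length($INCOMING_CHAIN) > 28)` block redeclare the variables with `my`, creating block-scoped lexicals that are discarded at the closing brace while the outer `$INCOMING_CHAIN`/`$OUTGOING_CHAIN` keep their long values. Perl emits no warning for this (the inner declarations are in a nested scope, not the same one), so the long names are still handed to iptables and the per-vnode filter chains fail to be referenced exactly in the case this commit is meant to fix. The fix is to drop the `my` on both inner lines: `$INCOMING_CHAIN = "I_${vnode_id}";` and `$OUTGOING_CHAIN = "O_${vnode_id}";`. The identical pattern appears twice in libvnode_xen, in the `vnodePreConfigControlNetwork` hunk and the `vnodeDestroy` hunk, and needs the same change there; perlcritic's Variables::ProhibitReusedNames policy would catch all three.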
......@@ -1839,15 +1839,24 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
#
my @rules = ();
push(@rules, "-N INCOMING_${vnode_id}");
push(@rules, "-F INCOMING_${vnode_id}");
push(@rules, "-N OUTGOING_${vnode_id}");
push(@rules, "-F OUTGOING_${vnode_id}");
# Ick, iptables has a 28 character limit on chain names. But we have to
# be backwards compatible with existing chain names. See corresponding
# code in emulab-cnet.pl
my $INCOMING_CHAIN = "INCOMING_${vnode_id}";
my $OUTGOING_CHAIN = "OUTGOING_${vnode_id}";
if (length($INCOMING_CHAIN) > 28) {
my $INCOMING_CHAIN = "I_${vnode_id}";
my $OUTGOING_CHAIN = "O_${vnode_id}";
}
push(@rules, "-N $INCOMING_CHAIN");
push(@rules, "-F $INCOMING_CHAIN");
push(@rules, "-N $OUTGOING_CHAIN");
push(@rules, "-F $OUTGOING_CHAIN");
# Match existing dynamic rules as early as possible.
push(@rules, "-A INCOMING_${vnode_id} -m conntrack ".
push(@rules, "-A $INCOMING_CHAIN -m conntrack ".
"--ctstate RELATED,ESTABLISHED -j ACCEPT");
push(@rules, "-A OUTGOING_${vnode_id} -m conntrack ".
push(@rules, "-A $OUTGOING_CHAIN -m conntrack ".
"--ctstate RELATED,ESTABLISHED -j ACCEPT");
# Do all the rules regardless of whether they fail
......@@ -1857,14 +1866,14 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
@rules = ();
if ($vnconfig->{'fwconfig'}->{'fwinfo'}->{'TYPE'} eq "none") {
push(@rules, "-A INCOMING_${vnode_id} -j ACCEPT");
push(@rules, "-A OUTGOING_${vnode_id} -j ACCEPT");
push(@rules, "-A $INCOMING_CHAIN -j ACCEPT");
push(@rules, "-A $OUTGOING_CHAIN -j ACCEPT");
}
else {
if (0) {
push(@rules, "-A INCOMING_${vnode_id} -j LOG ".
push(@rules, "-A $INCOMING_CHAIN -j LOG ".
" --log-prefix 'IIN ${vnode_id}: ' --log-level 5");
push(@rules, "-A OUTGOING_${vnode_id} -j LOG ".
push(@rules, "-A $OUTGOING_CHAIN -j LOG ".
" --log-prefix 'OOUT ${vnode_id}: ' --log-level 5");
}
......@@ -1874,11 +1883,11 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
#
my $local_tmcd_port = $TMCD_PORT + $vmid;
push(@rules,
"-A OUTGOING_${vnode_id} -p tcp ".
"-A $OUTGOING_CHAIN -p tcp ".
"-d $ctrlip --dport $local_tmcd_port ".
"-m conntrack --ctstate NEW -j ACCEPT");
push(@rules,
"-A OUTGOING_${vnode_id} -p udp ".
"-A $OUTGOING_CHAIN -p udp ".
"-d $ctrlip --dport $local_tmcd_port ".
"-m conntrack --ctstate NEW -j ACCEPT");
......@@ -1888,8 +1897,8 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
foreach my $rule (@{ $vnconfig->{'fwconfig'}->{'fwrules'} }) {
my $rulestr = $rule->{'RULE'};
$rulestr =~ s/\s+me\s+/ $ctrlip /g;
$rulestr =~ s/\s+INSIDE\s+/ OUTGOING_${vnode_id} /g;
$rulestr =~ s/\s+OUTSIDE\s+/ INCOMING_${vnode_id} /g;
$rulestr =~ s/\s+INSIDE\s+/ $OUTGOING_CHAIN /g;
$rulestr =~ s/\s+OUTSIDE\s+/ $INCOMING_CHAIN /g;
$rulestr =~ s/^iptables //;
push(@rules, $rulestr);
}
......@@ -1899,9 +1908,9 @@ sub vnodePreConfigControlNetwork($$$$$$$$$$$$)
# since they are going to get dropped.
#
if (0) {
push(@rules, "-A INCOMING_${vnode_id} -j LOG ".
push(@rules, "-A $INCOMING_CHAIN -j LOG ".
" --log-prefix 'IN ${vnode_id}: ' --log-level 5");
push(@rules, "-A OUTGOING_${vnode_id} -j LOG ".
push(@rules, "-A $OUTGOING_CHAIN -j LOG ".
" --log-prefix 'OUT ${vnode_id}: ' --log-level 5");
}
}
......@@ -2512,16 +2521,25 @@ sub vnodeDestroy($$$$)
}
}
# Kill the chains.
# Ick, iptables has a 28 character limit on chain names. But we have to
# be backwards compatible with existing chain names. See corresponding
# code in emulab-cnet.pl
my $INCOMING_CHAIN = "INCOMING_${vnode_id}";
my $OUTGOING_CHAIN = "OUTGOING_${vnode_id}";
if (length($INCOMING_CHAIN) > 28) {
my $INCOMING_CHAIN = "I_${vnode_id}";
my $OUTGOING_CHAIN = "O_${vnode_id}";
}
DoIPtables("-F $INCOMING_CHAIN");
DoIPtables("-X $INCOMING_CHAIN");
DoIPtables("-F $OUTGOING_CHAIN");
DoIPtables("-X $OUTGOING_CHAIN");
# Always do this.
return -1
if (vnodeTearDown($vnode_id, $vmid, $vnconfig, $private));
# Kill the chains.
DoIPtables("-F INCOMING_${vnode_id}");
DoIPtables("-X INCOMING_${vnode_id}");
DoIPtables("-F OUTGOING_${vnode_id}");
DoIPtables("-X OUTGOING_${vnode_id}");
# DHCP entry...
if (exists($vninfo->{'dhcp'})) {
my $mac = $vninfo->{'dhcp'}->{'mac'};
......
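Review bot: The fallback names in the `vnodePreConfigControlNetwork` and `vnodeDestroy` hunks are not guaranteed to fit either: `I_${vnode_id}` is two characters plus the vnode id, so an id longer than 26 characters still yields a chain name over the 28-character limit and the `-N`/`-F`/`-A` rules that follow are built with a name iptables will reject. Since the comment just below the first hunk says the rules are run regardless of whether they fail, a rejected chain creation would presumably leave the container with its filter rules partially installed rather than aborting the configuration — worth confirming against DoIPtables. I would check the length of the shortened name as well and return an error from the caller when it is still too long, e.g. `return -1 if (length($INCOMING_CHAIN) > 28);` after the fallback assignment, rather than passing it through. The same name-selection block is now copied in three places (here twice and in emulab-cnet.pl) and the cleanup in `vnodeDestroy` only finds the chains if all three agree, so a single shared helper that returns both names would keep them from drifting.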