Revision ced96c87


share/hooks/OpenNebulaVLAN.rb
294 294
            
295 295
            chain   = "one-#{vm_id}-#{nic[:network_id]}"
296 296
            tap     = nic[:tap]
297
            
297

  
298 298
            if tap
299 299
                #TCP
300 300
                if range = nic[:white_ports_tcp]
301
                    nic_rules << filter_established(chain, :tcp, :accept)
301 302
                    nic_rules << filter_ports(chain, :tcp, range, :accept)
302 303
                    nic_rules << filter_protocol(chain, :tcp, :drop)
303 304
                elsif range = nic[:black_ports_tcp]
......
306 307

  
307 308
                #UDP
308 309
                if range = nic[:white_ports_udp]
309
                    nic_rules << filter_ports(chain, :ucp, range, :accept)
310
                    nic_rules << filter_protocol(chain, :ucp, :drop)
310
                    nic_rules << filter_established(chain, :udp, :accept)
311
                    nic_rules << filter_ports(chain, :udp, range, :accept)
312
                    nic_rules << filter_protocol(chain, :udp, :drop)
311 313
                elsif range = nic[:black_ports_udp]
312
                    nic_rules << filter_ports(chain, :ucp, range, :drop)
314
                    nic_rules << filter_ports(chain, :udp, range, :drop)
313 315
                end
314 316

  
315 317
                #ICMP
316 318
                if nic[:icmp]
317 319
                    if %w(no drop).include? nic[:icmp].downcase
320
                        nic_rules << filter_established(chain, :icmp, :accept)
318 321
                        nic_rules << filter_protocol(chain, :icmp, :drop)
319 322
                    end
320 323
                end
......
357 360
        run_rules rules
358 361
    end
359 362

  
363
    def filter_established(chain, protocol, policy)
364
        policy   = policy.to_s.upcase
365
        rule "-A #{chain} -p #{protocol} -m state --state ESTABLISHED -j #{policy}"
366
    end
367

  
360 368
    def run_rules(rules)
361 369
        rules.flatten.each do |rule|
362 370
            system(rule)
363
            puts(rule)
364 371
        end
365 372
    end
366 373

  
......
381 388
    end
382 389

  
383 390
    def tap_to_chain(tap, chain)
384
        rule "-A FORWARD -m physdev --physdev-in #{tap} -j #{chain}"
391
        rule "-A FORWARD -m physdev --physdev-out #{tap} -j #{chain}"
385 392
    end
386 393

  
387 394
    def new_chain(chain)
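Review bot: In the run_rules hunk the return value of `system(rule)` is discarded, so an iptables invocation that fails (or a missing binary, where `system` returns nil) leaves the VM with fewer filter rules than intended while the hook still finishes as if it succeeded, and with the `puts(rule)` line removed there is no longer any trace of which rule was attempted either. Because each chain's final DROP rule only makes sense once the preceding ACCEPT rules are in place, a failure should stop the run or at least be reported, e.g. `raise "iptables rule failed: #{rule}" unless system(rule)`. Note also that `system` with a single string goes through a shell, and the `chain` and `range` values interpolated into the rule strings come from the VM's NIC attributes (their origin and any validation lie outside this section), so a format check such as `raise ArgumentError, "bad port range" unless range.to_s.match?(/\A[\d:,]+\z/)` before building the rule would be a cheap safeguard. The `rule` helper and the callers of run_rules are outside the hunk.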
share/hooks/firewall
9 9
action      = ARGV[0]
10 10
template    = ARGV[1]
11 11

  
12
#vm_xml =  Base64::decode64(ARGV[0])
13
vm_xml = `onevm show -x #{template}`
12
vm_xml =  Base64::decode64(template)
14 13

  
15 14
fw = OpenNebulaFirewall.new(vm_xml)
16 15

  
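Review bot: `template` is `ARGV[1]`, and the new `vm_xml = Base64::decode64(template)` line passes it straight to the decoder, so running the hook without a second argument fails with a NoMethodError from inside Base64 instead of a usable message; a guard such as `abort "usage: firewall ACTION TEMPLATE" unless template` before the decode would make the failure explicit. Two points of style on the same line: Ruby calls class methods with `.`, not `::`, and there is a double space after `=`, so `vm_xml = Base64.decode64(template)` is the idiomatic form. Whether `require 'base64'` is present cannot be seen from this section, as the script header is above it. Replacing the removed backtick call to `onevm show -x #{template}` with an in-process decode also removes a shell command built from a hook argument, which is a welcome side effect of the change.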
