From bffcb487a62b192e4120f04a2c65df2ebd2c09ba Mon Sep 17 00:00:00 2001
From: Vishesh
Date: Fri, 24 Jan 2025 13:18:20 +0530
Subject: [PATCH 1/4] Fix private gateway acl on static routes

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 3d6d1f6f7222..9b6571399f68 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -24,6 +24,7 @@
 from CsApp import CsApache, CsDnsmasq, CsPasswdSvc
 from CsRoute import CsRoute
 from CsRule import CsRule
+from CsStaticRoutes import CsStaticRoutes
 
 VRRP_TYPES = ['guest']
 
@@ -553,6 +554,20 @@ def fw_vpcrouter(self):
             self.fw.append(["mangle", "front",
                             "-A PREROUTING -s %s -d %s -m state --state NEW -j MARK --set-xmark %s/0xffffffff" %
                             (self.cl.get_vpccidr(), self.address['network'], hex(100 + int(self.dev[3:])))])
+
+        static_routes = CsStaticRoutes("staticroutes", self.config)
+        if static_routes:
+            for item in static_routes.get_bag():
+                if item == "id":
+                    continue
+                static_route = static_routes.get_bag()[item]
+                if static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
+                    self.fw.append(["mangle", "",
+                                    "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s -j ACL_OUTBOUND_%s" %
+                                    (self.dev, self.address['network'], static_route['network'], self.dev)])
+                    self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+                                    (static_route['network'], self.dev, self.dev)])
+
         if self.address["source_nat"]:
             self.fw.append(["nat", "front",
                             "-A POSTROUTING -o %s -j SNAT --to-source %s" %

From 45ede9d657d599eec9a2f45663a1ebc432001088 Mon Sep 17 00:00:00 2001
From: Vishesh
Date: Fri, 24 Jan 2025 16:08:57 +0530
Subject: [PATCH 2/4] Fixup

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

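Review bot: The `if static_routes:` guard on the new side tests the truthiness of a CsStaticRoutes object rather than whether any routes were loaded, so unless that class defines `__bool__`/`__len__` (not visible here) the guard is always true and the empty-bag case is really handled by the loop finding nothing. The loop also calls `static_routes.get_bag()` once to iterate and again for every item; reading it once is clearer and avoids any chance of the two reads disagreeing: `bag = static_routes.get_bag()` then `for item, static_route in bag.items():` with the `if item == "id": continue` skip kept. A short comment above the block saying that it installs the ACL_OUTBOUND/ACL_INBOUND hooks for static routes whose `ip_address` is this private gateway's address and that are not revoked would save the next reader from reconstructing the condition. fw_vpcrouter starts before the hunk and its body continues after it.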
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 9b6571399f68..1fd0106dfd28 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -563,8 +563,8 @@ def fw_vpcrouter(self):
                 static_route = static_routes.get_bag()[item]
                 if static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
                     self.fw.append(["mangle", "",
-                                    "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s -j ACL_OUTBOUND_%s" %
-                                    (self.dev, self.address['network'], static_route['network'], self.dev)])
+                                    "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
+                                    (self.dev, static_route['network'], static_route['gateway'], self.dev)])
                     self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                                     (static_route['network'], self.dev, self.dev)])
 

From 2fa9d8823ed93fa5384b19fb56cbd193da26c116 Mon Sep 17 00:00:00 2001
From: Vishesh
Date: Fri, 24 Jan 2025 16:16:42 +0530
Subject: [PATCH 3/4] Update systemvm/debian/opt/cloud/bin/cs/CsAddress.py

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 1fd0106dfd28..fc1b69292960 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -564,7 +564,7 @@ def fw_vpcrouter(self):
                 if static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
                     self.fw.append(["mangle", "",
                                     "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
-                                    (self.dev, static_route['network'], static_route['gateway'], self.dev)])
+                                    (self.dev, static_route['network'], static_route['ip_address'], self.dev)])
                     self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                                     (static_route['network'], self.dev, self.dev)])
 
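Review bot: The `! -d %s/32` exclusion in the ACL_OUTBOUND rule now exempts packets from the static-route network that are addressed to the private gateway's own `ip_address`, and nothing in the hunk says why, so the next reader may "fix" it back to a network match; a comment on the changed line would pin the intent: `# PREROUTING also sees packets for the router itself; only forwarded traffic from the static-route network goes through the ACL`. The exempted packets are not forwarded and so never reach the FORWARD-side ACL_INBOUND rule either, which presumably leaves them to the router's INPUT rules — worth confirming that chain covers the private gateway address. fw_vpcrouter starts before the hunk and its body continues after it.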
From 77fb01c67fb2adeaedbd7416486b220ee7f75c86 Mon Sep 17 00:00:00 2001
From: Vishesh
Date: Thu, 6 Feb 2025 14:53:47 +0530
Subject: [PATCH 4/4] Address commments

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index fc1b69292960..7e7060a6cde9 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -565,8 +565,11 @@ def fw_vpcrouter(self):
                     self.fw.append(["mangle", "",
                                     "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
                                     (self.dev, static_route['network'], static_route['ip_address'], self.dev)])
-                    self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
-                                    (static_route['network'], self.dev, self.dev)])
+                    self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+                                    (static_route['network'], self.dev, self.dev)])
+                    self.fw.append(["filter", "front",
+                                    "-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
+                                    (static_route['network'], self.dev)])
 
         if self.address["source_nat"]:
             self.fw.append(["nat", "front",
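Review bot: The two new `["filter", "front", ...]` rules are emitted with the ACL_INBOUND jump first and the `RELATED,ESTABLISHED -j ACCEPT` second, so which one is hit first in FORWARD depends entirely on how CsNetfilters applies "front" — inserting each rule at position 1 (the ACCEPT then lands ahead of the ACL, which looks intended) or applying the list in order (return traffic to the static-route network would then be evaluated by the ACL chain first) — and that behaviour is not visible in this hunk. Either way the pair silently relies on insertion order, so a comment between the two appends should state it once confirmed, e.g. `# both are "front" rules: the RELATED,ESTABLISHED accept is appended last so it is inserted ahead of the ACL_INBOUND jump`. Note also that the ACCEPT carries no `-s` or `-i` match, so any established flow toward `static_route['network']` leaving via this nic bypasses the ACL, which is the usual stateful-firewall shape but should be the documented intent. fw_vpcrouter starts before the hunk and its body continues after it.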