M #-: SG for NIC_ALIAS (#1094)

(cherry picked from commit a3cea2b0b6245ca692787570c5b5a50f33c2e509)
2025-03-22 18:50:08 +03:00 · 2021-04-13 13:09:13 +02:00 · 2021-04-13 13:09:13 +02:00 · a7c9633e5e
commit a7c9633e5e
parent 9764019c36
2 changed files with 25 additions and 13 deletions
--- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb
+++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
@ -14,6 +14,8 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #

+require 'ipaddr'
+
 module VNMMAD

 # This module implements the SecurityGroup abstraction on top of iptables
@ -288,7 +290,7 @@ module SGIPTables
    #   2.- Forwards the bridge traffic to the GLOBAL_CHAIN
    #   3.- By default ACCEPT all traffic
    #
-    # If inbound packets are routed (not bridged) by the hypervisor OpenNebula 
+    # If inbound packets are routed (not bridged) by the hypervisor OpenNebula
    # process all forwarding traffic.
    def self.global_bootstrap(bridged)
        info = SGIPTables.info
@ -381,9 +383,12 @@ module SGIPTables
        commands.add :ip6tables, "-N #{chain_out}" # outbound

        # Send traffic to the NIC chains
-
        base_br = "-I #{GLOBAL_CHAIN} -m physdev --physdev-is-bridged "
-        nro     = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}"
+        if nic[:alias_id]
+            nro = "#{base_br} --physdev-in #{nic[:parent_nic][:tap]} -s #{nic[:ip]} -j #{chain_out}"
+        else
+            nro = "#{base_br} --physdev-in #{nic[:tap]} -j #{chain_out}"
+        end

        if bridged
            if nic[:alias_id]
@ -395,12 +400,13 @@ module SGIPTables
            nri = "-I #{GLOBAL_CHAIN} -d #{nic[:ip]} -j #{chain_in}"
        end

-        #TODO routed traffic is only filtered for IPv4 addressing
-        commands.add :iptables, nri
-        commands.add :iptables, nro
-
-        commands.add :ip6tables, nri if bridged
-        commands.add :ip6tables, nro
+        if IPAddr.new(nic[:ip]).ipv4?
+            commands.add :iptables, nri
+            commands.add :iptables, nro
+        else
+            commands.add :ip6tables, nri
+            commands.add :ip6tables, nro
+        end

        # ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6)
        ## Allow routers to send router advertisements
--- a/src/vnm_mad/remotes/lib/sg_driver.rb
+++ b/src/vnm_mad/remotes/lib/sg_driver.rb
@ -80,10 +80,13 @@ module VNMMAD
            # Global Bootstrap
            SGIPTables.global_bootstrap(@bridged)

-            attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] if !do_all
+            unless do_all
+               attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID']
+               attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID']
+            end

            # Process the rules
-            process do |nic|
+            process_all do |nic|
                next if attach_nic_id && attach_nic_id != nic[:nic_id]

                if nic[:security_groups].nil?
@ -124,9 +127,12 @@ module VNMMAD
            lock

            begin
-                attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID'] if !do_all
+                unless do_all
+                   attach_nic_id = @vm['TEMPLATE/NIC[ATTACH="YES"]/NIC_ID']
+                   attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID']
+                end

-                @vm.nics.each do |nic|
+                process_all do |nic|
                    next if attach_nic_id && attach_nic_id != nic[:nic_id]

                    SGIPTables.nic_deactivate(@vm, nic)