From 3ccdf67dfbb5cc1985e127de6138503edacb78df Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Mon, 9 Dec 2013 17:28:53 -0800
Subject: [PATCH] CLOUDSTACK-5297: Fix ACL rules on VPN for VPC
Insert a new iptables chain for FORWARD chain, in order to let following ACL rules being executed as well.
---
 .../debian/vpn/opt/cloud/bin/vpn_l2tp.sh | 28 ++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
index 5afe0096d9a..83d5272f3e1 100755
--- a/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
+++ b/systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
@@ -35,21 +35,41 @@ get_intf_ip() {
 iptables_() {
 local op=$1
 local public_ip=$2
+ local is_vpc=false
+ local forward_action="ACCEPT"
+ if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+ then
+ is_vpc=true
+ fi
 sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
 sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
 sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
 sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
 sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
- sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
- sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
- sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+ if $is_vpc
+ then
+ # Need to apply the following ACL rules as well.
+ if sudo iptables -N VPN_FORWARD &> /dev/null
+ then
+ sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
+ sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
+ sudo iptables -A VPN_FORWARD -j DROP
+ fi
+ sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
+ sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
+ sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
+ else
+ sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
+ sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
+ sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
+ fi
 sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
 sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
 sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $local_ip
 sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $local_ip
- if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
+ if $is_vpc
 then
 return
 fi