From 3cfe01d07cefc7094ce4ed2a9dde28c88437b1d1 Mon Sep 17 00:00:00 2001
From: Anthony Xu
Date: Fri, 7 Sep 2012 17:03:12 -0700
Subject: [PATCH] VPC : by default , outgoing traffic is allowed out, once egress rules are added, only traffic specified in those are allowed out, others are blocked

---
 .../systemvm/debian/config/opt/cloud/bin/vpc_acl.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index fa57c043570..4ebed3abdf9 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -126,6 +126,7 @@ acl_entry_for_guest_network() {
 sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
 --icmp-type $typecode -j ACCEPT
 else
+ let egress++
 sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
 --icmp-type $typecode -j ACCEPT
 fi
@@ -135,6 +136,7 @@ acl_entry_for_guest_network() {
 sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
 $DPORT -j ACCEPT
 else
+ let egress++
 sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
 $DPORT -j ACCEPT
 fi
@@ -199,7 +201,7 @@ fi
 success=0
 acl_chain_for_guest_network
-
+egress=0
 for r in $rules_list
 do
 acl_entry_for_guest_network $r
@@ -219,6 +221,12 @@ then
 acl_restore
 else
 logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+ if [ $egress -eq 0 ]
+ then
+ sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
+ else
+ sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+ fi
 acl_switch_to_new
 fi
 unlock_exit $success $lock $locked
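Review bot: `let egress++` returns a non-zero status when egress is 0, because the post-increment evaluates to the old value, so the first egress rule processed would abort the script if it runs under `set -e`, and it is a bash-only builtin; the same line is added in the second hunk at line 139. Use the portable arithmetic form `egress=$((egress + 1))` in both places. The counter is a global that acl_entry_for_guest_network mutates without declaring, and the `egress=0` it depends on is set in the main body, so a line at the function head such as `# bumps the global egress counter for every outbound ACCEPT rule; the caller must initialise it to 0` would make that coupling visible. Whether the script sets -e, and the remainder of acl_entry_for_guest_network, are outside both hunks.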
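Review bot: The `2>/dev/null` on the appended default rule discards the only signal that `iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP` failed, so a failed append still reaches `acl_switch_to_new` and the new chain goes live without its terminal DROP, which is exactly the fail-open the commit sets out to close. The status of that append should decide whether the chain is switched in at all; the rewrite below folds the two branches into one append so both arms are checked the same way and adds `"$egress"` quoting so an unset counter produces a clear test error rather than a syntax error. It assumes `acl_restore` and `success=1` are the right way to back out here, as they appear to be in the `then` branch whose start is outside the hunk; confirm against the rest of the script.
```shell
else
  logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
  if [ "$egress" -eq 0 ]
  then
    default_target=ACCEPT
  else
    default_target=DROP
  fi
  # The trailing rule decides what happens to unmatched outbound packets; a
  # failed append here must not be ignored or the chain is left fail-open.
  if sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j $default_target
  then
    acl_switch_to_new
  else
    logger -t cloud "$(basename $0): failed to append default $default_target rule to ACL_OUTBOUND_$dev"
    success=1
    acl_restore
  fi
fi
# … unchanged: unlock_exit …
```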