VPC : by default , outgoing traffic is allowed out, once egress rules are added, only traffic specified in those are allowed out, others are blocked

2025-10-26 08:42:29 +01:00 · 2012-09-07 17:03:12 -07:00 · 2012-09-07 17:03:12 -07:00 · 3cfe01d07c
commit 3cfe01d07c
parent b52bd1fc5a
1 changed files with 9 additions and 1 deletions
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@ -126,6 +126,7 @@ acl_entry_for_guest_network() {
        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr  \
                    --icmp-type $typecode  -j ACCEPT
      else
+        let egress++
        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
                    --icmp-type $typecode  -j ACCEPT
      fi
@ -135,6 +136,7 @@ acl_entry_for_guest_network() {
        sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
                    $DPORT -j ACCEPT
      else
+        let egress++
        sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
                    $DPORT -j ACCEPT
      fi
@ -199,7 +201,7 @@ fi
 success=0

 acl_chain_for_guest_network
-
+egress=0
 for r in $rules_list
 do
  acl_entry_for_guest_network $r
@ -219,6 +221,12 @@ then
  acl_restore
 else
  logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+  if [ $egress -eq 0 ]
+  then
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
+  else
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  fi   
  acl_switch_to_new
 fi
 unlock_exit $success $lock $locked