iAdd chains before provisioning rules

2025-11-03 04:12:31 +01:00 · 2014-11-13 19:28:36 +01:00 · 2014-11-13 19:28:36 +01:00 · 6b0c40ed3e
commit 6b0c40ed3e
parent 50ee12c6e3
2 changed files with 10 additions and 5 deletions
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@ -289,12 +289,12 @@ class CsIP:
            self.fw.append(["mangle", "",
                            "-A VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
            self.fw.append(["mangle", "",
-                            "-A VPN_%s RETURN" % self.address['public_ip']])
+                            "-A VPN_%s -j RETURN" % self.address['public_ip']])
            self.fw.append(["mangle", "front",
-                            "-A POSTROUTING",
+                            "-A POSTROUTING " +
                            "-p udp -m udp --dport 68 -j CHECKSUM --checksum-fill"])
            self.fw.append(["nat", "",
-                            "-A POSTROUTING -o eth2 -j SNAT --to-source 10.0.2.102" % self.address['public_ip']])
+                            "-A POSTROUTING -o eth2 -j SNAT --to-source %s" % self.address['public_ip']])

        self.fw.append(["filter", "", "-A INPUT -d 224.0.0.18/32 -j ACCEPT"])
        self.fw.append(["filter", "", "-A INPUT -d 225.0.0.50/32 -j ACCEPT"])
@ -332,8 +332,7 @@ class CsIP:
        self.fw_router()
        self.fw_vpcrouter()
        # On deletion nw_type will no longer be known
-        if (self.get_type() in ["guest"] and self.config.is_vpc()) or \
-           (self.get_type() in ['public'] and not self.config.is_vpc()):
+        if self.get_type() in ["guest"] and self.config.is_vpc():
            devChain = self.config.get_ingress_chain(self.dev, self.address['public_ip'])
            CsDevice(self.dev, self.config).configure_rp()

--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@ -122,11 +122,17 @@ class CsNetfilters(object):
            # Ensure all inbound chains have a default drop rule
            if c.startswith("ACL_INBOUND"):
                list.append(["filter", "", "-A %s -j DROP" % c])
+        # PASS 1:  Ensure all chains are present
        for fw in list:
            new_rule = CsNetfilter()
            new_rule.parse(fw[2])
            new_rule.set_table(fw[0])
            self.add_chain(new_rule)
+        # PASS 2: Create rules
+        for fw in list:
+            new_rule = CsNetfilter()
+            new_rule.parse(fw[2])
+            new_rule.set_table(fw[0])
            if self.has_rule(new_rule):
                logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table())
            else: