From faccec41425f0ddbb465f3352016727d9b3617e1 Mon Sep 17 00:00:00 2001
From: Rakesh
Date: Fri, 28 Feb 2020 17:05:44 +0100
Subject: [PATCH 1/2] Allow port 80/8080 accessible only from guest network (#3907)
---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index ba9ee082740..0f1a807661f 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -412,9 +412,9 @@ class CsIP:
 self.fw.append(
 ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(
- ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+ ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(
- ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+ ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(
 ["filter", "", "-A FORWARD -i %s -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
 self.fw.append(
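Review bot: The two added `--dport 80` and `--dport 8080` rule strings differ only in the port, and the identical pair is added again in the `@@ -464` hunk of this file, so the same ACCEPT rule text now lives in four places; a small CsIP helper that takes the port and returns `"-A INPUT -i %s -p tcp -m tcp --dport %s -s %s -m state --state NEW -j ACCEPT" % (self.dev, port, guestNetworkCidr)` would keep the source restriction from drifting between the two call sites. A one-line comment above the pair, e.g. `# 80/8080 are for guest VMs only: accept from the guest CIDR, not from any source on this interface`, would record why the `-s` match was added, since the commit title is the only place that says so now. `guestNetworkCidr` and the enclosing method both begin outside the hunk, so whether the CIDR can ever be empty here cannot be checked from the hunk; the same value already feeds the `--dport 53` rule in the context lines, so it is presumably always set.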
@@ -464,9 +464,9 @@ class CsIP:
 ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 53 -s %s -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(
- ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT" % self.dev])
+ ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 80 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(
- ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT" % self.dev])
+ ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 8080 -s %s -m state --state NEW -j ACCEPT" % (self.dev, guestNetworkCidr)])
 self.fw.append(["mangle", "", "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" % (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)])
From 3f8b2c369dc894696bb06768f6bd355b3a2e6eda Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Fri, 28 Feb 2020 17:15:51 +0100
Subject: [PATCH 2/2] =?UTF-8?q?vrouter:=20reload=20keepalived=20instead=20?= =?UTF-8?q?of=20restart=20and=20fix=20password=E2=80=A6=20(#3898)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 systemvm/debian/opt/cloud/bin/configure.py | 2 +-
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 5 +++++
 systemvm/debian/opt/cloud/bin/cs/CsRedundant.py | 12 +++++++++---
 3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index cadb7c54f05..2e2fbece5f1 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -61,7 +61,7 @@ class CsPassword(CsDataBag):
 server_ip = None
 guest_ip = None
 for interface in self.config.address().get_interfaces():
- if interface.ip_in_subnet(vm_ip):
+ if interface.ip_in_subnet(vm_ip) and interface.is_added():
 if self.config.cl.is_redundant():
 server_ip = interface.get_gateway()
 guest_ip = interface.get_ip()
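Review bot: The added `and interface.is_added()` in `CsPassword` now skips an interface whose subnet contains `vm_ip` but which is not yet added, so `server_ip` and `guest_ip` can remain `None` in a case that previously produced values; the rest of the loop body and whatever consumes those two values lie outside the hunk, so whether the `None` case is handled there cannot be confirmed here and deserves a look. A short comment on the changed line would state the new precondition, e.g. `# only interfaces already brought up on the router can serve the password`, if that is the intent. The enclosing method starts and ends outside this hunk.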
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 0f1a807661f..5b0c0577489 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -581,6 +581,11 @@ class CsIP:
 CsPasswdSvc(self.address['public_ip']).start()
 elif method == "delete":
 CsPasswdSvc(self.address['public_ip']).stop()
+ elif cmdline.is_master():
+ if method == "add":
+ CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).start()
+ elif method == "delete":
+ CsPasswdSvc(self.address['gateway'] + "," + self.address['public_ip']).stop()
 if self.get_type() == "public" and self.config.is_vpc() and method == "add":
 if self.address["source_nat"]:
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py b/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py
index 8f389611191..cefedbfe84f 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsRedundant.py
@@ -194,10 +194,15 @@ class CsRedundant(object):
 heartbeat_cron.commit()
 proc = CsProcess(['/usr/sbin/keepalived'])
- if not proc.find() or keepalived_conf.is_changed() or force_keepalived_restart:
+ if not proc.find():
+ force_keepalived_restart = True
+ if keepalived_conf.is_changed() or force_keepalived_restart:
 keepalived_conf.commit()
 os.chmod(self.KEEPALIVED_CONF, 0o644)
- CsHelper.service("keepalived", "restart")
+ if force_keepalived_restart or not self.cl.is_master():
+ CsHelper.service("keepalived", "restart")
+ else:
+ CsHelper.service("keepalived", "reload")
 def release_lock(self):
 try:
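Review bot: The new `elif cmdline.is_master():` branch builds `self.address['gateway'] + "," + self.address['public_ip']` twice; hoisting it once into the branch, `svc_addr = self.address['gateway'] + "," + self.address['public_ip']`, and then calling `CsPasswdSvc(svc_addr).start()` / `CsPasswdSvc(svc_addr).stop()` keeps the add and delete paths from diverging. The branch also assumes `'gateway'` is present in `self.address` for every interface that reaches it; if an interface without a gateway can get here the lookup raises `KeyError`, and the first condition of this `if`/`elif` chain sits above the hunk, so that cannot be verified from the hunk. `cmdline` is likewise bound outside the hunk (the context lines reference only `self.config`), so it is worth confirming it is in scope for this method.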
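Review bot: In the new restart/reload split, a backup node (`not self.cl.is_master()`) still gets a full `restart` whenever the config changed, so the `reload` path only ever runs on the master; if that asymmetry is deliberate, a comment saying so would stop the next reader from taking it for an oversight, e.g. `# reload on the master so the VIP stays up; a backup may simply restart`. `force_keepalived_restart` is rebound here but is defined above the hunk, presumably as a parameter of the enclosing method, which starts outside the hunk. Adjacent and unchanged: `os.chmod(self.KEEPALIVED_CONF, 0o644)` leaves the keepalived config world-readable; if that file carries a VRRP `auth_pass`, `0o600` would be the safer mode.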
@@ -339,7 +344,8 @@ class CsRedundant(object):
 interfaces = [interface for interface in self.address.get_interfaces() if interface.needs_vrrp()]
 for interface in interfaces:
- CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()
+ if interface.is_added():
+ CsPasswdSvc(interface.get_gateway() + "," + interface.get_ip()).restart()
 CsHelper.service("dnsmasq", "restart")
 self.cl.set_master_state(True)
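Review bot: The added `if interface.is_added():` guard duplicates a filter that the list comprehension two lines up already performs for `needs_vrrp()`; folding it in, `if interface.needs_vrrp() and interface.is_added()]`, keeps the interface selection in one place and mirrors the `is_added()` check this same commit adds to `CsPassword` in configure.py. A comment on why a VRRP interface that is not yet added has no password service to restart would help, if that is the reason for the guard. The enclosing method starts outside the hunk.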