Merge pull request #1609 from pdube/network-acl-add-order

[CLOUDSTACK-9430] Added fix for adding/editing Network ACL rule orderingBUG: https://issues.apache.org/jira/browse/CLOUDSTACK-9430 The issue occurred because all of the ACL rules get inserted before the old ones. Then, the cleanup deletes the duplicate rows, and leaves any new rule in front of the old ones. Here is an example with a simplified iptables view for ACL Ex: adding a rule 4 before add: 1,2,3 during add: 1',2',3',4',1,2,3 after add: 4',1,2,3 After fix: before add: 1,2,3 during add: 1,2,3,1',2',3',4' after add: 1',2',3',4' * pr/1609: Added fix for adding/editing Network ACL rule ordering Signed-off-by: Will Stevens <williamstevens@gmail.com>
2025-10-26 08:42:29 +01:00 · 2016-07-18 14:11:13 -04:00 · 2016-07-18 14:11:13 -04:00 · a566cde145
commit a566cde145
parent bb9d94bc64 6dd6ef0c9a
1 changed files with 9 additions and 2 deletions
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@ -151,6 +151,8 @@ class CsNetfilters(object):
            if isinstance(fw[1], int):
                new_rule.set_count(fw[1])

+            rule_chain = new_rule.get_chain()
+
            logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s", new_rule.get_rule(), new_rule.get_table(), new_rule.get_chain())
            if self.has_rule(new_rule):
                logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
@ -162,9 +164,14 @@ class CsNetfilters(object):
                if fw[1] == "front":
                    cpy = cpy.replace('-A', '-I')
                if isinstance(fw[1], int):
+                    # if the rule is for ACLs, we want to insert them in order, right before the DROP all
+                    if rule_chain.startswith("ACL_INBOUND") or rule_chain.startswith("ACL_OUTBOUND"):
+                        rule_count = self.chain.get_count(rule_chain)
+                        cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), rule_count))
+                    else:
                        cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
-
                CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
+                self.chain.add_rule(rule_chain)
        self.del_standard()
        self.get_unseen()