Fix private gateway acl on static routes (#10262)

Vishesh 2025-02-10 23:20:30 +05:30 committed by GitHub
parent aa6c581e40
commit ae1d7cc860


@ -24,6 +24,7 @@ from CsDatabag import CsDataBag
from CsApp import CsApache, CsDnsmasq, CsPasswdSvc from CsApp import CsApache, CsDnsmasq, CsPasswdSvc
from CsRoute import CsRoute from CsRoute import CsRoute
from CsRule import CsRule from CsRule import CsRule
from CsStaticRoutes import CsStaticRoutes
VRRP_TYPES = ['guest'] VRRP_TYPES = ['guest']
@ -553,6 +554,23 @@ class CsIP:
self.fw.append(["mangle", "front", self.fw.append(["mangle", "front",
"-A PREROUTING -s %s -d %s -m state --state NEW -j MARK --set-xmark %s/0xffffffff" % "-A PREROUTING -s %s -d %s -m state --state NEW -j MARK --set-xmark %s/0xffffffff" %
(self.cl.get_vpccidr(), self.address['network'], hex(100 + int(self.dev[3:])))]) (self.cl.get_vpccidr(), self.address['network'], hex(100 + int(self.dev[3:])))])
static_routes = CsStaticRoutes("staticroutes", self.config)
if static_routes:
for item in static_routes.get_bag():
if item == "id":
continue
static_route = static_routes.get_bag()[item]
if static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
self.fw.append(["mangle", "",
"-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
(self.dev, static_route['network'], static_route['ip_address'], self.dev)])
self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
(static_route['network'], self.dev, self.dev)])
self.fw.append(["filter", "front",
"-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
(static_route['network'], self.dev)])
if self.address["source_nat"]: if self.address["source_nat"]:
self.fw.append(["nat", "front", self.fw.append(["nat", "front",
"-A POSTROUTING -o %s -j SNAT --to-source %s" % "-A POSTROUTING -o %s -j SNAT --to-source %s" %