From c61ea9f96d23ca885138ad5ccea09af62489b373 Mon Sep 17 00:00:00 2001
From: Wei Zhou <weizhou@apache.org>
Date: Wed, 6 Apr 2022 05:16:47 +0200
Subject: [PATCH] VR: Do not add iptables rules for the revoked ip addresses
 (#6189)

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 0bc5d44ac53..afc1107a618 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -498,7 +498,7 @@ class CsIP:
                     if not inf.startswith("eth"):
                         continue
                     for address in addresses:
-                        if "nw_type" in address and address["nw_type"] == "guest":
+                        if "nw_type" in address and address["nw_type"] == "guest" and address["add"]:
                             self.fw.append(["filter", "front", "-A FORWARD -s %s -d %s -j ACL_INBOUND_%s" %
                                             (address["network"], self.address["network"], self.dev)])
                             self.fw.append(["filter", "front", "-A FORWARD -s %s -d %s -j ACL_INBOUND_%s" %