need to insert iptable rules into FORWARD chain instead of append, as on rhel6, there is a reject rule added at the end of FORWARD

2011-05-13 16:07:00 -04:00 · 2011-05-13 16:07:00 -04:00 · 1c24605d29
parent 63424e16b2
commit 1c24605d29
1 changed files with 4 additions and 4 deletions
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@ -531,15 +531,15 @@ def addFWFramework(brname):
    try:
        refs = execute("iptables -n -L  " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
        if refs == "0":
-            execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
-            execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+            execute("iptables -I FORWARD -i " + brname + " -j DROP")
+            execute("iptables -I FORWARD -o " + brname + " -j DROP")
+            execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+            execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
            phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
            execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
            execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
-            execute("iptables -A FORWARD -i " + brname + " -j DROP")
-            execute("iptables -A FORWARD -o " + brname + " -j DROP")
    
        return True
    except: