CLOUDSTACK-9437: Create egress chain on upgrade and cleanup for allow all traffic

- Ensure that the FW_EGRESS_RULES chain exists after upgrading the router
- Flush the allow-all egress rule (0.0.0.0/0); if such a rule exists in the config
  it will be re-added later (CLOUDSTACK-9437)

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This commit is contained in:
Rohit Yadav 2016-07-22 01:24:32 +05:30
parent bc2e2cf427
commit 1d52b3af89
1 changed files with 9 additions and 0 deletions


@ -283,6 +283,14 @@ class CsAcl(CsDataBag):
rstr = rstr.replace(" ", " ").lstrip()
self.fw.append([self.table, self.count, rstr])
def flushAllowAllEgressRules(self):
logging.debug("Flush allow 'all' egress firewall rule")
# Ensure that FW_EGRESS_RULES chain exists
CsHelper.execute("iptables-save | grep '^:FW_EGRESS_RULES' || iptables -t filter -N FW_EGRESS_RULES")
CsHelper.execute("iptables-save | grep '^-A FW_EGRESS_RULES -j ACCEPT$' | sed 's/^-A/iptables -t filter -D/g' | bash")
def process(self):
for item in self.dbag:
if item == "id":
@ -921,6 +929,7 @@ def main(argv):
logging.debug("Configuring firewall rules")
acls = CsAcl('firewallrules', config)
acls.flushAllowAllEgressRules()
acls.process()
logging.debug("Configuring PF rules")
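Review bot: In the first hunk the removal of the unconditional ACCEPT in flushAllowAllEgressRules is best-effort and never verified: if `iptables-save` or any later stage of that pipeline fails, nothing is deleted, no error surfaces (no `pipefail`, and whether CsHelper.execute checks the exit status is not visible here), and main() goes on to `acls.process()` as if the allow-all rule were gone. The `| bash` step is only safe because the grep pattern pins the exact rule text; a plain retry loop drops the generated shell and also clears duplicate entries: `CsHelper.execute("while iptables -t filter -D FW_EGRESS_RULES -j ACCEPT 2>/dev/null; do :; done")`. The chain check has the same looseness — `grep '^:FW_EGRESS_RULES'` has no end anchor and `iptables-save` is not limited to the filter table, so a chain with that prefix, or one of that name in another table, would suppress `-N`; `iptables-save -t filter | grep '^:FW_EGRESS_RULES '` (trailing space) pins it. A follow-up read of `iptables-save -t filter` for the `-A FW_EGRESS_RULES -j ACCEPT` line, with a logged warning if it is still present, would make the "allow all removed" claim checkable rather than assumed. process() and main() both continue outside the shown hunks.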