From 1d52b3af891468fe3de852fb9766b82c684e334d Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Fri, 22 Jul 2016 01:24:32 +0530
Subject: [PATCH] CLOUDSTACK-9437: Create egress chain on upgrade and cleanup for allow all traffic
- Ensure that FW_EGRESS_RULE chain exists after upgrading the router
- Flush allow all egress rule on 0.0.0.0/0, if such a rule exists in the config it will be added later (CLOUDSTACK-9437)
Signed-off-by: Rohit Yadav
---
 .../patches/debian/config/opt/cloud/bin/configure.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index deb4a74e042..4eed8ecd92b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -283,6 +283,14 @@ class CsAcl(CsDataBag):
 rstr = rstr.replace(" ", " ").lstrip()
 self.fw.append([self.table, self.count, rstr])
+
+ def flushAllowAllEgressRules(self):
+ logging.debug("Flush allow 'all' egress firewall rule")
+ # Ensure that FW_EGRESS_RULES chain exists
+ CsHelper.execute("iptables-save | grep '^:FW_EGRESS_RULES' || iptables -t filter -N FW_EGRESS_RULES")
+ CsHelper.execute("iptables-save | grep '^-A FW_EGRESS_RULES -j ACCEPT$' | sed 's/^-A/iptables -t filter -D/g' | bash")
+
+
 def process(self):
 for item in self.dbag:
 if item == "id":
@@ -921,6 +929,7 @@ def main(argv):
 logging.debug("Configuring firewall rules")
 acls = CsAcl('firewallrules', config)
+ acls.flushAllowAllEgressRules()
 acls.process()
 logging.debug("Configuring PF rules")
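Review bot: The chain-existence check in flushAllowAllEgressRules greps the whole iptables-save dump, so a chain of that name in any table satisfies it while the filter-table chain can still be missing, and `'^:FW_EGRESS_RULES'` is only a prefix match, so any chain whose name merely starts with FW_EGRESS_RULES also satisfies it. Restricting the dump to the filter table and anchoring on the trailing space that iptables-save prints after the chain name closes both gaps: `CsHelper.execute("iptables-save -t filter | grep -q '^:FW_EGRESS_RULES ' || iptables -t filter -N FW_EGRESS_RULES")`. The method has no docstring; a one-liner such as `"""Create the FW_EGRESS_RULES filter chain if missing, then delete every bare '-j ACCEPT' rule from it."""` would state the contract, and the debug message should say "rules" since every matching rule is deleted, not one. The rest of the CsAcl class is outside the hunk.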
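Review bot: `acls.flushAllowAllEgressRules()` runs on every configure pass before `acls.process()`, so an accept-all egress rule that the data bag still specifies is deleted and then re-added; in between, egress traffic presumably falls through to whatever the chain's remaining rules or the calling chain's policy do, which may briefly differ from the configured behaviour, so confirm that window is acceptable or at least log it at the call site. If CsHelper.execute propagates a failure of the shell pipeline (not visible here), the call would abort before process() applies any firewall rule, so making the flush best-effort at this call site is worth considering. main() begins and ends outside the hunk.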