From 29c510de289bfb0118d0c73fa3158e646e7bd3ae Mon Sep 17 00:00:00 2001
From: Edison Su
Date: Fri, 13 May 2011 16:05:07 -0400
Subject: [PATCH] need to insert iptable rules into FORWARD chain instead of append, as on rhel6, there is a reject rule added at the end of FORWARD
---
 python/lib/cloudutils/serviceConfig.py | 3 ++-
 scripts/vm/network/security_group.py | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/python/lib/cloudutils/serviceConfig.py b/python/lib/cloudutils/serviceConfig.py
index 418e54c65b3..73f19a90d7a 100644
--- a/python/lib/cloudutils/serviceConfig.py
+++ b/python/lib/cloudutils/serviceConfig.py
@@ -73,7 +73,8 @@ class networkConfigBase:
 preCfged = False
 for br in self.syscfg.env.nics:
 if not self.netcfg.isNetworkDev(br):
- raise CloudInternalException("%s is not a network device, is it down?"%br)
+ logging.debug("%s is not a network device, is it down?"%br)
+ return False
 if not self.netcfg.isBridge(br):
 raise CloudInternalException("%s is not a bridge"%br)
 preCfged = True
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 97664fd33aa..7ba9c937f8d 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
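Review bot: The new `logging.debug(...)` line in the serviceConfig.py hunk assumes `logging` is already imported in that module; the hunk does not show the import, so confirm it is in scope, otherwise the branch that used to raise CloudInternalException now raises NameError instead of returning False. Downgrading a previously fatal condition to debug level also makes a misconfigured or down bridge nearly invisible in normal logs — `logging.warning("%s is not a network device, is it down?"%br)` would be more appropriate for the same message. The added `return False` leaves the loop on the first NIC that fails isNetworkDev, so remaining NICs are not validated and the bridge check below it is skipped for that path; callers must treat False as "not preconfigured" rather than as "all NICs checked". The enclosing method of networkConfigBase starts before the hunk and continues after it.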
@@ -591,15 +591,16 @@ def addFWFramework(brname):
 try:
 refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
 if refs == "0":
- execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
- execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -i " + brname + " -j DROP")
+ execute("iptables -I FORWARD -o " + brname + " -j DROP")
+ execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
+ execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
 phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
 execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
 execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
- execute("iptables -A FORWARD -i " + brname + " -j DROP")
- execute("iptables -A FORWARD -o " + brname + " -j DROP")
+ return True
 except: