From 47454eca7dc79fb197dc5c2bb230d0ca14a58934 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 6 Apr 2022 05:16:12 +0200
Subject: [PATCH 1/2] VR: add '-m ' for tcp or udp protocol (#6188)

---
 systemvm/debian/opt/cloud/bin/configure.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py
index 53e9452d0b9..940a3b2e74d 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -162,6 +162,7 @@ class CsAcl(CsDataBag):
 " -A FIREWALL_%s" % self.ip +
 " -s %s " % cidr +
 " -p %s " % rule['protocol'] +
+ " -m %s " % rule['protocol'] +
 " %s -j %s" % (rnge, self.rule['action'])])
 sflag = False

From c61ea9f96d23ca885138ad5ccea09af62489b373 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 6 Apr 2022 05:16:47 +0200
Subject: [PATCH 2/2] VR: Do not add iptables rules for the revoked ip addresses (#6189)

---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 0bc5d44ac53..afc1107a618 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -498,7 +498,7 @@ class CsIP:
 if not inf.startswith("eth"):
 continue
 for address in addresses:
- if "nw_type" in address and address["nw_type"] == "guest":
+ if "nw_type" in address and address["nw_type"] == "guest" and address["add"]:
 self.fw.append(["filter", "front", "-A FORWARD -s %s -d %s -j ACL_INBOUND_%s" %
 (address["network"], self.address["network"], self.dev)])
 self.fw.append(["filter", "front", "-A FORWARD -s %s -d %s -j ACL_INBOUND_%s" %
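Review bot: The added `-m %s` line hard-codes the assumption that `rule['protocol']` is `tcp` or `udp`; iptables has no match module named `all`, so any other value now makes the whole rule fail to load rather than being silently widened, and the `if` that selects this branch starts outside the hunk, so whether it already restricts the protocol cannot be confirmed from here. Since the same unvalidated value is now interpolated twice into an iptables argument string, an explicit guard at the top of that branch, `if rule['protocol'] not in ('tcp', 'udp'): raise ValueError("unsupported protocol %s" % rule['protocol'])`, would make the contract visible and fail closed. A short why-comment on the new line would also spare the next reader the question, e.g. `# explicit -m <proto> so the rule text matches what iptables-save prints`; that motivation is inferred from the commit title, so confirm it before wording the comment. The enclosing method's body continues outside the hunk.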
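Review bot: `address["add"]` is indexed directly while `nw_type` two tokens earlier in the same condition is guarded with `in`, so an address entry without an `add` key now raises KeyError and aborts the whole firewall pass instead of skipping that entry; `address.get("add")` keeps the guard style consistent and, for a missing key, skips rather than installs the FORWARD jump, which is the safer default for an ACL hook. Whether the databag always carries `add` is not visible here. Note that the new condition only stops re-adding the two FORWARD→ACL_INBOUND rules for a revoked address; it relies on the rule reconciliation elsewhere to actually remove the jumps that were installed earlier, which is worth confirming since a stale jump keeps routing traffic into the old network's ACL chain. The enclosing method starts and ends outside the hunk.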