VPC : loadbalance go through inbound chain

core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java

@@ -1584,7 +1584,8 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
         String[] statRules = rules[LoadBalancerConfigurator.STATS];
 
         String args = "vpc_loadbalancer.sh " + routerIp;
-
+        String ip = cmd.getNic().getIp();
+        args += " -i " + ip;
         StringBuilder sb = new StringBuilder();
         if (addRules.length > 0) {
             for (int i = 0; i < addRules.length; i++) {

patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh

@@ -31,17 +31,25 @@ usage() {
 }
 
 
-destroy_acl_outbound_chain() {
+destroy_acl_chain() {
   sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
   sudo iptables -t mangle -D PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
   sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
+  sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev  2>/dev/null
+  sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
+
 }
 
-create_acl_outbound_chain() {
-  destroy_acl_outbound_chain
+create_acl_chain() {
+  destroy_acl_chain
   sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
   sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
   sudo iptables -t mangle -A PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev  2>/dev/null
+  sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
+  # drop if no rules match (this will be the last rule in the chain)
+  sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -A FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev  2>/dev/null
 }
 
 
@@ -133,7 +141,7 @@ create_guest_network() {
   sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   # set up hairpin
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
-  create_acl_outbound_chain
+  create_acl_chain
   setup_usage
   setup_dnsmasq
   setup_apache2

patches/systemvm/debian/config/opt/cloud/bin/vpc_loadbalancer.sh

@@ -15,6 +15,7 @@
 # @VERSION@
 
 source /root/func.sh
+source /opt/cloud/bin/vpc_func.sh
 
 lock="biglock"
 locked=$(getLockFile $lock)
@@ -90,7 +91,7 @@ fw_entry() {
     do
       local pubIp=$(echo $i | cut -d: -f1)
       local dport=$(echo $i | cut -d: -f2)    
-      sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACCEPT 2>/dev/null
+      sudo iptables -A load_balancer -p tcp -d $pubIp --dport $dport -j ACL_INBOUND_$dev 2>/dev/null
       success=$?
       if [ $success -gt 0 ]
       then
@@ -135,18 +136,16 @@ restore_lb() {
   fi
 }
 
-mflag=
 iflag=
 aflag=
 dflag=
-fflag=
 sflag=
 
 while getopts 'i:a:d:s:' OPTION
 do
   case $OPTION in
   i)	iflag=1
-		domRIp="$OPTARG"
+		ip="$OPTARG"
 		;;
   a)	aflag=1
 		addedIps="$OPTARG"
@@ -163,6 +162,9 @@ do
   esac
 done
 
+
+dev=$(getEthByIp $ip)
+
 if [ "$addedIps" == "" ]
 then
   addedIps="none"
@@ -184,14 +186,12 @@ fi
 
 # iptables entry to ensure that haproxy receives traffic
 fw_entry $addedIps $removedIps $statsIp
-  	
-if [ $? -gt 0 ]
+result=$?  	
+if [ $result -gt 0 ]
 then
   logger -t cloud "Failed to apply firewall rules for load balancing, reverting HA Proxy config"
   # Restore the LB
   restore_lb
 fi
  
-unlock_exit 0 $lock $locked
-  	
-
+unlock_exit $result $lock $locked