From 41f569e8a853cb4503646d06cadc4c9c1aea82b2 Mon Sep 17 00:00:00 2001 From: Richard Lawley Date: Tue, 4 Jun 2019 21:51:03 +0100 Subject: [PATCH] router: Fix rule duplication with non-VPC static NAT rules (#3366) The VR code has provision for inserting rules at the top or bottom by specifying "front" as the second parameter to self.fw.append. However, there are a number of cases where someone has been unaware of this and added a rule with the pattern self.fw.append(["mangle", "", "-I PREROUTING".... This causes the code to check for the rule already being present to fail, and duplicate rules end up being added. This PR fixes two of these cases which apply to adding static NAT rules. I am aware of more of these cases, but I don't have the ability to easily test the outcome of fixing them. I'm happy to add these in if you're confident that the automated tests will be sufficient. Searching for "-I (case sensitive) finds these. The code for dealing with "front" is included below to show that this shouldn't have any ill effects: if fw[1] == "front": cpy = cpy.replace('-A', '-I') Fixes #3177 --- systemvm/debian/opt/cloud/bin/configure.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/systemvm/debian/opt/cloud/bin/configure.py b/systemvm/debian/opt/cloud/bin/configure.py index 4df99111bfd..a7f297edbb2 100755 --- a/systemvm/debian/opt/cloud/bin/configure.py +++ b/systemvm/debian/opt/cloud/bin/configure.py @@ -922,11 +922,11 @@ class CsForwardingRules(CsDataBag): if device is None: raise Exception("Ip address %s has no device in the ips databag" % rule["public_ip"]) - self.fw.append(["mangle", "", - "-I PREROUTING -s %s/32 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" % + self.fw.append(["mangle", "front", + "-A PREROUTING -s %s/32 -m state --state NEW -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" % rule["internal_ip"]]) - self.fw.append(["mangle", "", - "-I PREROUTING -s %s/32 -m state --state NEW -j MARK --set-xmark %s/0xffffffff" % + self.fw.append(["mangle", "front", + "-A PREROUTING -s %s/32 -m state --state NEW -j MARK --set-xmark %s/0xffffffff" % (rule["internal_ip"], hex(100 + int(device[len("eth"):])))]) self.fw.append(["nat", "front", "-A PREROUTING -d %s/32 -j DNAT --to-destination %s" % (rule["public_ip"], rule["internal_ip"])])