From 4a0e645e28d3a0c1fb563ce9c0070225cd9be4c9 Mon Sep 17 00:00:00 2001
From: Anthony Xu <anthony@cloud.com>
Date: Fri, 7 Sep 2012 17:10:54 -0700
Subject: [PATCH]   CS-16254:          passwd_server listen on every interface,
 but only guest interface is enabled for that port

---
 patches/systemvm/debian/config/opt/cloud/bin/passwd_server  | 3 +--
 patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/patches/systemvm/debian/config/opt/cloud/bin/passwd_server b/patches/systemvm/debian/config/opt/cloud/bin/passwd_server
index 596715e0bd0..7e93b679c6e 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/passwd_server
+++ b/patches/systemvm/debian/config/opt/cloud/bin/passwd_server
@@ -1,11 +1,10 @@
 #!/bin/bash
 
 . /etc/default/cloud-passwd-srvr
-guestIp=$(ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
 
 while [ "$ENABLED" == "1" ]
 do
-	socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=$guestIp SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
+	socat -lf /var/log/cloud.log TCP4-LISTEN:8080,reuseaddr,crnl,bind=0.0.0.0 SYSTEM:"/opt/cloud/bin/serve_password.sh \"\$SOCAT_PEERADDR\""
 
 	rc=$?
 	if [ $rc -ne 0 ]
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index cb98fd419d0..ee9960c6253 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -124,6 +124,10 @@ create_guest_network() {
   sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
   sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
   sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
   # restore mark from  connection mark
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
@@ -141,6 +145,8 @@ destroy_guest_network() {
   sudo ip addr del dev $dev $ip/$mask
   sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
   sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
   sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   destroy_acl_chain