From 583c8ad979681365b7c3bf79de95d85f9326346a Mon Sep 17 00:00:00 2001
From: anthony
Date: Fri, 22 Jun 2012 18:01:22 -0700
Subject: [PATCH] VPC : acl works
---
 .../debian/config/etc/iptables/iptables-vpcrouter | 1 +
 patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-vpcrouter b/patches/systemvm/debian/config/etc/iptables/iptables-vpcrouter
index c1d0c158cc2..262aa5f9f19 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-vpcrouter
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-vpcrouter
@@ -21,5 +21,6 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
 COMMIT
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index e48c2329fdb..7ef648d5232 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -69,7 +69,7 @@ acl_chain_for_guest_network () {
 # outbound
 sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
 sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
- sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
+ sudo iptables -A FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null
 }
@@ -84,9 +84,9 @@ acl_entry_for_guest_network() {
 local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
 if [ "$sport" == "0" -a "$eport" == "0" ]
 then
- DPORT = ""
+ DPORT=""
 else
- DPORT = "--dport $sport:$eport"
+ DPORT="--dport $sport:$eport"
 fi
 logger -t cloud "$(basename $0): enter apply acl rules for guest network: $gcidr, inbound:$inbound:$prot:$sport:$eport:$cidrs"
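Review bot: The new `-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` is placed in a table that also carries CONNMARK and CHECKSUM rules, which are only valid in the mangle table, and an ACCEPT verdict in mangle FORWARD merely ends traversal of that chain — it does not make the filter table forward the packet. If the goal is to let return traffic of a flow past the ACL_* chains that vpc_acl.sh hangs off FORWARD, the rule has to live in the `*filter` section's FORWARD chain ahead of those jumps; the start of this table, including whether a `:FORWARD` policy line is declared, is outside the hunk, so the table identity is inferred from the visible targets. As written the line is harmless but very likely a no-op for filtering.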
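Review bot: Switching the FORWARD jump from `-D` to `-A` means every call of acl_chain_for_guest_network appends another `-j ACL_OUTBOUND_$ip` rule to FORWARD, so repeated runs — which the `-N ... 2>/dev/null` on the chain-creation line already anticipates — accumulate duplicate jumps, and an appended jump lands after any rule already at the end of FORWARD. The usual idiom is to delete the possibly-existing rule and then append: keep `sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null` and follow it with the new `-A` line (the DROP appended to ACL_OUTBOUND_$ip just above has the same duplication). The `2>/dev/null` on the new `-A` line also hides a genuine failure to install the jump; unlike `-N` and `-D`, an `-A` is not expected to fail, so its stderr is worth keeping. `$dev`, `$gcidr` and `$ip` are unquoted on the changed line. The body of acl_chain_for_guest_network begins before this hunk.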
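Review bot: `DPORT` is now assigned correctly, but unlike `cidrs` two lines above it is not declared `local`, so it becomes a global that survives between calls of acl_entry_for_guest_network, and it only works because it is expanded unquoted at the use sites (`$DPORT -j ACCEPT` in the later hunk), which word-splits the value into two arguments. An array states that intent without relying on unquoted expansion: `local DPORT=()` in the then-branch, `DPORT=(--dport "$sport:$eport")` in the else-branch, and `"${DPORT[@]}"` where it is used. The `[ "$sport" == "0" -a "$eport" == "0" ]` test also uses the deprecated `-a`; `[ "$sport" = 0 ] && [ "$eport" = 0 ]` is the unambiguous form. acl_entry_for_guest_network starts before this hunk and continues after it.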
@@ -115,7 +115,7 @@ acl_entry_for_guest_network() {
 $DPORT -j ACCEPT
 else
 sudo iptables -I ACL_OUTBOUND_$ip -p $prot -d $lcidr \
- $DPORT -j ACCEP
+ $DPORT -j ACCEPT
 fi
 fi
 result=$?
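Review bot: The corrected `ACCEPT` target repairs the outbound rule, but a failure of the `sudo iptables -I ...` call is still only retained in `result=$?` on the last line, so a typo like the one fixed here shows up as nothing but a non-zero status while iptables' own diagnostic is lost. If the code after the hunk does not already log it, a line such as `[ "$result" -ne 0 ] && logger -t cloud "$(basename $0): iptables -I ACL_OUTBOUND_$ip failed ($result)"` directly after the assignment would make such failures visible in the same log the function already writes to. `$prot` and `$lcidr` on the changed line are unquoted; `$DPORT` has to stay unquoted as long as it is a plain string rather than an array. acl_entry_for_guest_network starts and ends outside this hunk.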