Merge pull request #1713 from wido/CLOUDSTACK-9552

CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic NetworkingAllow DNS queries over TCP when egress filtering is configured.

When using DNSSEC more and more queries are done over TCP and this
requires 53/TCP to be allowed.

Signed-off-by: Wido den Hollander wido@widodh.nl

* pr/1713:
  CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

scripts/vm/network/security_group.py

@@ -493,6 +493,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
         if vm_ip is not None:
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
+            execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p tcp --dport 53  -j RETURN ")
             execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
         execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
         execute("iptables -A " + vmchain + " -j DROP")