bug 10561: fix: last entry in the firewall rules unable to delete

api/src/com/cloud/agent/api/routing/SetFirewallRulesCommand.java

@@ -51,7 +51,19 @@ public class SetFirewallRulesCommand extends NetworkElementCommand {
 
 		
 		for (FirewallRuleTO fwTO: rules) {
-			if (fwTO.revoked() == true) continue;
+		/* example  :  172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:, 
+		 *  each entry format      <ip>:protocol:srcport:destport:scidr:
+		 *  reverted entry format  <ip>:reverted:0:0:0:
+		 */
+			if (fwTO.revoked() == true) 
+			{
+				StringBuilder sb = new StringBuilder();
+				/* This entry is added just to make sure atleast there will one entry in the list to get the ipaddress */
+				sb.append(fwTO.getSrcIp()).append(":reverted:0:0:0:"); 
+				String fwRuleEntry = sb.toString();
+				toAdd.add(fwRuleEntry);
+				continue;
+			}
 			
 			List<String> cidr;
 			StringBuilder sb = new StringBuilder();
@@ -64,6 +76,7 @@ public class SetFirewallRulesCommand extends NetworkElementCommand {
 				sb.append("0:0").append(":");
 			else
 			    sb.append(fwTO.getStringSrcPortRange()).append(":");
+			
 			cidr = fwTO.getSourceCidrList();
 			if (cidr == null || cidr.isEmpty())
 			{

patches/systemvm/debian/config/root/firewall_rule.sh

@@ -67,6 +67,10 @@ fw_entry_for_public_ip() {
   # note that rules are inserted after the RELATED,ESTABLISHED rule but before the DROP rule
   for src in $scidrs
   do
+    if [ "$prot" == "reverted" ]
+    then
+      continue;
+    fi
     if [ "$prot" == "icmp" ]
     then
     # TODO  icmp code need to be implemented
@@ -75,7 +79,12 @@ fw_entry_for_public_ip() {
       then
            sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot  -j RETURN
        else
-           sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot --icmp-type $sport  -j RETURN
+           if ["$eport" == "-1"]
+           then
+               sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot --icmp-type $sport  -j RETURN
+           else
+               sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot --icmp-type $sport/$eport  -j RETURN
+           fi
        fi
     else
        sudo iptables -t mangle -I FIREWALL_$pubIp 2 -s $src -p $prot --dport $sport:$eport -j RETURN
@@ -127,7 +136,9 @@ then
 fi
 
 #-a 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,172.16.92.44:tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
-
+#    if any entry is reverted , entry will be in the format <ip>:reverted:0:0:0
+# example : 172.16.92.44:tcp:80:80:0.0.0.0/0:,172.16.92.44:tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0 
+# The reverted entries will fix the following partially 
 #FIXME: rule leak: when there are multiple ip address, there will chance that entry will be left over if the ipadress  does not appear in the current execution when compare to old one 
 # example :  In the below first transaction have 2 ip's whereas in second transaction it having one ip, so after the second trasaction 200.1.2.3 ip will have rules in mangle table.
 #  1)  -a 172.16.92.44:tcp:80:80:0.0.0.0/0:,200.16.92.44:tcp:220:220:0.0.0.0/0:,

scripts/network/domr/call_firewall.sh

@@ -29,7 +29,7 @@ usage() {
   printf "Usage for other purposes : %s: <domR eth1 ip> (-A|-D) -i <domR eth1 ip>  -r <target-instance-ip> -P protocol (-p port_range | -t icmp_type_code)  -l <public ip address> -d <target port> [-f <firewall ip> -u <firewall user> -y <firewall password> -z <firewall enable password> ] \n" $(basename $0) >&2
 }
 
- set -x
+# set -x
 
 # check if gateway domain is up and running
 check_gw() {