From 87a7fd1a26a9a04b44a4c5dbce774908367aeeb1 Mon Sep 17 00:00:00 2001
From: anthony
Date: Mon, 9 Jul 2012 11:48:28 -0700
Subject: [PATCH] VPC : CS-15501, outbound only work on new connection
---
 patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh | 6 +++---
 patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index 7fde493a0fb..e6676a1bb8e 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -34,7 +34,7 @@ acl_remove_backup() {
 sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
 sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
 }
@@ -43,7 +43,7 @@ acl_remove() {
 sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
 sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
 }
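Review bot: The rewritten `-D` on the + line of acl_remove_backup only removes a PREROUTING jump whose specification matches exactly, so a router that already has the old jump (without `-m state --state NEW`) installed keeps it after this script is deployed; the `-X _ACL_OUTBOUND_$dev` on the next line then fails because the chain is still referenced, and both failures are hidden by `2>/dev/null`. acl_remove in the next hunk and destroy_acl_chain in vpc_guestnw.sh have the same problem. If system VMs are upgraded in place rather than rebuilt (not visible from this diff), keep deleting the old specification for one release as well, e.g. `sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null` immediately before the new line, and consider logging a failed `-X` instead of discarding its stderr so a leftover jump is noticed.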
@@ -69,7 +69,7 @@ acl_chain_for_guest_network () {
 # outbound
 sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
- sudo iptables -t mangle -A PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 }
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index 7b7935b76a0..c09e2938f2b 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
@@ -33,7 +33,7 @@ usage() {
 destroy_acl_chain() {
 sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
- sudo iptables -t mangle -D PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -D PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
 sudo iptables -D FORWARD -o $dev -d $subnet/$mask -j ACL_INBOUND_$dev 2>/dev/null
@@ -45,7 +45,7 @@ create_acl_chain() {
 destroy_acl_chain
 sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
- sudo iptables -t mangle -A PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+ sudo iptables -t mangle -A PREROUTING -m state --state NEW -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 sudo iptables -N ACL_INBOUND_$dev 2>/dev/null
 # drop if no rules match (this will be the last rule in the chain)
 sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
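Review bot: With `-m state --state NEW` on the + line of acl_chain_for_guest_network, only packets that conntrack classifies as NEW reach ACL_OUTBOUND_$dev and its terminal DROP; packets conntrack marks INVALID (e.g. out-of-window TCP segments or packets it cannot associate with any flow) now bypass the chain entirely, whereas before every packet from $gcidr not addressed to $ip was evaluated. Unless a rule elsewhere on this path drops INVALID traffic (none is visible in this diff), consider `-m state --state NEW,INVALID` or an explicit INVALID drop ahead of this jump so the ACL stays fail-closed. The same applies to the new jump in create_acl_chain in vpc_guestnw.sh. On current kernels `-m conntrack --ctstate NEW` is the preferred spelling; `-m state` is the legacy alias of the same match. The start of acl_chain_for_guest_network lies outside this hunk.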
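Review bot: The new PREROUTING line in create_acl_chain keeps every expansion unquoted (`-i $dev -s $subnet/$mask ! -d $ip`), so an empty or whitespace-containing value silently changes the argument list iptables sees instead of producing a visible error; writing it as `-i "$dev" -s "$subnet/$mask" ! -d "$ip"` makes a bad value fail loudly. Since this line and the + lines of the other four hunks are being rewritten anyway, this is a cheap moment to quote them. Where $dev, $subnet, $mask and $ip are assigned is outside this hunk, and create_acl_chain continues past the hunk's last line.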