From 8ea75f1a85b53908f97a6397637ecb346b821387 Mon Sep 17 00:00:00 2001
From: Wido den Hollander
Date: Thu, 20 Oct 2016 10:14:36 +0200
Subject: [PATCH] CLOUDSTACK-9552: Allow egress TCP/53 implicitly in Basic Networking

Allow DNS queries over TCP when egress filtering is configured. When using DNSSEC more and more queries are done over TCP and this requires 53/TCP to be allowed.

Signed-off-by: Wido den Hollander
---
 scripts/vm/network/security_group.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index e459a297406..8283256db6b 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -493,6 +493,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
 if vm_ip is not None:
 execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
 execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
+execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p tcp --dport 53 -j RETURN ")
 execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
 execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
 execute("iptables -A " + vmchain + " -j DROP")
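Review bot: The added TCP/53 RETURN is inserted before the jump to vmchain_egress, so, like the UDP/53 line above it, it exempts TCP connections to port 53 on any destination from the VM's egress security-group rules; a TCP session to port 53 is a general-purpose connection rather than a bounded query, so this widening deserves either a destination restriction or at least an explicit comment in the code. If the resolver address is available to this function (it is not among the parameters shown in the hunk header), narrow the rule with `-d <resolver_ip>` ahead of `-p tcp --dport 53`; otherwise record the decision in place, e.g. `# Implicitly allow DNS over TCP too: DNSSEC-sized responses fall back to TCP (CLOUDSTACK-9552)`, since the rationale currently lives only in the commit message. The new line also inherits the surrounding pattern of assembling the iptables command by string concatenation of vif and vmipsetName for execute(); that predates this commit, but each added rule extends it. default_network_rules continues outside the hunk, so any cleanup would have to cover the rest of the body as well.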