From 90c960eeed9f7067961cd581064f7ca12459ad78 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Tue, 4 Feb 2025 16:00:58 +0100
Subject: [PATCH] VPC VR: fix ACL between tier and private gateway (#10268)
---
 systemvm/debian/opt/cloud/bin/cs/CsAddress.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
index 3cb782daf7a..3d6d1f6f722 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -542,8 +542,10 @@ class CsIP:
                                 (self.dev, guestNetworkCidr, self.address['gateway'], self.dev)])
         if self.is_private_gateway():
-            self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+            self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                             (self.address['network'], self.dev, self.dev)])
+            self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
+                            (self.address['network'], self.dev)])
             self.fw.append(["filter", "", "-A ACL_INBOUND_%s -j DROP" % self.dev])
             self.fw.append(["mangle", "", "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %