From aa8a721c393347b2624184d6ed04e1ede7ed38a6 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Fri, 7 Apr 2017 17:14:18 +0530
Subject: [PATCH] CLOUDSTACK-9838: Allow ingress traffic between guest VMs via snat IPs
This enables the firewall/mangle tables rules to ACCEPT instead of RETURN, which is the same behaviour as observed in ACS 4.5. By accepting the traffic, guest VMs will be able to communicate tcp traffic between each other over snat public IPs.
Signed-off-by: Rohit Yadav
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py | 2 +-
 systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index bdcfec9ade8..82244e43c6b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -140,7 +140,7 @@ class CsAcl(CsDataBag):
 " -s %s " % cidr +
 " -p %s " % rule['protocol'] +
 " -m %s " % rule['protocol'] +
- " %s -j RETURN" % rnge])
+ " %s -j %s" % (rnge, self.rule['action'])])
 logging.debug("Current ACL IP direction is ==> %s", self.direction)
 if self.direction == 'egress':
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index a16fd071613..4eac3483a97 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
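Review bot: The jump target on the added line now comes straight from `self.rule['action']` and is interpolated into the iptables rule string with no check, so any value other than an expected target would yield a malformed rule or a jump to an unintended chain once the string reaches iptables. If the data bag value is not already constrained where it is produced, guard it before building the rule, e.g. `if self.rule['action'] not in ('ACCEPT', 'DROP', 'RETURN'): raise ValueError("unexpected ACL action %s" % self.rule['action'])`. The three context lines read the local `rule['protocol']` while the new line reads `self.rule['action']`; if these are the same object, one spelling should be used. Also, ACCEPT in a filter chain ends traversal for the packet instead of returning to the calling chain, so any check that previously ran after the RETURN no longer sees these flows — intended per the message, but worth a one-line comment above the append. The enclosing method starts and ends outside the hunk.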
@@ -380,7 +380,7 @@ class CsIP:
 self.fw.append(["mangle", "",
 "-A FIREWALL_%s DROP" % self.address['public_ip']])
 self.fw.append(["mangle", "",
- "-A VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
+ "-I VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
 self.fw.append(["mangle", "",
 "-A VPN_%s -j RETURN" % self.address['public_ip']])
 self.fw.append(["nat", "",
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
index 927c2ae0d74..56096c86466 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
@@ -63,7 +63,7 @@ class CsRoute:
 table = self.get_tablename(dev)
 logging.info("Adding route: dev " + dev + " table: " + table + " network: " + address + " if not present")
- cmd = "dev %s table %s %s" % (dev, table, address)
+ cmd = "dev %s table %s throw %s proto static" % (dev, table, address)
 self.set_route(cmd)
 def set_route(self, cmd, method="add"):
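Review bot: Switching the stateful ACCEPT rule from `-A` to `-I` moves it to the head of the `VPN_<public_ip>` mangle chain instead of the tail, but neither the commit message nor the code says why the position matters, and whether the duplicate-rule handling that consumes these entries treats an `-I` rule the same as an `-A` one is not visible in this hunk. Add a why-comment above the new line, e.g. `# -I: RELATED,ESTABLISHED must be accepted ahead of any rule later inserted into the VPN_ chain`, and confirm the de-duplication path recognises the `-I` form so the rule is not re-inserted on every configure run. The enclosing method starts and ends outside the hunk.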
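Review bot: The new command turns this from an ordinary network route into a `throw` route with `proto static`, which changes routing behaviour (as documented for ip-route, a lookup that selects a throw entry fails in this table and policy routing continues with the next rule), yet the log line above still says "Adding route ... if not present" and nothing explains the switch. Update the log to name what is installed, e.g. `logging.info("Adding throw route: dev " + dev + " table: " + table + " network: " + address + " if not present")`, and put a why-comment on the `cmd` line stating what the throw entry is for. `dev`, `table` and `address` are still interpolated unchecked into a string that `set_route` executes; if that path goes through a shell, validating `address` as a network prefix before formatting would be cheap insurance. The method containing `cmd` begins outside the hunk, and `set_route` on the hunk's last line continues past it.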