From acd9a251d30a0c8bf607c4e4df99c3a06d9d716e Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Sat, 25 Apr 2015 01:00:16 +0200
Subject: [PATCH] CLOUDSTACK-4611: cleanup_rules using ebtables rules from /proc/modules The SG python script depends on ebtables-save which is not available on Debian based distros (Ubuntu and Debian for example). The commit uses /proc/modules to find available bridge tables (one of nat, filter or broute) and then find VMs that need to be removed. Further it uses set() to remove duplicate VMs so we don't try to remove a VM's rules more than once leading to unwanted errors in the log. Signed-off-by: Rohit Yadav (cherry picked from commit d66677101c7770b5c4b8c39064eba5ee94d124c6) Signed-off-by: Rohit Yadav
---
 scripts/vm/network/security_group.py | 31 ++++++++++++++--------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index e11ce1c67fd..90b60c7be05 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -700,22 +700,23 @@ def cleanup_rules():
 logging.debug("vm " + vm_name + " is not running or paused, cleaning up iptable rules")
 cleanup.append(vm_name)
- chainscmd = """ebtables-save | awk '/:i/ { gsub(/(^:|-(in|out|ips))/, "") ; print $1}'"""
- chains = execute(chainscmd).split('\n')
- for chain in chains:
- if 1 in [ chain.startswith(c) for c in ['r-', 'i-', 's-', 'v-'] ]:
- vm_name = chain
-
- result = virshdomstate(vm_name)
-
- if result == None or len(result) == 0:
- logging.debug("chain " + chain + " does not correspond to a vm, cleaning up ebtable rules")
- cleanup.append(vm_name)
- continue
- if not (result == "running" or result == "paused"):
- logging.debug("vm " + vm_name + " is not running or paused, cleaning up ebtable rules")
- cleanup.append(vm_name)
+ bridge_tables = execute("""grep -E '^ebtable_' /proc/modules | cut -f1 -d' ' | sed s/ebtable_//""").split('\n')
+ for table in filter(None, bridge_tables):
+ chainscmd = """ebtables -t %s -L | awk '/chain:/ { gsub(/(^.*chain: |-(in|out|ips).*)/, ""); print $1}' | sort | uniq""" % table
+ chains = execute(chainscmd).split('\n')
+ for chain in filter(None, chains):
+ if 1 in [ chain.startswith(c) for c in ['r-', 'i-', 's-', 'v-'] ]:
+ vm_name = chain
+ result = virshdomstate(vm_name)
+ if result == None or len(result) == 0:
+ logging.debug("chain " + chain + " does not correspond to a vm, cleaning up ebtable rules")
+ cleanup.append(vm_name)
+ continue
+ if not (result == "running" or result == "paused"):
+ logging.debug("vm " + vm_name + " is not running or paused, cleaning up ebtable rules")
+ cleanup.append(vm_name)
+ cleanup = list(set(cleanup)) # remove duplicates
 for vmname in cleanup:
 destroy_network_rules_for_vm(vmname)
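Review bot: The table discovery on the first added line silently finds nothing when the ebtable_* tables are built into the kernel rather than loaded as modules, because /proc/modules lists only loadable modules; in that case stale chains for stopped or missing VMs are never removed and nothing is logged. Consider making the skip visible before the loop, e.g. `if not any(bridge_tables): logging.debug("no ebtable_* modules listed in /proc/modules, skipping ebtables chain cleanup")`, so an operator can tell cleanup was skipped rather than clean. The copied comparison `if result == None or len(result) == 0:` reads better as `if not result:` (or at least `result is None`), and the `1 in [...]` membership test is more directly `if chain.startswith(('r-', 'i-', 's-', 'v-')):`. cleanup_rules() begins above the hunk; only its tail is shown here.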