From c18da90355e0c5f607c72f66c4eb104bc3b50da0 Mon Sep 17 00:00:00 2001
From: anthony
Date: Fri, 6 Jul 2012 19:05:01 -0700
Subject: [PATCH] VPC : move egress chain to PREROUTING
---
 .../debian/config/opt/cloud/bin/vpc_acl.sh | 26 +++++++++----------
 .../config/opt/cloud/bin/vpc_guestnw.sh | 17 +++++++++++-
 2 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index 4b83397fcde..7fde493a0fb 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -33,30 +33,30 @@ acl_remove_backup() {
   sudo iptables -F _ACL_INBOUND_$dev 2>/dev/null
   sudo iptables -D FORWARD -o $dev -d $gcidr -j _ACL_INBOUND_$dev 2>/dev/null
   sudo iptables -X _ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -F _ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j _ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -X _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -X _ACL_OUTBOUND_$dev 2>/dev/null
 }
 
 acl_remove() {
   sudo iptables -F ACL_INBOUND_$dev 2>/dev/null
   sudo iptables -D FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
   sudo iptables -X ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -F ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -X ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
 }
 
 acl_restore() {
   acl_remove
   sudo iptables -E _ACL_INBOUND_$dev ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E _ACL_OUTBOUND_$dev ACL_OUTBOUND_$dev 2>/dev/null
 }
 
 acl_save() {
   acl_remove_backup
   sudo iptables -E ACL_INBOUND_$dev _ACL_INBOUND_$dev 2>/dev/null
-  sudo iptables -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -E ACL_OUTBOUND_$dev _ACL_OUTBOUND_$dev 2>/dev/null
 }
 
 acl_chain_for_guest_network () {
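Review bot: The new `-D PREROUTING ... ! -d $ip` rules in acl_remove_backup and acl_remove, like the matching `-A PREROUTING` in the -67,9 hunk, depend on `$ip`, and nothing in this patch assigns it in vpc_acl.sh (the option parsing is outside these hunks). If it is unset there, `! -d $ip` collapses to `! -d`, iptables rejects the rule, and `2>/dev/null` hides that: on the create side ACL_OUTBOUND_$dev is never attached, so guest egress is forwarded unfiltered (fail-open), and on the remove side the `-D` misses, the following `-X` fails because the chain is still referenced, and the stale chain lingers. A guard next to the option parsing, `: "${ip:?router address required for ACL_OUTBOUND PREROUTING rules}"`, makes the precondition explicit and turns the silent failure into a visible one. The delete spec must also stay byte-for-byte identical to the spec used on insertion, so a comment tying the two lines together would help the next editor.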
@@ -67,9 +67,9 @@ acl_chain_for_guest_network () {
   sudo iptables -A ACL_INBOUND_$dev -j DROP 2>/dev/null
   sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$dev 2>/dev/null
 # outbound
-  sudo iptables -N ACL_OUTBOUND_$dev 2>/dev/null
-  sudo iptables -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
-  sudo iptables -A FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
 }
 
 
@@ -105,7 +105,7 @@ acl_entry_for_guest_network() {
       sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
                   --icmp-type $typecode -j ACCEPT
     else
-      sudo iptables -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+      sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
                   --icmp-type $typecode -j ACCEPT
     fi
   else
@@ -114,7 +114,7 @@ acl_entry_for_guest_network() {
       sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
                   $DPORT -j ACCEPT
     else
-      sudo iptables -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
+      sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
                   $DPORT -j ACCEPT
     fi
   fi
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
index 8b976807137..715c2e0424b 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh
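Review bot: In the -67,9 hunk the `-A PREROUTING` line is the only one of the three that actually enforces the egress policy, yet its failure is discarded by `2>/dev/null` exactly like the idempotent `-N`, so a router where that append fails keeps forwarding all guest traffic with no trace in the logs. Suggest propagating the status of that one line, `sudo iptables -t mangle -A PREROUTING -i $dev -s $gcidr ! -d $ip -j ACL_OUTBOUND_$dev || return 1`, and letting the caller of acl_chain_for_guest_network report it. Moving the DROP into mangle/PREROUTING also means packets addressed to the router itself would be dropped before the filter table's INPUT chain sees them, which is what the `! -d $ip` exemption is for; a comment on that line, `# egress ACL runs in mangle/PREROUTING; traffic to the router itself is exempted`, records that reasoning. acl_chain_for_guest_network begins above this hunk.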
@@ -31,6 +31,20 @@ usage() {
 }
 
 
+destroy_acl_outbound_chain() {
+  sudo iptables -t mangle -F ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -D PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -X ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+create_acl_outbound_chain() {
+  destroy_acl_outbound_chain
+  sudo iptables -t mangle -N ACL_OUTBOUND_$dev 2>/dev/null
+  sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  sudo iptables -t mangle -A PREROUTING -i $dev -s $subnet/$mask ! -d $ip -j ACL_OUTBOUND_$dev 2>/dev/null
+}
+
+
 setup_apache2() {
   logger_it "Setting up apache web server for $dev"
   cp /etc/apache2/vhostexample.conf /etc/apache2/conf.d/vhost$dev.conf
@@ -119,7 +133,7 @@ create_guest_network() {
   sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   # set up hairpin
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
-
+  create_acl_outbound_chain
   setup_usage
   setup_dnsmasq
   setup_apache2
@@ -133,6 +147,7 @@ destroy_guest_network() {
   sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
   sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  destroy_acl_outbound_chain
   desetup_usage
   desetup_dnsmasq
   desetup_apache2
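Review bot: create_acl_outbound_chain and destroy_acl_outbound_chain in the -31,6 hunk re-implement acl_chain_for_guest_network and acl_remove from vpc_acl.sh with `-s $subnet/$mask` where that script writes `-s $gcidr`; both scripts add and delete the same PREROUTING jump, so the two rule specs have to resolve to the identical rule or one script's `-D` will not find the other's entry, its `-X` then fails on a still-referenced chain, and every error is swallowed by `2>/dev/null`. A comment on the `-A PREROUTING` line, `# must match the spec written by acl_chain_for_guest_network in vpc_acl.sh`, makes that coupling visible; better still would be a single shared definition the two scripts both call. The two trailing `+` blank lines leave three empty lines before setup_apache2 where the file otherwise uses two.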
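Review bot: In the -133,6 hunk the new `destroy_acl_outbound_chain` call lands directly after a context line that still *appends* the hairpin SNAT rule inside destroy_guest_network (`sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip`), which in a teardown path presumably should be `-D`; this looks pre-existing, but with the ACL chain now removed correctly each destroy still leaves one more SNAT rule behind. Changing that `-A` to `-D` keeps teardown symmetric with the create path in the -119,7 hunk. destroy_guest_network begins above this hunk.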