From c803daec17226aa03682336ee9b647fb4e020753 Mon Sep 17 00:00:00 2001
From: Murali Reddy
Date: Tue, 6 Sep 2016 03:32:35 +0530
Subject: [PATCH] Use mangle table PREROUTING chain to ensure traffic from any public interface on VPC VR is connection marked. Traffic from RELATED, ESTABLISHED connectinso on guest network interfaces on VPC VR connection marking is restored.
---
 .../config/opt/cloud/bin/cs/CsAddress.py | 36 +++++++++++--------
 .../debian/config/opt/cloud/bin/cs/CsRoute.py | 9 +++++
 2 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index c3835542325..5a0090de5b1 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -285,7 +285,9 @@ class CsIP:
 CsRule(self.dev).addMark()
 self.check_is_up()
- if self.dnum != '0':
+ if not self.config.is_vpc() and self.dnum != '0':
+ self.set_mark()
+ if self.config.is_vpc():
 self.set_mark()
 self.arpPing()
@@ -435,10 +437,10 @@ class CsIP:
 def fw_vpcrouter(self):
 if not self.config.is_vpc():
 return
- self.fw.append(["mangle", "front", "-A PREROUTING " +
- "-m state --state RELATED,ESTABLISHED " +
- "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
 if self.get_type() in ["guest"]:
+ self.fw.append(["mangle", "front", "-A PREROUTING " +
+ " -i %s -m state --state RELATED,ESTABLISHED " % self.dev +
+ "-j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff"])
 self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" % (self.address['network'], self.dev, self.dev)])
 self.fw.append(
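Review bot: The two new `if` statements both end in the same `self.set_mark()` call, so the VPC/non-VPC split reads as two rules when it is one condition; `if self.config.is_vpc() or self.dnum != '0':` followed by `self.set_mark()` says the same thing in two lines. What actually changes for a VPC router is that the interface with dnum '0' is now connection-marked as well while non-VPC behaviour is untouched, and only the commit message states that; a comment such as `# VPC: mark connections on every interface, dnum '0' included; non-VPC keeps skipping it` would keep the intent next to the code. This pairs with the `-i <dev>` restore-mark rule that fw_vpcrouter now installs only for guest interfaces in the next hunk, so marks set on a public interface are restored only for replies that arrive on a guest interface, which looks intended. set_mark() itself is outside the hunk, so which mark and chain it installs cannot be confirmed here, and the enclosing method also starts before the hunk.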
@@ -512,20 +514,26 @@ class CsIP:
 tableName = "Table_" + self.dev
 if method == "add":
- # treat the first IP on a interface as special case to set up the routing rules
- if self.get_type() in ["public"] and (not self.config.is_vpc()) and (len(self.iplist) == 1):
- CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth0'][0]['network'] + " table " + tableName + " proto static")
- CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth1'][0]['network'] + " table " + tableName + " proto static")
+ if not self.config.is_vpc():
+ # treat the first IP on a interface as special case to set up the routing rules
+ if self.get_type() in ["public"] and (len(self.iplist) == 1):
+ CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth0'][0]['network'] + " table " + tableName + " proto static")
+ CsHelper.execute("sudo ip route add throw " + self.config.address().dbag['eth1'][0]['network'] + " table " + tableName + " proto static")
- # add 'defaul via gateway' rule in the device specific routing table
- if "gateway" in self.address and self.address["gateway"] != "None":
- route.add_route(self.dev, self.address["gateway"])
+ # add 'defaul via gateway' rule in the device specific routing table
+ if "gateway" in self.address and self.address["gateway"] != "None":
+ route.add_route(self.dev, self.address["gateway"])
+
+ if self.get_type() in ["public"]:
+ CsRule(self.dev).addRule("from " + str(self.address["network"]))
+
+ if self.config.is_vpc():
+ if self.get_type() in ["public"] and "gateway" in self.address and self.address["gateway"] != "None":
+ route.add_route(self.dev, self.address["gateway"])
+ route.add_network_route(self.dev, str(self.address["network"]))
 CsHelper.execute("sudo ip route flush cache")
- if self.get_type() in ["public"]:
- CsRule(self.dev).addRule("from " + str(self.address["network"]))
-
 elif method == "delete":
 # treat the last IP to be dis-associated with interface as special case to
clean up the routing rules
 if self.get_type() in ["public"] and (not self.config.is_vpc()) and (len(self.iplist) == 0):
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
index 4868bf54ebc..927c2ae0d74 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsRoute.py
@@ -57,6 +57,15 @@ class CsRoute:
 cmd = "default via %s table %s proto static" % (address, table)
 self.set_route(cmd)
+ def add_network_route(self, dev, address):
+ """ Wrapper method that adds table name and device to route statement """
+ # ip route add dev eth1 table Table_eth1 10.0.2.0/24
+ table = self.get_tablename(dev)
+ logging.info("Adding route: dev " + dev + " table: " +
+ table + " network: " + address + " if not present")
+ cmd = "dev %s table %s %s" % (dev, table, address)
+ self.set_route(cmd)
+
 def set_route(self, cmd, method="add"):
 """ Add a route if it is not already defined """
 found = False
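Review bot: For a VPC router the rebuilt `add` branch quietly drops two things the old code did for every router: the `CsRule(self.dev).addRule("from " + ...)` policy rule on public interfaces, and the default-via-gateway route on non-public interfaces that carry a gateway; neither is mentioned in the commit message. If that is intended because VPC routing is driven by the fwmark rule installed elsewhere, a comment in the `if self.config.is_vpc():` block such as `# VPC: no 'from <network>' rule and no guest default route here; policy routing uses the interface mark` should say so, otherwise the rule is missing. The gateway test is now written twice; hoisting it as `has_gateway = "gateway" in self.address and self.address["gateway"] != "None"` before the branch and using `if has_gateway:` / `if self.get_type() in ["public"] and has_gateway:` removes the duplication. The moved comment still reads `'defaul via gateway'`; `'default via gateway'` is the intended spelling. The enclosing method starts before the hunk and its delete branch continues after it.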
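Review bot: add_network_route builds `dev %s table %s %s` without `proto static`, while its sibling add_route just above and the throw routes in CsAddress.py all tag their routes `proto static`; the new route therefore gets the iproute2 default protocol, so any `proto static`-scoped listing or flush would treat it differently, and `cmd = "dev %s table %s %s proto static" % (dev, table, address)` keeps the file consistent. The log call concatenates its arguments; `logging.info("Adding route: dev %s table: %s network: %s if not present", dev, table, address)` is the lazy form the logging module expects and avoids a TypeError if a caller ever passes a non-string. The `address` argument ends up in the command line handed to set_route, whose body continues past the hunk, and the only shaping it gets is the caller's `str(self.address["network"])`; a docstring line stating that `address` must already be a validated CIDR would make that contract explicit.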