From caa0b4071c024b6672519ab811be733344a05086 Mon Sep 17 00:00:00 2001
From: Wilder Rodrigues
Date: Mon, 2 Nov 2015 12:00:22 +0100
Subject: [PATCH] CLOUDSTACK-8925 - Drop the traffic when default egress is set to false - The DROP rule should be appended and the other rules inserted.
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 399e4e0aa3b..e9efa9b6ee8 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -97,12 +97,16 @@ class CsAcl(CsDataBag):
 self.rule['last_port'] = obj['src_port_range'][1]
 self.rule['allowed'] = True
+ self.rule['action'] = "ACCEPT"
+
+ # In that case it means we are processing the default egress rule
 if self.rule['type'] == 'all' and not obj['source_cidr_list']:
+ if self.rule['default_egress_policy'] == 'false':
+ self.rule['action'] = "DROP"
 self.rule['cidr'] = ['0.0.0.0/0']
 else:
 self.rule['cidr'] = obj['source_cidr_list']
- self.rule['action'] = "ACCEPT"
 logging.debug("AclIP created for rule ==> %s", self.rule)
 def create(self):
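Review bot: The added check `if self.rule['default_egress_policy'] == 'false':` fails open, because it matches only the exact lowercase string: a boolean `False`, `"False"` or any other spelling leaves `action` at `"ACCEPT"` for `0.0.0.0/0`, and a missing key raises `KeyError` before the rule is built. Where `default_egress_policy` is populated lies above this hunk, so its type should be confirmed there. If it can vary and deny is the intended fallback, normalise before comparing, e.g. `if str(self.rule.get('default_egress_policy')).lower() != 'true':`, so that only an explicit allow produces `ACCEPT`. The new comment would be clearer as `# An 'all' rule with no source CIDR list is the default egress rule`. The append-versus-insert ordering named in the commit message is not visible in this hunk, and the enclosing method begins outside it.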