VPC : create acl chain per acl command

patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh

@@ -62,13 +62,11 @@ acl_save() {
 acl_chain_for_guest_network () {
   acl_save
   # inbound
-  sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null
   sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
   # drop if no rules match (this will be the last rule in the chain)
   sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null
   sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip  2>/dev/null
   # outbound
-  sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null
   sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
   sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null
   sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip  2>/dev/null
@@ -79,7 +77,7 @@ acl_chain_for_guest_network () {
 acl_entry_for_guest_network() {
   local rule=$1
 
-  local inbound=$(echo $rule | cut -d: -f1)
+  local ttype=$(echo $rule | cut -d: -f1)
   local prot=$(echo $rules | cut -d: -f2)
   local sport=$(echo $rules | cut -d: -f3)    
   local eport=$(echo $rules | cut -d: -f4)    
@@ -97,7 +95,7 @@ acl_entry_for_guest_network() {
       typecode="$sport/$eport"
       [ "$eport" == "-1" ] && typecode="$sport"
       [ "$sport" == "-1" ] && typecode="any"
-      if [ "$inbound" == "1" ]
+      if [ "$ttype" == "Ingress" ]
       then
         sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr  \
                     --icmp-type $typecode  -j ACCEPT
@@ -106,13 +104,14 @@ acl_entry_for_guest_network() {
                     --icmp-type $typecode  -j ACCEPT
       fi
     else
-      if [ "$inbound" == "1" ]
+      if [ "$ttype" == "Egress" ]
       then
         sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr \
                     --dport $sport:$eport -j ACCEPT
       else
         sudo iptables -I ACL_OUTBOUND_$ip -p $prot -d $lcidr \
-                    --dport $sport:$eport -j ACCEP`T
+                    --dport $sport:$eport -j ACCEP
+      fi
     fi
     result=$?
     [ $result -gt 0 ] && 
@@ -134,7 +133,7 @@ rules_list=""
 gcidr=""
 ip=""
 dev=""
-while getopts ':d:g:a:' OPTION
+while getopts 'd:g:a:' OPTION
 do
   case $OPTION in
   d)    dflag=1

patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh

@@ -80,35 +80,11 @@ create_guest_network() {
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
 
-  # create inbound acl chain
-  if sudo iptables -N ACL_INBOUND_$ip 2>/dev/null
-  then
-    logger -t cloud "$(basename $0): create VPC inbound acl chain for network $ip/$mask"
-    # policy drop
-    sudo iptables -A ACL_INBOUND_$ip -j DROP >/dev/null
-    sudo iptables -A FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip
-  fi
-  # create outbound acl chain
-  if sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null
-  then
-    logger -t cloud "$(basename $0): create VPC outbound acl chain for network $ip/$mask"
-    sudo iptables -A ACL_OUTBOUND_$ip -j DROP >/dev/null
-    sudo iptables -A FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip
-  fi
-
   setup_dnsmasq
 }
 
 destroy_guest_network() {
   logger -t cloud " $(basename $0): Create network on interface $dev,  gateway $gw, network $ip/$mask "
-  # destroy inbound acl chain
-  sudo iptables -F ACL_INBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip  2>/dev/null
-  sudo iptables -X ACL_INBOUND_$ip 2>/dev/null
-  # destroy outbound acl chain
-  sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null
-  sudo iptables -D FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip  2>/dev/null
-  sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null
 
   sudo ip addr del dev $dev $ip/$mask
   sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT