diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh index 71197b86427..1ded5e37454 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh @@ -62,13 +62,11 @@ acl_save() { acl_chain_for_guest_network () { acl_save # inbound - sudo iptables -E ACL_INBOUND_$ip _ACL_INBOUND_$ip 2>/dev/null sudo iptables -N ACL_INBOUND_$ip 2>/dev/null # drop if no rules match (this will be the last rule in the chain) sudo iptables -A ACL_INBOUND_$ip -j DROP 2>/dev/null sudo iptables -A FORWARD -o $dev -d $gcidr -j ACL_INBOUND_$ip 2>/dev/null # outbound - sudo iptables -E ACL_OUTBOUND_$ip _ACL_OUTBOUND_$ip 2>/dev/null sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null sudo iptables -A ACL_OUTBOUND_$ip -j DROP 2>/dev/null sudo iptables -D FORWARD -i $dev -s $gcidr -j ACL_OUTBOUND_$ip 2>/dev/null @@ -79,7 +77,7 @@ acl_chain_for_guest_network () { acl_entry_for_guest_network() { local rule=$1 - local inbound=$(echo $rule | cut -d: -f1) + local ttype=$(echo $rule | cut -d: -f1) local prot=$(echo $rules | cut -d: -f2) local sport=$(echo $rules | cut -d: -f3) local eport=$(echo $rules | cut -d: -f4) @@ -97,7 +95,7 @@ acl_entry_for_guest_network() { typecode="$sport/$eport" [ "$eport" == "-1" ] && typecode="$sport" [ "$sport" == "-1" ] && typecode="any" - if [ "$inbound" == "1" ] + if [ "$ttype" == "Ingress" ] then sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr \ --icmp-type $typecode -j ACCEPT @@ -106,13 +104,14 @@ acl_entry_for_guest_network() { --icmp-type $typecode -j ACCEPT fi else - if [ "$inbound" == "1" ] + if [ "$ttype" == "Egress" ] then sudo iptables -I ACL_INBOUND_$ip -p $prot -s $lcidr \ --dport $sport:$eport -j ACCEPT else sudo iptables -I ACL_OUTBOUND_$ip -p $prot -d $lcidr \ - --dport $sport:$eport -j ACCEP`T + --dport $sport:$eport -j ACCEP + fi fi result=$? [ $result -gt 0 ] && @@ -134,7 +133,7 @@ rules_list="" gcidr="" ip="" dev="" -while getopts ':d:g:a:' OPTION +while getopts 'd:g:a:' OPTION do case $OPTION in d) dflag=1 diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh index 5d437e5f4a2..4be5f505d82 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh @@ -80,35 +80,11 @@ create_guest_network() { local tableName="Table_$dev" sudo ip route add $subnet/$mask dev $dev table $tableName proto static - # create inbound acl chain - if sudo iptables -N ACL_INBOUND_$ip 2>/dev/null - then - logger -t cloud "$(basename $0): create VPC inbound acl chain for network $ip/$mask" - # policy drop - sudo iptables -A ACL_INBOUND_$ip -j DROP >/dev/null - sudo iptables -A FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip - fi - # create outbound acl chain - if sudo iptables -N ACL_OUTBOUND_$ip 2>/dev/null - then - logger -t cloud "$(basename $0): create VPC outbound acl chain for network $ip/$mask" - sudo iptables -A ACL_OUTBOUND_$ip -j DROP >/dev/null - sudo iptables -A FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip - fi - setup_dnsmasq } destroy_guest_network() { logger -t cloud " $(basename $0): Create network on interface $dev, gateway $gw, network $ip/$mask " - # destroy inbound acl chain - sudo iptables -F ACL_INBOUND_$ip 2>/dev/null - sudo iptables -D FORWARD -o $dev -d $ip/$mask -j ACL_INBOUND_$ip 2>/dev/null - sudo iptables -X ACL_INBOUND_$ip 2>/dev/null - # destroy outbound acl chain - sudo iptables -F ACL_OUTBOUND_$ip 2>/dev/null - sudo iptables -D FORWARD -i $dev -s $ip/$mask -j ACL_OUTBOUND_$ip 2>/dev/null - sudo iptables -X ACL_OUTBOUND_$ip 2>/dev/null sudo ip addr del dev $dev $ip/$mask sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT