Posted to commits@cloudstack.apache.org by sw...@apache.org on 2016/07/18 18:12:42 UTC

[06/13] git commit: updated refs/heads/master to 54039f9

Added fix for adding/editing Network ACL rule ordering


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd6ef0c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd6ef0c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd6ef0c

Branch: refs/heads/master
Commit: 6dd6ef0c9a30f128657de22fa8b6ea8ab5daa133
Parents: 1f9bf93
Author: Patrick Dube <pd...@cloudops.com>
Authored: Mon Jul 11 15:12:41 2016 -0400
Committer: Patrick Dube <pd...@cloudops.com>
Committed: Mon Jul 11 15:12:41 2016 -0400

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/cs/CsNetfilter.py        | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd6ef0c/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index 4b5b492..39f184b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -151,6 +151,8 @@ class CsNetfilters(object):
             if isinstance(fw[1], int):
                 new_rule.set_count(fw[1])
 
+            rule_chain = new_rule.get_chain()
+
             logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s", new_rule.get_rule(), new_rule.get_table(), new_rule.get_chain())
             if self.has_rule(new_rule):
                 logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
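Review bot: `rule_chain` is bound once at the top of the loop body, yet the debug call directly beneath it still goes through `new_rule.get_chain()`, as do both `replace` calls in the next hunk, so the new local is only used for the `startswith` test and the `add_rule` bookkeeping; using it consistently would make it clear the chain name is fixed for the whole iteration, e.g. `logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s", new_rule.get_rule(), new_rule.get_table(), rule_chain)`. The binding also deserves a why-comment, because its consumer in the second hunk turns `self.chain.get_count(rule_chain)` into an iptables insertion index for the ACL_INBOUND/ACL_OUTBOUND chains: something like `# chain name; for ACL chains the tracked rule count below is used as the -I index so the rule lands ahead of the chain's terminal DROP`. That count appears to be maintained only by `self.chain.add_rule(...)` on the add path rather than read back from the live chain, so if it drifts an ACL rule would be inserted after the terminal DROP and silently never match, and if it is 0 for an empty chain the resulting `-I <chain> 0` is not a valid iptables rule number; logging the computed index, or guarding it to be at least 1, would make either failure visible instead of silent. The enclosing method starts before the first hunk and continues past the last line shown.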
@@ -162,9 +164,14 @@ class CsNetfilters(object):
                 if fw[1] == "front":
                     cpy = cpy.replace('-A', '-I')
                 if isinstance(fw[1], int):
-                    cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
-
+                    # if the rule is for ACLs, we want to insert them in order, right before the DROP all
+                    if rule_chain.startswith("ACL_INBOUND") or rule_chain.startswith("ACL_OUTBOUND"):
+                        rule_count = self.chain.get_count(rule_chain)
+                        cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), rule_count))
+                    else:
+                        cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
                 CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
+                self.chain.add_rule(rule_chain)
         self.del_standard()
         self.get_unseen()