You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by fr...@apache.org on 2013/10/10 23:44:30 UTC

git commit: updated refs/heads/4.2 to 999c1bc

Updated Branches:
  refs/heads/4.2 1ac6ef1a7 -> 999c1bc1c


Change security_group_agent python side in line with default
security group rules change in 4.2


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/999c1bc1
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/999c1bc1
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/999c1bc1

Branch: refs/heads/4.2
Commit: 999c1bc1c029a21110b5bea4638d2d9a99b00f12
Parents: 1ac6ef1
Author: Frank.Zhang <fr...@citrix.com>
Authored: Thu Oct 10 14:43:40 2013 -0700
Committer: Frank.Zhang <fr...@citrix.com>
Committed: Thu Oct 10 14:44:14 2013 -0700

----------------------------------------------------------------------
 .../security_group_agent/cs_sg_agent.py                 | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/999c1bc1/plugins/hypervisors/baremetal/resources/security_group_agent/security_group_agent/cs_sg_agent.py
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/baremetal/resources/security_group_agent/security_group_agent/cs_sg_agent.py b/plugins/hypervisors/baremetal/resources/security_group_agent/security_group_agent/cs_sg_agent.py
index f940264..9bd541b 100755
--- a/plugins/hypervisors/baremetal/resources/security_group_agent/security_group_agent/cs_sg_agent.py
+++ b/plugins/hypervisors/baremetal/resources/security_group_agent/security_group_agent/cs_sg_agent.py
@@ -323,6 +323,14 @@ class SGAgent(object):
     
     @staticmethod
     def start():
+
+        def create_rule_if_not_exists(rule):
+            out = sglib.ShellCmd('iptables-save')()
+            if rule in out:
+                return
+
+            sglib.ShellCmd('iptables %s' % rule)()
+
         def prepare_default_rules():
             sglib.ShellCmd('iptables --policy INPUT DROP')()
             name = 'default-chain'
@@ -330,7 +338,9 @@ class SGAgent(object):
                 sglib.ShellCmd('iptables -F %s' % name)()
             except Exception:
                 sglib.ShellCmd('iptables -N %s' % name)()
-            sglib.ShellCmd('iptables -I INPUT -p tcp --dport 9988 -j ACCEPT')()
+
+            create_rule_if_not_exists('-I INPUT -p tcp --dport 9988 -j ACCEPT')
+            create_rule_if_not_exists('-I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT')
 
 
         prepare_default_rules()