Posted to commits@cloudstack.apache.org by an...@apache.org on 2012/09/08 02:03:47 UTC

git commit: VPC : by default , outgoing traffic is allowed out, once egress rules are added, only traffic specified in those are allowed out, others are blocked

Updated Branches:
  refs/heads/master b52bd1fc5 -> 3cfe01d07


    VPC: by default, outgoing traffic is allowed out; once egress rules are added, only the traffic specified in those rules is allowed out and everything else is blocked


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/3cfe01d0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/3cfe01d0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/3cfe01d0

Branch: refs/heads/master
Commit: 3cfe01d07cefc7094ce4ed2a9dde28c88437b1d1
Parents: b52bd1f
Author: Anthony Xu <an...@cloud.com>
Authored: Fri Sep 7 17:03:12 2012 -0700
Committer: Anthony Xu <an...@cloud.com>
Committed: Fri Sep 7 17:03:12 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/vpc_acl.sh         |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/3cfe01d0/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
index fa57c04..4ebed3a 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/vpc_acl.sh
@@ -126,6 +126,7 @@ acl_entry_for_guest_network() {
         sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr  \
                     --icmp-type $typecode  -j ACCEPT
       else
+        let egress++
         sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr  \
                     --icmp-type $typecode  -j ACCEPT
       fi
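Review bot: `let egress++` returns a non-zero status on the first increment (the post-increment expression evaluates to 0, and `let` reports a zero result as failure), so if this script, or whatever sources it, runs under `set -e` the first egress entry would abort the run before the rule is installed; the same line is added in the next hunk. `egress=$((egress + 1))` always returns 0 and is the idiomatic form. The function also depends on the caller having initialized the global `egress` before the first call, which nothing here states; a comment such as `# count egress entries: a non-zero total makes ACL_OUTBOUND_$dev end in DROP instead of ACCEPT` at the increment would make that coupling visible. acl_entry_for_guest_network starts and ends outside the hunk.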
@@ -135,6 +136,7 @@ acl_entry_for_guest_network() {
         sudo iptables -I ACL_INBOUND_$dev -p $prot -s $lcidr \
                     $DPORT -j ACCEPT
       else
+        let egress++
         sudo iptables -t mangle -I ACL_OUTBOUND_$dev -p $prot -d $lcidr \
                     $DPORT -j ACCEPT
       fi
@@ -199,7 +201,7 @@ fi
 success=0
 
 acl_chain_for_guest_network
-
+egress=0
 for r in $rules_list
 do
   acl_entry_for_guest_network $r
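Review bot: `egress=0` is a bare global that acl_entry_for_guest_network increments per rule and the final default-policy branch reads, and nothing near it says so. A one-line comment would carry that contract: `# egress counts outbound entries; 0 leaves ACL_OUTBOUND_$dev ending in ACCEPT, otherwise it ends in DROP`. The surrounding top-level script continues outside the hunk.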
@@ -219,6 +221,12 @@ then
   acl_restore
 else
   logger -t cloud "$(basename $0): deleting backup for guest network: $gcidr"
+  if [ $egress -eq 0 ]
+  then
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j ACCEPT 2>/dev/null
+  else
+    sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j DROP 2>/dev/null
+  fi   
   acl_switch_to_new
 fi
 unlock_exit $success $lock $locked
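Review bot: The `2>/dev/null` on both `iptables -A ACL_OUTBOUND_$dev` calls discards the only signal that the terminal rule was installed; if the DROP append fails, the chain is switched in with ACCEPT entries and no terminal rule, so the intended block-by-default silently becomes allow-by-default and `success` still reports 0. The append status should be checked, logged via the existing `logger -t cloud` pattern and reflected in `success`; whether a failure here should also fall back to acl_restore depends on the condition of the `if` above this branch, which is outside the hunk. `[ $egress -eq 0 ]` should also quote the variable, `[ "$egress" -eq 0 ]`, so an unset counter produces a clear error instead of a malformed test, and line `fi   ` carries trailing whitespace.

```shell
  if [ "$egress" -eq 0 ]
  then
    policy=ACCEPT
  else
    policy=DROP
  fi
  if ! sudo iptables -t mangle -A ACL_OUTBOUND_$dev -j $policy
  then
    logger -t cloud "$(basename $0): failed to append default $policy rule to ACL_OUTBOUND_$dev"
    success=1
  fi
  # … unchanged: acl_switch_to_new …
```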