Posted to commits@cloudstack.apache.org by da...@apache.org on 2021/08/20 11:18:05 UTC

[cloudstack] branch 4.15 updated: Fix iptable rules when chain reference count is 0 (#5328)

This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch 4.15
in repository https://gitbox.apache.org/repos/asf/cloudstack.git


The following commit(s) were added to refs/heads/4.15 by this push:
     new c1fc002  Fix iptable rules when chain reference count is 0 (#5328)
c1fc002 is described below

commit c1fc002359131e827f683a9f0b27f5cd121d2a80
Author: Rakesh <ra...@gmail.com>
AuthorDate: Fri Aug 20 13:17:45 2021 +0200

    Fix iptable rules when chain reference count is 0 (#5328)
    
    Sometimes the chain reference count is 0 and in that case
    proper iptables rules are not applied. Because of this, ping fails.
    So check the reference count of the -IN and -OUT chains as well as
    the main chain.
    
    Co-authored-by: Rakesh Venkatesh <ra...@apache.org>
---
 scripts/vm/network/security_group.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 404edd4..a42ac34 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -1327,9 +1327,11 @@ def add_fw_framework(brname):
 
     try:
         refs = int(execute("""iptables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
+        refs_in = int(execute("""iptables -n -L %s-IN | awk '/%s-IN(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
+        refs_out = int(execute("""iptables -n -L %s-OUT | awk '/%s-OUT(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
         refs6 = int(execute("""ip6tables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
 
-        if refs == 0:
+        if refs == 0 or refs_in == 0 or refs_out == 0:
             execute("iptables -I FORWARD -i " + brname + " -j DROP")
             execute("iptables -I FORWARD -o " + brname + " -j DROP")
             execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
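Review bot: The widened condition on the `if refs == 0 or refs_in == 0 or refs_out == 0:` line re-runs the whole insert block whenever only the -IN or -OUT chain is unreferenced, so the FORWARD DROP rules and the `-j brfw` jump that the non-zero `refs` says are already in place get inserted a second time — `iptables -I` does not deduplicate, and the block continues past the hunk, presumably inserting the -IN/-OUT jumps too. Each insert should be gated on its own chain's count, or made idempotent, e.g. `execute("iptables -C FORWARD -i " + brname + " -j DROP || iptables -I FORWARD -i " + brname + " -j DROP")` for the first rule and likewise for the others, which also makes the `refs`-only case safe against a partially applied previous run. The two added `refs_in`/`refs_out` commands follow the existing pattern of interpolating `brfw` into a shell pipeline and an awk regex, so a bridge name containing shell or regex metacharacters would break the count or be interpreted by the shell; if `brname` is not guaranteed to be validated by the caller, it is worth a `# NOTE: brfw is shell- and regex-interpolated unquoted; caller must sanitize brname` comment or a `shlex.quote`. Note also that `int("")` raises if the chain does not exist yet and awk prints nothing, which is handled only if the `except` outside the hunk is broad enough.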