Added fix for adding/editing Network ACL rule ordering
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6dd6ef0c Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6dd6ef0c Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6dd6ef0c Branch: refs/heads/4.9-bountycastle-daan Commit: 6dd6ef0c9a30f128657de22fa8b6ea8ab5daa133 Parents: 1f9bf93 Author: Patrick Dube <[email protected]> Authored: Mon Jul 11 15:12:41 2016 -0400 Committer: Patrick Dube <[email protected]> Committed: Mon Jul 11 15:12:41 2016 -0400 ---------------------------------------------------------------------- .../debian/config/opt/cloud/bin/cs/CsNetfilter.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6dd6ef0c/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py ----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
index 4b5b492..39f184b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -151,6 +151,8 @@ class CsNetfilters(object):
if isinstance(fw[1], int):
new_rule.set_count(fw[1])
+ rule_chain = new_rule.get_chain()
+ logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s", new_rule.get_rule(), new_rule.get_table(), new_rule.get_chain())
if self.has_rule(new_rule):
logging.debug("Exists: rule=%s table=%s", fw[2], new_rule.get_table())
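Review bot: The new debug line calls `new_rule.get_chain()` for its `chain=%s` argument although the line just above it binds `rule_chain` to exactly that value; passing `rule_chain` there keeps the logged chain and the chain used for the later insert-position lookup from ever diverging, and reads as one fewer getter call, i.e. `logging.debug("Checking if the rule already exists: rule=%s table=%s chain=%s", new_rule.get_rule(), new_rule.get_table(), rule_chain)`. The enclosing method starts before this hunk, so whether `rule_chain` is reachable on every path to the second hunk is not visible here.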
@@ -162,9 +164,14 @@ class CsNetfilters(object):
if fw[1] == "front":
cpy = cpy.replace('-A', '-I')
if isinstance(fw[1], int):
- cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
-
+ # if the rule is for ACLs, we want to insert them in order, right before the DROP all
+ if rule_chain.startswith("ACL_INBOUND") or rule_chain.startswith("ACL_OUTBOUND"):
+ rule_count = self.chain.get_count(rule_chain)
+ cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), rule_count))
+ else:
+ cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
+ self.chain.add_rule(rule_chain)
self.del_standard()
self.get_unseen()
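Review bot: The ACL branch feeds `self.chain.get_count(rule_chain)` directly into `-I %s %s`; iptables rule positions are 1-based, so if `get_count` can report 0 for a chain with no tracked rules yet (its semantics are not visible here), the generated `iptables -I ACL_... 0 ...` is rejected and that ACL entry is never installed, with only the command's exit status to show for it. The `self.chain.add_rule(rule_chain)` added after `CsHelper.execute` is also unconditional — it runs for non-ACL chains and whether or not the iptables call succeeded — so the tracked count can drift from the real chain, and a drifted count lands later ACL rules after the DROP-all (inactive) or ahead of earlier ones (wrong precedence); if `execute` reports failure, the increment should be skipped. The two `replace` calls differ only in the position value, so computing the position once removes the duplicated format string. The enclosing method begins before this hunk, and `rule_chain` is bound in the earlier hunk.
```python
if isinstance(fw[1], int):
    # ACL rules are inserted in order, right before the trailing DROP-all;
    # iptables positions are 1-based, so never emit position 0.
    if rule_chain.startswith("ACL_INBOUND") or rule_chain.startswith("ACL_OUTBOUND"):
        position = max(self.chain.get_count(rule_chain), 1)
    else:
        position = fw[1]
    cpy = cpy.replace("-A %s" % rule_chain, '-I %s %s' % (rule_chain, position))
CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
# … unchanged: self.chain.add_rule(rule_chain), del_standard(), get_unseen() …
```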
