CLOUDSTACK-9437: Create egress chain on upgrade and cleanup for allow all traffic
- Ensure that FW_EGRESS_RULE chain exists after upgrading the router - Flush allow all egress rule on 0.0.0.0/0, if such a rule exists in the config it will be added later (CLOUDSTACK-9437) Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d302269f Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d302269f Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d302269f Branch: refs/heads/4.9-bountycastle-daan Commit: d302269fe53ca0d3ef4c7d4c51b28ce94d8a4847 Parents: 818063c Author: Will Stevens <[email protected]> Authored: Mon Jul 25 16:44:38 2016 -0400 Committer: Will Stevens <[email protected]> Committed: Mon Jul 25 16:44:38 2016 -0400 ---------------------------------------------------------------------- systemvm/patches/debian/config/opt/cloud/bin/configure.py | 7 +++++++ 1 file changed, 7 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d302269f/systemvm/patches/debian/config/opt/cloud/bin/configure.py ---------------------------------------------------------------------- diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py index 35ac3f2..dd164a2 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py 
@@ -263,6 +263,12 @@ class CsAcl(CsDataBag): rstr = rstr.replace(" ", " ").lstrip() self.fw.append([self.table, self.count, rstr]) + def flushAllowAllEgressRules(self): + logging.debug("Flush allow 'all' egress firewall rule") + # Ensure that FW_EGRESS_RULES chain exists + CsHelper.execute("iptables-save | grep '^:FW_EGRESS_RULES' || iptables -t filter -N FW_EGRESS_RULES") + CsHelper.execute("iptables-save | grep '^-A FW_EGRESS_RULES -j ACCEPT$' | sed 's/^-A/iptables -t filter -D/g' | bash") + def process(self): for item in self.dbag: if item == "id": @@ -978,6 +984,7 @@ def main(argv): acls.process() acls = CsAcl('firewallrules', config) + acls.flushAllowAllEgressRules() acls.process() fwd = CsForwardingRules("forwardingrules", config)
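Review bot: flushAllowAllEgressRules decides whether the chain exists by grepping iptables-save output with a prefix match, and deletes rules by piping sed-rewritten iptables-save lines into `bash`; both are fragile where a direct iptables call would do. `grep '^:FW_EGRESS_RULES'` matches across every table iptables-save dumps and any chain whose name merely starts with that string, so it can succeed while the filter-table chain is still missing and the `-N` never runs. The same intent without text parsing is `CsHelper.execute("iptables -t filter -n -L FW_EGRESS_RULES >/dev/null 2>&1 || iptables -t filter -N FW_EGRESS_RULES")` and `CsHelper.execute("while iptables -t filter -D FW_EGRESS_RULES -j ACCEPT 2>/dev/null; do :; done")`, the loop removing duplicate ACCEPT rules just as the generated `-D` lines do today. This presumes CsHelper.execute runs its argument through a shell, which the existing pipelines suggest but the hunk does not show. Between this flush and the later process() call the chain carries no ACCEPT rule, so if the chain's fallthrough drops traffic there is a brief egress interruption on every configure run; if that is acceptable, a comment saying so would help the next reader.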
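Review bot: The new `acls.flushAllowAllEgressRules()` call in main has no comment explaining why it must precede `acls.process()`, and nothing ties it to the upgrade case the commit title names. A one-line comment such as `# drop any stale allow-all egress rule before process() re-applies the configured rules` would record the ordering dependency. Since main runs on every configure invocation rather than only on upgrade, the flush appears to happen on every run, which is presumably intended but worth stating. main's body continues outside the hunk.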
