This is an automated email from the ASF dual-hosted git repository.
rohit pushed a commit to branch 4.11
in repository https://gitbox.apache.org/repos/asf/cloudstack.git
The following commit(s) were added to refs/heads/4.11 by this push:
new 41f569e router: Fix rule duplication with non-VPC static NAT rules
(#3366)
41f569e is described below
commit 41f569e8a853cb4503646d06cadc4c9c1aea82b2
Author: Richard Lawley <[email protected]>
AuthorDate: Tue Jun 4 21:51:03 2019 +0100
router: Fix rule duplication with non-VPC static NAT rules (#3366)
The VR code has provision for inserting rules at the top or bottom by
specifying "front" as the second parameter to self.fw.append. However, there
are a number of cases where someone has been unaware of this and added a rule
with the pattern self.fw.append(["mangle", "", "-I PREROUTING".... This causes
the code to check for the rule already being present to fail, and duplicate
rules end up being added.
This PR fixes two of these cases which apply to adding static NAT rules. I
am aware of more of these cases, but I don't have the ability to easily test
the outcome of fixing them. I'm happy to add these in if you're confident that
the automated tests will be sufficient. Searching for "-I (case sensitive)
finds these.
The code for dealing with "front" is included below to show that this
shouldn't have any ill effects:
    if fw[1] == "front":
        cpy = cpy.replace('-A', '-I')
Fixes #3177
---
systemvm/debian/opt/cloud/bin/configure.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/systemvm/debian/opt/cloud/bin/configure.py
b/systemvm/debian/opt/cloud/bin/configure.py
index 4df9911..a7f297e 100755
--- a/systemvm/debian/opt/cloud/bin/configure.py
+++ b/systemvm/debian/opt/cloud/bin/configure.py
@@ -922,11 +922,11 @@ class CsForwardingRules(CsDataBag):
if device is None:
raise Exception("Ip address %s has no device in the ips databag" %
rule["public_ip"])
- self.fw.append(["mangle", "",
- "-I PREROUTING -s %s/32 -m state --state NEW -j
CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" %
+ self.fw.append(["mangle", "front",
+ "-A PREROUTING -s %s/32 -m state --state NEW -j
CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff" %
rule["internal_ip"]])
- self.fw.append(["mangle", "",
- "-I PREROUTING -s %s/32 -m state --state NEW -j MARK
--set-xmark %s/0xffffffff" %
+ self.fw.append(["mangle", "front",
+ "-A PREROUTING -s %s/32 -m state --state NEW -j MARK
--set-xmark %s/0xffffffff" %
(rule["internal_ip"], hex(100 +
int(device[len("eth"):])))])
self.fw.append(["nat", "front",
"-A PREROUTING -d %s/32 -j DNAT --to-destination %s" %
(rule["public_ip"], rule["internal_ip"])])
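Review bot: the two mangle PREROUTING calls that now pass "front" depend on an ordering that is not documented anywhere in this hunk. Per the commit message, "front" rewrites -A to -I, so if the list is applied in order each rule is inserted at the top of the chain and the MARK --set-xmark rule, appended second, ends up above the CONNMARK --save-mark rule. That matches what the old literal -I strings did, but a one-line comment above these calls stating the intended final order would keep a later edit from swapping them. Separately, the rewrite is a plain cpy.replace('-A', '-I'), which replaces every "-A" in the rule string; the strings here contain only the leading one, but anchoring the replacement to the start of the rule would make "front" safe for the remaining "-I" cases the message mentions.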