From 2fa35c2227e42e90785784a30e95314390099c69 Mon Sep 17 00:00:00 2001
From: Frank Louwers
Date: Fri, 17 Jul 2015 15:33:07 +0200
Subject: [PATCH 1/2] CLOUDSTACK-8650: Fix securitygroups ingress FW for protocol any and 0.0.0.0/0
Change way 0.0.0.0/0 + all is handles, as per feedback in Slack channel
---
 scripts/vm/network/security_group.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 7279518c43d4..c4a675369423 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -860,8 +860,10 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
 for ip in ips:
 execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " " + direction + " " + ip + " -j "+ action)
- if allow_any and protocol != 'all':
- if protocol != 'icmp':
+ if allow_any
+ if protocol == 'all':
+ execute("iptables -I " + vmchain + " -m state --state NEW " + direction + " 0.0.0.0/0 -j "+action)
+ elif protocol != 'icmp':
 execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j "+ action)
 else:
 range = start + "/" + end
From 2e94fffbd57e888a38b087eda3f7e0ae8ab8d6c5 Mon Sep 17 00:00:00 2001
From: Frank Louwers
Date: Wed, 22 Jul 2015 17:15:32 +0200
Subject: [PATCH 2/2] Sorry about the typo
---
 scripts/vm/network/security_group.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index c4a675369423..31984d2e87ed 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
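Review bot: The new `if protocol == 'all':` branch inserts a rule with no `-p` match and `0.0.0.0/0` as the address, so it matches every protocol and every port from any source for NEW connections, and nothing on the line says that this is the intended reading of "any protocol + 0.0.0.0/0" rather than an accident; add a comment above the `execute(...)` call such as `# allow_any + 'all': a single protocol-agnostic rule for NEW connections; the -p/-m --dport form in the elif cannot express "any protocol"`. The rule is still assembled by string concatenation from `vmchain`, `direction` and `action` exactly like its neighbours, so if `execute()` hands the string to a shell (not visible in this hunk) those values need validating before they reach it. A small style point: `"+action` on the new line differs from the `"+ action` spacing used on the surrounding lines. add_network_rules starts and ends outside the hunk, and the second patch in this series only adds the colon missing after `if allow_any`.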
@@ -860,7 +860,7 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
 for ip in ips:
 execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " " + direction + " " + ip + " -j "+ action)
- if allow_any
+ if allow_any:
 if protocol == 'all':
 execute("iptables -I " + vmchain + " -m state --state NEW " + direction + " 0.0.0.0/0 -j "+action)
 elif protocol != 'icmp':