feuhaps
diff --git a/‎api/src/com/cloud/offering/NetworkOffering.java‎
Lines changed: 1 addition & 0 deletions b/‎api/src/com/cloud/offering/NetworkOffering.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/org/apache/cloudstack/api/ApiConstants.java‎
Lines changed: 1 addition & 0 deletions b/‎api/src/org/apache/cloudstack/api/ApiConstants.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java‎
Lines changed: 10 additions & 0 deletions b/‎api/src/org/apache/cloudstack/api/command/admin/network/CreateNetworkOfferingCmd.java‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java‎
Lines changed: 7 additions & 0 deletions b/‎api/src/org/apache/cloudstack/api/response/NetworkOfferingResponse.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎core/src/com/cloud/agent/api/routing/NetworkElementCommand.java‎
Lines changed: 1 addition & 0 deletions b/‎core/src/com/cloud/agent/api/routing/NetworkElementCommand.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java‎
Lines changed: 7 additions & 0 deletions b/‎engine/schema/src/com/cloud/network/rules/FirewallRuleVO.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java‎
Lines changed: 9 additions & 1 deletion b/‎engine/schema/src/com/cloud/offerings/NetworkOfferingVO.java‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎patches/systemvm/debian/config/root/firewallRule_egress.sh‎
Lines changed: 21 additions & 5 deletions b/‎patches/systemvm/debian/config/root/firewallRule_egress.sh‎
Lines changed: 21 additions & 5 deletions
diff --git a/‎plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java‎
Lines changed: 8 additions & 0 deletions b/‎plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎server/src/com/cloud/api/ApiResponseHelper.java‎
Lines changed: 1 addition & 0 deletions b/‎server/src/com/cloud/api/ApiResponseHelper.java‎
Lines changed: 1 addition & 0 deletions
@@ -127,5 +127,6 @@ public enum Detail {
     boolean getInternalLb();
 
     boolean getPublicLb();
+    boolean getEgressDefaultPolicy();
 
 }
@@ -121,6 +121,7 @@ public class ApiConstants {
     public static final String IS_PORTABLE = "isportable";
     public static final String IS_PUBLIC = "ispublic";
     public static final String IS_PERSISTENT = "ispersistent";
+    public static final String EGRESS_DEFAULT_POLICY = "egressdefaultpolicy";
     public static final String IS_READY = "isready";
     public static final String IS_RECURSIVE = "isrecursive";
     public static final String ISO_FILTER = "isofilter";
 
@@ -99,6 +99,9 @@ public class CreateNetworkOfferingCmd extends BaseCmd {
     		" Supported keys are internallbprovider/publiclbprovider with service provider as a value")
     protected Map details;
 
+    @Parameter(name=ApiConstants.EGRESS_DEFAULT_POLICY, type=CommandType.BOOLEAN, description="true if default guest network egress policy is allow; false if default egress policy is deny")
+    private Boolean egressDefaultPolicy;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -162,6 +165,13 @@ public Boolean getIsPersistent() {
         return isPersistent == null ? false : isPersistent;
     }
 
+    public Boolean getEgressDefaultPolicy() {
+        if (egressDefaultPolicy == null) {
+            return true;
+        }
+        return egressDefaultPolicy;
+    }
+
     public Map<String, List<String>> getServiceProviders() {
         Map<String, List<String>> serviceProviderMap = null;
         if (serviceProviderList != null && !serviceProviderList.isEmpty()) {
 
@@ -88,6 +88,9 @@ public class NetworkOfferingResponse extends BaseResponse {
     @SerializedName(ApiConstants.DETAILS) @Param(description="additional key/value details tied with network offering", since="4.2.0")
     private Map details;
 
+    @SerializedName(ApiConstants.EGRESS_DEFAULT_POLICY) @Param(description="true if network offering supports persistent networks, false otherwise")
+    private Boolean egressDefaultPolicy;
+
 
     public void setId(String id) {
         this.id = id;
@@ -166,4 +169,8 @@ public void setDetails(Map details) {
         this.details = details;
     }
 
+    public void setEgressDefaultPolicy(Boolean egressDefaultPolicy) {
+        this.egressDefaultPolicy = egressDefaultPolicy;
+    }
+
 }
@@ -33,6 +33,7 @@ public abstract class NetworkElementCommand extends Command {
     public static final String ZONE_NETWORK_TYPE = "zone.network.type";
     public static final String GUEST_BRIDGE = "guest.bridge";
     public static final String VPC_PRIVATE_GATEWAY = "vpc.gateway.private";
+    public static final String FIREWALL_EGRESS_DEFAULT = "firewall.egress.default";
 
 
     protected NetworkElementCommand() {
 
@@ -223,6 +223,13 @@ public FirewallRuleVO(String xId, Long ipAddressId, Integer portStart, Integer p
     }
 
 
+    public FirewallRuleVO(String xId, Long ipAddressId, Integer portStart, Integer portEnd, String protocol,
+                          long networkId, long accountId, long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode,
+                          Integer icmpType, Long related, TrafficType trafficType, FirewallRuleType type) {
+        this(xId, ipAddressId, portStart, portEnd, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, trafficType);
+        this.type = type;
+    }
+
     public FirewallRuleVO(String xId, long ipAddressId, int port, String protocol, long networkId, long accountId, 
             long domainId, Purpose purpose, List<String> sourceCidrs, Integer icmpCode, Integer icmpType, Long related) {
         this(xId, ipAddressId, port, port, protocol, networkId, accountId, domainId, purpose, sourceCidrs, icmpCode, icmpType, related, null);
 
@@ -130,6 +130,9 @@ public class NetworkOfferingVO implements NetworkOffering {
     @Column(name = "is_persistent")
     boolean isPersistent;
 
+    @Column(name = "egress_default_policy")
+    boolean egressdefaultpolicy;
+
     @Override
     public String getDisplayText() {
         return displayText;
@@ -275,6 +278,10 @@ public void setRedundantRouter(boolean redundantRouter) {
         this.redundantRouter = redundantRouter;
     }
 
+    public boolean getEgressDefaultPolicy() {
+        return egressdefaultpolicy;
+    }
+
     public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean specifyIpRanges, boolean isPersistent, boolean internalLb, boolean publicLb) {
         this.name = name;
@@ -306,7 +313,7 @@ public NetworkOfferingVO(String name, String displayText, TrafficType trafficTyp
 
     public NetworkOfferingVO(String name, String displayText, TrafficType trafficType, boolean systemOnly, boolean specifyVlan, Integer rateMbps, Integer multicastRateMbps, boolean isDefault,
             Availability availability, String tags, Network.GuestType guestType, boolean conserveMode, boolean dedicatedLb, boolean sharedSourceNat, boolean redundantRouter, boolean elasticIp, boolean elasticLb,
-            boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb) {
+            boolean specifyIpRanges, boolean inline, boolean isPersistent, boolean associatePublicIP, boolean publicLb, boolean internalLb, boolean egressdefaultpolicy) {
         this(name, displayText, trafficType, systemOnly, specifyVlan, rateMbps, multicastRateMbps, isDefault, availability, tags, guestType, conserveMode, specifyIpRanges, isPersistent, internalLb, publicLb);
         this.dedicatedLB = dedicatedLb;
         this.sharedSourceNat = sharedSourceNat;
@@ -315,6 +322,7 @@ public NetworkOfferingVO(String name, String displayText, TrafficType trafficTyp
         this.elasticLb = elasticLb;
         this.inline = inline;
         this.eipAssociatePublicIp = associatePublicIP;
+        this.egressdefaultpolicy = egressdefaultpolicy;
     }
 
     public NetworkOfferingVO() {
 
@@ -82,15 +82,14 @@ fw_entry_for_egress() {
       [ "$eport" == "-1" ] && typecode="$sport"
       [ "$sport" == "-1" ] && typecode="any"
       sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
-                     -j ACCEPT
+                     -j $target
       result=$?
     elif [ "$prot" == "all" ]
     then
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j $target
 	    result=$?
     else
-	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
-	     	    $DPORT -j ACCEPT
+	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr  $DPORT -j $target
 	    result=$?
     fi
 
@@ -109,14 +108,18 @@ rules=""
 rules_list=""
 ip=""
 dev=""
+pflag=0
 shift
 shift
-while getopts 'a:' OPTION
+while getopts 'a:P:' OPTION
 do
   case $OPTION in
   a)	aflag=1
 		rules="$OPTARG"
 		;;
+  P)   pflag=1
+       pvalue="$OPTARG"
+       ;;
   ?)	usage
                 unlock_exit 2 $lock $locked
 		;;
@@ -142,6 +145,13 @@ fi
 
 success=0
 
+if [ "$pvalue" == "0" -o "$pvalue" == "2" ]
+  then
+     target="ACCEPT"
+  else
+     target="DROP"
+  fi
+
 fw_egress_chain
 for r in $rules_list
 do
@@ -162,6 +172,12 @@ then
   fw_egress_backup_restore
 else
   logger -t cloud "deleting backup for guest network"
+    if [ "$pvalue" == "1" -o "$pvalue" == "2" ]
+       then
+       #Adding default policy rule
+       sudo iptables -A FW_EGRESS_RULES  -j ACCEPT
+    fi
+
 fi
 
 fw_egress_remove_backup
 
@@ -7994,6 +7994,7 @@ protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
         String callResult;
         Connection conn = getConnection();
         String routerIp = cmd.getAccessDetail(NetworkElementCommand.ROUTER_IP);
+        String egressDefault = cmd.getAccessDetail(NetworkElementCommand.FIREWALL_EGRESS_DEFAULT);
         FirewallRuleTO[] allrules = cmd.getRules();
         FirewallRule.TrafficType trafficType = allrules[0].getTrafficType();
         if (routerIp == null) {
@@ -8005,6 +8006,13 @@ protected SetFirewallRulesAnswer execute(SetFirewallRulesCommand cmd) {
         args += routerIp + " -F";
         if (trafficType == FirewallRule.TrafficType.Egress){
             args+= " -E";
+            if (egressDefault.equals("true")) {
+                args+= " -P 1";
+            } else if (egressDefault.equals("System")) {
+                args+= " -P 2";
+            } else {
+                args+= " -P 0";
+            }
         }
         StringBuilder sb = new StringBuilder();
         String[] fwRules = rules[0];
 
@@ -2009,6 +2009,7 @@ public NetworkOfferingResponse createNetworkOfferingResponse(NetworkOffering off
         response.setAvailability(offering.getAvailability().toString());
         response.setIsPersistent(offering.getIsPersistent());
         response.setNetworkRate(ApiDBUtils.getNetworkRate(offering.getId()));
+        response.setEgressDefaultPolicy(offering.getEgressDefaultPolicy());
         Long so = null;
         if (offering.getServiceOfferingId() != null) {
             so = offering.getServiceOfferingId();
Original file line number	Diff line number	Diff line change
`@@ -127,5 +127,6 @@ public enum Detail {`
`127`	`127`	`boolean getInternalLb();`
`128`	`128`
`129`	`129`	`boolean getPublicLb();`
	`130`	`+ boolean getEgressDefaultPolicy();`
`130`	`131`
`131`	`132`	`}`