Skip to content

Commit 29c510d

Browse files
edisonSuedisonSu
committed
need to insert iptable rules into FORWARD chain instead of append, as on rhel6, there is a reject rule added at the end of FORWARD
1 parent 46e40ca commit 29c510d

2 files changed

Lines changed: 7 additions & 5 deletions

File tree

python/lib/cloudutils/serviceConfig.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,8 @@ def isPreConfiged(self):
7373
preCfged = False
7474
for br in self.syscfg.env.nics:
7575
if not self.netcfg.isNetworkDev(br):
76-
raise CloudInternalException("%s is not a network device, is it down?"%br)
76+
logging.debug("%s is not a network device, is it down?"%br)
77+
return False
7778
if not self.netcfg.isBridge(br):
7879
raise CloudInternalException("%s is not a bridge"%br)
7980
preCfged = True

scripts/vm/network/security_group.py

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -591,15 +591,16 @@ def addFWFramework(brname):
591591
try:
592592
refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
593593
if refs == "0":
594-
execute("iptables -A FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
595-
execute("iptables -A FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
594+
execute("iptables -I FORWARD -i " + brname + " -j DROP")
595+
execute("iptables -I FORWARD -o " + brname + " -j DROP")
596+
execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
597+
execute("iptables -I FORWARD -o " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
596598
phydev = execute("brctl show |grep " + brname + " | awk '{print $4}'").strip()
597599
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-out " + phydev + " -j ACCEPT")
598600
execute("iptables -A " + brfw + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
599601
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-out -j " + brfwout)
600602
execute("iptables -A " + brfw + " -m physdev --physdev-is-bridged --physdev-is-in -j " + brfwin)
601-
execute("iptables -A FORWARD -i " + brname + " -j DROP")
602-
execute("iptables -A FORWARD -o " + brname + " -j DROP")
603+
603604

604605
return True
605606
except:

0 commit comments

Comments
 (0)