CLOUDSTACK-9437: Create egress chain on upgrade and cleanup for allow all traffic

swill · swill · commit d302269fe53c · 2016-07-25T16:44:38.000-04:00
- Ensure that FW_EGRESS_RULE chain exists after upgrading the router
- Flush allow all egress rule on 0.0.0.0/0, if such a rule exists in the config
  it will be added later (CLOUDSTACK-9437)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -263,6 +263,12 @@ def create(self):
                 rstr = rstr.replace("  ", " ").lstrip()
                 self.fw.append([self.table, self.count, rstr])
 
+    def flushAllowAllEgressRules(self):
+        logging.debug("Flush allow 'all' egress firewall rule")
+        # Ensure that FW_EGRESS_RULES chain exists
+        CsHelper.execute("iptables-save | grep '^:FW_EGRESS_RULES' || iptables -t filter -N FW_EGRESS_RULES")
+        CsHelper.execute("iptables-save | grep '^-A FW_EGRESS_RULES -j ACCEPT$' | sed 's/^-A/iptables -t filter -D/g' | bash")
+
     def process(self):
         for item in self.dbag:
             if item == "id":
@@ -978,6 +984,7 @@ def main(argv):
             acls.process()
 
             acls = CsAcl('firewallrules', config)
+            acls.flushAllowAllEgressRules()
             acls.process()
 
             fwd = CsForwardingRules("forwardingrules", config)
