Fix public network routing from slaves

Since we assign the public gateway address on the master node, all public
traffic goes through it. Unfortunately, it doesn't reach its destination due
to the rejecting rule in the FORWARD chain:

    ACCEPT              all  --  10.20.0.0/24         anywhere
    ACCEPT              all  --  anywhere             anywhere
    REJECT              all  --  anywhere             anywhere
    ext-filter-forward  all  --  anywhere             anywhere

The commit fixes that problem by inserting (-I), not appending (-A), the
ext-filter-forward entry. In that case the rule will have higher
priority and won't break routing.

    ACCEPT              all  --  10.20.0.0/24         anywhere
    ACCEPT              all  --  anywhere             anywhere
    ext-filter-forward  all  --  anywhere             anywhere
    REJECT              all  --  anywhere             anywhere

Change-Id: I7887f08a175fa0ce06654dc1fc18ab412cb296f5
Closes-Bug: #1566968
Igor Kalnitsky 3 years ago
parent
commit
80e86854be
1 changed files with 1 additions and 1 deletions
functions/product.sh

@@ -234,7 +234,7 @@ enable_outbound_network_for_product_vm() {
234 234
         expect "$prompt"
235 235
         send "/sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"
236 236
         expect "$prompt"
237
-        send "/sbin/iptables -t filter -A FORWARD -j ext-filter-forward\r"
237
+        send "/sbin/iptables -t filter -I FORWARD -j ext-filter-forward\r"
238 238
         expect "$prompt"
239 239
         send "service iptables save &>/dev/null\r"
240 240
         expect "$prompt"
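
Review bot: The `-I FORWARD` on the changed line carries no rule number, so iptables places the jump at position 1 of the chain, ahead of the `ACCEPT ... 10.20.0.0/24` rule and not only ahead of the REJECT. The second listing in the commit message shows ext-filter-forward in third place, which this command alone does not produce; if the intent is "just before REJECT", pass an explicit position (`-I FORWARD <n>`), and if first place is intended, say so in the message so nobody later assumes the 10.20.0.0/24 ACCEPT is evaluated first. The insert is also unconditional and is followed by `service iptables save`, so running this function again against the same master would persist a second identical jump; guarding it with `iptables -t filter -C FORWARD -j ext-filter-forward` before inserting would keep the saved ruleset stable. The neighbouring `-t nat -A POSTROUTING -j ext-nat-postrouting` line has the same repeat-run behaviour.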
