From 80e86854be082ccc81099235ff6e5f16606e80e1 Mon Sep 17 00:00:00 2001
From: Igor Kalnitsky
Date: Tue, 5 Apr 2016 18:43:02 +0300
Subject: [PATCH] Fix public network routing from slaves
Since we assign public gateway address on master node, all public traffic goes through it. Unfortunately, it doesn't reach destination due to rejecting rule in FORWARD chain:
ACCEPT all -- 10.20.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere
ext-filter-forward all -- anywhere anywhere
The commit fixes that problem by inserting (-I), not appending (-A) ext-filter-forward entry. In that case that rule will have higher priority and won't break routing.
ACCEPT all -- 10.20.0.0/24 anywhere
ACCEPT all -- anywhere anywhere
ext-filter-forward all -- anywhere anywhere
REJECT all -- anywhere anywhere
Change-Id: I7887f08a175fa0ce06654dc1fc18ab412cb296f5
Closes-Bug: #1566968
---
 functions/product.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/functions/product.sh b/functions/product.sh
index d7d22d8..0701be5 100755
--- a/functions/product.sh
+++ b/functions/product.sh
@@ -234,7 +234,7 @@ enable_outbound_network_for_product_vm() {
 expect "$prompt"
 send "/sbin/iptables -t nat -A POSTROUTING -j ext-nat-postrouting\r"
 expect "$prompt"
- send "/sbin/iptables -t filter -A FORWARD -j ext-filter-forward\r"
+ send "/sbin/iptables -t filter -I FORWARD -j ext-filter-forward\r"
 expect "$prompt"
 send "service iptables save &>/dev/null\r"
 expect "$prompt"
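Review bot: `-I FORWARD` with no rule number inserts the jump at position 1, so `ext-filter-forward` is now evaluated before every other FORWARD rule, not only before the REJECT. The commit message lists it third, which this command alone would not produce unless the ACCEPT rules are added afterwards. The contents of `ext-filter-forward` are not visible in this hunk, so it is worth confirming that the chain matches only the intended source subnet and outbound interface, because anything it accepts bypasses the rest of FORWARD. A comment above the changed `send` would record the ordering requirement, for example `# -I, not -A: the jump must be evaluated before the default REJECT in FORWARD`. The body of `enable_outbound_network_for_product_vm` starts and ends outside the hunk, so how the chain is created and populated could not be checked here.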