VPC VR: update iptables rule

weizhouapache · weizhouapache · commit 8d3468efabbf · 2025-01-30T17:20:31.000+01:00
This fixes the issue that SSH/ping does not work from vm in private network to vm in vpc, if
- VPC tier uses ACL default_allow
- private gateway uses ACL "allow egress but deny ingress"
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -544,6 +544,8 @@ def fw_vpcrouter(self):
         if self.is_private_gateway():
             self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
                             (self.address['network'], self.dev, self.dev)])
+            self.fw.append(["filter", "front", "-A FORWARD -d %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" %
+                            (self.address['network'], self.dev)])
             self.fw.append(["filter", "", "-A ACL_INBOUND_%s -j DROP" % self.dev])
             self.fw.append(["mangle", "",
                             "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s/32 -j ACL_OUTBOUND_%s" %
