Fix private gateway acl on static routes

vishesh92 · vishesh92 · commit 9186de77fec4 · 2025-01-24T13:18:20.000+05:30
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsAddress.py b/systemvm/debian/opt/cloud/bin/cs/CsAddress.py
@@ -24,6 +24,7 @@
 from CsApp import CsApache, CsDnsmasq, CsPasswdSvc
 from CsRoute import CsRoute
 from CsRule import CsRule
+from CsStaticRoutes import CsStaticRoutes
 
 VRRP_TYPES = ['guest']
 
@@ -551,6 +552,20 @@ def fw_vpcrouter(self):
             self.fw.append(["mangle", "front",
                             "-A PREROUTING -s %s -d %s -m state --state NEW -j MARK --set-xmark %s/0xffffffff" %
                             (self.cl.get_vpccidr(), self.address['network'], hex(100 + int(self.dev[3:])))])
+
+            static_routes = CsStaticRoutes("staticroutes", self.config)
+            if static_routes:
+                for item in static_routes.get_bag():
+                    if item == "id":
+                        continue
+                    static_route = static_routes.get_bag()[item]
+                    if static_route['ip_address'] == self.address['public_ip'] and not static_route['revoke']:
+                        self.fw.append(["mangle", "",
+                                        "-A PREROUTING -m state --state NEW -i %s -s %s ! -d %s -j ACL_OUTBOUND_%s" %
+                                        (self.dev, self.address['network'], static_route['network'], self.dev)])
+                        self.fw.append(["filter", "", "-A FORWARD -d %s -o %s -j ACL_INBOUND_%s" %
+                                (static_route['network'], self.dev, self.dev)])
+
             if self.address["source_nat"]:
                 self.fw.append(["nat", "front",
                                 "-A POSTROUTING -o %s -j SNAT --to-source %s" %
