CLOUDSTACK-9848: Added exit status checking for the iptables commands

jayapalu · jayapalu · commit da8a3567a387 · 2017-05-09T17:40:02.000+05:30
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -168,12 +168,10 @@ def add_rule(self, cidr):
                 if rule['protocol'] == "icmp":
                     fwr += " -s %s " % cidr + \
                                     " -p %s " % rule['protocol'] + \
-                                    " -m %s " % rule['protocol'] + \
                                     " --icmp-type %s" % icmp_type
                 elif rule['protocol'] != "all":
                     fwr += " -s %s " % cidr + \
                            " -p %s " % rule['protocol'] + \
-                           " -m %s " % rule['protocol'] + \
                            "  %s" % rnge
                 elif rule['protocol'] == "all":
                     fwr += " -s %s " % cidr
@@ -1022,6 +1020,7 @@ def main(argv):
             static_routes.process()
     except Exception:
         logging.exception("Exception while configuring router")
+        return 1
 
 if __name__ == "__main__":
     main(sys.argv)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@@ -382,7 +382,7 @@ def fw_router(self):
                             "-A FIREWALL_%s " % self.address['public_ip'] +
                             "-m state --state RELATED,ESTABLISHED -j ACCEPT"])
             self.fw.append(["mangle", "",
-                            "-A FIREWALL_%s DROP" % self.address['public_ip']])
+                            "-A FIREWALL_%s -j DROP" % self.address['public_ip']])
             self.fw.append(["mangle", "",
                             "-A VPN_%s -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.address['public_ip']])
             self.fw.append(["mangle", "",
@@ -392,8 +392,6 @@ def fw_router(self):
             self.fw.append(["mangle", "",
                             "-A PREROUTING -i %s -m state --state NEW " % self.dev +
                             "-j CONNMARK --set-xmark %s/0xffffffff" % self.dnum])
-            self.fw.append(
-                ["mangle", "", "-A FIREWALL_%s -j DROP" % self.address['public_ip']])
             self.fw.append(["filter", "",
                             "-A FORWARD -i %s -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT" % self.dev])
             self.fw.append(["filter", "",
@@ -484,10 +482,6 @@ def fw_vpcrouter(self):
                             (guestNetworkCidr, self.dev, self.address['public_ip'])])
 
         if self.get_type() in ["public"]:
-            self.fw.append(["", "front",
-                            "-A FORWARD -o %s -d %s -j ACL_INBOUND_%s" % (
-                                self.dev, self.address['network'], self.dev)
-                            ])
             self.fw.append(
                 ["mangle", "", "-A FORWARD -j VPN_STATS_%s" % self.dev])
             self.fw.append(
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsHelper.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsHelper.py
@@ -181,8 +181,11 @@ def get_hostname():
 
 def execute(command):
     """ Execute command """
-    logging.debug("Executing: %s" % command)
     p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    p.wait()
+    rc = p.returncode
+
+    logging.debug("Executed: %s - exitstatus=%s " % (command, rc))
     result = p.communicate()[0]
     return result.splitlines()
 
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsNetfilter.py
@@ -16,8 +16,7 @@
 # specific language governing permissions and limitations
 # under the License.
 import CsHelper
-from pprint import pprint
-from CsDatabag import CsDataBag, CsCmdLine
+from CsDatabag import CsCmdLine
 import logging
 
 
@@ -173,7 +172,15 @@ def compare(self, list):
                         cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), rule_count))
                     else:
                         cpy = cpy.replace("-A %s" % new_rule.get_chain(), '-I %s %s' % (new_rule.get_chain(), fw[1]))
-                CsHelper.execute("iptables -t %s %s" % (new_rule.get_table(), cpy))
+                ret = CsHelper.execute2("iptables -t %s %s" % (new_rule.get_table(), cpy))
+                #There are some issues in this framework causing failures  .. like adding a chain without checking it is present causing
+                # the failures. Also some of the rule like removeFromLoadBalancerRule is deleting rule and deleteLoadBalancerRule
+                #trying to delete which causes the failure.
+                #For now raising the log.
+                #TODO: Need to fix in the framework.
+                if ret.returncode != 0 :
+                    error = ret.communicate()[0]
+                    logging.debug("iptables command got failed ... continuing")
                 ruleSet.add(tupledFw)
                 self.chain.add_rule(rule_chain)
         self.del_standard()
