Fix iptable rules when chain reference count is 0 (#5328)

ravening · Rakesh Venkatesh · web-flow · commit c1fc00235913 · 2021-08-20T13:17:45.000+02:00
Sometimes the chain reference count is 0 and in that case
proper iptables rules are not applied. Because of this, ping fails.
So check the reference count for the main chain and as well as
-IN and -OUT chain as well

Co-authored-by: Rakesh Venkatesh &lt;rakeshv@apache.org&gt;
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
@@ -1327,9 +1327,11 @@ def add_fw_framework(brname):
 
     try:
         refs = int(execute("""iptables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
+        refs_in = int(execute("""iptables -n -L %s-IN | awk '/%s-IN(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
+        refs_out = int(execute("""iptables -n -L %s-OUT | awk '/%s-OUT(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
         refs6 = int(execute("""ip6tables -n -L %s | awk '/%s(.*)references/ {gsub(/\(/, "") ;print $3}'""" % (brfw,brfw)).strip())
 
-        if refs == 0:
+        if refs == 0 or refs_in == 0 or refs_out == 0:
             execute("iptables -I FORWARD -i " + brname + " -j DROP")
             execute("iptables -I FORWARD -o " + brname + " -j DROP")
             execute("iptables -I FORWARD -i " + brname + " -m physdev --physdev-is-bridged -j " + brfw)
