From faf2c6f3b84c49651b374bb9fb4e68ee92cf8ffb Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Tue, 21 Feb 2017 17:24:05 +0100
Subject: [PATCH] F #5027: Update security group driver to work with the IP6 static AR

---
 src/vnm_mad/remotes/lib/security_groups.rb | 5 ++
 .../remotes/lib/security_groups_iptables.rb | 51 +++++++++++--------
 2 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/src/vnm_mad/remotes/lib/security_groups.rb b/src/vnm_mad/remotes/lib/security_groups.rb
index aac7552afc..18a976ad6d 100644
--- a/src/vnm_mad/remotes/lib/security_groups.rb
+++ b/src/vnm_mad/remotes/lib/security_groups.rb
@@ -70,6 +70,7 @@ module VNMNetwork
 
 @range = @rule[:range]
 @ip = @rule[:ip]
+ @ip6 = @rule[:ip6]
 @ip6_global = @rule[:ip6_global]
 @ip6_ula = @rule[:ip6_ula]
 @size = @rule[:size]
@@ -124,6 +125,10 @@ module VNMNetwork
 nets += VNMNetwork::to_nets(@ip6_ula, @size.to_i)
 end
 
+ if @ip6 && @size
+ nets += VNMNetwork::to_nets(@ip6, @size.to_i)
+ end
+
 return nets
 end
 
diff --git a/src/vnm_mad/remotes/lib/security_groups_iptables.rb b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
index c8540750f9..bca6bdad77 100644
--- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb
+++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
@@ -84,7 +84,7 @@ module SGIPTables
 sets = []
 
 the_nets.each do |n|
- if IPAddr.new(the_nets[0]).ipv6?
+ if IPAddr.new(the_nets[n]).ipv6?
 command = :ip6tables
 family = "inet6"
 else
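Review bot: The new `IPAddr.new(the_nets[n]).ipv6?` in the security_groups_iptables.rb hunk at `@@ -84,7` swaps a wrong index for a type error: `n` is the network String yielded by `the_nets.each`, and calling `Array#[]` with a String raises `TypeError` (no implicit conversion of String into Integer), so the per-network family selection this commit introduces is never reached. The element itself is what should be classified: `if IPAddr.new(n).ipv6?`. Until that is fixed the loop aborts on its first iteration, and whether the driver then refuses to bring the interface up or merely leaves this rule unprogrammed depends on the caller, which is not visible here; the latter would be a silently fail-open security group, so it is worth confirming. The method this loop belongs to starts and ends outside the hunk.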
@@ -124,32 +124,39 @@ module SGIPTables
 return if the_nets.empty?
 
- if IPAddr.new(the_nets[0]).ipv6?
- command = :ip6tables
- family = "inet6"
- else
- command = :iptables
- family = "inet"
- end
-
- if @rule_type == :inbound
- chain = vars[:chain_in]
- set = "#{vars[:set_sg_in]}-nr-#{family}"
- dir = "src,dst"
- else
- chain = vars[:chain_out]
- set = "#{vars[:set_sg_out]}-nr-#{family}"
- dir = "dst,dst"
- end
-
- cmds.add :ipset, "create #{set} hash:net,port family #{family}"
- cmds.add command, "-A #{chain} -m set --match-set" \
- " #{set} #{dir} -j RETURN"
+ sets = []
 
 the_nets.each do |n|
+ if IPAddr.new(the_nets[n]).ipv6?
+ command = :ip6tables
+ family = "inet6"
+ else
+ command = :iptables
+ family = "inet"
+ end
+
+ if @rule_type == :inbound
+ chain = vars[:chain_in]
+ set = "#{vars[:set_sg_in]}-nr-#{family}"
+ dir = "src,dst"
+ else
+ chain = vars[:chain_out]
+ set = "#{vars[:set_sg_out]}-nr-#{family}"
+ dir = "dst,dst"
+ end
+
+ if !sets.include?(set)
+ cmds.add :ipset, "create #{set} hash:net,port family #{family}"
+ cmds.add command, "-A #{chain} -m set --match-set" \
+ " #{set} #{dir} -j RETURN"
+
+ sets << set
+ end
+
 @range.split(",").each do |r|
 r.gsub!(":","-")
 net_range = "#{n},#{@protocol}:#{r}"
+
 cmds.add :ipset, "add -exist #{set} #{net_range}"
 end
 end
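Review bot: `IPAddr.new(the_nets[n]).ipv6?` at the top of the rewritten `the_nets.each` body indexes the Array `the_nets` with the String `n` that the block yields, which raises `TypeError` on the first iteration, before any `ipset create`, chain rule or `add -exist` command is queued; the intended test is on the element: `if IPAddr.new(n).ipv6?`. With that one-word fix the rest of the hunk reads correctly: the set name is keyed only by address family, so the `sets` guard creates each family's `-nr-` set and its `RETURN` rule exactly once, and the `add -exist` lines then land in the right set for each network. Note that the same broken expression was introduced in the `@@ -84,7` hunk of this file and needs the same change. The enclosing method begins before this hunk, so how an exception here propagates to the driver cannot be judged from the diff alone.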