From 82cb80b970e56fc77435850c081fb68207206aa7 Mon Sep 17 00:00:00 2001
From: John Watson
Date: Thu, 11 Jan 2024 23:57:31 +0000
Subject: [PATCH] fix: add missing iptables rule for default network namespace forwarding

---
 .../src/instance/cyclone/firecracker-setup.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/deadpool-cyclone/src/instance/cyclone/firecracker-setup.sh b/lib/deadpool-cyclone/src/instance/cyclone/firecracker-setup.sh
index 288c6524ac..ea5f451701 100755
--- a/lib/deadpool-cyclone/src/instance/cyclone/firecracker-setup.sh
+++ b/lib/deadpool-cyclone/src/instance/cyclone/firecracker-setup.sh
@@ -210,6 +210,11 @@ execute_configuration_management() {
 if ! iptables -t nat -C POSTROUTING -o $(ip route get 8.8.8.8 | awk -- '{printf $5}') -j MASQUERADE; then
 iptables -t nat -A POSTROUTING -o $(ip route get 8.8.8.8 | awk -- '{printf $5}') -j MASQUERADE
 fi
+
+ # Allow forwarding in the default network namespace to allow NAT'ed traffic leave
+ # NB: iptables doesn't support -C for the rule checking of protocols
+ iptables -P FORWARD ACCEPT
+
 # Block calls to AWS Metadata not coming from the primary network
 if ! iptables -C FORWARD -d 169.254.169.254 -j DROP; then
 iptables -A FORWARD -d 169.254.169.254 -j DROP
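Review bot: `iptables -P FORWARD ACCEPT` flips the host-wide default policy for every forwarded packet, which is much broader than the stated intent of letting the MASQUERADE'd VM traffic leave, and it silently overrides any stricter FORWARD policy another component on the host may have set (Docker, for example, sets it to DROP); the MASQUERADE rule just above is already scoped to the egress interface from `ip route get 8.8.8.8`, so the forwarding allowance should be scoped the same way and the chain policy left alone. The rules below are appended after the metadata DROP block so that 169.254.169.254 traffic is still dropped before the ACCEPT is reached (with `-A` the ACCEPT would otherwise shadow a later DROP), and they use `-C` like the surrounding rules, which is possible here because they are rules rather than a policy. The NB comment is also misleading: `-C` is inapplicable to `-P` because a policy is not a rule, not because of "protocols"; if the policy change is kept, replace it with `# NB: -P sets the chain policy, not a rule, so it has no -C check; it is idempotent`. Whether `net.ipv4.ip_forward` is enabled elsewhere in this script is not visible in the hunk and is worth confirming. `execute_configuration_management` starts and ends outside the hunk.
```shell
    # … unchanged: MASQUERADE rule and AWS metadata DROP block …
    # Allow forwarded traffic only when it leaves via the NAT egress interface, plus
    # replies to it coming back in; kept after the metadata DROP so that rule wins.
    egress_if=$(ip route get 8.8.8.8 | awk -- '{printf $5}')
    if ! iptables -C FORWARD -o "$egress_if" -j ACCEPT; then
        iptables -A FORWARD -o "$egress_if" -j ACCEPT
    fi
    if ! iptables -C FORWARD -i "$egress_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; then
        iptables -A FORWARD -i "$egress_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    fi
```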