From d4796c818afe9109a7d93cf7c4276e9c1997e485 Mon Sep 17 00:00:00 2001
From: Anonymous Coward
Date: Thu, 21 Jan 2016 09:45:31 -0500
Subject: [PATCH] Revert "Operator can now properly set allow/deny networks"

This reverts commit db7c2bd87af715e153096e5423befddb6ab21140.
---
 warden/root/linux/net.sh | 10 ++++++----
 warden/root/linux/skeleton/net.sh | 6 ++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/warden/root/linux/net.sh b/warden/root/linux/net.sh
index 2acdc41f..17c30415 100755
--- a/warden/root/linux/net.sh
+++ b/warden/root/linux/net.sh
@@ -100,24 +100,26 @@ function setup_filter() {
 # Always allow established connections to warden containers
 iptables -w -A ${filter_default_chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
- for n in ${DENY_NETWORKS}; do
+ for n in ${ALLOW_NETWORKS}; do
 if [ "$n" == "" ]
 then
 break
 fi
 
- iptables -w -A ${filter_default_chain} --destination "$n" --jump DROP
+ iptables -w -A ${filter_default_chain} --destination "$n" --jump RETURN
 done
 
- for n in ${ALLOW_NETWORKS}; do
+ for n in ${DENY_NETWORKS}; do
 if [ "$n" == "" ]
 then
 break
 fi
 
- iptables -w -A ${filter_default_chain} --destination "$n" --jump ACCEPT
+ iptables -w -A ${filter_default_chain} --destination "$n" --jump DROP
 done
 
+ iptables -w -A ${filter_default_chain} --jump REJECT
+
 # Accept packets related to previously established connections
 iptables -w -I INPUT -m state --state ESTABLISHED,RELATED --jump ACCEPT -m comment --comment 'related-traffic'
 
diff --git a/warden/root/linux/skeleton/net.sh b/warden/root/linux/skeleton/net.sh
index 44ccae7f..354747b4 100755
--- a/warden/root/linux/skeleton/net.sh
+++ b/warden/root/linux/skeleton/net.sh
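Review bot: The restored allow-then-deny order makes ALLOW_NETWORKS take precedence over any overlapping DENY_NETWORKS entry, and nothing in the hunk says so; since the reverted commit flipped exactly this order, the loops deserve a comment above the first `for`, e.g. `# ALLOW_NETWORKS is evaluated first, so an allowed destination inside a denied range is still permitted; RETURN hands the packet back to whatever entered the default chain`. Because the skeleton's instance chain reaches this chain with `--goto` (see the other file in this patch), RETURN here does not come back to the instance chain but to the forward chain, so an allowed packet's fate depends on the forward-chain rules after the instance chain, while everything unmatched hits the new unconditional REJECT at the end — worth stating next to that REJECT. The `[ "$n" == "" ]` guard looks unreachable as written: unquoted word-splitting of `${ALLOW_NETWORKS}` never yields an empty word under the default IFS, so it only matters if IFS is changed elsewhere in the file. setup_filter continues outside the hunk.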
@@ -41,9 +41,7 @@ function setup_filter() {
 # Create instance chain
 iptables -w -N ${filter_instance_chain}
 iptables -w -A ${filter_instance_chain} \
- --jump ${filter_default_chain}
-
- iptables -w -A ${filter_instance_chain} --jump REJECT
+ --goto ${filter_default_chain}
 
 # Bind instance chain to forward chain
 iptables -w -I ${filter_forward_chain} 2 \
@@ -158,7 +156,7 @@ case "${1}" in
 target="--jump RETURN"
 fi
 
- iptables -w -I ${filter_instance_chain} 2 ${opts} ${target}
+ iptables -w -I ${filter_instance_chain} 1 ${opts} ${target}
 ;;
 
 "get_ingress_info")
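Review bot: The instance chain's sole rule is now `--goto ${filter_default_chain}`, and the difference from `--jump` is load-bearing: a RETURN inside the default chain (which warden/root/linux/net.sh in this same patch uses for ALLOW_NETWORKS) returns to the chain that entered the instance chain, i.e. `${filter_forward_chain}`, not to the instance chain. There is therefore no per-instance fallthrough after the default chain, and the default chain's trailing REJECT is the only terminal rule for unmatched traffic; a comment on the added line such as `# --goto, not --jump: a RETURN in the default chain continues in the forward chain, and the default chain's REJECT is the terminal rule` would keep a future edit from reintroducing the `--jump` plus REJECT pair this revert removes. What sits at position 1 of the forward chain, and the rest of setup_filter, is outside the hunk.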
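Review bot: Inserting the per-instance rule at position 1 of `${filter_instance_chain}` places it ahead of the `--goto ${filter_default_chain}` rule from the earlier hunk, so when `${target}` is `--jump RETURN` (the context line shows that value) a container-specific rule can permit a destination that the operator's DENY_NETWORKS in the default chain would otherwise DROP. If that precedence is intended it should be written down where the rule is inserted, e.g. `# Position 1 puts instance rules ahead of the default chain: they override operator-level ALLOW/DENY_NETWORKS`; if it is not, the index or the default-chain ordering needs a second look. The enclosing case arm starts outside the hunk, so how `${opts}` is derived is not visible here.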