openstack/neutron-fwaas
Code Issues Proposed changes

Drop extra space from nflog-prefix

Browse Source 
iptables-1.8.8+[1] removed the extra space from
nflog-prefix, and with switch to ubuntu noble
which includes iptables-1.8.10 functional tests
failing, removing the extra space fixes these
tests.

[1] http://git.netfilter.org/iptables/commit/?id=05286bab77a6e0f9502e8fb99e1c53ed15663f3f
Related-Issue: #2080933

Change-Id: Id91be59ee78e2b94ea06bb5763e6a94d49de4b15
This commit is contained in:
yatinkarel 2024-12-09 18:44:09 +05:30
parent 1d0a199682
commit 824469b13a
3 changed files with 11 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
neutron_fwaas/services/logapi/agents/drivers/iptables/log.py
View File

@ -511,9 +511,7 @@ class IptablesLoggingDriver(log_ext.LoggingDriver):
match_rule += ['--limit-burst %s' % self.burst_limit]
target = ['-j', 'NFLOG']
if prefix:
# NOTE: There is an extra space after 'nflog-prefix' in
# iptables-save output, account for it here.
target += ['--nflog-prefix ', '%s' % prefix]
target += ['--nflog-prefix', '%s' % prefix]
args = direction_config + match_rule + target
return args

12
neutron_fwaas/tests/functional/services/logapi/agents/drivers/iptables/test_log.py
View File

@ -189,23 +189,23 @@ class FWLoggingTestBase(framework.L3AgentTestFramework):
if event in [ACCEPT, ALL]:
# Generate iptables rules for ACCEPT action
prefix = self._get_log_prefix(port_id, ACCEPT)
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
% (accept_chain, device, limit, prefix.id))
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
% (accept_chain, device, limit, prefix.id))
if event in [DROP, ALL]:
# Generate iptables rules for DROP action
prefix = self._get_log_prefix(port_id, DROP)
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
% (drop_chain, device, limit, prefix.id))
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
% (drop_chain, device, limit, prefix.id))
# Generate iptables rules for REJECT action
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -i %s -m %s -j NFLOG --nflog-prefix %s'
% (reject_chain, device, limit, prefix.id))
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
rules.add('-A %s -o %s -m %s -j NFLOG --nflog-prefix %s'
% (reject_chain, device, limit, prefix.id))
return rules

8
neutron_fwaas/tests/unit/services/logapi/agents/drivers/iptables/test_log.py
View File

@ -315,16 +315,16 @@ class BaseIptablesLogTestCase(base.BaseTestCase):
def _fake_nflog_rule_v4v6(self, device, tag):
v4_nflog_rule = ['-i %s -m limit --limit %s/sec --limit-burst %s '
'-j NFLOG --nflog-prefix %s'
'-j NFLOG --nflog-prefix %s'
% (device, FAKE_RATE, FAKE_BURST, tag)]
v4_nflog_rule += ['-o %s -m limit --limit %s/sec --limit-burst %s '
'-j NFLOG --nflog-prefix %s'
'-j NFLOG --nflog-prefix %s'
% (device, FAKE_RATE, FAKE_BURST, tag)]
v6_nflog_rule = ['-i %s -m limit --limit %s/sec --limit-burst %s '
'-j NFLOG --nflog-prefix %s'
'-j NFLOG --nflog-prefix %s'
% (device, FAKE_RATE, FAKE_BURST, tag)]
v6_nflog_rule += ['-o %s -m limit --limit %s/sec --limit-burst %s '
'-j NFLOG --nflog-prefix %s'
'-j NFLOG --nflog-prefix %s'
% (device, FAKE_RATE, FAKE_BURST, tag)]
return v4_nflog_rule, v6_nflog_rule