From de810e04fb1d243ad4f82f6b35a7821fefe0a2cc Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Tue, 19 Mar 2019 14:28:56 -0400
Subject: [PATCH] Use '-p ip' instead of '-p 0' with conntrack
The conntrack command does not allow '-p 0' as an argument, but does allow it's equivalent '-p ip'. Use it instead so it doesn't generate an error.
Change-Id: Ica69eb85a6835952904a6390bb8a31e6afdecf69
Closes-bug: #1820744
---
 neutron/agent/linux/ip_conntrack.py | 5 ++++-
 .../unit/agent/linux/test_iptables_firewall.py | 14 +++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/neutron/agent/linux/ip_conntrack.py b/neutron/agent/linux/ip_conntrack.py
index a68d5e44188..c4ee7983c90 100644
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@@ -117,7 +117,10 @@ class IpConntrackManager(object):
 protocol = rule.get('protocol')
 direction = rule.get('direction')
 cmd = ['conntrack', '-D']
- if protocol:
+ if protocol is not None:
+ # 0 is IP in /etc/protocols, but conntrack will throw an error
+ if str(protocol) == '0':
+ protocol = 'ip'
 cmd.extend(['-p', str(protocol)])
 cmd.extend(['-f', str(ethertype).lower()])
 cmd.append('-d' if direction == 'ingress' else '-s')
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 2400c181400..92e5b3fd42b 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1389,8 +1389,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 while not self.firewall.ipconntrack._queue.empty():
 self.firewall.ipconntrack._process_queue()
 cmd = ['conntrack', '-D']
- if protocol:
- cmd.extend(['-p', protocol])
+ if protocol is not None:
+ if str(protocol) == '0':
+ protocol = 'ip'
+ cmd.extend(['-p', str(protocol)])
 if ethertype == 'IPv4':
 cmd.extend(['-f', 'ipv4'])
 if direction == 'ingress':
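Review bot: Widening the guard from `if protocol:` to `if protocol is not None:` lets a falsy non-None value such as an empty string reach `cmd.extend(['-p', str(protocol)])`, producing `-p ''`, where the previous truthiness test skipped the flag entirely. Whether `rule.get('protocol')` can ever yield `''` is not visible in this hunk; if it can, `if protocol not in (None, ''):` keeps the old skip while still normalizing `0`. The inline comment would also read better as a statement of why, e.g. `# conntrack rejects '-p 0'; use its alias 'ip' (protocol 0 in /etc/protocols)`. The enclosing method of IpConntrackManager starts before this hunk.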
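Review bot: The test helper now reproduces the production normalization (`if str(protocol) == '0': protocol = 'ip'`) before building the expected conntrack command, so the assertion checks the implementation against a copy of itself and would still pass if both were wrong in the same way. Prefer stating the expectation as data: give `_test_remove_conntrack_entries` an explicit expected `-p` argument, or look it up from a literal table keyed by the input protocol (`None`, `0`, `'0'`, `'ip'`, `'tcp'`, `6`, ...), so each case names the command argument it expects without re-deriving it. `_test_remove_conntrack_entries` begins outside this hunk.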
@@ -1412,7 +1414,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
 for direction in ['ingress', 'egress']:
- for pro in [None, 'tcp', 'icmp', 'udp']:
+ for pro in [None, 'ip', 'tcp', 'icmp', 'udp', '0']:
+ self._test_remove_conntrack_entries(
+ 'IPv4', pro, direction, ct_zone=10)
+
+ def test_remove_conntrack_entries_for_delete_rule_ipv4_by_num(self):
+ for direction in ['ingress', 'egress']:
+ for pro in [None, 0, 6, 1, 17]:
 self._test_remove_conntrack_entries(
 'IPv4', pro, direction, ct_zone=10)
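Review bot: The numeric-protocol cases added in `test_remove_conntrack_entries_for_delete_rule_ipv4_by_num` only exercise `'IPv4'`, while the `'0'` to `'ip'` substitution in IpConntrackManager does not depend on ethertype. If an IPv6 sibling of this test exists below the hunk (not visible here), it should receive the same `[None, 0, 6, 1, 17]` inputs, e.g. a `..._ipv6_by_num` method passing `'IPv6'`. Otherwise the two IPv4 loops call the same helper with the same arguments and could be one loop over `[None, 'ip', 'tcp', 'icmp', 'udp', '0', 0, 6, 1, 17]`.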