openstack
/
neutron
Code Issues Proposed changes

Merge "Flush ebtables arp protect chains before deleting them" into stable/train

This commit is contained in:
Zuul 2021-01-20 05:27:15 +00:00 committed by Gerrit Code Review
parent 09cb81f748 a5d8623a2a
commit 0f7f96e7d5
2 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
View File

@ -87,8 +87,7 @@ def _delete_arp_spoofing_protection(vifs, current_rules, table, chain):
ebtables(['-D', chain, '-i', vif, '-j',
chain_name(vif), '-p', 'ARP'], table=table)
for vif in vifs:
if chain_exists(chain_name(vif), current_rules):
ebtables(['-X', chain_name(vif)], table=table)
chain_delete(chain_name(vif), table, current_rules)
_delete_mac_spoofing_protection(vifs, current_rules, table=table,
chain=chain)
@ -154,6 +153,13 @@ def chain_exists(chain, current_rules):
return False
def chain_delete(chain, table, current_rules):
# flush and delete chain if exists
if chain_exists(chain, current_rules):
ebtables(['-F', chain], table=table)
ebtables(['-X', chain], table=table)
def vif_jump_present(vif, current_rules):
searches = (('-i %s' % vif), ('-j %s' % chain_name(vif)), ('-p ARP'))
for line in current_rules:
@ -212,9 +218,7 @@ def _delete_mac_spoofing_protection(vifs, current_rules, table, chain):
ebtables(['-D', chain, '-i', vif, '-j',
_mac_chain_name(vif)], table=table)
for vif in vifs:
chain = _mac_chain_name(vif)
if chain_exists(chain, current_rules):
ebtables(['-X', chain], table=table)
chain_delete(_mac_chain_name(vif), table, current_rules)
# Used to scope ebtables commands in testing

16
neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py
View File

@ -135,11 +135,19 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
@ -153,11 +161,19 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.ANY,
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,