Merge "Fix rule generation for single and all host rules"
This commit is contained in:
commit
17429ac5c8
@ -30,6 +30,7 @@ from neutron.agent.linux import utils
|
|||
from neutron.common import constants
|
||||
from neutron.common import exceptions as n_exc
|
||||
from neutron.common import ipv6_utils
|
||||
from neutron.common import utils as c_utils
|
||||
from neutron.extensions import portsecurity as psec
|
||||
from neutron.i18n import _LI
|
||||
|
||||
|
@ -365,6 +366,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
'-m mac --mac-source %s -j RETURN'
|
||||
% mac.upper(), comment=ic.PAIR_ALLOW)
|
||||
else:
|
||||
# we need to convert it into a prefix to match iptables
|
||||
ip = c_utils.ip_to_cidr(ip)
|
||||
table.add_rule(chain_name,
|
||||
'-s %s -m mac --mac-source %s -j RETURN'
|
||||
% (ip, mac.upper()), comment=ic.PAIR_ALLOW)
|
||||
|
@ -622,6 +625,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||
#NOTE (nati) : source_group_id is converted to list of source_
|
||||
# ip_prefix in server side
|
||||
if ip_prefix:
|
||||
if '/' not in ip_prefix:
|
||||
# we need to convert it into a prefix to match iptables
|
||||
ip_prefix = c_utils.ip_to_cidr(ip_prefix)
|
||||
elif ip_prefix.endswith('/0'):
|
||||
# an allow for every address is not a constraint so
|
||||
# iptables drops it
|
||||
return []
|
||||
return ['-%s' % direction, ip_prefix]
|
||||
return []
|
||||
|
||||
|
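Review bot: The two hunks normalise addresses inconsistently: in `_ip_prefix_arg` the conversion is guarded by `if '/' not in ip_prefix:`, while in the spoof-filter hunk `ip = c_utils.ip_to_cidr(ip)` runs unconditionally on every allowed-address-pair `ip` in the `else:` branch. If the helper is not a no-op on a value that already carries a prefix length (it cannot be told from this page), the anti-spoof chain and the security-group rules will emit differently shaped matches for the same input; either apply the same `'/' not in ip` guard there or add a comment stating that `ip_to_cidr` accepts CIDR input unchanged. The comment on the `/0` early return would also be clearer if it named the consequence that motivates it, presumably something like `# iptables treats a /0 match as "no constraint" and omits it from its output, so emitting it would only produce a spurious diff against the applied rules`; confirm that is the actual motivation before wording it that way. The enclosing function starts before the hunk, so its signature and docstring are outside this view.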
@ -27,6 +27,7 @@ from neutron.agent.linux import iptables_firewall
|
|||
from neutron.agent import securitygroups_rpc as sg_cfg
|
||||
from neutron.common import constants
|
||||
from neutron.common import exceptions as n_exc
|
||||
from neutron.common import utils
|
||||
from neutron.tests import base
|
||||
from neutron.tests.unit.api.v2 import test_base
|
||||
|
||||
|
@ -149,7 +150,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
mock.call.add_chain('sfake_dev'),
|
||||
mock.call.add_rule(
|
||||
'sfake_dev',
|
||||
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-j RETURN',
|
||||
comment=ic.PAIR_ALLOW),
|
||||
mock.call.add_rule(
|
||||
|
@ -933,7 +934,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
egress_expected_call=None):
|
||||
port = self._fake_port()
|
||||
ethertype = rule['ethertype']
|
||||
prefix = FAKE_IP[ethertype]
|
||||
prefix = utils.ip_to_cidr(FAKE_IP[ethertype])
|
||||
filter_inst = self.v4filter_inst
|
||||
dhcp_rule = [mock.call.add_rule(
|
||||
'ofake_dev',
|
||||
|
@ -1180,7 +1181,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
mock.call.add_chain('sfake_dev'),
|
||||
mock.call.add_rule(
|
||||
'sfake_dev',
|
||||
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-j RETURN',
|
||||
comment=ic.PAIR_ALLOW),
|
||||
mock.call.add_rule(
|
||||
|
@ -1252,7 +1253,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
mock.call.add_chain('sfake_dev'),
|
||||
mock.call.add_rule(
|
||||
'sfake_dev',
|
||||
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-j RETURN',
|
||||
comment=ic.PAIR_ALLOW),
|
||||
mock.call.add_rule(
|
||||
|
@ -1422,12 +1423,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
|||
mock.call.add_chain('sfake_dev'),
|
||||
mock.call.add_rule(
|
||||
'sfake_dev',
|
||||
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-j RETURN',
|
||||
comment=ic.PAIR_ALLOW),
|
||||
mock.call.add_rule(
|
||||
'sfake_dev',
|
||||
'-s 10.0.0.2 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-s 10.0.0.2/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
|
||||
'-j RETURN',
|
||||
comment=ic.PAIR_ALLOW),
|
||||
mock.call.add_rule(
|
||||
|
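Review bot: The updated expectations only cover the bare-IPv4 case (`-s 10.0.0.1/32`, `-s 10.0.0.2/32`) and the `prefix = utils.ip_to_cidr(FAKE_IP[ethertype])` change; nothing in the visible hunks asserts the two new branches in `_ip_prefix_arg`, namely an `ip_prefix` that already contains `/` (should pass through unchanged) and one ending in `/0` (should yield no `-s`/`-d` argument at all). Since the `/0` branch silently drops a constraint from the generated rule, a test that feeds a `0.0.0.0/0` and `::/0` remote prefix and asserts the resulting `add_rule` call carries no source match would pin that behaviour; the same applies to an allowed-address-pair given as a CIDR in the spoof-filter tests. Test bodies may contain such cases outside these hunks, in which case this can be disregarded.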