Merge "Fix rule generation for single and all host rules"

This commit is contained in:
Jenkins 2015-10-09 18:46:46 +00:00 committed by Gerrit Code Review
commit 17429ac5c8
2 changed files with 17 additions and 6 deletions


@ -30,6 +30,7 @@ from neutron.agent.linux import utils
from neutron.common import constants
from neutron.common import exceptions as n_exc
from neutron.common import ipv6_utils
from neutron.common import utils as c_utils
from neutron.extensions import portsecurity as psec
from neutron.i18n import _LI
@ -365,6 +366,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
'-m mac --mac-source %s -j RETURN'
% mac.upper(), comment=ic.PAIR_ALLOW)
else:
# we need to convert it into a prefix to match iptables
ip = c_utils.ip_to_cidr(ip)
table.add_rule(chain_name,
'-s %s -m mac --mac-source %s -j RETURN'
% (ip, mac.upper()), comment=ic.PAIR_ALLOW)
@ -622,6 +625,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
#NOTE (nati) : source_group_id is converted to list of source_
# ip_prefix in server side
if ip_prefix:
if '/' not in ip_prefix:
# we need to convert it into a prefix to match iptables
ip_prefix = c_utils.ip_to_cidr(ip_prefix)
elif ip_prefix.endswith('/0'):
# an allow for every address is not a constraint so
# iptables drops it
return []
return ['-%s' % direction, ip_prefix]
return []
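Review bot: The allowed-address-pair branch in hunk @ -365 calls `ip = c_utils.ip_to_cidr(ip)` unconditionally, whereas the security-group path in hunk @ -622 guards the same conversion with `if '/' not in ip_prefix:`. If an address pair can already carry a prefix length (not visible here) and ip_to_cidr does not pass such input through unchanged, the generated `-s` match would be wrong, so the two call sites should agree: `if '/' not in ip: ip = c_utils.ip_to_cidr(ip)`, or a comment on the pair branch stating why the guard is unnecessary there. In hunk @ -622, the `elif ip_prefix.endswith('/0'): return []` short-circuit deliberately turns an all-addresses prefix into "no source/destination constraint"; a one-line comment such as `# empty list means 'match any address'; callers must not treat it as 'no rule'` would make that contract explicit for callers. Both enclosing methods start outside their hunks.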


@ -27,6 +27,7 @@ from neutron.agent.linux import iptables_firewall
from neutron.agent import securitygroups_rpc as sg_cfg
from neutron.common import constants
from neutron.common import exceptions as n_exc
from neutron.common import utils
from neutron.tests import base
from neutron.tests.unit.api.v2 import test_base
@ -149,7 +150,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN',
comment=ic.PAIR_ALLOW),
mock.call.add_rule(
@ -933,7 +934,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
egress_expected_call=None):
port = self._fake_port()
ethertype = rule['ethertype']
prefix = FAKE_IP[ethertype]
prefix = utils.ip_to_cidr(FAKE_IP[ethertype])
filter_inst = self.v4filter_inst
dhcp_rule = [mock.call.add_rule(
'ofake_dev',
@ -1180,7 +1181,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN',
comment=ic.PAIR_ALLOW),
mock.call.add_rule(
@ -1252,7 +1253,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN',
comment=ic.PAIR_ALLOW),
mock.call.add_rule(
@ -1422,12 +1423,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN',
comment=ic.PAIR_ALLOW),
mock.call.add_rule(
'sfake_dev',
'-s 10.0.0.2 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-s 10.0.0.2/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN',
comment=ic.PAIR_ALLOW),
mock.call.add_rule(
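Review bot: In hunk @ -933 the expected prefix is now computed with `prefix = utils.ip_to_cidr(FAKE_IP[ethertype])`, the same helper the driver uses, so the assertion no longer pins the exact iptables argument and would not catch a regression in ip_to_cidr itself; the other hunks in this file hard-code the expectation (`'-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '`), which is the stronger form. Consider a literal per-ethertype mapping next to FAKE_IP (e.g. a constructed `FAKE_PREFIX` dict with the expected `/32` and `/128` strings) and `prefix = FAKE_PREFIX[ethertype]`. The `/0` early-return branch added to the driver has no test in the hunks shown; if none exists elsewhere, a case asserting that a `0.0.0.0/0` prefix yields a rule without a `-s`/`-d` argument would cover it. The enclosing test method starts outside the hunk.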