From e123bd7e1d60d399072828391534096e50b2d1cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C5=82awek=20Kap=C5=82o=C5=84ski?=
Date: Tue, 5 Dec 2017 14:37:50 +0100
Subject: [PATCH] Iptables firewall driver adds forward rules for trusted ports

Iptables firewall driver can now add process trusted ports and adds rules for them to FORWARD chain.

Change-Id: I67d0f17b4b56671fc2e2dd6e2fc4518dc42cd131
Closes-Bug: #1720205
(cherry picked from commit 97b30494a9263db684e5901113b53c25e55d1854)
---
 neutron/agent/linux/iptables_comments.py | 1 +
 neutron/agent/linux/iptables_firewall.py | 33 +-
 neutron/agent/securitygroups_rpc.py | 16 +-
 .../unit/agent/test_securitygroups_rpc.py | 418 +++++++++++++++++-
 4 files changed, 445 insertions(+), 23 deletions(-)

diff --git a/neutron/agent/linux/iptables_comments.py b/neutron/agent/linux/iptables_comments.py
index b8883e06b03..569a8d7641f 100644
--- a/neutron/agent/linux/iptables_comments.py
+++ b/neutron/agent/linux/iptables_comments.py
@@ -33,5 +33,6 @@ INVALID_DROP = ("Drop packets that appear related to an existing connection "
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
                'chain.')
 PORT_SEC_ACCEPT = 'Accept all packets when port security is disabled.'
+TRUSTED_ACCEPT = 'Accept all packets when port is trusted.'
 IPV6_RA_DROP = 'Drop IPv6 Router Advts from VM Instance.'
 IPV6_ICMP_ALLOW = 'Allow IPv6 ICMP traffic.'
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 7ece5752401..be9e3dfff14 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -108,6 +108,33 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         else:
             self._update_remote_security_group_members(sec_group_ids)
 
+    def process_trusted_ports(self, port_ids):
+        """Process ports that are trusted and shouldn't be filtered."""
+        for port in port_ids:
+            self._add_trusted_port_rules(port)
+
+    def remove_trusted_ports(self, port_ids):
+        for port in port_ids:
+            self._remove_trusted_port_rules(port)
+
+    def _add_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._add_rules_to_chain_v4v6(
+            'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT)
+
+    def _remove_trusted_port_rules(self, port):
+        device = self._get_device_name(port)
+
+        jump_rule = [
+            '-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
+                self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION],
+                device)]
+        self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
+
     def update_security_group_rules(self, sg_id, sg_rules):
         LOG.debug("Update rules of security group (%s)", sg_id)
         self.sg_rules[sg_id] = sg_rules
@@ -266,6 +293,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
                                       comment=comment)
 
     def _get_device_name(self, port):
+        if not isinstance(port, dict):
+            return port
         return port['device']
 
     def _update_port_sec_rules(self, port, direction, add=False):
@@ -871,4 +900,6 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
         return ('qvb' + port['device'])[:n_const.LINUX_DEV_LEN]
 
     def _get_device_name(self, port):
-        return get_hybrid_port_name(port['device'])
+        device_name = super(
+            OVSHybridIptablesFirewallDriver, self)._get_device_name(port)
+        return get_hybrid_port_name(device_name)
diff --git a/neutron/agent/securitygroups_rpc.py b/neutron/agent/securitygroups_rpc.py
index 48da746de43..61b58274071 100644
--- a/neutron/agent/securitygroups_rpc.py
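Review bot: `_add_trusted_port_rules` installs an unconditional `-j ACCEPT` in FORWARD for the device, which ends FORWARD traversal before the per-port sg-chain jumps, the INVALID-state drop and the anti-spoofing source chain ever see the packet, yet neither it nor `process_trusted_ports`'s docstring says so; the caller is the only defence against a mis-classified port landing here. I would state that contract: `"""Allow all traffic from ports that are trusted (not filtered by security groups). Caller must guarantee the ids really are trusted: the rule bypasses every security-group and anti-spoofing check."""` and give `remove_trusted_ports` a matching one-line docstring. The physdev match is also hand-built twice; a single helper used by both add and remove keeps them in lockstep so a later tweak to the match cannot leave an ACCEPT behind that `_remove_rule_from_chain_v4v6` no longer recognises. The enclosing class starts and ends outside the hunk.
```python
    # … unchanged: process_trusted_ports / remove_trusted_ports …

    def _get_trusted_port_jump_rule(self, device):
        # Single source of truth so add and remove always build the same match.
        return ['-m physdev --%s %s --physdev-is-bridged -j ACCEPT' % (
            self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION], device)]

    def _add_trusted_port_rules(self, port):
        jump_rule = self._get_trusted_port_jump_rule(
            self._get_device_name(port))
        self._add_rules_to_chain_v4v6(
            'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT)

    def _remove_trusted_port_rules(self, port):
        jump_rule = self._get_trusted_port_jump_rule(
            self._get_device_name(port))
        self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
```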
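Review bot: The new `isinstance(port, dict)` guard silently widens `_get_device_name` to accept a bare device-name string as well as a port dict (the trusted-port path in the first hunk passes its `port_ids` entries straight in), but nothing documents the dual contract, so the next reader has to search callers to learn why a string is fine. A docstring would settle it: `"""Return the Linux device name for ``port``: a port dict (``port['device']``) or an already-resolved device name, which is returned as-is."""`. It is also worth a one-line comment that in this base driver the string form is interpolated into the physdev match verbatim, whereas the hybrid subclass appears to run it through `get_hybrid_port_name` (which, from the neighbouring `[:n_const.LINUX_DEV_LEN]` return, presumably truncates), so callers of the string form are expected to hand over a real interface name. The class body continues outside the hunk.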
+++ b/neutron/agent/securitygroups_rpc.py
@@ -58,6 +58,20 @@ class SecurityGroupAgentRpc(object):
         self.plugin_rpc = plugin_rpc
         self.init_firewall(defer_refresh_firewall, integration_bridge)
 
+    def _get_trusted_devices(self, device_ids, devices):
+        trusted_devices = []
+        # Devices which are already added in firewall ports should
+        # not be treated as trusted devices but as regular ports
+        all_devices = devices.copy()
+        all_devices.update(self.firewall.ports)
+        device_names = [
+            dev['device'] for dev in all_devices.values()]
+        for device_id in device_ids:
+            if (device_id not in all_devices.keys() and
+                    device_id not in device_names):
+                trusted_devices.append(device_id)
+        return trusted_devices
+
     def init_firewall(self, defer_refresh_firewall=False,
                       integration_bridge=None):
         firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver or 'noop'
@@ -127,7 +141,7 @@ class SecurityGroupAgentRpc(object):
         else:
             devices = self.plugin_rpc.security_group_rules_for_devices(
                 self.context, list(device_ids))
-        trusted_devices = list(set(device_ids) - set(devices.keys()))
+        trusted_devices = self._get_trusted_devices(device_ids, devices)
 
         with self.firewall.defer_apply():
             if self.use_enhanced_rpc:
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 0d6dddf20c9..4861b39aa93 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
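Review bot: `_get_trusted_devices` classifies by omission — any id the server did not return security-group info for, and that the firewall does not already track, is promoted to "trusted" and (judging by the firewall driver change in this patch, which the second hunk presumably feeds) receives an unconditional ACCEPT — so a port the plugin failed to return for some other reason (not yet bound, deleted mid-call, partial reply) is opened rather than left at the default drop. The commit does not address this fail-open, so the method should at least state it and leave an audit trail: a docstring such as `"""Return the ids from device_ids that have no security-group info and are not already firewall ports. They are treated as trusted (unfiltered); any id the server omitted for another reason is opened too."""`, and, if the module's LOG is in scope, `LOG.debug("Treating devices %s as trusted (no security group info)", trusted_devices)` before the `return`. Minor: `device_id not in all_devices` says the same as `.keys()`, and building `device_names` as a set gives O(1) membership instead of a list scan per id. The class continues beyond both hunks.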
@@ -828,6 +828,18 @@ class SecurityGroupAgentRpcTestCaseForNoneDriver(base.BaseTestCase):
         self.assertEqual(agent.firewall.__class__.__name__,
                          'NoopFirewallDriver')
 
+    def test_get_trusted_devices(self):
+        agent = sg_rpc.SecurityGroupAgentRpc(
+            context=None, plugin_rpc=mock.Mock())
+        device_ids = ['port_1_id', 'tap_2', 'tap_3', 'port_4_id']
+        devices = {
+            'port_1_id': {'device': 'tap_1'},
+            'port_3_id': {'device': 'tap_3'},
+        }
+        trusted_devices = agent._get_trusted_devices(
+            device_ids, devices)
+        self.assertEqual(['tap_2', 'port_4_id'], trusted_devices)
+
 
 class BaseSecurityGroupAgentRpcTestCase(base.BaseTestCase):
     def setUp(self, defer_refresh_firewall=False):
@@ -1460,6 +1472,7 @@ CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'
 
 IPTABLES_ARG['port1'] = 'port1'
 IPTABLES_ARG['port2'] = 'port2'
+IPTABLES_ARG['port3'] = 'port3'
 IPTABLES_ARG['mac1'] = '12:34:56:78:9A:BC'
 IPTABLES_ARG['mac2'] = '12:34:56:78:9A:BD'
 IPTABLES_ARG['ip1'] = '10.0.0.3/32'
@@ -1840,7 +1853,7 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
 
-IPSET_FILTER_2_3 = """# Generated by iptables_manager
+IPSET_FILTER_2_TRUSTED = """# Generated by iptables_manager
 *filter
 :FORWARD - [0:0]
 :INPUT - [0:0]
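Review bot: `test_get_trusted_devices` covers only the `devices` side of the classification; the branch the new code singles out with a comment — ids already in `self.firewall.ports` must stay regular ports — is never exercised, because the agent here ends up with the noop driver (the preceding assertion in this class pins `'NoopFirewallDriver'`) and its `ports` mapping is presumably empty. Seed it in the test, e.g. `agent.firewall.ports = {'port_5_id': {'device': 'tap_5'}}`, add `'port_5_id'` and `'tap_5'` to `device_ids`, and assert neither shows up in the result; otherwise a regression in the `all_devices.update(self.firewall.ports)` line would open an already-filtered port without failing CI. The enclosing test class starts outside the hunk.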
@@ -1864,13 +1877,103 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager -I OUTPUT 1 -j neutron-filter-top -I OUTPUT 2 -j %(bn)s-OUTPUT -I neutron-filter-top 1 -j %(bn)s-local --I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \ +%(physdev_is_bridged)s -j ACCEPT +-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain --I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain --I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain --I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port1)s 4 -m set --match-set NIPv4security_group1 src -j RETURN +-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN +-I %(bn)s-i_%(port2)s 5 -m state --state 
INVALID -j DROP +-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN +-I %(bn)s-s_%(port1)s 2 -j DROP +-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN +-I %(bn)s-s_%(port2)s 2 -j DROP +-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-sg-chain 5 -j ACCEPT +-I %(bn)s-sg-fallback 1 -j DROP +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + +IPSET_FILTER_2_3_TRUSTED = """# Generated by iptables_manager +*filter +:FORWARD - [0:0] +:INPUT - 
[0:0] +:OUTPUT - [0:0] +:neutron-filter-top - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +-I FORWARD 1 -j neutron-filter-top +-I FORWARD 2 -j %(bn)s-FORWARD +-I INPUT 1 -j %(bn)s-INPUT +-I OUTPUT 1 -j neutron-filter-top +-I OUTPUT 2 -j %(bn)s-OUTPUT +-I neutron-filter-top 1 -j %(bn)s-local +-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \ +%(physdev_is_bridged)s -j ACCEPT +-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ %(physdev_is_bridged)s -j %(bn)s-sg-chain -I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ %(physdev_is_bridged)s -j %(bn)s-o_%(port1)s 
@@ -2014,6 +2117,94 @@ COMMIT # Completed by iptables_manager """ % IPTABLES_ARG +IPTABLES_FILTER_2_TRUSTED = """# Generated by iptables_manager +*filter +:FORWARD - [0:0] +:INPUT - [0:0] +:OUTPUT - [0:0] +:neutron-filter-top - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +-I FORWARD 1 -j neutron-filter-top +-I FORWARD 2 -j %(bn)s-FORWARD +-I INPUT 1 -j %(bn)s-INPUT +-I OUTPUT 1 -j neutron-filter-top +-I OUTPUT 2 -j %(bn)s-OUTPUT +-I neutron-filter-top 1 -j %(bn)s-local +-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \ +%(physdev_is_bridged)s -j ACCEPT +-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN +-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-i_%(port2)s 1 -m state --state 
RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN +-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN +-I %(bn)s-s_%(port1)s 2 -j DROP +-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN +-I %(bn)s-s_%(port2)s 2 -j DROP +-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ 
+%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-sg-chain 5 -j ACCEPT +-I %(bn)s-sg-fallback 1 -j DROP +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + IPTABLES_FILTER_2_2 = """# Generated by iptables_manager *filter :FORWARD - [0:0] 
@@ -2187,6 +2378,95 @@ COMMIT # Completed by iptables_manager """ % IPTABLES_ARG +IPTABLES_FILTER_2_3_TRUSTED = """# Generated by iptables_manager +*filter +:FORWARD - [0:0] +:INPUT - [0:0] +:OUTPUT - [0:0] +:neutron-filter-top - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +-I FORWARD 1 -j neutron-filter-top +-I FORWARD 2 -j %(bn)s-FORWARD +-I INPUT 1 -j %(bn)s-INPUT +-I OUTPUT 1 -j neutron-filter-top +-I OUTPUT 2 -j %(bn)s-OUTPUT +-I neutron-filter-top 1 -j %(bn)s-local +-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \ +%(physdev_is_bridged)s -j ACCEPT +-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-i_%(port1)s 1 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port1)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port1)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port1)s 4 -s %(ip2)s -j RETURN +-I %(bn)s-i_%(port1)s 5 -p icmp -j RETURN +-I %(bn)s-i_%(port1)s 6 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port1)s 7 -j %(bn)s-sg-fallback 
+-I %(bn)s-i_%(port2)s 1 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port2)s 2 -s 10.0.0.2/32 -p udp -m udp --sport 67 \ +--dport 68 -j RETURN +-I %(bn)s-i_%(port2)s 3 -p tcp -m tcp --dport 22 -j RETURN +-I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN +-I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN +-I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN +-I %(bn)s-s_%(port1)s 2 -j DROP +-I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN +-I %(bn)s-s_%(port2)s 2 -j DROP +-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j 
%(bn)s-i_%(port2)s +-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-sg-chain 5 -j ACCEPT +-I %(bn)s-sg-fallback 1 -j DROP +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG IPTABLES_ARG['chains'] = CHAINS_EMPTY IPTABLES_FILTER_EMPTY = """# Generated by iptables_manager 
@@ -2358,6 +2638,94 @@ COMMIT # Completed by iptables_manager """ % IPTABLES_ARG +IPTABLES_FILTER_V6_2_TRUSTED = """# Generated by iptables_manager +*filter +:FORWARD - [0:0] +:INPUT - [0:0] +:OUTPUT - [0:0] +:neutron-filter-top - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +:%(bn)s-(%(chains)s) - [0:0] +-I FORWARD 1 -j neutron-filter-top +-I FORWARD 2 -j %(bn)s-FORWARD +-I INPUT 1 -j %(bn)s-INPUT +-I OUTPUT 1 -j neutron-filter-top +-I OUTPUT 2 -j %(bn)s-OUTPUT +-I neutron-filter-top 1 -j %(bn)s-local +-I %(bn)s-FORWARD 1 %(physdev_mod)s --physdev-INGRESS tap_%(port3)s \ +%(physdev_is_bridged)s -j ACCEPT +-I %(bn)s-FORWARD 2 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 3 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 4 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-FORWARD 5 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-sg-chain +-I %(bn)s-INPUT 1 %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-INPUT 2 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-i_%(port1)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j RETURN +-I %(bn)s-i_%(port1)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN +-I %(bn)s-i_%(port1)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN +-I %(bn)s-i_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port1)s 5 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port1)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-i_%(port2)s 1 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j 
RETURN +-I %(bn)s-i_%(port2)s 2 -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j RETURN +-I %(bn)s-i_%(port2)s 3 -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j RETURN +-I %(bn)s-i_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP +-I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port1)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 131 -j RETURN +-I %(bn)s-o_%(port1)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 135 -j RETURN +-I %(bn)s-o_%(port1)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 143 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP +-I %(bn)s-o_%(port1)s 5 -p ipv6-icmp -j RETURN +-I %(bn)s-o_%(port1)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN +-I %(bn)s-o_%(port1)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP +-I %(bn)s-o_%(port1)s 8 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 9 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 10 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 131 -j RETURN +-I %(bn)s-o_%(port2)s 2 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 135 -j RETURN +-I %(bn)s-o_%(port2)s 3 -s ::/128 -d ff02::/16 -p ipv6-icmp -m icmp6 \ +--icmpv6-type 143 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP +-I %(bn)s-o_%(port2)s 5 -p ipv6-icmp -j RETURN +-I %(bn)s-o_%(port2)s 6 -p udp -m udp --sport 546 --dport 547 -j RETURN +-I %(bn)s-o_%(port2)s 7 -p udp -m udp --sport 547 --dport 546 -j DROP +-I %(bn)s-o_%(port2)s 8 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 9 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 10 -j %(bn)s-sg-fallback +-I %(bn)s-sg-chain 1 %(physdev_mod)s --physdev-INGRESS tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port1)s +-I %(bn)s-sg-chain 2 %(physdev_mod)s --physdev-EGRESS 
tap_%(port1)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port1)s +-I %(bn)s-sg-chain 3 %(physdev_mod)s --physdev-INGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-i_%(port2)s +-I %(bn)s-sg-chain 4 %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \ +%(physdev_is_bridged)s -j %(bn)s-o_%(port2)s +-I %(bn)s-sg-chain 5 -j ACCEPT +-I %(bn)s-sg-fallback 1 -j DROP +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + IPTABLES_ARG['chains'] = CHAINS_EMPTY IPTABLES_FILTER_V6_EMPTY = """# Generated by iptables_manager *filter @@ -2607,10 +2975,12 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): def test_security_group_rule_updated(self): self.rpc.security_group_rules_for_devices.return_value = self.devices2 - self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) - self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + self._replay_iptables( + IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, + IPTABLES_RAW_BRIDGE_NET_2) + self._replay_iptables( + IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, + IPTABLES_RAW_BRIDGE_NET_2) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.rpc.security_group_rules_for_devices.return_value = self.devices3 @@ -2724,10 +3094,12 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables( def test_security_group_rule_updated(self): self.sg_info.return_value = self.devices_info2 - self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) - self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + self._replay_iptables( + IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, + IPTABLES_RAW_BRIDGE_NET_2) + self._replay_iptables( + IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, + IPTABLES_RAW_BRIDGE_NET_2) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.sg_info.return_value = self.devices_info3 
@@ -2795,10 +3167,12 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
         self.ipset._get_new_set_ips = mock.Mock(return_value=['10.0.0.3'])
         self.ipset._get_deleted_set_ips = mock.Mock(return_value=[])
         self.sg_info.return_value = self.devices_info2
-        self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
-        self._replay_iptables(IPSET_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+            IPSET_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+            IPTABLES_RAW_BRIDGE_NET_2)
+        self._replay_iptables(
+            IPSET_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+            IPTABLES_RAW_BRIDGE_NET_2)
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 
         self.sg_info.return_value = self.devices_info3
@@ -2918,10 +3292,12 @@ class TestSecurityGroupAgentWithOVSIptables(
     def test_security_group_rule_updated(self):
         self.ipconntrack._device_zone_map = {}
         self.rpc.security_group_rules_for_devices.return_value = self.devices2
-        self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
-        self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
-                              IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+            IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+            IPTABLES_RAW_DEVICE_2)
+        self._replay_iptables(
+            IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
+            IPTABLES_RAW_DEVICE_2)
         self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 
         self.rpc.security_group_rules_for_devices.return_value = self.devices3