Merge "Block metadata requests to not go out from the router"

2021-03-28 19:24:02 +00:00 · 2021-03-28 19:24:02 +00:00 · 3a5abc1050
parent 21ee27c394 24dcbcbe09
commit 3a5abc1050
2 changed files with 19 additions and 0 deletions
--- a/neutron/agent/l3/router_info.py
+++ b/neutron/agent/l3/router_info.py
@ -1089,8 +1089,14 @@ class RouterInfo(BaseRouterInfo):
             'interface_name': INTERNAL_DEV_PREFIX + '+',
             'value': self.agent_conf.metadata_access_mark,
             'mask': lib_constants.ROUTER_MARK_MASK})
+        drop_non_local_metadata = (
+            '-m mark --mark %s/%s -j DROP' % (
+                self.agent_conf.metadata_access_mark,
+                lib_constants.ROUTER_MARK_MASK))
        self.iptables_manager.ipv4['mangle'].add_rule(
            'PREROUTING', mark_metadata_for_internal_interfaces)
+        self.iptables_manager.ipv4['filter'].add_rule(
+            'scope', drop_non_local_metadata)

        if netutils.is_ipv6_enabled():
            mark_metadata_v6_for_internal_interfaces = (
@ -1102,8 +1108,14 @@ class RouterInfo(BaseRouterInfo):
                 'interface_name': INTERNAL_DEV_PREFIX + '+',
                 'value': self.agent_conf.metadata_access_mark,
                 'mask': lib_constants.ROUTER_MARK_MASK})
+            drop_non_local_v6_metadata = (
+                '-m mark --mark %s/%s -j DROP' % (
+                    self.agent_conf.metadata_access_mark,
+                    lib_constants.ROUTER_MARK_MASK))
            self.iptables_manager.ipv6['mangle'].add_rule(
                'PREROUTING', mark_metadata_v6_for_internal_interfaces)
+            self.iptables_manager.ipv6['filter'].add_rule(
+                'scope', drop_non_local_v6_metadata)

    def _get_port_devicename_scopemark(
            self, ports, name_generator, interface_name=None):
--- a/neutron/tests/unit/agent/l3/test_agent.py
+++ b/neutron/tests/unit/agent/l3/test_agent.py
@ -4046,8 +4046,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
                                 namespaces.INTERNAL_DEV_PREFIX + '+',
                                 'value': self.conf.metadata_access_mark,
                                 'mask': lib_constants.ROUTER_MARK_MASK})])
+        v4_filter_calls = ([mock.call.add_rule(
+                                'scope',
+                                '-m mark --mark %s/%s -j DROP' %
+                                (self.conf.metadata_access_mark,
+                                 lib_constants.ROUTER_MARK_MASK))])
        mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
                                                              any_order=True)
+        mock_iptables_manager.ipv4['filter'].assert_has_calls(v4_filter_calls,
+                                                              any_order=True)

    def test_initialize_metadata_iptables_rules(self):
        id = _uuid()