Merge "Add more protocols to the iptables module map"

2017-02-10 02:31:02 +00:00 · 2017-02-10 02:31:02 +00:00 · 3d7fc906a9
commit 3d7fc906a9
parent 0fc644b179 1bc454b4d4
3 changed files with 37 additions and 4 deletions
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -654,11 +654,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
            protocol = 'ipv6-icmp'
        iptables_rule = ['-p', protocol]

-        if (is_port and protocol in ['udp', 'tcp', 'icmp', 'ipv6-icmp']):
-            protocol_modules = {'udp': 'udp', 'tcp': 'tcp',
-                                'icmp': 'icmp', 'ipv6-icmp': 'icmp6'}
+        if (is_port and protocol in n_const.IPTABLES_PROTOCOL_MAP):
            # iptables adds '-m protocol' when the port number is specified
-            iptables_rule += ['-m', protocol_modules[protocol]]
+            iptables_rule += ['-m', n_const.IPTABLES_PROTOCOL_MAP[protocol]]
        return iptables_rule

    def _port_arg(self, direction, protocol, port_range_min, port_range_max):
--- a/neutron/common/constants.py
+++ b/neutron/common/constants.py
@ -54,6 +54,17 @@ VALID_DSCP_MARKS = [0, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34,
 IP_PROTOCOL_NUM_TO_NAME_MAP = {
    str(v): k for k, v in lib_constants.IP_PROTOCOL_MAP.items()}

+# When using iptables-save we specify '-p {proto} -m {module}',
+# but sometimes those values are not identical.  This is a map
+# of known protocols that require a '-m {module}', along with
+# the module name that should be used.
+IPTABLES_PROTOCOL_MAP = {lib_constants.PROTO_NAME_DCCP: 'dccp',
+                         lib_constants.PROTO_NAME_ICMP: 'icmp',
+                         lib_constants.PROTO_NAME_IPV6_ICMP: 'icmp6',
+                         lib_constants.PROTO_NAME_SCTP: 'sctp',
+                         lib_constants.PROTO_NAME_TCP: 'tcp',
+                         lib_constants.PROTO_NAME_UDP: 'udp'}
+
 # Special provisional prefix for IPv6 Prefix Delegation
 PROVISIONAL_IPV6_PD_PREFIX = '::/64'

--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -360,6 +360,30 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
        egress = None
        self._test_prepare_port_filter(rule, ingress, egress)

+    def test_filter_ipv4_ingress_dccp_port(self):
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': 'dccp',
+                'port_range_min': 10,
+                'port_range_max': 10}
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p dccp -m dccp --dport 10 -j RETURN',
+                                     comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
+    def test_filter_ipv4_ingress_sctp_port(self):
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': 'sctp',
+                'port_range_min': 10,
+                'port_range_max': 10}
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p sctp -m sctp --dport 10 -j RETURN',
+                                     comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
    def test_filter_ipv4_egress(self):
        rule = {'ethertype': 'IPv4',
                'direction': 'egress'}