From 1bc454b4d49c041e27427a1370ba4b16fd4760e5 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Tue, 25 Oct 2016 11:19:05 -0400
Subject: [PATCH] Add more protocols to the iptables module map

There were a couple of protocols missing from the iptables name to module map - dccp and sctp. Also took the chance to move it to the constants file and use the neutron-lib constants for protocol names.

Change-Id: I2b770b029cbfbcb851ea71090b8e3aae314bdb62
---
 neutron/agent/linux/iptables_firewall.py | 6 ++---
 neutron/common/constants.py | 11 +++++++++
 .../agent/linux/test_iptables_firewall.py | 24 +++++++++++++++++++
 3 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 2783e0aa58c..4cf5a4ee7e1 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -630,11 +630,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 protocol = 'ipv6-icmp'
 iptables_rule = ['-p', protocol]
- if (is_port and protocol in ['udp', 'tcp', 'icmp', 'ipv6-icmp']):
- protocol_modules = {'udp': 'udp', 'tcp': 'tcp',
- 'icmp': 'icmp', 'ipv6-icmp': 'icmp6'}
+ if (is_port and protocol in n_const.IPTABLES_PROTOCOL_MAP):
 # iptables adds '-m protocol' when the port number is specified
- iptables_rule += ['-m', protocol_modules[protocol]]
+ iptables_rule += ['-m', n_const.IPTABLES_PROTOCOL_MAP[protocol]]
 return iptables_rule
 
 def _port_arg(self, direction, protocol, port_range_min, port_range_max):
diff --git a/neutron/common/constants.py b/neutron/common/constants.py
index 759950f3ecb..8c41c10704d 100644
--- a/neutron/common/constants.py
+++ b/neutron/common/constants.py
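Review bot: The new `if` line keys the lookup on the protocol name only, so a security-group rule whose protocol arrives as a number would miss `IPTABLES_PROTOCOL_MAP` and be emitted as `-p <number> --dport N` with no `-m`, which iptables may reject or treat differently; whether that is reachable depends on whether the caller normalizes numbers to names before this point, which the hunk does not show (the visible context only rewrites the ipv6-icmp alias, and `IP_PROTOCOL_NUM_TO_NAME_MAP` in constants.py suggests numeric protocols exist somewhere in the code base). If it is reachable, normalizing with `protocol = n_const.IP_PROTOCOL_NUM_TO_NAME_MAP.get(protocol, protocol)` before the map lookup closes the gap; if not, a one-line comment stating that `protocol` is already a name here would spare the next reader the same question. Minor style: the parentheses around the condition are redundant, `if is_port and protocol in n_const.IPTABLES_PROTOCOL_MAP:`. The enclosing method starts before the hunk, and the hunk assumes `n_const` is already imported in this module, which the diff does not show.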
@@ -61,6 +61,17 @@ VALID_DSCP_MARKS = [0, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34,
 IP_PROTOCOL_NUM_TO_NAME_MAP = {
 str(v): k for k, v in lib_constants.IP_PROTOCOL_MAP.items()}
 
+# When using iptables-save we specify '-p {proto} -m {module}',
+# but sometimes those values are not identical. This is a map
+# of known protocols that require a '-m {module}', along with
+# the module name that should be used.
+IPTABLES_PROTOCOL_MAP = {lib_constants.PROTO_NAME_DCCP: 'dccp',
+ lib_constants.PROTO_NAME_ICMP: 'icmp',
+ lib_constants.PROTO_NAME_IPV6_ICMP: 'icmp6',
+ lib_constants.PROTO_NAME_SCTP: 'sctp',
+ lib_constants.PROTO_NAME_TCP: 'tcp',
+ lib_constants.PROTO_NAME_UDP: 'udp'}
+
 # Special provisional prefix for IPv6 Prefix Delegation
 PROVISIONAL_IPV6_PD_PREFIX = '::/64'
 
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index d1499858661..7aff9bd2211 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
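Review bot: The comment above `IPTABLES_PROTOCOL_MAP` ties the map to iptables-save, but its only consumer in this patch is rule construction in iptables_firewall.py, and it leaves the reader to work out that the `-p` and `-m` values differ only for ipv6-icmp. Suggest `# Port-based iptables rules need '-p {proto} -m {module}'. The module` / `# name is normally the protocol name but not always (ipv6-icmp -> icmp6);` / `# protocols absent from this map get no '-m' at all.` The keys are neutron-lib `PROTO_NAME_*` constants, so a renamed or changed constant upstream changes the lookup keys silently; a unit test asserting every key is present in `lib_constants.IP_PROTOCOL_MAP` would catch that drift.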
@@ -361,6 +361,30 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 egress = None
 self._test_prepare_port_filter(rule, ingress, egress)
 
+ def test_filter_ipv4_ingress_dccp_port(self):
+ rule = {'ethertype': 'IPv4',
+ 'direction': 'ingress',
+ 'protocol': 'dccp',
+ 'port_range_min': 10,
+ 'port_range_max': 10}
+ ingress = mock.call.add_rule('ifake_dev',
+ '-p dccp -m dccp --dport 10 -j RETURN',
+ comment=None)
+ egress = None
+ self._test_prepare_port_filter(rule, ingress, egress)
+
+ def test_filter_ipv4_ingress_sctp_port(self):
+ rule = {'ethertype': 'IPv4',
+ 'direction': 'ingress',
+ 'protocol': 'sctp',
+ 'port_range_min': 10,
+ 'port_range_max': 10}
+ ingress = mock.call.add_rule('ifake_dev',
+ '-p sctp -m sctp --dport 10 -j RETURN',
+ comment=None)
+ egress = None
+ self._test_prepare_port_filter(rule, ingress, egress)
+
 def test_filter_ipv4_egress(self):
 rule = {'ethertype': 'IPv4',
 'direction': 'egress'}
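Review bot: `test_filter_ipv4_ingress_dccp_port` and `test_filter_ipv4_ingress_sctp_port` are the same test with the protocol swapped, and the only behaviour the patch adds for these protocols is the `-m dccp` / `-m sctp` flag. A small helper taking the protocol and building the rule plus the expected `'-p %s -m %s --dport 10 -j RETURN' % (proto, proto)` would keep them in one place, so the next entry added to `IPTABLES_PROTOCOL_MAP` gets the same coverage with one added line. There is also no case asserting that a dccp or sctp rule without ports is emitted as plain `-p dccp` with no `-m`, which is the other branch of the `is_port and ...` condition changed in iptables_firewall.py.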