ipt_mgr.ipv6 written in the wrong ipt_mgr.ipv4

This patch fixes the issue of writing the wrong firewall rule where an IP6 rule is written to IP4. Change-Id: Ie7c75c71c9dcfbd9feabaffe4416ede80ff350d8 Closes-Bug:#1263877
2013-12-25 09:57:21 +08:00 · 2013-12-25 09:57:21 +08:00 · 5c06d87588
parent 7fb2d579ae
commit 5c06d87588
2 changed files with 26 additions and 17 deletions
--- a/neutron/services/firewall/drivers/linux/iptables_fwaas.py
+++ b/neutron/services/firewall/drivers/linux/iptables_fwaas.py
@ -210,7 +210,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
        bname = iptables_manager.binary_name

        for (ver, tbl) in [(IPV4, ipt_mgr.ipv4['filter']),
-                           (IPV6, ipt_mgr.ipv4['filter'])]:
+                           (IPV6, ipt_mgr.ipv6['filter'])]:
            for direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
                chain_name = self._get_chain_name(fwid, ver, direction)
                chain_name = iptables_manager.get_chain_name(chain_name)
--- a/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
+++ b/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
@ -158,23 +158,32 @@ class IptablesFwaasTestCase(base.BaseTestCase):
        self.firewall.create_firewall(apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
-        ingress_chain = ('iv4%s' % firewall['id'])
-        egress_chain = ('ov4%s' % firewall['id'])
        bname = fwaas.iptables_manager.binary_name
-        calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
-                 call.ensure_remove_chain('ov4fake-fw-uuid'),
-                 call.ensure_remove_chain('fwaas-default-policy'),
-                 call.add_chain('fwaas-default-policy'),
-                 call.add_rule('fwaas-default-policy', '-j DROP'),
-                 call.add_chain(ingress_chain),
-                 call.add_rule(ingress_chain, invalid_rule),
-                 call.add_rule(ingress_chain, est_rule),
-                 call.add_chain(egress_chain),
-                 call.add_rule(egress_chain, invalid_rule),
-                 call.add_rule(egress_chain, est_rule),
-                 call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
-                 call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
-        apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
+
+        for ip_version in (4, 6):
+            ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
+            egress_chain = ('ov%s%s' % (ip_version, firewall['id']))
+            calls = [call.ensure_remove_chain('iv%sfake-fw-uuid' % ip_version),
+                     call.ensure_remove_chain('ov%sfake-fw-uuid' % ip_version),
+                     call.ensure_remove_chain('fwaas-default-policy'),
+                     call.add_chain('fwaas-default-policy'),
+                     call.add_rule('fwaas-default-policy', '-j DROP'),
+                     call.add_chain(ingress_chain),
+                     call.add_rule(ingress_chain, invalid_rule),
+                     call.add_rule(ingress_chain, est_rule),
+                     call.add_chain(egress_chain),
+                     call.add_rule(egress_chain, invalid_rule),
+                     call.add_rule(egress_chain, est_rule),
+                     call.add_rule('FORWARD',
+                                   '-o qr-+ -j %s-fwaas-defau' % bname),
+                     call.add_rule('FORWARD',
+                                   '-i qr-+ -j %s-fwaas-defau' % bname)]
+            if ip_version == 4:
+                v4filter_inst = apply_list[0].iptables_manager.ipv4['filter']
+                v4filter_inst.assert_has_calls(calls)
+            else:
+                v6filter_inst = apply_list[0].iptables_manager.ipv6['filter']
+                v6filter_inst.assert_has_calls(calls)

    def test_create_firewall_with_rules(self):
        self._setup_firewall_with_rules(self.firewall.create_firewall)