Browse Source

Add iptables metadata marking rule on router init

Move the iptables metadata marking rule earlier in
router init, that way any stray metadata requests
that arrive before the filter metadata redirect rule is
installed will just be dropped.  We do this irregardless
of whether we will be running the metadata proxy.

Partial-bug: #1735724

Change-Id: I8982523dbb94a7c5b8a4db88a196fabc4dd2873f
tags/13.0.0.0b1
Brian Haley 1 year ago
parent
commit
6941977827

+ 17
- 1
neutron/agent/l3/router_info.py View File

@@ -52,6 +52,7 @@ class RouterInfo(object):
52 52
                  use_ipv6=False):
53 53
         self.agent = agent
54 54
         self.router_id = router_id
55
+        self.agent_conf = agent_conf
55 56
         self.ex_gw_port = None
56 57
         self._snat_enabled = None
57 58
         self.fip_map = {}
@@ -73,8 +74,8 @@ class RouterInfo(object):
73 74
             use_ipv6=use_ipv6,
74 75
             namespace=self.ns_name)
75 76
         self.initialize_address_scope_iptables()
77
+        self.initialize_metadata_iptables()
76 78
         self.routes = []
77
-        self.agent_conf = agent_conf
78 79
         self.driver = interface_driver
79 80
         self.process_monitor = None
80 81
         # radvd is a neutron.agent.linux.ra.DaemonMonitor
@@ -992,6 +993,21 @@ class RouterInfo(object):
992 993
         iptables_manager.ipv6['mangle'].add_rule(
993 994
             'PREROUTING', copy_address_scope_for_existing)
994 995
 
996
+    def initialize_metadata_iptables(self):
997
+        # Always mark incoming metadata requests, that way any stray
998
+        # requests that arrive before the filter metadata redirect
999
+        # rule is installed will be dropped.
1000
+        mark_metadata_for_internal_interfaces = (
1001
+            '-d 169.254.169.254/32 '
1002
+            '-i %(interface_name)s '
1003
+            '-p tcp -m tcp --dport 80 '
1004
+            '-j MARK --set-xmark %(value)s/%(mask)s' %
1005
+            {'interface_name': INTERNAL_DEV_PREFIX + '+',
1006
+             'value': self.agent_conf.metadata_access_mark,
1007
+             'mask': n_const.ROUTER_MARK_MASK})
1008
+        self.iptables_manager.ipv4['mangle'].add_rule(
1009
+            'PREROUTING', mark_metadata_for_internal_interfaces)
1010
+
995 1011
     def _get_port_devicename_scopemark(self, ports, name_generator):
996 1012
         devicename_scopemark = {lib_constants.IP_VERSION_4: dict(),
997 1013
                                 lib_constants.IP_VERSION_6: dict()}

+ 0
- 12
neutron/agent/metadata/driver.py View File

@@ -176,16 +176,6 @@ class MetadataDriver(object):
176 176
                 ('INPUT', '-p tcp -m tcp --dport %s '
177 177
                  '-j DROP' % port)]
178 178
 
179
-    @classmethod
180
-    def metadata_mangle_rules(cls, mark):
181
-        return [('PREROUTING', '-d 169.254.169.254/32 '
182
-                 '-i %(interface_name)s '
183
-                 '-p tcp -m tcp --dport 80 '
184
-                 '-j MARK --set-xmark %(value)s/%(mask)s' %
185
-                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
186
-                  'value': mark,
187
-                  'mask': constants.ROUTER_MARK_MASK})]
188
-
189 179
     @classmethod
190 180
     def metadata_nat_rules(cls, port):
191 181
         return [('PREROUTING', '-d 169.254.169.254/32 '
@@ -294,8 +284,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
294 284
     for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
295 285
                                            proxy.metadata_access_mark):
296 286
         router.iptables_manager.ipv4['filter'].add_rule(c, r)
297
-    for c, r in proxy.metadata_mangle_rules(proxy.metadata_access_mark):
298
-        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
299 287
     for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
300 288
         router.iptables_manager.ipv4['nat'].add_rule(c, r)
301 289
     for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):

+ 30
- 0
neutron/tests/unit/agent/l3/test_agent.py View File

@@ -3506,6 +3506,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3506 3506
                            [mock.call.add_chain('floatingip'),
3507 3507
                             mock.call.add_chain('float-snat'),
3508 3508
                             mock.call.add_rule('PREROUTING', '-j $floatingip'),
3509
+                            mock.call.add_rule(
3510
+                                'PREROUTING',
3511
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3512
+                                '-p tcp -m tcp --dport 80 '
3513
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3514
+                                {'interface_name':
3515
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3516
+                                 'value': self.conf.metadata_access_mark,
3517
+                                 'mask': n_const.ROUTER_MARK_MASK}),
3509 3518
                             mock.call.add_rule(
3510 3519
                                 'float-snat',
3511 3520
                                 '-m connmark --mark 0x0/0xffff0000 '
@@ -3541,6 +3550,27 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3541 3550
             self._verify_address_scopes_iptables_rule(
3542 3551
                 ri.snat_iptables_manager)
3543 3552
 
3553
+    def _verify_metadata_iptables_rule(self, mock_iptables_manager):
3554
+        v4_mangle_calls = ([mock.call.add_rule(
3555
+                                'PREROUTING',
3556
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3557
+                                '-p tcp -m tcp --dport 80 '
3558
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3559
+                                {'interface_name':
3560
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3561
+                                 'value': self.conf.metadata_access_mark,
3562
+                                 'mask': n_const.ROUTER_MARK_MASK})])
3563
+        mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
3564
+                                                              any_order=True)
3565
+
3566
+    def test_initialize_metadata_iptables_rules(self):
3567
+        id = _uuid()
3568
+        agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
3569
+        with mock.patch('neutron.agent.linux.iptables_manager.'
3570
+                        'IptablesManager'):
3571
+            ri = l3router.RouterInfo(agent, id, {}, **self.ri_kwargs)
3572
+            self._verify_metadata_iptables_rule(ri.iptables_manager)
3573
+
3544 3574
     @mock.patch.object(l3router.RouterInfo, 'delete')
3545 3575
     @mock.patch.object(ha_router.HaRouter, 'destroy_state_change_monitor')
3546 3576
     def test_delete_ha_router_initialize_fails(self, mock_dscm, mock_delete):

+ 5
- 1
neutron/tests/unit/agent/l3/test_l3_agent_extension_api.py View File

@@ -21,6 +21,8 @@ from oslo_utils import uuidutils
21 21
 from neutron.agent.l3 import l3_agent_extension_api as l3_agent_api
22 22
 from neutron.agent.l3 import router_info
23 23
 from neutron.agent.linux import ip_lib
24
+from neutron.conf.agent import common as config
25
+from neutron.conf.agent.l3 import config as l3_config
24 26
 from neutron.tests import base
25 27
 
26 28
 
@@ -29,9 +31,11 @@ class TestL3AgentExtensionApi(base.BaseTestCase):
29 31
     def _prepare_router_data(self, ports=None):
30 32
         self.router_id = uuidutils.generate_uuid()
31 33
         self.project_id = uuidutils.generate_uuid()
34
+        self.conf = config.setup_conf()
35
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, self.conf)
32 36
         ri_kwargs = {'router': {'id': self.router_id,
33 37
                                 'project_id': self.project_id},
34
-                     'agent_conf': mock.ANY,
38
+                     'agent_conf': self.conf,
35 39
                      'interface_driver': mock.ANY,
36 40
                      'use_ipv6': mock.ANY}
37 41
         ri = router_info.RouterInfo(mock.Mock(), self.router_id, **ri_kwargs)

+ 2
- 0
neutron/tests/unit/agent/l3/test_router_info.py View File

@@ -18,6 +18,7 @@ from neutron.agent.l3 import router_info
18 18
 from neutron.agent.linux import ip_lib
19 19
 from neutron.common import exceptions as n_exc
20 20
 from neutron.conf.agent import common as config
21
+from neutron.conf.agent.l3 import config as l3_config
21 22
 from neutron.tests import base
22 23
 
23 24
 
@@ -29,6 +30,7 @@ class TestRouterInfo(base.BaseTestCase):
29 30
         super(TestRouterInfo, self).setUp()
30 31
 
31 32
         conf = config.setup_conf()
33
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, conf)
32 34
 
33 35
         self.ip_cls_p = mock.patch('neutron.agent.linux.ip_lib.IPWrapper')
34 36
         ip_cls = self.ip_cls_p.start()

+ 0
- 9
neutron/tests/unit/agent/metadata/test_driver.py View File

@@ -52,15 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
52 52
             rules,
53 53
             metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
54 54
 
55
-    def test_metadata_mangle_rules(self):
56
-        rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
57
-                '-p tcp -m tcp --dport 80 '
58
-                '-j MARK --set-xmark 0x1/%s' %
59
-                constants.ROUTER_MARK_MASK)
60
-        self.assertEqual(
61
-            [rule],
62
-            metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
63
-
64 55
     def test_metadata_checksum_rules(self):
65 56
         rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
66 57
                  '-j CHECKSUM --checksum-fill')

Loading…
Cancel
Save