Browse Source

Add iptables metadata marking rule on router init

Move the iptables metadata marking rule earlier in
router init, that way any stray metadata requests
that arrive before the filter metadata redirect rule is
installed will just be dropped.  We do this irregardless
of whether we will be running the metadata proxy.

Partial-bug: #1735724

Change-Id: I8982523dbb94a7c5b8a4db88a196fabc4dd2873f
(cherry picked from commit 6941977827)
tags/11.0.6
Brian Haley 1 year ago
parent
commit
6a8a1f81ae

+ 17
- 1
neutron/agent/l3/router_info.py View File

@@ -52,6 +52,7 @@ class RouterInfo(object):
52 52
                  use_ipv6=False):
53 53
         self.agent = agent
54 54
         self.router_id = router_id
55
+        self.agent_conf = agent_conf
55 56
         self.ex_gw_port = None
56 57
         self._snat_enabled = None
57 58
         self.fip_map = {}
@@ -73,8 +74,8 @@ class RouterInfo(object):
73 74
             use_ipv6=use_ipv6,
74 75
             namespace=self.ns_name)
75 76
         self.initialize_address_scope_iptables()
77
+        self.initialize_metadata_iptables()
76 78
         self.routes = []
77
-        self.agent_conf = agent_conf
78 79
         self.driver = interface_driver
79 80
         self.process_monitor = None
80 81
         # radvd is a neutron.agent.linux.ra.DaemonMonitor
@@ -1000,6 +1001,21 @@ class RouterInfo(object):
1000 1001
         iptables_manager.ipv6['mangle'].add_rule(
1001 1002
             'PREROUTING', copy_address_scope_for_existing)
1002 1003
 
1004
+    def initialize_metadata_iptables(self):
1005
+        # Always mark incoming metadata requests, that way any stray
1006
+        # requests that arrive before the filter metadata redirect
1007
+        # rule is installed will be dropped.
1008
+        mark_metadata_for_internal_interfaces = (
1009
+            '-d 169.254.169.254/32 '
1010
+            '-i %(interface_name)s '
1011
+            '-p tcp -m tcp --dport 80 '
1012
+            '-j MARK --set-xmark %(value)s/%(mask)s' %
1013
+            {'interface_name': INTERNAL_DEV_PREFIX + '+',
1014
+             'value': self.agent_conf.metadata_access_mark,
1015
+             'mask': n_const.ROUTER_MARK_MASK})
1016
+        self.iptables_manager.ipv4['mangle'].add_rule(
1017
+            'PREROUTING', mark_metadata_for_internal_interfaces)
1018
+
1003 1019
     def _get_port_devicename_scopemark(self, ports, name_generator):
1004 1020
         devicename_scopemark = {lib_constants.IP_VERSION_4: dict(),
1005 1021
                                 lib_constants.IP_VERSION_6: dict()}

+ 0
- 12
neutron/agent/metadata/driver.py View File

@@ -184,16 +184,6 @@ class MetadataDriver(object):
184 184
                 ('INPUT', '-p tcp -m tcp --dport %s '
185 185
                  '-j DROP' % port)]
186 186
 
187
-    @classmethod
188
-    def metadata_mangle_rules(cls, mark):
189
-        return [('PREROUTING', '-d 169.254.169.254/32 '
190
-                 '-i %(interface_name)s '
191
-                 '-p tcp -m tcp --dport 80 '
192
-                 '-j MARK --set-xmark %(value)s/%(mask)s' %
193
-                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
194
-                  'value': mark,
195
-                  'mask': constants.ROUTER_MARK_MASK})]
196
-
197 187
     @classmethod
198 188
     def metadata_nat_rules(cls, port):
199 189
         return [('PREROUTING', '-d 169.254.169.254/32 '
@@ -302,8 +292,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
302 292
     for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
303 293
                                            proxy.metadata_access_mark):
304 294
         router.iptables_manager.ipv4['filter'].add_rule(c, r)
305
-    for c, r in proxy.metadata_mangle_rules(proxy.metadata_access_mark):
306
-        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
307 295
     for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
308 296
         router.iptables_manager.ipv4['nat'].add_rule(c, r)
309 297
     for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):

+ 30
- 0
neutron/tests/unit/agent/l3/test_agent.py View File

@@ -3487,6 +3487,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3487 3487
                            [mock.call.add_chain('floatingip'),
3488 3488
                             mock.call.add_chain('float-snat'),
3489 3489
                             mock.call.add_rule('PREROUTING', '-j $floatingip'),
3490
+                            mock.call.add_rule(
3491
+                                'PREROUTING',
3492
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3493
+                                '-p tcp -m tcp --dport 80 '
3494
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3495
+                                {'interface_name':
3496
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3497
+                                 'value': self.conf.metadata_access_mark,
3498
+                                 'mask': n_const.ROUTER_MARK_MASK}),
3490 3499
                             mock.call.add_rule(
3491 3500
                                 'float-snat',
3492 3501
                                 '-m connmark --mark 0x0/0xffff0000 '
@@ -3522,6 +3531,27 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3522 3531
             self._verify_address_scopes_iptables_rule(
3523 3532
                 ri.snat_iptables_manager)
3524 3533
 
3534
+    def _verify_metadata_iptables_rule(self, mock_iptables_manager):
3535
+        v4_mangle_calls = ([mock.call.add_rule(
3536
+                                'PREROUTING',
3537
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3538
+                                '-p tcp -m tcp --dport 80 '
3539
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3540
+                                {'interface_name':
3541
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3542
+                                 'value': self.conf.metadata_access_mark,
3543
+                                 'mask': n_const.ROUTER_MARK_MASK})])
3544
+        mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
3545
+                                                              any_order=True)
3546
+
3547
+    def test_initialize_metadata_iptables_rules(self):
3548
+        id = _uuid()
3549
+        agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
3550
+        with mock.patch('neutron.agent.linux.iptables_manager.'
3551
+                        'IptablesManager'):
3552
+            ri = l3router.RouterInfo(agent, id, {}, **self.ri_kwargs)
3553
+            self._verify_metadata_iptables_rule(ri.iptables_manager)
3554
+
3525 3555
     @mock.patch.object(l3router.RouterInfo, 'delete')
3526 3556
     @mock.patch.object(ha_router.HaRouter, 'destroy_state_change_monitor')
3527 3557
     def test_delete_ha_router_initialize_fails(self, mock_dscm, mock_delete):

+ 5
- 1
neutron/tests/unit/agent/l3/test_l3_agent_extension_api.py View File

@@ -21,6 +21,8 @@ from oslo_utils import uuidutils
21 21
 from neutron.agent.l3 import l3_agent_extension_api as l3_agent_api
22 22
 from neutron.agent.l3 import router_info
23 23
 from neutron.agent.linux import ip_lib
24
+from neutron.conf.agent import common as config
25
+from neutron.conf.agent.l3 import config as l3_config
24 26
 from neutron.tests import base
25 27
 
26 28
 
@@ -29,9 +31,11 @@ class TestL3AgentExtensionApi(base.BaseTestCase):
29 31
     def _prepare_router_data(self, ports=None):
30 32
         self.router_id = uuidutils.generate_uuid()
31 33
         self.project_id = uuidutils.generate_uuid()
34
+        self.conf = config.setup_conf()
35
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, self.conf)
32 36
         ri_kwargs = {'router': {'id': self.router_id,
33 37
                                 'project_id': self.project_id},
34
-                     'agent_conf': mock.ANY,
38
+                     'agent_conf': self.conf,
35 39
                      'interface_driver': mock.ANY,
36 40
                      'use_ipv6': mock.ANY}
37 41
         ri = router_info.RouterInfo(mock.Mock(), self.router_id, **ri_kwargs)

+ 2
- 0
neutron/tests/unit/agent/l3/test_router_info.py View File

@@ -18,6 +18,7 @@ from neutron.agent.l3 import router_info
18 18
 from neutron.agent.linux import ip_lib
19 19
 from neutron.common import exceptions as n_exc
20 20
 from neutron.conf.agent import common as config
21
+from neutron.conf.agent.l3 import config as l3_config
21 22
 from neutron.tests import base
22 23
 
23 24
 
@@ -29,6 +30,7 @@ class TestRouterInfo(base.BaseTestCase):
29 30
         super(TestRouterInfo, self).setUp()
30 31
 
31 32
         conf = config.setup_conf()
33
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, conf)
32 34
 
33 35
         self.ip_cls_p = mock.patch('neutron.agent.linux.ip_lib.IPWrapper')
34 36
         ip_cls = self.ip_cls_p.start()

+ 0
- 9
neutron/tests/unit/agent/metadata/test_driver.py View File

@@ -52,15 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
52 52
             rules,
53 53
             metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
54 54
 
55
-    def test_metadata_mangle_rules(self):
56
-        rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
57
-                '-p tcp -m tcp --dport 80 '
58
-                '-j MARK --set-xmark 0x1/%s' %
59
-                constants.ROUTER_MARK_MASK)
60
-        self.assertEqual(
61
-            [rule],
62
-            metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
63
-
64 55
     def test_metadata_checksum_rules(self):
65 56
         rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
66 57
                  '-j CHECKSUM --checksum-fill')

Loading…
Cancel
Save