From 5cab062465af06be3827de4e7f9014ab1040bdbf Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Mon, 5 Oct 2015 06:37:40 -0700
Subject: [PATCH] Correct MAC representation to match iptables output

We were previously using the netaddr's mac_unix format (which leaves off leading 0's) to generate iptables rules based on MAC addresses. While iptables accepts this format, it's not returned this way in the output so the iptables rule matching code would never find the match for these rules, causing the loss of counters on these rules on every reload. This patch corrects this with a custom dialect that matches the iptables format.

Closes-Bug: #1502901
Change-Id: Ia45ebde8c4684e12030469323e18367a54d1518b
---
 neutron/agent/linux/iptables_firewall.py                 | 7 ++++++-
 neutron/tests/unit/agent/linux/test_iptables_firewall.py | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index b0ac0f79328..a1ac960a30b 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -51,6 +51,11 @@ MAX_CONNTRACK_ZONES = 65535
 comment_rule = iptables_manager.comment_rule
 
 
+class mac_iptables(netaddr.mac_eui48):
+    """mac format class for netaddr to match iptables representation."""
+    word_sep = ':'
+
+
 class IptablesFirewallDriver(firewall.FirewallDriver):
     """Driver which enforces security groups through iptables rules."""
     IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
@@ -368,7 +373,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
     def _build_ipv4v6_mac_ip_list(self, mac, ip_address,
                                   mac_ipv4_pairs, mac_ipv6_pairs):
-        mac = str(netaddr.EUI(mac, dialect=netaddr.mac_unix))
+        mac = str(netaddr.EUI(mac, dialect=mac_iptables))
         if netaddr.IPNetwork(ip_address).version == 4:
             mac_ipv4_pairs.append((mac, ip_address))
         else:
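Review bot: `mac_iptables` is a class but is named in snake_case, which breaks the CapWords convention for classes and reads like a function at the call site in `_build_ipv4v6_mac_ip_list`; `class MacIptables(netaddr.mac_eui48):` would be the conventional spelling, although the lower-case form does mirror netaddr's own `mac_unix`/`mac_eui48` dialect names, so if it is kept for that reason a comment should say so. The docstring should also state the contract the fix relies on, since nothing in the hunk says what the iptables rendering is or why only the separator is overridden: `"""netaddr dialect matching the MAC rendering in iptables output: upper-case, zero-padded octets joined by ':' (e.g. FA:16:3E:0A:0B:0C). mac_eui48 already provides the case and padding; only the separator differs."""`. Making that dependency on `mac_eui48`'s defaults explicit means a future change to netaddr's defaults is caught at this class rather than resurfacing as silently lost rule counters, and a unit test asserting the rendered form (as the companion test file does) is the right guard for it. The second hunk in this file is cut off at the end of SOURCE, so `_build_ipv4v6_mac_ip_list` is only partly visible here.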
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 24c1b5d8b07..320d3588996 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1805,8 +1805,8 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
                                 for ip in other_ips])
 
     def test_build_ipv4v6_mac_ip_list(self):
-        mac_oth = 'ffff-ffff-ffff'
-        mac_unix = 'ff:ff:ff:ff:ff:ff'
+        mac_oth = 'ffff-ff0f-ffff'
+        mac_unix = 'FF:FF:FF:0F:FF:FF'
         ipv4 = FAKE_IP['IPv4']
         ipv6 = FAKE_IP['IPv6']
         fake_ipv4_pair = []
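Review bot: The expectation on the second `+` line is still bound to the name `mac_unix`, but `'FF:FF:FF:0F:FF:FF'` is the iptables-style rendering, not netaddr's mac_unix format that the driver no longer uses, so the variable name now contradicts its value; `mac_iptables_fmt = 'FF:FF:FF:0F:FF:FF'` (with the matching use further down the method) would keep the test honest. The new input `'ffff-ff0f-ffff'` does pin both the upper-casing and the zero-padding of the `0f` octet, which is exactly the behaviour the bug fix depends on, so the assertion itself is a good regression guard. The assertions that consume these two values, and the rest of `test_build_ipv4v6_mac_ip_list`, lie outside the hunk.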