openstack/neutron
Code Issues Proposed changes

Merge "Always fill UDP checksums in DHCP replies"

Browse Source
This commit is contained in:
Jenkins 2015-03-20 21:24:16 +00:00 committed by Gerrit Code Review
commit 7620159c78
2 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
neutron/agent/linux/dhcp.py
View File

@ -27,6 +27,7 @@ import six
from neutron.agent.linux import external_process from neutron.agent.linux import external_process
from neutron.agent.linux import ip_lib from neutron.agent.linux import ip_lib
from neutron.agent.linux import iptables_manager
from neutron.agent.linux import utils from neutron.agent.linux import utils
from neutron.common import constants from neutron.common import constants
from neutron.common import exceptions from neutron.common import exceptions
@ -935,6 +936,7 @@ class DeviceManager(object):
interface_name, interface_name,
port.mac_address, port.mac_address,
namespace=network.namespace) namespace=network.namespace)
self.fill_dhcp_udp_checksums(namespace=network.namespace)
ip_cidrs = [] ip_cidrs = []
for fixed_ip in port.fixed_ips: for fixed_ip in port.fixed_ips:
subnet = fixed_ip.subnet subnet = fixed_ip.subnet
@ -971,3 +973,12 @@ class DeviceManager(object):
self.plugin.release_dhcp_port(network.id, self.plugin.release_dhcp_port(network.id,
self.get_device_id(network)) self.get_device_id(network))
def fill_dhcp_udp_checksums(self, namespace):
"""Ensure DHCP reply packets always have correct UDP checksums."""
iptables_mgr = iptables_manager.IptablesManager(use_ipv6=False,
namespace=namespace)
ipv4_rule = ('-p udp --dport %d -j CHECKSUM --checksum-fill'
% constants.DHCP_RESPONSE_PORT)
iptables_mgr.ipv4['mangle'].add_rule('POSTROUTING', ipv4_rule)
iptables_mgr.apply()

15
neutron/tests/unit/test_dhcp_agent.py
View File

@ -1167,6 +1167,14 @@ class TestDeviceManager(base.BaseTestCase):
driver_cls.return_value = self.mock_driver driver_cls.return_value = self.mock_driver
iproute_cls.return_value = self.mock_iproute iproute_cls.return_value = self.mock_iproute
iptables_cls_p = mock.patch(
'neutron.agent.linux.iptables_manager.IptablesManager')
iptables_cls = iptables_cls_p.start()
self.iptables_inst = mock.Mock()
iptables_cls.return_value = self.iptables_inst
self.mangle_inst = mock.Mock()
self.iptables_inst.ipv4 = {'mangle': self.mangle_inst}
def _test_setup_helper(self, device_is_ready, net=None, port=None): def _test_setup_helper(self, device_is_ready, net=None, port=None):
net = net or fake_network net = net or fake_network
port = port or fake_port1 port = port or fake_port1
@ -1218,6 +1226,13 @@ class TestDeviceManager(base.BaseTestCase):
cfg.CONF.set_override('enable_metadata_network', True) cfg.CONF.set_override('enable_metadata_network', True)
self._test_setup_helper(False) self._test_setup_helper(False)
def test_setup_calls_fill_dhcp_udp_checksums(self):
self._test_setup_helper(False)
rule = ('-p udp --dport %d -j CHECKSUM --checksum-fill'
% const.DHCP_RESPONSE_PORT)
expected = [mock.call.add_rule('POSTROUTING', rule)]
self.mangle_inst.assert_has_calls(expected)
def test_setup_ipv6(self): def test_setup_ipv6(self):
self._test_setup_helper(True, net=fake_network_ipv6, self._test_setup_helper(True, net=fake_network_ipv6,
port=fake_ipv6_port) port=fake_ipv6_port)