openstack
/
neutron
Code Issues Proposed changes

Handle CIDR IP address in allowed address pairs 

A CIDR IP address in allowed address pairs causing init
and update operation failures on OFPort.
This is because those operations are not handling CIDR IP addresses.

This patch fixes that problem.

Change-Id: Ic4513859364403555e13593fb34bd2e58ea6377b
Closes-Bug: #1652729
This commit is contained in:
Ravi Kota 2016-12-27 05:34:19 -05:00 committed by Kevin Benton
parent 12191ed9cd
commit 864a8a7ce8
3 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
neutron/agent/linux/openvswitch_firewall/firewall.py
View File

@ -99,7 +99,7 @@ class OFPort(object):
def _get_allowed_pairs(port_dict, version):
aap_dict = port_dict.get('allowed_address_pairs', set())
return {(aap['mac_address'], aap['ip_address']) for aap in aap_dict
if netaddr.IPAddress(aap['ip_address']).version == version}
if netaddr.IPNetwork(aap['ip_address']).version == version}
@property
def ipv4_addresses(self):

2
neutron/tests/functional/agent/test_firewall.py
View File

@ -390,7 +390,7 @@ class FirewallTestCase(BaseFirewallTestCase):
not_allowed_ip = "%s/24" % (allowed_ip + 1)
self.src_port_desc['allowed_address_pairs'] = [
{'mac_address': port_mac,
'ip_address': allowed_ip}]
'ip_address': "%s/32" % allowed_ip}]
allowed_ip = "%s/24" % allowed_ip
self.firewall.update_port_filter(self.src_port_desc)

4
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
View File

@ -98,11 +98,13 @@ class TestOFPort(base.BaseTestCase):
'allowed_address_pairs': [
{'mac_address': 'foo', 'ip_address': '10.0.0.1'},
{'mac_address': 'bar', 'ip_address': '192.168.0.1'},
{'mac_address': 'qux', 'ip_address': '169.254.0.0/16'},
{'mac_address': 'baz', 'ip_address': '2003::f'},
]}
allowed_pairs_v4 = ovsfw.OFPort._get_allowed_pairs(port, version=4)
allowed_pairs_v6 = ovsfw.OFPort._get_allowed_pairs(port, version=6)
expected_aap_v4 = {('foo', '10.0.0.1'), ('bar', '192.168.0.1')}
expected_aap_v4 = {('foo', '10.0.0.1'), ('bar', '192.168.0.1'),
('qux', '169.254.0.0/16')}
expected_aap_v6 = {('baz', '2003::f')}
self.assertEqual(expected_aap_v4, allowed_pairs_v4)
self.assertEqual(expected_aap_v6, allowed_pairs_v6)