When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp, it errors out setting the security groups on the hypervisor. Marking this a partial fix, since we need a change to prevent adding those incompatible rules in the first place, but this patch will stop the bleeding. Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f Partial-Bug: #1818385
2019-03-02 22:35:52 -07:00
parent fe73e8c9b3
commit 8c213e4590
2 changed files with 29 additions and 5 deletions
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -276,6 +276,20 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
        egress = None
        self._test_prepare_port_filter(rule, ingress, egress)

+    def test_filter_bad_vrrp_with_dport(self):
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': 'vrrp',
+                'port_range_min': 10,
+                'port_range_max': 10}
+        # Dest port isn't support with VRRP, so don't send it
+        # down to iptables.
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p vrrp -j RETURN',
+                                     top=False, comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
    def test_filter_ipv4_ingress_tcp_port_by_num(self):
        rule = {'ethertype': 'IPv4',
                'direction': 'ingress',