From 8f280339096ed702928f704fd20543ce4370c0d4 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Mon, 22 Apr 2019 18:53:45 -0400
Subject: [PATCH] Revert iptables TCP checksum-fill code
To fix bug 1722584 we inserted a checksum-fill rule for metadata proxy replies. Recent kernels have disabled this support for TCP because it was invalid, and supposedly not doing anything, so let's get ahead of things and remove the code.
Kernel mailing list discussion is at https://lore.kernel.org/patchwork/patch/824819/
Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb
Depends-On: https://review.opendev.org/#/c/725213/
Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
Related-bug: #1722584
(cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)
(cherry picked from commit 31320156e464d27d8dfb9df82777b92e9eed1e2c)
---
 neutron/agent/metadata/driver.py | 10 ----------
 neutron/tests/unit/agent/metadata/test_driver.py | 7 -------
 2 files changed, 17 deletions(-)
diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 79f6d2f138e..6d96a8ac4c0 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -193,14 +193,6 @@ class MetadataDriver(object):
 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
 'port': port})]
- @classmethod
- def metadata_checksum_rules(cls, port):
- return [('POSTROUTING', '-o %(interface_name)s '
- '-p tcp -m tcp --sport %(port)s -j CHECKSUM '
- '--checksum-fill' %
- {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
- 'port': port})]
-
 @classmethod
 def _get_metadata_proxy_user_group(cls, conf):
 user = conf.metadata_proxy_user or str(os.geteuid())
@@ -294,8 +286,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
 router.iptables_manager.ipv4['filter'].add_rule(c, r)
 for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
 router.iptables_manager.ipv4['nat'].add_rule(c, r)
- for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
- router.iptables_manager.ipv4['mangle'].add_rule(c, r)
 router.iptables_manager.apply()
 if not isinstance(router, ha_router.HaRouter):
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 037c75ec75f..2833b3697a4 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -52,13 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
 rules,
 metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
- def test_metadata_checksum_rules(self):
- rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
- '-j CHECKSUM --checksum-fill')
- self.assertEqual(
- [rules],
- metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
-
 class TestMetadataDriverProcess(base.BaseTestCase):