Merge "Fix iptables mapping of 'ipip' protocol" into stable/2023.1

2024-04-24 21:06:27 +00:00 · 2024-04-24 21:06:27 +00:00 · 913037a96d
parent 2ec0ef0909 d17b1a6abb
commit 913037a96d
2 changed files with 40 additions and 0 deletions
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -775,6 +775,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
        if not self._iptables_protocol_name_map:
            tmp_map = constants.IPTABLES_PROTOCOL_NAME_MAP.copy()
            tmp_map.update(self._local_protocol_name_map())
+            # TODO(haleyb): remove once neutron-lib with fix is available
+            # - 'ipip' uses 'ipencap' to match IPPROTO_IPIP from in.h,
+            #   which is IP-ENCAP/'4' in /etc/protocols (see bug #2054324)
+            tmp_map[constants.PROTO_NAME_IPIP] = 'ipencap'
            self._iptables_protocol_name_map = tmp_map
        return self._iptables_protocol_name_map

--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -489,6 +489,42 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
        egress = None
        self._test_prepare_port_filter(rule, ingress, egress)

+    def test_filter_ipv4_ingress_protocol_ipip(self):
+        # 'ipip' via the API uses 'ipencap' to match what iptables-save
+        # uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': 'ipip'}
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p ipencap -j RETURN',
+                                     top=False, comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
+    def test_filter_ipv4_ingress_protocol_ipip_by_num(self):
+        # '4' via the API uses 'ipencap' to match what iptables-save
+        # uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': '4'}
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p ipencap -j RETURN',
+                                     top=False, comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
+    def test_filter_ipv4_ingress_protocol_ipencap_by_num(self):
+        # '94' via the API uses 'ipip' to match what iptables-save
+        # uses, which is IPIP/'94' from /etc/protocols (see bug #2054324)
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': '94'}
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p ipip -j RETURN',
+                                     top=False, comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
    def test_filter_ipv4_ingress_protocol_999_local(self):
        # There is no protocol 999, so let's return a mapping
        # that says there is and make sure the rule is created