From fde6fc3ecdb982235e8aefe879f68253fe921de9 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Tue, 26 May 2020 14:58:52 +0200
Subject: [PATCH] Fix iptables rules comments

In case when value of port['device'] don't starts with "tap_", in comments to the conntrack or stateless rules in the iptables there should be full port['device'] written. It will make things easier to debug for the operators e.g. when using iptables_hybrid driver.

Change-Id: I427321fbb87865931b2b28abf7687d37e8d01a53
Closes-bug: #1880691
(cherry picked from commit d8eac6fa50f237b94739522bc527a7a5ca93c328)
---
 neutron/agent/linux/iptables_firewall.py | 9 +++++++--
 neutron/tests/unit/agent/linux/test_iptables_firewall.py | 9 +++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 246f5eef382..fc504b7d3eb 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -387,6 +387,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
     def _get_br_device_name(self, port):
         return ('brq' + port['network_id'])[:constants.LINUX_DEV_LEN]
 
+    def _get_port_device_name(self, port):
+        if port['device'].startswith(constants.TAP_DEVICE_PREFIX):
+            return port['device'][4:]
+        return port['device']
+
     def _get_jump_rules(self, port, create=True):
         zone = self.ipconntrack.get_device_zone(port, create=create)
         if not zone:
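Review bot: `_get_port_device_name` tests for `constants.TAP_DEVICE_PREFIX` but then strips a hard-coded four characters, so the amount removed is not tied to the prefix it checks for. Assuming the prefix is three characters, `[4:]` also drops the first character after it, which is exactly what the new test in test_iptables_firewall.py relies on by feeding `'%s_name'`; a device whose identifier directly follows the prefix would lose its first character in the rule comment. If only the prefix should go, derive the offset: `return port['device'][len(constants.TAP_DEVICE_PREFIX):]`; if the extra character is deliberate, state it in a docstring such as `"""Return port['device'] without its tap prefix and the separator after it, for use in iptables rule comments."""`. The method currently has no docstring, and `_get_jump_rules` continues past the end of this hunk.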
@@ -400,10 +405,10 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         if self._are_sg_rules_stateful(port_sg_rules):
             # comment to prevent duplicate warnings for different devices using
             # same bridge. truncate start to remove prefixes
-            comment = 'Set zone for %s' % port['device'][4:]
+            comment = 'Set zone for %s' % self._get_port_device_name(port)
             conntrack = '--zone %s' % self.ipconntrack.get_device_zone(port)
         else:
-            comment = 'Make %s stateless' % port['device'][4:]
+            comment = 'Make %s stateless' % self._get_port_device_name(port)
             conntrack = '--notrack'
         rules = []
         for dev, match in ((br_dev, match_physdev), (br_dev, match_interface),
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 070700fd017..a5ce4da21d9 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -118,6 +118,15 @@ class BaseIptablesFirewallTestCase(base.BaseTestCase):
 
 class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 
+    def test__get_port_device_name(self):
+        self.assertEqual(
+            "name",
+            self.firewall._get_port_device_name({'device': 'name'}))
+        self.assertEqual(
+            "name",
+            self.firewall._get_port_device_name(
+                {'device': '%s_name' % constants.TAP_DEVICE_PREFIX}))
+
     def test_prepare_port_filter_with_no_sg(self):
         port = self._fake_port()
         self.firewall.prepare_port_filter(port)
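Review bot: The context comment `# same bridge. truncate start to remove prefixes` directly above the first changed line still describes a truncation that no longer happens at this site — it now lives in `_get_port_device_name`, and only when the device carries the tap prefix. Suggest shortening it to `# comment to prevent duplicate warnings for different devices using the same bridge` and moving the prefix-stripping explanation into a docstring on the helper, so a reader of the stateless branch is not told to expect a truncated name that may be returned in full. The enclosing `_get_jump_rules` starts and ends outside this hunk.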