Checksum-fill proxied metadata replies

Sometimes a proxied metadata reply can be dropped by the hypervisor because of an invalid checksum. Always fill-in the checksum just like we do for DHCP replies. Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266 Closes-bug: #1722584 (cherry picked from commit ed1c3b0217)
2017-10-10 14:36:33 -04:00 · 2017-10-10 14:36:33 -04:00 · b0c7a64143
commit b0c7a64143
parent adc344c065
2 changed files with 21 additions and 4 deletions
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@ -195,6 +195,14 @@ class MetadataDriver(object):
                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
                  'port': port})]

+    @classmethod
+    def metadata_checksum_rules(cls, port):
+        return [('POSTROUTING', '-o %(interface_name)s '
+                 '-p tcp -m tcp --sport %(port)s -j CHECKSUM '
+                 '--checksum-fill' %
+                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
+                  'port': port})]
+
    @classmethod
    def _get_metadata_proxy_user_group(cls, conf):
        user = conf.metadata_proxy_user or str(os.geteuid())
@ -290,6 +298,8 @@ def after_router_added(resource, event, l3_agent, **kwargs):
        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
    for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
        router.iptables_manager.ipv4['nat'].add_rule(c, r)
+    for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
+        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
    router.iptables_manager.apply()

    if not isinstance(router, ha_router.HaRouter):
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@ -39,18 +39,18 @@ class TestMetadataDriverRules(base.BaseTestCase):

    def test_metadata_nat_rules(self):
        rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
-                 '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775')
+                 '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697')
        self.assertEqual(
            [rules],
-            metadata_driver.MetadataDriver.metadata_nat_rules(8775))
+            metadata_driver.MetadataDriver.metadata_nat_rules(9697))

    def test_metadata_filter_rules(self):
        rules = [('INPUT', '-m mark --mark 0x1/%s -j ACCEPT' %
                  constants.ROUTER_MARK_MASK),
-                 ('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')]
+                 ('INPUT', '-p tcp -m tcp --dport 9697 -j DROP')]
        self.assertEqual(
            rules,
-            metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
+            metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))

    def test_metadata_mangle_rules(self):
        rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
@ -61,6 +61,13 @@ class TestMetadataDriverRules(base.BaseTestCase):
            [rule],
            metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))

+    def test_metadata_checksum_rules(self):
+        rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
+                 '-j CHECKSUM --checksum-fill')
+        self.assertEqual(
+            [rules],
+            metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
+

 class TestMetadataDriverProcess(base.BaseTestCase):