Checksum-fill proxied metadata replies

Sometimes a proxied metadata reply can be dropped by
the hypervisor because of an invalid checksum.  Always
fill in the checksum, just like we do for DHCP replies.

Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266
Closes-bug: #1722584
(cherry picked from commit ed1c3b021751273e427d47fcf544c56bdabf97bb)
Brian Haley 2017-10-10 14:36:33 -04:00 committed by Brian Haley
parent adc344c065
commit b0c7a64143
2 changed files with 21 additions and 4 deletions


@ -195,6 +195,14 @@ class MetadataDriver(object):
{'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+', {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
'port': port})] 'port': port})]
@classmethod
def metadata_checksum_rules(cls, port):
return [('POSTROUTING', '-o %(interface_name)s '
'-p tcp -m tcp --sport %(port)s -j CHECKSUM '
'--checksum-fill' %
{'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
'port': port})]
@classmethod @classmethod
def _get_metadata_proxy_user_group(cls, conf): def _get_metadata_proxy_user_group(cls, conf):
user = conf.metadata_proxy_user or str(os.geteuid()) user = conf.metadata_proxy_user or str(os.geteuid())
@ -290,6 +298,8 @@ def after_router_added(resource, event, l3_agent, **kwargs):
router.iptables_manager.ipv4['mangle'].add_rule(c, r) router.iptables_manager.ipv4['mangle'].add_rule(c, r)
for c, r in proxy.metadata_nat_rules(proxy.metadata_port): for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
router.iptables_manager.ipv4['nat'].add_rule(c, r) router.iptables_manager.ipv4['nat'].add_rule(c, r)
for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
router.iptables_manager.ipv4['mangle'].add_rule(c, r)
router.iptables_manager.apply() router.iptables_manager.apply()
if not isinstance(router, ha_router.HaRouter): if not isinstance(router, ha_router.HaRouter):
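Review bot: The new `metadata_checksum_rules` classmethod has no docstring or comment, so the reason for a `-j CHECKSUM --checksum-fill` rule matching `--sport <metadata port>` on the `INTERNAL_DEV_PREFIX + '+'` interfaces is only recoverable from the commit message. I would add a docstring such as `"""Return mangle rules that fill in the TCP checksum on proxied metadata replies so the hypervisor does not drop them."""`. It may also be worth recording there that the rule depends on the CHECKSUM target being available on the host; if it is not, the `router.iptables_manager.apply()` call that follows in `after_router_added` would presumably fail for the router's whole rule set, but that path is not visible here. Both `MetadataDriver` and `after_router_added` continue outside the hunks shown.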


@ -39,18 +39,18 @@ class TestMetadataDriverRules(base.BaseTestCase):
def test_metadata_nat_rules(self): def test_metadata_nat_rules(self):
rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ ' rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
'-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775') '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697')
self.assertEqual( self.assertEqual(
[rules], [rules],
metadata_driver.MetadataDriver.metadata_nat_rules(8775)) metadata_driver.MetadataDriver.metadata_nat_rules(9697))
def test_metadata_filter_rules(self): def test_metadata_filter_rules(self):
rules = [('INPUT', '-m mark --mark 0x1/%s -j ACCEPT' % rules = [('INPUT', '-m mark --mark 0x1/%s -j ACCEPT' %
constants.ROUTER_MARK_MASK), constants.ROUTER_MARK_MASK),
('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')] ('INPUT', '-p tcp -m tcp --dport 9697 -j DROP')]
self.assertEqual( self.assertEqual(
rules, rules,
metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1')) metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
def test_metadata_mangle_rules(self): def test_metadata_mangle_rules(self):
rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ ' rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
@ -61,6 +61,13 @@ class TestMetadataDriverRules(base.BaseTestCase):
[rule], [rule],
metadata_driver.MetadataDriver.metadata_mangle_rules('0x1')) metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
def test_metadata_checksum_rules(self):
rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
'-j CHECKSUM --checksum-fill')
self.assertEqual(
[rules],
metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
class TestMetadataDriverProcess(base.BaseTestCase): class TestMetadataDriverProcess(base.BaseTestCase):
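Review bot: In `test_metadata_checksum_rules` the local `rules` holds a single `(chain, rule)` tuple that is then wrapped as `[rules]`; naming it `rule`, as `test_metadata_mangle_rules` does, would read more accurately: `rule = ('POSTROUTING', ...)` and `[rule],`. The test pins the rule string only; nothing in this section checks that `after_router_added` installs it in the `mangle` table, though such a test may exist outside the lines shown.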