From b0c7a641439c2a61ce90e36f5b8bc46e60e669ef Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Tue, 10 Oct 2017 14:36:33 -0400
Subject: [PATCH] Checksum-fill proxied metadata replies

Sometimes a proxied metadata reply can be dropped by the hypervisor because of an invalid checksum. Always fill-in the checksum just like we do for DHCP replies.

Change-Id: I46987da3bf05577ff0a51a490f26cf2be3c3c266
Closes-bug: #1722584
(cherry picked from commit ed1c3b021751273e427d47fcf544c56bdabf97bb)
---
 neutron/agent/metadata/driver.py | 10 ++++++++++
 neutron/tests/unit/agent/metadata/test_driver.py | 15 +++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index c8d960e288b..d29ecd1f38d 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -195,6 +195,14 @@ class MetadataDriver(object):
 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
 'port': port})]
 
+ @classmethod
+ def metadata_checksum_rules(cls, port):
+ return [('POSTROUTING', '-o %(interface_name)s '
+ '-p tcp -m tcp --sport %(port)s -j CHECKSUM '
+ '--checksum-fill' %
+ {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
+ 'port': port})]
+
 @classmethod
 def _get_metadata_proxy_user_group(cls, conf):
 user = conf.metadata_proxy_user or str(os.geteuid())
@@ -290,6 +298,8 @@ def after_router_added(resource, event, l3_agent, **kwargs):
 router.iptables_manager.ipv4['mangle'].add_rule(c, r)
 for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
 router.iptables_manager.ipv4['nat'].add_rule(c, r)
+ for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
+ router.iptables_manager.ipv4['mangle'].add_rule(c, r)
 router.iptables_manager.apply()
 
 if not isinstance(router, ha_router.HaRouter):
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 09556bb1c7d..1f883a63827 100644
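Review bot: `metadata_checksum_rules` in neutron/agent/metadata/driver.py is added without a docstring, and unlike `metadata_nat_rules` its name does not say which table the returned (chain, rule) pairs belong to, although the iptables CHECKSUM target is only accepted in the mangle table. I would add `"""Return mangle-table POSTROUTING rules that fill in the TCP checksum on packets leaving qr- interfaces from the metadata proxy port."""` so a future caller does not place them elsewhere. A short comment on why the match uses `--sport %(port)s` rather than port 80 would also help; presumably the reply still carries the proxy's listening port at this point in POSTROUTING, but that should be confirmed by the author. The caller in the second hunk (`after_router_added`) does add the rules to `ipv4['mangle']`, so the code is consistent as written; the class body continues outside the hunk.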
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -39,18 +39,18 @@ class TestMetadataDriverRules(base.BaseTestCase):
 
 def test_metadata_nat_rules(self):
 rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
- '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775')
+ '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697')
 self.assertEqual(
 [rules],
- metadata_driver.MetadataDriver.metadata_nat_rules(8775))
+ metadata_driver.MetadataDriver.metadata_nat_rules(9697))
 
 def test_metadata_filter_rules(self):
 rules = [('INPUT', '-m mark --mark 0x1/%s -j ACCEPT' %
 constants.ROUTER_MARK_MASK),
- ('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')]
+ ('INPUT', '-p tcp -m tcp --dport 9697 -j DROP')]
 self.assertEqual(
 rules,
- metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
+ metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
 
 def test_metadata_mangle_rules(self):
 rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
@@ -61,6 +61,13 @@ class TestMetadataDriverRules(base.BaseTestCase):
 [rule],
 metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
 
+ def test_metadata_checksum_rules(self):
+ rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
+ '-j CHECKSUM --checksum-fill')
+ self.assertEqual(
+ [rules],
+ metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
+
 
 class TestMetadataDriverProcess(base.BaseTestCase):
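Review bot: `test_metadata_checksum_rules` pins only the rule string, so nothing in the visible test changes checks that `after_router_added` installs these rules in the mangle table rather than another one. Because the CHECKSUM target is rejected outside mangle, a later change that moved the rule would likely surface only when the router's rules are applied on a live agent. Consider asserting in the router-added test path that the mangle table's `add_rule` receives the `'POSTROUTING'` checksum rule; the existing process tests are outside this hunk, so part of this may already be covered. Separately, the 8775 to 9697 edits in the first hunk are unrelated to the checksum fix and are not mentioned in the commit message.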