Use '-p ip' instead of '-p 0' with conntrack

The conntrack command does not allow '-p 0' as an argument, but does allow it's equivalent '-p ip'. Use it instead so it doesn't generate an error. Change-Id: Ica69eb85a6835952904a6390bb8a31e6afdecf69 Closes-bug: #1820744
2019-03-19 14:28:56 -04:00 · 2019-03-19 14:28:56 -04:00 · de810e04fb
parent ac4e28478a
commit de810e04fb
2 changed files with 15 additions and 4 deletions
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@ -117,7 +117,10 @@ class IpConntrackManager(object):
        protocol = rule.get('protocol')
        direction = rule.get('direction')
        cmd = ['conntrack', '-D']
-        if protocol:
+        if protocol is not None:
+            # 0 is IP in /etc/protocols, but conntrack will throw an error
+            if str(protocol) == '0':
+                protocol = 'ip'
            cmd.extend(['-p', str(protocol)])
        cmd.extend(['-f', str(ethertype).lower()])
        cmd.append('-d' if direction == 'ingress' else '-s')
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -1389,8 +1389,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
            while not self.firewall.ipconntrack._queue.empty():
                self.firewall.ipconntrack._process_queue()
            cmd = ['conntrack', '-D']
-            if protocol:
-                cmd.extend(['-p', protocol])
+            if protocol is not None:
+                if str(protocol) == '0':
+                    protocol = 'ip'
+                cmd.extend(['-p', str(protocol)])
            if ethertype == 'IPv4':
                cmd.extend(['-f', 'ipv4'])
                if direction == 'ingress':
@ -1412,7 +1414,13 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):

    def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
        for direction in ['ingress', 'egress']:
-            for pro in [None, 'tcp', 'icmp', 'udp']:
+            for pro in [None, 'ip', 'tcp', 'icmp', 'udp', '0']:
+                self._test_remove_conntrack_entries(
+                    'IPv4', pro, direction, ct_zone=10)
+
+    def test_remove_conntrack_entries_for_delete_rule_ipv4_by_num(self):
+        for direction in ['ingress', 'egress']:
+            for pro in [None, 0, 6, 1, 17]:
                self._test_remove_conntrack_entries(
                    'IPv4', pro, direction, ct_zone=10)