Browse Source

Add iptables metadata marking rule on router init

Move the iptables metadata marking rule earlier in
router init, that way any stray metadata requests
that arrive before the filter metadata redirect rule is
installed will just be dropped.  We do this irregardless
of whether we will be running the metadata proxy.

Partial-bug: #1735724

Change-Id: I8982523dbb94a7c5b8a4db88a196fabc4dd2873f
(cherry picked from commit 6941977827)
tags/12.0.5
Brian Haley 1 year ago
parent
commit
e55ff3ec35

+ 17
- 1
neutron/agent/l3/router_info.py View File

@@ -52,6 +52,7 @@ class RouterInfo(object):
52 52
                  use_ipv6=False):
53 53
         self.agent = agent
54 54
         self.router_id = router_id
55
+        self.agent_conf = agent_conf
55 56
         self.ex_gw_port = None
56 57
         self._snat_enabled = None
57 58
         self.fip_map = {}
@@ -73,8 +74,8 @@ class RouterInfo(object):
73 74
             use_ipv6=use_ipv6,
74 75
             namespace=self.ns_name)
75 76
         self.initialize_address_scope_iptables()
77
+        self.initialize_metadata_iptables()
76 78
         self.routes = []
77
-        self.agent_conf = agent_conf
78 79
         self.driver = interface_driver
79 80
         self.process_monitor = None
80 81
         # radvd is a neutron.agent.linux.ra.DaemonMonitor
@@ -1001,6 +1002,21 @@ class RouterInfo(object):
1001 1002
         iptables_manager.ipv6['mangle'].add_rule(
1002 1003
             'PREROUTING', copy_address_scope_for_existing)
1003 1004
 
1005
+    def initialize_metadata_iptables(self):
1006
+        # Always mark incoming metadata requests, that way any stray
1007
+        # requests that arrive before the filter metadata redirect
1008
+        # rule is installed will be dropped.
1009
+        mark_metadata_for_internal_interfaces = (
1010
+            '-d 169.254.169.254/32 '
1011
+            '-i %(interface_name)s '
1012
+            '-p tcp -m tcp --dport 80 '
1013
+            '-j MARK --set-xmark %(value)s/%(mask)s' %
1014
+            {'interface_name': INTERNAL_DEV_PREFIX + '+',
1015
+             'value': self.agent_conf.metadata_access_mark,
1016
+             'mask': n_const.ROUTER_MARK_MASK})
1017
+        self.iptables_manager.ipv4['mangle'].add_rule(
1018
+            'PREROUTING', mark_metadata_for_internal_interfaces)
1019
+
1004 1020
     def _get_port_devicename_scopemark(self, ports, name_generator):
1005 1021
         devicename_scopemark = {lib_constants.IP_VERSION_4: dict(),
1006 1022
                                 lib_constants.IP_VERSION_6: dict()}

+ 0
- 12
neutron/agent/metadata/driver.py View File

@@ -184,16 +184,6 @@ class MetadataDriver(object):
184 184
                 ('INPUT', '-p tcp -m tcp --dport %s '
185 185
                  '-j DROP' % port)]
186 186
 
187
-    @classmethod
188
-    def metadata_mangle_rules(cls, mark):
189
-        return [('PREROUTING', '-d 169.254.169.254/32 '
190
-                 '-i %(interface_name)s '
191
-                 '-p tcp -m tcp --dport 80 '
192
-                 '-j MARK --set-xmark %(value)s/%(mask)s' %
193
-                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
194
-                  'value': mark,
195
-                  'mask': constants.ROUTER_MARK_MASK})]
196
-
197 187
     @classmethod
198 188
     def metadata_nat_rules(cls, port):
199 189
         return [('PREROUTING', '-d 169.254.169.254/32 '
@@ -302,8 +292,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
302 292
     for c, r in proxy.metadata_filter_rules(proxy.metadata_port,
303 293
                                            proxy.metadata_access_mark):
304 294
         router.iptables_manager.ipv4['filter'].add_rule(c, r)
305
-    for c, r in proxy.metadata_mangle_rules(proxy.metadata_access_mark):
306
-        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
307 295
     for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
308 296
         router.iptables_manager.ipv4['nat'].add_rule(c, r)
309 297
     for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):

+ 30
- 0
neutron/tests/unit/agent/l3/test_agent.py View File

@@ -3511,6 +3511,15 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3511 3511
                            [mock.call.add_chain('floatingip'),
3512 3512
                             mock.call.add_chain('float-snat'),
3513 3513
                             mock.call.add_rule('PREROUTING', '-j $floatingip'),
3514
+                            mock.call.add_rule(
3515
+                                'PREROUTING',
3516
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3517
+                                '-p tcp -m tcp --dport 80 '
3518
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3519
+                                {'interface_name':
3520
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3521
+                                 'value': self.conf.metadata_access_mark,
3522
+                                 'mask': n_const.ROUTER_MARK_MASK}),
3514 3523
                             mock.call.add_rule(
3515 3524
                                 'float-snat',
3516 3525
                                 '-m connmark --mark 0x0/0xffff0000 '
@@ -3546,6 +3555,27 @@ class TestBasicRouterOperations(BasicRouterOperationsFramework):
3546 3555
             self._verify_address_scopes_iptables_rule(
3547 3556
                 ri.snat_iptables_manager)
3548 3557
 
3558
+    def _verify_metadata_iptables_rule(self, mock_iptables_manager):
3559
+        v4_mangle_calls = ([mock.call.add_rule(
3560
+                                'PREROUTING',
3561
+                                '-d 169.254.169.254/32 -i %(interface_name)s '
3562
+                                '-p tcp -m tcp --dport 80 '
3563
+                                '-j MARK --set-xmark %(value)s/%(mask)s' %
3564
+                                {'interface_name':
3565
+                                 namespaces.INTERNAL_DEV_PREFIX + '+',
3566
+                                 'value': self.conf.metadata_access_mark,
3567
+                                 'mask': n_const.ROUTER_MARK_MASK})])
3568
+        mock_iptables_manager.ipv4['mangle'].assert_has_calls(v4_mangle_calls,
3569
+                                                              any_order=True)
3570
+
3571
+    def test_initialize_metadata_iptables_rules(self):
3572
+        id = _uuid()
3573
+        agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
3574
+        with mock.patch('neutron.agent.linux.iptables_manager.'
3575
+                        'IptablesManager'):
3576
+            ri = l3router.RouterInfo(agent, id, {}, **self.ri_kwargs)
3577
+            self._verify_metadata_iptables_rule(ri.iptables_manager)
3578
+
3549 3579
     @mock.patch.object(l3router.RouterInfo, 'delete')
3550 3580
     @mock.patch.object(ha_router.HaRouter, 'destroy_state_change_monitor')
3551 3581
     def test_delete_ha_router_initialize_fails(self, mock_dscm, mock_delete):

+ 5
- 1
neutron/tests/unit/agent/l3/test_l3_agent_extension_api.py View File

@@ -21,6 +21,8 @@ from oslo_utils import uuidutils
21 21
 from neutron.agent.l3 import l3_agent_extension_api as l3_agent_api
22 22
 from neutron.agent.l3 import router_info
23 23
 from neutron.agent.linux import ip_lib
24
+from neutron.conf.agent import common as config
25
+from neutron.conf.agent.l3 import config as l3_config
24 26
 from neutron.tests import base
25 27
 
26 28
 
@@ -29,9 +31,11 @@ class TestL3AgentExtensionApi(base.BaseTestCase):
29 31
     def _prepare_router_data(self, ports=None):
30 32
         self.router_id = uuidutils.generate_uuid()
31 33
         self.project_id = uuidutils.generate_uuid()
34
+        self.conf = config.setup_conf()
35
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, self.conf)
32 36
         ri_kwargs = {'router': {'id': self.router_id,
33 37
                                 'project_id': self.project_id},
34
-                     'agent_conf': mock.ANY,
38
+                     'agent_conf': self.conf,
35 39
                      'interface_driver': mock.ANY,
36 40
                      'use_ipv6': mock.ANY}
37 41
         ri = router_info.RouterInfo(mock.Mock(), self.router_id, **ri_kwargs)

+ 2
- 0
neutron/tests/unit/agent/l3/test_router_info.py View File

@@ -18,6 +18,7 @@ from neutron.agent.l3 import router_info
18 18
 from neutron.agent.linux import ip_lib
19 19
 from neutron.common import exceptions as n_exc
20 20
 from neutron.conf.agent import common as config
21
+from neutron.conf.agent.l3 import config as l3_config
21 22
 from neutron.tests import base
22 23
 
23 24
 
@@ -29,6 +30,7 @@ class TestRouterInfo(base.BaseTestCase):
29 30
         super(TestRouterInfo, self).setUp()
30 31
 
31 32
         conf = config.setup_conf()
33
+        l3_config.register_l3_agent_config_opts(l3_config.OPTS, conf)
32 34
 
33 35
         self.ip_cls_p = mock.patch('neutron.agent.linux.ip_lib.IPWrapper')
34 36
         ip_cls = self.ip_cls_p.start()

+ 0
- 9
neutron/tests/unit/agent/metadata/test_driver.py View File

@@ -52,15 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
52 52
             rules,
53 53
             metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
54 54
 
55
-    def test_metadata_mangle_rules(self):
56
-        rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
57
-                '-p tcp -m tcp --dport 80 '
58
-                '-j MARK --set-xmark 0x1/%s' %
59
-                constants.ROUTER_MARK_MASK)
60
-        self.assertEqual(
61
-            [rule],
62
-            metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
63
-
64 55
     def test_metadata_checksum_rules(self):
65 56
         rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
66 57
                  '-j CHECKSUM --checksum-fill')

Loading…
Cancel
Save