
When converting sg rules to iptables, do not emit dport if not supported

Since iptables-restore doesn't support --dport with protocol vrrp,
it errors out setting the security groups on the hypervisor.

Marking this a partial fix, since we need a change to prevent
adding those incompatible rules in the first place, but this
patch will stop the bleeding.

Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
Partial-Bug: #1818385
(cherry picked from commit 8c213e4590)
changes/91/640791/5
Doug Wiegley 2 months ago
parent
commit
f6be9d7ad9

+ 15
- 5
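--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -50,6 +50,15 @@ IPSET_DIRECTION = {firewall.INGRESS_DIRECTION: 'src',
 comment_rule = iptables_manager.comment_rule
 libc = ctypes.CDLL(util.find_library('libc.so.6'))
 
+# iptables protocols that support --dport and --sport
+IPTABLES_PORT_PROTOCOLS = [
+    constants.PROTO_NAME_DCCP,
+    constants.PROTO_NAME_SCTP,
+    constants.PROTO_NAME_TCP,
+    constants.PROTO_NAME_UDP,
+    constants.PROTO_NAME_UDPLITE
+]
+
 
 def get_hybrid_port_name(port_name):
     return (constants.TAP_DEVICE_PREFIX + port_name)[:n_const.LINUX_DEV_LEN]
@@ -756,11 +765,12 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
             # icmp code can be 0 so we cannot use "if port_range_max" here
             if port_range_max is not None:
                 args[-1] += '/%s' % port_range_max
-        elif port_range_min == port_range_max:
-            args += ['--%s' % direction, '%s' % (port_range_min,)]
-        else:
-            args += ['-m', 'multiport', '--%ss' % direction,
-                     '%s:%s' % (port_range_min, port_range_max)]
+        elif protocol in IPTABLES_PORT_PROTOCOLS:
+            if port_range_min == port_range_max:
+                args += ['--%s' % direction, '%s' % (port_range_min,)]
+            else:
+                args += ['-m', 'multiport', '--%ss' % direction,
+                         '%s:%s' % (port_range_min, port_range_max)]
         return args
 
     def _ip_prefix_arg(self, direction, ip_prefix):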
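Review bot: The new `elif protocol in IPTABLES_PORT_PROTOCOLS:` branch drops the port match silently for every other protocol, so a rule such as vrrp/port 10 is installed as an unrestricted `-p vrrp -j RETURN` — broader than what the security group rule states — and nothing records that the installed rule differs from the requested one; the enclosing method starts before the hunk. An explicit `else:` that logs at warning level, e.g. `LOG.warning("Ignoring port range for protocol %s; iptables supports ports only for %s", protocol, IPTABLES_PORT_PROTOCOLS)` (assuming the module already has a `LOG`), would make the widening visible to operators until the API-side rejection the commit message mentions lands. The membership test compares against protocol name constants; if `protocol` can reach this method as a numeric string (e.g. '6' for TCP) rather than a name, the port match would be dropped for those rules as well, so it is worth confirming that normalisation happens before this point. A short comment on the `elif`, such as `# port match is intentionally omitted for protocols iptables cannot match ports on`, would also help the next reader see that the omission is deliberate.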

+ 14
- 0
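--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -276,6 +276,20 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         egress = None
         self._test_prepare_port_filter(rule, ingress, egress)
 
+    def test_filter_bad_vrrp_with_dport(self):
+        rule = {'ethertype': 'IPv4',
+                'direction': 'ingress',
+                'protocol': 'vrrp',
+                'port_range_min': 10,
+                'port_range_max': 10}
+        # Dest port isn't support with VRRP, so don't send it
+        # down to iptables.
+        ingress = mock.call.add_rule('ifake_dev',
+                                     '-p vrrp -j RETURN',
+                                     comment=None)
+        egress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
     def test_filter_ipv4_ingress_tcp_port_by_num(self):
         rule = {'ethertype': 'IPv4',
                 'direction': 'ingress',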
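Review bot: `test_filter_bad_vrrp_with_dport` only exercises the equal-port path (`port_range_min == port_range_max`); the multiport branch for a range sits behind the same protocol check in the driver but has no test here, so a second case with `'port_range_min': 10, 'port_range_max': 20` expecting the same `'-p vrrp -j RETURN'` rule would pin both paths. The comment `# Dest port isn't support with VRRP, so don't send it` should read `# Dest port isn't supported with VRRP, so don't send it`. Since the driver now installs a rule wider than the one requested, the test comment could also say so explicitly, so a future reader does not take the unrestricted rule as the intended final behaviour.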
