openstack/nova
Code Issues Proposed changes

Merge "linux_net.metadata_accept(): IPv6 support"

Browse Source
This commit is contained in:
Jenkins
2015-03-02 04:05:25 +00:00
committed by Gerrit Code Review
parent 9d357dfc66 ea5474d605
commit 1cf19a03e1
2 changed files with 41 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
nova/network/linux_net.py
View File

@@ -678,14 +678,25 @@ def metadata_forward():
iptables_manager.apply() iptables_manager.apply()
def _iptables_dest(ip):
if ((netaddr.IPAddress(ip).version == 4 and ip == '127.0.0.1')
or ip == '::1'):
return '-m addrtype --dst-type LOCAL'
else:
return '-d %s' % ip
def metadata_accept(): def metadata_accept():
"""Create the filter accept rule for metadata.""" """Create the filter accept rule for metadata."""
rule = '-s 0.0.0.0/0 -p tcp -m tcp --dport %s' % CONF.metadata_port
if CONF.metadata_host != '127.0.0.1': rule = ('-p tcp -m tcp --dport %s %s -j ACCEPT' %
rule += ' -d %s -j ACCEPT' % CONF.metadata_host (CONF.metadata_port, _iptables_dest(CONF.metadata_host)))
if netaddr.IPAddress(CONF.metadata_host).version == 4:
iptables_manager.ipv4['filter'].add_rule('INPUT', rule)
else: else:
rule += ' -m addrtype --dst-type LOCAL -j ACCEPT' iptables_manager.ipv6['filter'].add_rule('INPUT', rule)
iptables_manager.ipv4['filter'].add_rule('INPUT', rule)
iptables_manager.apply() iptables_manager.apply()

27
nova/tests/unit/network/test_linux_net.py
View File

@@ -1066,20 +1066,43 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
'add_rule', verify_add_rule) 'add_rule', verify_add_rule)
linux_net.metadata_accept() linux_net.metadata_accept()
def _test_add_metadata_accept_ipv6_rule(self, expected):
def verify_add_rule(chain, rule):
self.assertEqual(chain, 'INPUT')
self.assertEqual(expected, rule)
self.stubs.Set(linux_net.iptables_manager.ipv6['filter'],
'add_rule', verify_add_rule)
linux_net.metadata_accept()
def test_metadata_accept(self): def test_metadata_accept(self):
self.flags(metadata_port='8775') self.flags(metadata_port='8775')
self.flags(metadata_host='10.10.10.1') self.flags(metadata_host='10.10.10.1')
expected = ('-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 ' expected = ('-p tcp -m tcp --dport 8775 '
'-d 10.10.10.1 -j ACCEPT') '-d 10.10.10.1 -j ACCEPT')
self._test_add_metadata_accept_rule(expected) self._test_add_metadata_accept_rule(expected)
def test_metadata_accept_ipv6(self):
self.flags(metadata_port='8775')
self.flags(metadata_host='2600::')
expected = ('-p tcp -m tcp --dport 8775 '
'-d 2600:: -j ACCEPT')
self._test_add_metadata_accept_ipv6_rule(expected)
def test_metadata_accept_localhost(self): def test_metadata_accept_localhost(self):
self.flags(metadata_port='8775') self.flags(metadata_port='8775')
self.flags(metadata_host='127.0.0.1') self.flags(metadata_host='127.0.0.1')
expected = ('-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 ' expected = ('-p tcp -m tcp --dport 8775 '
'-m addrtype --dst-type LOCAL -j ACCEPT') '-m addrtype --dst-type LOCAL -j ACCEPT')
self._test_add_metadata_accept_rule(expected) self._test_add_metadata_accept_rule(expected)
def test_metadata_accept_ipv6_localhost(self):
self.flags(metadata_port='8775')
self.flags(metadata_host='::1')
expected = ('-p tcp -m tcp --dport 8775 '
'-m addrtype --dst-type LOCAL -j ACCEPT')
self._test_add_metadata_accept_ipv6_rule(expected)
def _test_add_metadata_forward_rule(self, expected): def _test_add_metadata_forward_rule(self, expected):
def verify_add_rule(chain, rule): def verify_add_rule(chain, rule):
self.assertEqual(chain, 'PREROUTING') self.assertEqual(chain, 'PREROUTING')