Use cached nwinfo for secgroup rules

This stops a potential DOS with source security groups by using the db cached version of the network info instead of calling out to the network api multiple times. Fixes bug 1184041 Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
2013-07-19 10:23:59 -07:00 · 2013-07-19 10:23:59 -07:00 · 85aac04704
parent aca4ef5b8e
commit 85aac04704
4 changed files with 11 additions and 13 deletions
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@ -3658,6 +3658,8 @@ def security_group_rule_get_by_security_group(context, security_group_id):
            filter_by(parent_group_id=security_group_id).
            options(joinedload_all('grantee_group.instances.'
                                   'system_metadata')).
+            options(joinedload('grantee_group.instances.'
+                               'info_cache')).
            all())


--- a/nova/tests/virt/libvirt/test_libvirt.py
+++ b/nova/tests/virt/libvirt/test_libvirt.py
@ -4504,7 +4504,9 @@ class IptablesFirewallTestCase(test.TestCase):
        from nova.network import linux_net
        linux_net.iptables_manager.execute = fake_iptables_execute

-        _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model)
+        from nova.compute import utils as compute_utils
+        self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+                       lambda instance: network_model)

        network_info = network_model.legacy()
        self.fw.prepare_instance_filter(instance_ref, network_info)
--- a/nova/tests/virt/xenapi/test_xenapi.py
+++ b/nova/tests/virt/xenapi/test_xenapi.py
@ -2480,8 +2480,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
        network_model = fake_network.fake_get_instance_nw_info(self.stubs,
                                                      1, spectacular=True)

-        fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs,
-                                      lambda *a, **kw: network_model)
+        from nova.compute import utils as compute_utils
+        self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+                       lambda instance: network_model)

        network_info = network_model.legacy()
        self.fw.prepare_instance_filter(instance_ref, network_info)
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@ -19,8 +19,8 @@

 from oslo.config import cfg

+from nova.compute import utils as compute_utils
 from nova import context
-from nova import network
 from nova.network import linux_net
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
@ -415,16 +415,9 @@ class IptablesFirewallDriver(FirewallDriver):
                    fw_rules += [' '.join(args)]
                else:
                    if rule['grantee_group']:
-                        # FIXME(jkoelker) This needs to be ported up into
-                        #                 the compute manager which already
-                        #                 has access to a nw_api handle,
-                        #                 and should be the only one making
-                        #                 making rpc calls.
-                        nw_api = network.API()
                        for instance in rule['grantee_group']['instances']:
-                            nw_info = nw_api.get_instance_nw_info(
-                                ctxt,
-                                instance)
+                            nw_info = compute_utils.get_nw_info_for_instance(
+                                    instance)

                            ips = [ip['address']
                                for ip in nw_info.fixed_ips()