Use cached nwinfo for secgroup rules

This stops a potential DOS with source security groups by using the db cached version of the network info instead of calling out to the network api multiple times. Fixes bug 1184041 Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
2013-07-19 10:23:59 -07:00
parent aca4ef5b8e
commit 85aac04704
4 changed files with 11 additions and 13 deletions
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -19,8 +19,8 @@

 from oslo.config import cfg

+from nova.compute import utils as compute_utils
 from nova import context
-from nova import network
 from nova.network import linux_net
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
@@ -415,16 +415,9 @@ class IptablesFirewallDriver(FirewallDriver):
                    fw_rules += [' '.join(args)]
                else:
                    if rule['grantee_group']:
-                        # FIXME(jkoelker) This needs to be ported up into
-                        #                 the compute manager which already
-                        #                 has access to a nw_api handle,
-                        #                 and should be the only one making
-                        #                 making rpc calls.
-                        nw_api = network.API()
                        for instance in rule['grantee_group']['instances']:
-                            nw_info = nw_api.get_instance_nw_info(
-                                ctxt,
-                                instance)
+                            nw_info = compute_utils.get_nw_info_for_instance(
+                                    instance)

                            ips = [ip['address']
                                for ip in nw_info.fixed_ips()