From 85aac04704350566d6b06aa7a3b99649946c672c Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya
Date: Fri, 19 Jul 2013 10:23:59 -0700
Subject: [PATCH] Use cached nwinfo for secgroup rules
This stops a potential DOS with source security groups by using the db cached version of the network info instead of calling out to the network api multiple times.
Fixes bug 1184041
Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6
---
 nova/db/sqlalchemy/api.py | 2 ++
 nova/tests/virt/libvirt/test_libvirt.py | 4 +++-
 nova/tests/virt/xenapi/test_xenapi.py | 5 +++--
 nova/virt/firewall.py | 13 +++----------
 4 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py
index d58b5faf410f..04a1f270e436 100644
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@@ -3658,6 +3658,8 @@ def security_group_rule_get_by_security_group(context, security_group_id):
 filter_by(parent_group_id=security_group_id).
 options(joinedload_all('grantee_group.instances.'
 'system_metadata')).
+ options(joinedload('grantee_group.instances.'
+ 'info_cache')).
 all())
diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py
index 8443a6ed6c23..7538a135f49b 100644
--- a/nova/tests/virt/libvirt/test_libvirt.py
+++ b/nova/tests/virt/libvirt/test_libvirt.py
@@ -4504,7 +4504,9 @@ class IptablesFirewallTestCase(test.TestCase):
 from nova.network import linux_net
 linux_net.iptables_manager.execute = fake_iptables_execute
- _fake_stub_out_get_nw_info(self.stubs, lambda *a, **kw: network_model)
+ from nova.compute import utils as compute_utils
+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+ lambda instance: network_model)
 network_info = network_model.legacy()
 self.fw.prepare_instance_filter(instance_ref, network_info)
diff --git a/nova/tests/virt/xenapi/test_xenapi.py b/nova/tests/virt/xenapi/test_xenapi.py
index 069dd87b24f4..d74890a9ccca 100644
--- a/nova/tests/virt/xenapi/test_xenapi.py
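Review bot: The added `options(joinedload('grantee_group.instances.' 'info_cache'))` in security_group_rule_get_by_security_group has no comment saying why the info cache must be eagerly loaded next to system_metadata; only the commit message records that the firewall driver now builds grantee rules from this cache instead of asking the network API. A comment such as `# info_cache is read by the firewall driver, which derives grantee addresses from the cached nw_info instead of calling the network API` would keep that coupling visible to whoever next trims these joins. The hunk only shows `joinedload_all` in use on the previous line; if `joinedload` is not already imported in this module the new line fails with NameError at call time, which is worth confirming. The enclosing function starts outside the hunk.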
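Review bot: The new `from nova.compute import utils as compute_utils` is placed inside the test method rather than in the module's import block, and the test_xenapi.py hunk repeats the same inline import; both would read better at module level. Neither test asserts that the network API is no longer consulted, so a regression back to one RPC call per grantee instance (the DoS this commit fixes) would pass silently; stubbing `network.API.get_instance_nw_info` to raise in this test would pin the fix. The removed helper `_fake_stub_out_get_nw_info` may now be unused in this file, which is worth checking. The enclosing test method starts and ends outside the hunk.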
+++ b/nova/tests/virt/xenapi/test_xenapi.py
@@ -2480,8 +2480,9 @@ class XenAPIDom0IptablesFirewallTestCase(stubs.XenAPITestBase):
 network_model = fake_network.fake_get_instance_nw_info(self.stubs, 1, spectacular=True)
- fake_network.stub_out_nw_api_get_instance_nw_info(self.stubs,
- lambda *a, **kw: network_model)
+ from nova.compute import utils as compute_utils
+ self.stubs.Set(compute_utils, 'get_nw_info_for_instance',
+ lambda instance: network_model)
 network_info = network_model.legacy()
 self.fw.prepare_instance_filter(instance_ref, network_info)
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 5ba6293437b0..852d7eeacd5b 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -19,8 +19,8 @@
 from oslo.config import cfg
+from nova.compute import utils as compute_utils
 from nova import context
-from nova import network
 from nova.network import linux_net
 from nova.openstack.common.gettextutils import _
 from nova.openstack.common import importutils
@@ -415,16 +415,9 @@ class IptablesFirewallDriver(FirewallDriver):
 fw_rules += [' '.join(args)]
 else:
 if rule['grantee_group']:
- # FIXME(jkoelker) This needs to be ported up into
- # the compute manager which already
- # has access to a nw_api handle,
- # and should be the only one making
- # making rpc calls.
- nw_api = network.API()
 for instance in rule['grantee_group']['instances']:
- nw_info = nw_api.get_instance_nw_info(
- ctxt,
- instance)
+ nw_info = compute_utils.get_nw_info_for_instance(
+ instance)
 ips = [ip['address'] for ip in nw_info.fixed_ips()
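Review bot: Swapping `from nova import network` for `compute_utils` means the grantee addresses fed into the iptables rules are now only as current as each instance's db `info_cache`; a stale or empty cache produces a stale or empty rule set instead of a network-API lookup, and nothing in the module records that assumption. A short comment next to the new import, or at the call site in the `@@ -415` hunk (whose end lies outside this chunk), stating that the driver deliberately relies on the cached nw_info to avoid per-instance network calls (bug 1184041) would make the trade-off explicit for the next reader. Whether any other `network.API()` use remains in firewall.py cannot be confirmed from the hunk; if one does, the removed import breaks it.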