Add an iptables mangle rule per-bridge for DHCP.

When vhost-net is present on a host, and DHCP services are run on the same system as guests (multi_host), an iptables rule is needed to fill packet checksums. This adds a rule per-bridge for multi_host networks when vhost-net is present, similar to how newer versions of libvirt handle the issue for bridges/networks that it manages. Fixes LP: #1029430 EDIT: Updated tests and pep8. Change-Id: I1a51c1d808fa47a77e713dbfe384ffad183d6031
2012-12-18 09:50:46 -08:00
parent ce391ec027
commit 2969fa13fb
1 changed files with 16 additions and 0 deletions
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3218,6 +3218,20 @@ class IptablesFirewallTestCase(test.TestCase):
      ':POSTROUTING ACCEPT [5063:386098]',
    ]

+    in_mangle_rules = [
+        '# Generated by iptables-save v1.4.12 on Tue Dec 18 15:50:25 201;',
+        '*mangle',
+        ':PREROUTING ACCEPT [241:39722]',
+        ':INPUT ACCEPT [230:39282]',
+        ':FORWARD ACCEPT [0:0]',
+        ':OUTPUT ACCEPT [266:26558]',
+        ':POSTROUTING ACCEPT [267:26590]',
+        '-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM '
+        '--checksum-fill',
+        'COMMIT',
+        '# Completed on Tue Dec 18 15:50:25 2012',
+    ]
+
    in_filter_rules = [
      '# Generated by iptables-save v1.4.4 on Mon Dec  6 11:54:13 2010',
      '*filter',
@@ -3319,6 +3333,8 @@ class IptablesFirewallTestCase(test.TestCase):
                return '\n'.join(self.in_filter_rules), None
            if cmd == ('iptables-save', '-c', '-t', 'nat'):
                return '\n'.join(self.in_nat_rules), None
+            if cmd == ('iptables-save', '-c', '-t', 'mangle'):
+                return '\n'.join(self.in_mangle_rules), None
            if cmd == ('iptables-restore', '-c',):
                lines = process_input.split('\n')
                if '*filter' in lines: