From 2969fa13fbd93097259e88a0edf9d34bdd9107ae Mon Sep 17 00:00:00 2001
From: Adam Gandelman
Date: Tue, 18 Dec 2012 09:50:46 -0800
Subject: [PATCH] Add an iptables mangle rule per-bridge for DHCP.

When vhost-net is present on a host, and DHCP services are run on the same system as guests (multi_host), an iptables rule is needed to fill packet checksums. This adds a rule per-bridge for multi_host networks when vhost-net is present, similar to how newer versions of libvirt handle the issue for bridges/networks that it manages.

Fixes LP: #1029430

EDIT: Updated tests and pep8.

Change-Id: I1a51c1d808fa47a77e713dbfe384ffad183d6031
---
 nova/tests/test_libvirt.py | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
index fbafe27f..a7df2c93 100644
--- a/nova/tests/test_libvirt.py
+++ b/nova/tests/test_libvirt.py
@@ -3218,6 +3218,20 @@ class IptablesFirewallTestCase(test.TestCase):
 ':POSTROUTING ACCEPT [5063:386098]',
 ]
 
+ in_mangle_rules = [
+ '# Generated by iptables-save v1.4.12 on Tue Dec 18 15:50:25 201;',
+ '*mangle',
+ ':PREROUTING ACCEPT [241:39722]',
+ ':INPUT ACCEPT [230:39282]',
+ ':FORWARD ACCEPT [0:0]',
+ ':OUTPUT ACCEPT [266:26558]',
+ ':POSTROUTING ACCEPT [267:26590]',
+ '-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM '
+ '--checksum-fill',
+ 'COMMIT',
+ '# Completed on Tue Dec 18 15:50:25 2012',
+ ]
+
 in_filter_rules = [
 '# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010',
 '*filter',
@@ -3319,6 +3333,8 @@ class IptablesFirewallTestCase(test.TestCase):
 return '\n'.join(self.in_filter_rules), None
 if cmd == ('iptables-save', '-c', '-t', 'nat'):
 return '\n'.join(self.in_nat_rules), None
+ if cmd == ('iptables-save', '-c', '-t', 'mangle'):
+ return '\n'.join(self.in_mangle_rules), None
 if cmd == ('iptables-restore', '-c',):
 lines = process_input.split('\n')
 if '*filter' in lines:
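Review bot: The first entry of `in_mangle_rules` ends in `201;` while the matching trailer line reads `2012`, so the fixture no longer mirrors real `iptables-save` output; it should read `'# Generated by iptables-save v1.4.12 on Tue Dec 18 15:50:25 2012',`. It is a comment line, so the code under test presumably skips it, but a stray character in canned firewall state is easy to mistake for meaningful input when a later test failure is being debugged. The list also lacks a one-line comment saying that the `--checksum-fill` rule models the rule libvirt installs for `virbr0`, which would tell the next reader why that bridge name appears in a nova fixture.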
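Review bot: Nothing visible in this hunk asserts on the mangle table that is written back, so the checksum-fill behaviour described in the commit message could regress without this test failing; the added branch only supplies `in_mangle_rules` as input, and the `iptables-restore` branch in the trailing context inspects `'*filter'` as far as the hunk shows. Consider recording the restore input when `'*mangle' in lines` and asserting that the existing `-j CHECKSUM --checksum-fill` rule comes back exactly once, so that a dropped or duplicated packet-mangling rule is caught. The stub function begins and ends outside the hunk, so a check may already exist beyond the visible lines.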