diff --git a/neutron/agent/l3/router_info.py b/neutron/agent/l3/router_info.py
index f767c7d139e..6544e6eccd6 100644
--- a/neutron/agent/l3/router_info.py
+++ b/neutron/agent/l3/router_info.py
@@ -140,16 +140,16 @@ class RouterInfo(object):
         return self.router.get(l3_constants.FLOATINGIP_KEY, [])
 
     def floating_forward_rules(self, floating_ip, fixed_ip):
-        return [('PREROUTING', '-d %s -j DNAT --to %s' %
+        return [('PREROUTING', '-d %s/32 -j DNAT --to-destination %s' %
                  (floating_ip, fixed_ip)),
-                ('OUTPUT', '-d %s -j DNAT --to %s' %
+                ('OUTPUT', '-d %s/32 -j DNAT --to-destination %s' %
                  (floating_ip, fixed_ip)),
-                ('float-snat', '-s %s -j SNAT --to %s' %
+                ('float-snat', '-s %s/32 -j SNAT --to-source %s' %
                  (fixed_ip, floating_ip))]
 
     def floating_mangle_rules(self, floating_ip, fixed_ip, internal_mark):
         mark_traffic_to_floating_ip = (
-            'floatingip', '-d %s -j MARK --set-mark %s' % (
+            'floatingip', '-d %s -j MARK --set-xmark %s' % (
                 floating_ip, internal_mark))
         mark_traffic_from_fixed_ip = (
             'FORWARD', '-s %s -j $float-snat' % fixed_ip)
@@ -452,7 +452,7 @@ class RouterInfo(object):
                                     namespace=self.ns_name)
 
     def address_scope_mangle_rule(self, device_name, mark_mask):
-        return '-i %s -j MARK --set-mark %s' % (device_name, mark_mask)
+        return '-i %s -j MARK --set-xmark %s' % (device_name, mark_mask)
 
     def address_scope_filter_rule(self, device_name, mark_mask):
         return '-o %s -m mark ! --mark %s -j DROP' % (
diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
index b1351a8fe09..775f79f45c8 100644
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
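Review bot: The mangle rule in `floating_mangle_rules` keeps `-d %s` while the three NAT rules just above switched to `-d %s/32`; iptables-save prints the `/32` on any single-host `-d`/`-s` match regardless of table, so this rule very likely still compares unequal to the installed one and is re-applied on every pass. Changing it to `'floatingip', '-d %s/32 -j MARK --set-xmark %s' % (` would bring it in line with the NAT rules. The same caveat applies to `internal_mark`: iptables-save always prints a MARK target as `value/mask` (a bare `--set-mark 0x4` comes back as `--set-xmark 0x4/0xffffffff`), so unless the caller already formats the mark with its mask, which is not visible here, that rule will not converge either. A one-line why-comment on `floating_forward_rules` would protect the new spelling from being "simplified" later, e.g. `# spelled exactly as iptables-save prints it (/32, long option names) so the manager's textual comparison sees no diff`.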
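Review bot: `--set-xmark` is a drop-in for `--set-mark` only while every set bit of the mark value lies inside the mask carried by `mark_mask`: iptables widens a `--set-mark value/mask` to a kernel mask of `value|mask` and saves it with that widened mask, whereas `--set-xmark value/mask` keeps the mask as given and XORs rather than ORs any value bits outside it. If an address-scope mark were ever generated with bits outside its mask, the new spelling would silently change which packets end up marked instead of merely failing to converge. A comment on `address_scope_mangle_rule` would pin that invariant: `# --set-xmark is what iptables-save emits; it equals --set-mark only when the mark bits are a subset of the mask, so marks must stay inside the mask they are generated with`. The method is a single line and sits fully inside the hunk.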
@@ -1292,7 +1292,7 @@ class DeviceManager(object):
         """Ensure DHCP reply packets always have correct UDP checksums."""
         iptables_mgr = iptables_manager.IptablesManager(use_ipv6=False,
                                                         namespace=namespace)
-        ipv4_rule = ('-p udp --dport %d -j CHECKSUM --checksum-fill'
+        ipv4_rule = ('-p udp -m udp --dport %d -j CHECKSUM --checksum-fill'
                      % constants.DHCP_RESPONSE_PORT)
         iptables_mgr.ipv4['mangle'].add_rule('POSTROUTING', ipv4_rule)
         iptables_mgr.apply()
diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index cee81c0d868..2dd411a8dbc 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -63,7 +63,7 @@ class MetadataDriver(object):
         return [('PREROUTING', '-d 169.254.169.254/32 '
                  '-i %(interface_name)s '
                  '-p tcp -m tcp --dport 80 -j REDIRECT '
-                 '--to-port %(port)s' %
+                 '--to-ports %(port)s' %
                  {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
                   'port': port})]
 
diff --git a/neutron/tests/functional/agent/l3/framework.py b/neutron/tests/functional/agent/l3/framework.py
index d3b2e434f9a..eccc51de5c0 100644
--- a/neutron/tests/functional/agent/l3/framework.py
+++ b/neutron/tests/functional/agent/l3/framework.py
@@ -260,6 +260,7 @@ class L3AgentTestFramework(base.BaseSudoTestCase):
         self.assertTrue(self.floating_ips_configured(router))
         self._assert_snat_chains(router)
         self._assert_floating_ip_chains(router)
+        self._assert_iptables_rules_converged(router)
         self._assert_extra_routes(router)
         ip_versions = [4, 6] if (ip_version == 6 or dual_stack) else [4]
         self._assert_onlink_subnet_routes(router, ip_versions)
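Review bot: The added `-m udp` in the CHECKSUM rule has no explanation next to it, and a later cleanup could drop it as redundant, since iptables loads the udp match implicitly when `--dport` follows `-p udp`. A comment such as `# iptables-save prints the implicit '-m udp'; keep it so the installed rule compares equal and is not re-applied every run` on the `ipv4_rule` line would protect it. As far as this diff shows, only the L3 functional test gains a convergence assertion; the DHCP namespace rule is merely pinned as a string in the unit test, so a functional check that a second `iptables_mgr.apply()` returns a falsy result (what the new framework assertion relies on) would be the matching safeguard here. The enclosing method's `def` line is outside the hunk.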
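Review bot: `metadata_nat_rules` still has no docstring or comment saying why `--to-ports` (and the already-present `-m tcp`) must be spelled this way, so nothing stops the next edit from reverting to the shorter `--to-port` alias, which iptables accepts on the command line but iptables-save does not print. Suggest `# REDIRECT's option is saved as '--to-ports'; the rule text has to match iptables-save output or it is re-applied on every pass` above the `return`. The method's `def` line is outside the hunk.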
@@ -419,6 +420,12 @@ class L3AgentTestFramework(base.BaseSudoTestCase):
         self.assertFalse(router.iptables_manager.is_chain_empty(
             'nat', 'float-snat'))
 
+    def _assert_iptables_rules_converged(self, router):
+        # if your code is failing on this line, it means you are not generating
+        # your iptables rules in the same format that iptables-save returns
+        # them. run iptables-save to see the format they should be in
+        self.assertFalse(router.iptables_manager.apply())
+
     def _assert_metadata_chains(self, router):
         metadata_port_filter = lambda rule: (
             str(self.agent.conf.metadata_port) in rule.rule)
diff --git a/neutron/tests/functional/agent/linux/test_iptables.py b/neutron/tests/functional/agent/linux/test_iptables.py
index 2bbbedd4a92..95f1a9fdb48 100644
--- a/neutron/tests/functional/agent/linux/test_iptables.py
+++ b/neutron/tests/functional/agent/linux/test_iptables.py
@@ -31,7 +31,8 @@ class IptablesManagerTestCase(functional_base.BaseSudoTestCase):
     DIRECTION_CHAIN_MAPPER = {'ingress': 'INPUT', 'egress': 'OUTPUT'}
 
     PROTOCOL_BLOCK_RULE = '-p %s -j DROP'
-    PROTOCOL_PORT_BLOCK_RULE = '-p %s --dport %d -j DROP'
+    PROTOCOL_PORT_BLOCK_RULE = ('-p %(protocol)s -m %(protocol)s '
+                                '--dport %(port)d -j DROP')
 
     def setUp(self):
         super(IptablesManagerTestCase, self).setUp()
@@ -73,7 +74,8 @@ class IptablesManagerTestCase(functional_base.BaseSudoTestCase):
     def _get_chain_and_rule(self, direction, protocol, port):
         chain = self.DIRECTION_CHAIN_MAPPER[direction]
         if port:
-            rule = self.PROTOCOL_PORT_BLOCK_RULE % (protocol, port)
+            rule = self.PROTOCOL_PORT_BLOCK_RULE % {'protocol': protocol,
+                                                    'port': port}
         else:
             rule = self.PROTOCOL_BLOCK_RULE % protocol
         return chain, rule
diff --git a/neutron/tests/unit/agent/dhcp/test_agent.py b/neutron/tests/unit/agent/dhcp/test_agent.py
index 286acb470d8..f7320ae0a2f 100644
--- a/neutron/tests/unit/agent/dhcp/test_agent.py
+++ b/neutron/tests/unit/agent/dhcp/test_agent.py
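Review bot: The explanation in `_assert_iptables_rules_converged` lives only in a source comment, so a failing run prints something like `['-A ...'] is not false` and the reader has to open the file to learn what went wrong. Pass the explanation as the assertion message instead: `self.assertFalse(router.iptables_manager.apply(), 'iptables rules did not converge: generate rules in iptables-save format (run iptables-save to see it)')`. The check also assumes `apply()` returns something falsy only when no rule changed, which this diff does not show; if it can return `None` unconditionally the assertion passes vacuously, so once the return shape is confirmed an `assertEqual([], ...)` on that shape would be the stronger form.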
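Review bot: `PROTOCOL_PORT_BLOCK_RULE` now substitutes the protocol name into `-m %(protocol)s`, which is only valid for protocols that have a match module of the same name supporting `--dport` (tcp, udp and similar); `icmp` or a numeric protocol would yield a rule iptables rejects, and the template gives no hint of that. A comment next to the constant would make the contract explicit: `# only for protocols whose '-m <proto>' match takes --dport (tcp/udp); iptables-save prints that match explicitly, so the template must too`.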
@@ -1319,7 +1319,7 @@ class TestDeviceManager(base.BaseTestCase):
 
     def test_setup_calls_fill_dhcp_udp_checksums(self):
         self._test_setup_helper(False)
-        rule = ('-p udp --dport %d -j CHECKSUM --checksum-fill'
+        rule = ('-p udp -m udp --dport %d -j CHECKSUM --checksum-fill'
                 % const.DHCP_RESPONSE_PORT)
         expected = [mock.call.add_rule('POSTROUTING', rule)]
         self.mangle_inst.assert_has_calls(expected)
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index ea6047eb391..c38f54776c2 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -34,7 +34,7 @@ class TestMetadataDriverRules(base.BaseTestCase):
 
     def test_metadata_nat_rules(self):
         rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
-                 '-p tcp -m tcp --dport 80 -j REDIRECT --to-port 8775')
+                 '-p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8775')
         self.assertEqual(
             [rules],
             metadata_driver.MetadataDriver.metadata_nat_rules(8775))