Merge "Use the system-dependent string for IP protocol 4" into stable/2023.2
commit
cc818385a1
|
@ -769,10 +769,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||||
if not self._iptables_protocol_name_map:
|
if not self._iptables_protocol_name_map:
|
||||||
tmp_map = constants.IPTABLES_PROTOCOL_NAME_MAP.copy()
|
tmp_map = constants.IPTABLES_PROTOCOL_NAME_MAP.copy()
|
||||||
tmp_map.update(self._local_protocol_name_map())
|
tmp_map.update(self._local_protocol_name_map())
|
||||||
# TODO(haleyb): remove once neutron-lib with fix is available
|
# iptables-save uses different strings for 'ipip' (protocol 4)
|
||||||
# - 'ipip' uses 'ipencap' to match IPPROTO_IPIP from in.h,
|
# depending on the distro, which corresponds to the entry for
|
||||||
# which is IP-ENCAP/'4' in /etc/protocols (see bug #2054324)
|
# '4' in /etc/protocols. For example:
|
||||||
tmp_map[constants.PROTO_NAME_IPIP] = 'ipencap'
|
# - 'ipencap' in Ubuntu
|
||||||
|
# - 'ipv4' in CentOS/Fedora
|
||||||
|
# For this reason, we need to map the string for 'ipip' to the
|
||||||
|
# system-dependent string for '4', see bug #2054324.
|
||||||
|
tmp_map[constants.PROTO_NAME_IPIP] = tmp_map['4']
|
||||||
self._iptables_protocol_name_map = tmp_map
|
self._iptables_protocol_name_map = tmp_map
|
||||||
return self._iptables_protocol_name_map
|
return self._iptables_protocol_name_map
|
||||||
|
|
||||||
|
|
|
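Review bot: The new assignment `tmp_map[constants.PROTO_NAME_IPIP] = tmp_map['4']` indexes the map directly, so it raises KeyError if neither `constants.IPTABLES_PROTOCOL_NAME_MAP` nor `_local_protocol_name_map()` supplies a '4' key; the contents of both are outside this hunk. Because the exception fires before `self._iptables_protocol_name_map = tmp_map` runs, the cache would stay empty and every later protocol-name lookup would fail the same way, not only 'ipip'. For a firewall driver that probably means security-group rules are not programmed on that host. Falling back to the previous value keeps the old behaviour there: `tmp_map[constants.PROTO_NAME_IPIP] = tmp_map.get('4', 'ipencap')`. The enclosing method begins above the hunk.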
@ -490,37 +490,43 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
|
||||||
self._test_prepare_port_filter(rule, ingress, egress)
|
self._test_prepare_port_filter(rule, ingress, egress)
|
||||||
|
|
||||||
def test_filter_ipv4_ingress_protocol_ipip(self):
|
def test_filter_ipv4_ingress_protocol_ipip(self):
|
||||||
# 'ipip' via the API uses 'ipencap' to match what iptables-save
|
# We want to use what the system-dependent string here is for 'ipip',
|
||||||
# uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
|
# as it could be 'ipencap' or 'ipv4' depending on the distro.
|
||||||
|
# See bug #2054324.
|
||||||
rule = {'ethertype': 'IPv4',
|
rule = {'ethertype': 'IPv4',
|
||||||
'direction': 'ingress',
|
'direction': 'ingress',
|
||||||
'protocol': 'ipip'}
|
'protocol': 'ipip'}
|
||||||
|
expected_proto_name = self.firewall._iptables_protocol_name('ipip')
|
||||||
ingress = mock.call.add_rule('ifake_dev',
|
ingress = mock.call.add_rule('ifake_dev',
|
||||||
'-p ipencap -j RETURN',
|
'-p %s -j RETURN' % expected_proto_name,
|
||||||
top=False, comment=None)
|
top=False, comment=None)
|
||||||
egress = None
|
egress = None
|
||||||
self._test_prepare_port_filter(rule, ingress, egress)
|
self._test_prepare_port_filter(rule, ingress, egress)
|
||||||
|
|
||||||
def test_filter_ipv4_ingress_protocol_ipip_by_num(self):
|
def test_filter_ipv4_ingress_protocol_4(self):
|
||||||
# '4' via the API uses 'ipencap' to match what iptables-save
|
# We want to use what the system-dependent string here is for '4',
|
||||||
# uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
|
# as it could be 'ipencap' or 'ipv4' depending on the distro.
|
||||||
|
# See bug #2054324.
|
||||||
rule = {'ethertype': 'IPv4',
|
rule = {'ethertype': 'IPv4',
|
||||||
'direction': 'ingress',
|
'direction': 'ingress',
|
||||||
'protocol': '4'}
|
'protocol': '4'}
|
||||||
|
expected_proto_name = self.firewall._iptables_protocol_name('4')
|
||||||
ingress = mock.call.add_rule('ifake_dev',
|
ingress = mock.call.add_rule('ifake_dev',
|
||||||
'-p ipencap -j RETURN',
|
'-p %s -j RETURN' % expected_proto_name,
|
||||||
top=False, comment=None)
|
top=False, comment=None)
|
||||||
egress = None
|
egress = None
|
||||||
self._test_prepare_port_filter(rule, ingress, egress)
|
self._test_prepare_port_filter(rule, ingress, egress)
|
||||||
|
|
||||||
def test_filter_ipv4_ingress_protocol_ipencap_by_num(self):
|
def test_filter_ipv4_ingress_protocol_94(self):
|
||||||
# '94' via the API uses 'ipip' to match what iptables-save
|
# We want to use what the system-dependent string here is for '94',
|
||||||
# uses, which is IPIP/'94' from /etc/protocols (see bug #2054324)
|
# as it could be 'ipip' or something else depending on the distro.
|
||||||
|
# See bug #2054324.
|
||||||
rule = {'ethertype': 'IPv4',
|
rule = {'ethertype': 'IPv4',
|
||||||
'direction': 'ingress',
|
'direction': 'ingress',
|
||||||
'protocol': '94'}
|
'protocol': '94'}
|
||||||
|
expected_proto_name = self.firewall._iptables_protocol_name('94')
|
||||||
ingress = mock.call.add_rule('ifake_dev',
|
ingress = mock.call.add_rule('ifake_dev',
|
||||||
'-p ipip -j RETURN',
|
'-p %s -j RETURN' % expected_proto_name,
|
||||||
top=False, comment=None)
|
top=False, comment=None)
|
||||||
egress = None
|
egress = None
|
||||||
self._test_prepare_port_filter(rule, ingress, egress)
|
self._test_prepare_port_filter(rule, ingress, egress)
|
||||||
|
|
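Review bot: In `test_filter_ipv4_ingress_protocol_ipip`, `test_filter_ipv4_ingress_protocol_4` and `test_filter_ipv4_ingress_protocol_94`, the expected string now comes from `self.firewall._iptables_protocol_name(...)`, the same lookup the driver uses to build the rule. The assertions therefore pass whatever that lookup returns and no longer pin the mapping itself. The result also appears to depend on the test host's /etc/protocols, so a regression that maps 'ipip' to the wrong name would go unnoticed. Consider patching `_local_protocol_name_map` to return a fixed map for each distro variant, for example `{'4': 'ipv4'}` and `{'4': 'ipencap'}`, and asserting the literal `'-p ipv4 -j RETURN'` and `'-p ipencap -j RETURN'`. It would also help to assert that 'ipip' and '4' resolve to the same string. The driver caches the map on first use, so the patch has to be in place before the first lookup on `self.firewall`.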