Skip unknown protocols while deleting conntrack

This patch updates the legacy conntrack driver to skip any
conntrack entries in the virtual router with an unknown protocol.

The conntrack driver currently handles sessions for
TCP/UDP/ICMP/ICMP6 protocols only.

Change-Id: Ic2572086a13ea9c3acc3aee1350b569740aa0d8f
Closes-Bug: #1753507
Chandan Dutta Chowdhury 2018-03-06 08:47:35 +00:00
parent 17276cca63
commit 9b89d4802c
2 changed files with 9 additions and 2 deletions


@ -77,7 +77,8 @@ class ConntrackLegacy(conntrack_base.ConntrackDriverBase):
raw_entries = self._execute_command(cmd).splitlines()
for raw_entry in raw_entries:
parsed_entry = self._parse_entry(raw_entry.split(), ip_version)
parsed_entries.append(parsed_entry)
if parsed_entry is not None:
parsed_entries.append(parsed_entry)
return sorted(parsed_entries)
def _get_conntrack_cmd_from_entry(self, entry, namespace):
@ -109,6 +110,11 @@ class ConntrackLegacy(conntrack_base.ConntrackDriverBase):
and compare with firewall rule
"""
protocol = entry[0]
if protocol in ATTR_POSITIONS:
LOG.info('Skipping conntrack entry %s with unsupported protocol',
entry)
return None
parsed_entry = [ip_version, protocol]
for attr, position in ATTR_POSITIONS[protocol]:
val = entry[position].partition('=')[2]
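Review bot: The guard added after `protocol = entry[0]` in the second hunk reads `if protocol in ATTR_POSITIONS:`, which looks inverted relative to the commit message: as written it returns None for every protocol that has a table entry, while an unknown protocol falls through to `ATTR_POSITIONS[protocol]` on the loop line, which would raise KeyError if the table is a plain dict. The condition should be `if protocol not in ATTR_POSITIONS:`. With the current form the first hunk's `is not None` filter would drop every supported entry, so presumably stale TCP/UDP/ICMP sessions would stay in the router namespace after a firewall rule change. The test shown on this page sets `list_entries.return_value` directly, so it would not exercise this branch; a case that passes an unknown-protocol line through the parser would. The function body starts and ends outside the hunk.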


@ -80,6 +80,7 @@ FW_RULES = [
ICMP_ENTRY = (4, 'icmp', 8, 0, '1.1.1.1', '2.2.2.2', '1234')
TCP_ENTRY = (4, 'tcp', 1, 2, '1.1.1.1', '2.2.2.2')
UDP_ENTRY = (4, 'udp', 1, 2, '1.1.1.1', '2.2.2.2')
UNKNOWN_ENTRY = (4, 'unknown', 1, 2, '1.1.1.1', '2.2.2.2')
ROUTER_NAMESPACE = 'qrouter-fake-namespace'
@ -112,7 +113,7 @@ class ConntrackLegacyTestCase(base.BaseTestCase):
def test_delete_entries(self):
self.conntrack_driver.list_entries.return_value = [
ICMP_ENTRY, TCP_ENTRY, UDP_ENTRY]
ICMP_ENTRY, TCP_ENTRY, UDP_ENTRY, UNKNOWN_ENTRY]
self.conntrack_driver.delete_entries(FW_RULES, ROUTER_NAMESPACE)
calls = [
mock.call(['ip', 'netns', 'exec', ROUTER_NAMESPACE,