Deal with the '-m protocol' flag in iptables FwAAS v1 and v2

Iptables automatically adds a '-m protocol' flag for rules containing a source
or a destination port. FwAAS does not add this flag, so that, on apply, rules are
always different from the iptables-save output. This induces a very long loop in
the neutron-l3-agent hosting the router, as the comparison of each line is just
slightly different.

This patch only adds one '-m protocol' flag before the port.

Closes-Bug: #1618430
Change-Id: Ia3fa3889dbf3ee10425e7e7fce8a3b8351f14e60
Yann Morice 2016-10-11 13:34:00 +02:00
parent 9cd48703bb
commit b80de376d4
4 changed files with 10 additions and 8 deletions


@ -420,7 +420,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
def _port_arg(self, direction, protocol, port):
if not (protocol in ['udp', 'tcp'] and port):
return ''
return '--%s %s' % (direction, port)
# iptables adds '-m protocol' when the port number is specified
return '-m %s --%s %s' % (protocol, direction, port)
def _ip_prefix_arg(self, direction, ip_prefix):
if ip_prefix:
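Review bot: The new line `return '-m %s --%s %s' % (protocol, direction, port)` emits the match module once per call, so if the caller invokes `_port_arg` for both the source and the destination port of the same rule (the caller is outside this hunk) the generated rule reads `-m tcp --sport X -m tcp --dport Y`, while iptables-save renders it as `-m tcp --sport X --dport Y`, and such a rule would still compare unequal and keep the re-apply loop the description is trying to stop. Either emit `-m <protocol>` once from the caller when any port is present, or state the limitation in a docstring. The method also has no docstring; suggested: `"""Return the iptables port operand for *direction* ('sport'/'dport'), prefixed with the '-m <protocol>' match that iptables-save reports, or '' when protocol is not tcp/udp or no port is given."""`. The same code appears in the v2 driver hunk (`@ -451,7 +451,8 @@`) and this note applies there as well.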


@ -451,7 +451,8 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
def _port_arg(self, direction, protocol, port):
if not (protocol in ['udp', 'tcp'] and port):
return ''
return '--%s %s' % (direction, port)
# iptables adds '-m protocol' when the port number is specified
return '-m %s --%s %s' % (protocol, direction, port)
def _ip_prefix_arg(self, direction, ip_prefix):
if ip_prefix:


@ -144,9 +144,9 @@ class IptablesFwaasTestCase(base.BaseTestCase):
func(distributed_mode, apply_list, firewall)
invalid_rule = '-m state --state INVALID -j DROP'
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
rule1 = '-p tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
rule2 = '-p tcp --dport 22 -j DROP'
rule3 = '-p tcp --dport 23 -j REJECT'
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
ingress_chain = 'iv4%s' % firewall['id']
egress_chain = 'ov4%s' % firewall['id']
bname = fwaas.iptables_manager.binary_name
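Review bot: The updated expectations `rule1`–`rule3` only exercise tcp with a destination port, so nothing asserts that a udp rule gets `-m udp`, that a rule carrying both a source and a destination port yields a single match module, or that a protocol rule without a port gets no `-m` at all; the firewall fixture those rules come from is outside this hunk, so covering these cases means extending it. If the agent's comparison is textual, as the description suggests, note that iptables-save prints `-s 10.24.4.2 -p tcp -m tcp --dport 80 -j ACCEPT` (address before protocol), whereas `rule1` expects `-p tcp -m tcp --dport 80 -s 10.24.4.2`, so that rule may still mismatch after this change; worth confirming against the agent's comparison logic. The same observations apply to the second test hunk (`@ -153,9 +153,9 @@`).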


@ -153,9 +153,9 @@ class IptablesFwaasTestCase(base.BaseTestCase):
func(distributed_mode, apply_list, firewall)
invalid_rule = '-m state --state INVALID -j DROP'
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
rule1 = '-p tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
rule2 = '-p tcp --dport 22 -j DROP'
rule3 = '-p tcp --dport 23 -j REJECT'
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
ingress_chain = 'iv4%s' % firewall['id']
egress_chain = 'ov4%s' % firewall['id']
bname = fwaas.iptables_manager.binary_name