Deal with the '-m protocol' flag in iptables FwAAS v1 and v2
Iptables automatically adds a '-m protocol' flag for rules containing a source or a destination port. FwAAS does not add this flag, so on apply the rules are always different from the iptables-save output. This induces a very long loop in the neutron-l3-agent hosting the router, as the comparison of each line is just slightly different. This patch only adds one '-m protocol' flag before the port. Closes-Bug: #1618430 Change-Id: Ia3fa3889dbf3ee10425e7e7fce8a3b8351f14e60
This commit is contained in:
parent
9cd48703bb
commit
b80de376d4
|
@ -420,7 +420,8 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||
def _port_arg(self, direction, protocol, port):
|
||||
if not (protocol in ['udp', 'tcp'] and port):
|
||||
return ''
|
||||
return '--%s %s' % (direction, port)
|
||||
# iptables adds '-m protocol' when the port number is specified
|
||||
return '-m %s --%s %s' % (protocol, direction, port)
|
||||
|
||||
def _ip_prefix_arg(self, direction, ip_prefix):
|
||||
if ip_prefix:
|
||||
|
|
|
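Review bot: The `-m %s` prefix on the new return line is emitted once per call of `_port_arg`, so a rule that specifies both a source and a destination port would carry the match module twice if the caller (outside this hunk, not visible) invokes `_port_arg` for each direction; whether that still diverges from what iptables-save prints for such a rule is not established here and deserves a test with both ports. The method also has no docstring; a one-liner such as `"""Return the tcp/udp port argument prefixed with '-m <protocol>' so the rule matches iptables-save output."""` would record why the prefix exists beyond the inline comment. The identical `_port_arg` body is duplicated in the v2 driver hunk at line 41, so a shared helper in the base module would keep the two drivers from drifting. `_ip_prefix_arg` continues past the end of the hunk.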
@ -451,7 +451,8 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
|
|||
def _port_arg(self, direction, protocol, port):
|
||||
if not (protocol in ['udp', 'tcp'] and port):
|
||||
return ''
|
||||
return '--%s %s' % (direction, port)
|
||||
# iptables adds '-m protocol' when the port number is specified
|
||||
return '-m %s --%s %s' % (protocol, direction, port)
|
||||
|
||||
def _ip_prefix_arg(self, direction, ip_prefix):
|
||||
if ip_prefix:
|
||||
|
|
|
@ -144,9 +144,9 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
func(distributed_mode, apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
rule1 = '-p tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
rule2 = '-p tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp --dport 23 -j REJECT'
|
||||
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
|
||||
ingress_chain = 'iv4%s' % firewall['id']
|
||||
egress_chain = 'ov4%s' % firewall['id']
|
||||
bname = fwaas.iptables_manager.binary_name
|
||||
|
|
|
@ -153,9 +153,9 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
func(distributed_mode, apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
rule1 = '-p tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
rule2 = '-p tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp --dport 23 -j REJECT'
|
||||
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
|
||||
ingress_chain = 'iv4%s' % firewall['id']
|
||||
egress_chain = 'ov4%s' % firewall['id']
|
||||
bname = fwaas.iptables_manager.binary_name
|
||||
|
|
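Review bot: The updated expectations `rule1`..`rule3` only exercise `--dport` on tcp, so the new `-m` prefix is verified on a single path; nothing checks a `--sport` rule, a rule with both ports, a udp rule, or a protocol outside tcp/udp where `_port_arg` returns `''`. Adding one expected line per test method such as `'-p udp -m udp --sport 53 -j ACCEPT'` (constructed example) and a port-less rule would pin both branches of the driver change. The same three-line update is applied in the hunk at line 115 and would need the same additional case.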