Prevent duplicate LLA iptables rules

Check if lla,mac tuple is in pairs before appending it again. Otherwise we end up generating duplicate iptables rules. Closes-Bug: #1622938 Change-Id: I43658a31f9853cbc94784f497193210990f769dd
2016-09-12 23:51:11 -07:00 · 2016-09-12 23:51:11 -07:00 · d1b9026729
parent dedb632ba5
commit d1b9026729
2 changed files with 9 additions and 1 deletions
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@ -389,7 +389,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
            mac_ipv6_pairs.append((mac, ip_address))
            lla = str(netutils.get_ipv6_addr_by_EUI64(
                    constants.IPv6_LLA_PREFIX, mac))
-            mac_ipv6_pairs.append((mac, lla))
+            if (mac, lla) not in mac_ipv6_pairs:
+                # only add once so we don't generate duplicate rules
+                mac_ipv6_pairs.append((mac, lla))

    def _spoofing_rule(self, port, ipv4_rules, ipv6_rules):
        # Fixed rules for traffic sourced from unspecified addresses: 0.0.0.0
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@ -1910,6 +1910,12 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
        self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv6,
                                                mac_ipv4_pairs, mac_ipv6_pairs)
        self.assertEqual(fake_ipv6_pair, mac_ipv6_pairs)
+        # ensure that LLA is not added again for another v6 addr
+        ipv62 = 'fe81::1'
+        self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv62,
+                                                mac_ipv4_pairs, mac_ipv6_pairs)
+        fake_ipv6_pair.append((mac_unix, ipv62))
+        self.assertEqual(fake_ipv6_pair, mac_ipv6_pairs)


 class OVSHybridIptablesFirewallTestCase(BaseIptablesFirewallTestCase):