Don't install iptables rules if neutron is filtering
Don't setup iptables rules in the Linux Bridge driver
if Neutron is providing security groups filtering.
When neutron is providing filtering, it handles everything
ranging from security-group enforcement to anti-spoofing
rules so Nova/os-vif shouldn't need to do anything on plug.
Closes-Bug: #1694769
Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb
(cherry picked from commit 10e6b6bd1b)
parent
f5f2071fe5
commit
a267c1d2a9
|
@ -102,7 +102,10 @@ class LinuxBridgePlugin(plugin.PluginBase):
|
|||
bridge_name, iface, mtu=mtu)
|
||||
else:
|
||||
iface = self.config.flat_interface or network.bridge_interface
|
||||
linux_net.ensure_bridge(bridge_name, iface)
|
||||
# only put in iptables rules if Neutron not filtering
|
||||
install_filters = not vif.has_traffic_filtering
|
||||
linux_net.ensure_bridge(bridge_name, iface,
|
||||
filtering=install_filters)
|
||||
|
||||
def unplug(self, vif, instance_info):
|
||||
# Nothing required to unplug a port for a VIF using standard
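Review bot: Only the flat-network branch gets the new switch; the VLAN call whose tail is visible as `bridge_name, iface, mtu=mtu)` just above `else:` is unchanged and passes no `filtering` argument. If that helper ends up in the same bridge setup with filtering left at its default (not visible in this hunk), VLAN networks would still get os-vif iptables rules alongside Neutron's, so either thread `install_filters` through that path as well or say in the comment that it is deliberately left out. The comment could also spell out the trust placed in the flag, e.g. `# has_traffic_filtering means Neutron enforces security groups and anti-spoofing; os-vif adds no iptables rules in that case`. The body of `plug` starts outside the hunk.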
|
||||
|
|
|
@ -66,14 +66,20 @@ class PluginTest(testtools.TestCase):
|
|||
address='ca:fe:de:ad:be:ef',
|
||||
network=network,
|
||||
dev_name='tap-xxx-yyy-zzz',
|
||||
has_traffic_filtering=True,
|
||||
bridge_name="br0")
|
||||
|
||||
plugin = linux_bridge.LinuxBridgePlugin.load("linux_bridge")
|
||||
plugin.plug(vif, self.instance)
|
||||
|
||||
mock_ensure_bridge.assert_called_with("br0", "eth0")
|
||||
mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=False)
|
||||
self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)
|
||||
|
||||
mock_ensure_bridge.reset_mock()
|
||||
vif.has_traffic_filtering = False
|
||||
plugin.plug(vif, self.instance)
|
||||
mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=True)
|
||||
|
||||
def test_plug_bridge_create_br_vlan_mtu_in_model(self):
|
||||
self._test_plug_bridge_create_br_vlan(mtu=1234)
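Review bot: `assert_called_with` on the two new lines only checks the most recent call, so an extra `ensure_bridge` call that leaves filtering at its default would not fail the test; `mock_ensure_bridge.assert_called_once_with("br0", "eth0", filtering=False)` (and the same with `filtering=True` after `reset_mock()`) pins it. The neighbouring `self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)` looks vacuous if the patch is a MagicMock, since `.calls` would be an auto-created attribute whose length is always 0; `mock_ensure_vlan_bridge.assert_not_called()` would check what is intended. There is also no case here for the VLAN path with `has_traffic_filtering=True`. The test method starts outside the hunk.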
|
||||
|
||||
|
|