Don't install iptables rules if neutron is filtering

Don't setup iptables rules in the Linux Bridge driver if Neutron is providing security groups filtering. When neutron is providing filtering, it handles everything ranging from security-group enforcement to anti-spoofing rules so Nova/os-vif shouldn't need to do anything on plug. Closes-Bug: #1694769 Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb (cherry picked from commit 10e6b6bd1b)
2017-02-26 07:56:45 -08:00 · 2017-02-26 07:56:45 -08:00 · a267c1d2a9
parent f5f2071fe5
commit a267c1d2a9
2 changed files with 11 additions and 2 deletions
--- a/vif_plug_linux_bridge/linux_bridge.py
+++ b/vif_plug_linux_bridge/linux_bridge.py
@ -102,7 +102,10 @@ class LinuxBridgePlugin(plugin.PluginBase):
                                             bridge_name, iface, mtu=mtu)
            else:
                iface = self.config.flat_interface or network.bridge_interface
-                linux_net.ensure_bridge(bridge_name, iface)
+                # only put in iptables rules if Neutron not filtering
+                install_filters = not vif.has_traffic_filtering
+                linux_net.ensure_bridge(bridge_name, iface,
+                                        filtering=install_filters)

    def unplug(self, vif, instance_info):
        # Nothing required to unplug a port for a VIF using standard
--- a/vif_plug_linux_bridge/tests/test_plugin.py
+++ b/vif_plug_linux_bridge/tests/test_plugin.py
@ -66,14 +66,20 @@ class PluginTest(testtools.TestCase):
            address='ca:fe:de:ad:be:ef',
            network=network,
            dev_name='tap-xxx-yyy-zzz',
+            has_traffic_filtering=True,
            bridge_name="br0")

        plugin = linux_bridge.LinuxBridgePlugin.load("linux_bridge")
        plugin.plug(vif, self.instance)

-        mock_ensure_bridge.assert_called_with("br0", "eth0")
+        mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=False)
        self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)

+        mock_ensure_bridge.reset_mock()
+        vif.has_traffic_filtering = False
+        plugin.plug(vif, self.instance)
+        mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=True)
+
    def test_plug_bridge_create_br_vlan_mtu_in_model(self):
        self._test_plug_bridge_create_br_vlan(mtu=1234)