Merge "Improve iptables handling"

2017-06-29 06:26:25 +00:00 · 2017-06-29 06:26:25 +00:00 · 9d32e88ff5
parent 034c18cd5f 69d39f79fd
commit 9d32e88ff5
4 changed files with 29 additions and 22 deletions
--- a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
+++ b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas.py
@ -366,26 +366,29 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
    def _convert_fwaas_to_iptables_rule(self, rule):
        action = FWAAS_TO_IPTABLE_ACTION_MAP[rule.get('action')]

+        # Output ordering is important here as it must exactly match what
+        # is returned by iptables-save.  If not we risk unnecessarily removing
+        # and readding rules.
        args = []

        args += self._protocol_arg(rule.get('protocol'))

+        args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
+        args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
+
        # iptables adds '-m protocol' when any source
        # or destination port number is specified
        if not((rule.get('source_port') is None)
           and (rule.get('destination_port') is None)):
                args += self._match_arg(rule.get('protocol'))

-        args += self._port_arg('dport',
-                               rule.get('protocol'),
-                               rule.get('destination_port'))
-
        args += self._port_arg('sport',
                               rule.get('protocol'),
                               rule.get('source_port'))

-        args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
-        args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
+        args += self._port_arg('dport',
+                               rule.get('protocol'),
+                               rule.get('destination_port'))

        args += self._action_arg(action)

@ -396,7 +399,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
        return '-m state --state INVALID -j DROP'

    def _allow_established_rule(self):
-        return '-m state --state ESTABLISHED,RELATED -j ACCEPT'
+        return '-m state --state RELATED,ESTABLISHED -j ACCEPT'

    def _action_arg(self, action):
        if not action:
@ -438,5 +441,5 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
        if not(ip_prefix):
            return []

-        args = ['-%s' % direction, '%s' % ip_prefix]
+        args = ['-%s' % direction, '%s' % utils.ip_to_cidr(ip_prefix)]
        return args
--- a/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py
+++ b/neutron_fwaas/services/firewall/drivers/linux/iptables_fwaas_v2.py
@ -17,6 +17,7 @@ from neutron.agent.linux import iptables_manager
 from neutron.agent.linux import utils as linux_utils
 from oslo_log import log as logging

+from neutron.common import utils
 from neutron_fwaas._i18n import _LE
 from neutron_fwaas.extensions import firewall as fw_ext
 from neutron_fwaas.services.firewall.drivers import fwaas_base_v2
@ -418,26 +419,29 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
    def _convert_fwaas_to_iptables_rule(self, rule):
        action = FWAAS_TO_IPTABLE_ACTION_MAP[rule.get('action')]

+        # Output ordering is important here as it must exactly match what
+        # is returned by iptables-save.  If not we risk unnecessarily removing
+        # and readding rules.
        args = []

        args += self._protocol_arg(rule.get('protocol'))

+        args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
+        args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
+
        # iptables adds '-m protocol' when any source
        # or destination port number is specified
        if not((rule.get('source_port') is None)
           and (rule.get('destination_port') is None)):
                args += self._match_arg(rule.get('protocol'))

-        args += self._port_arg('dport',
-                               rule.get('protocol'),
-                               rule.get('destination_port'))
-
        args += self._port_arg('sport',
                               rule.get('protocol'),
                               rule.get('source_port'))

-        args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
-        args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
+        args += self._port_arg('dport',
+                               rule.get('protocol'),
+                               rule.get('destination_port'))

        args += self._action_arg(action)

@ -448,7 +452,7 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
        return '-m state --state INVALID -j DROP'

    def _allow_established_rule(self):
-        return '-m state --state ESTABLISHED,RELATED -j ACCEPT'
+        return '-m state --state RELATED,ESTABLISHED -j ACCEPT'

    def _action_arg(self, action):
        if not action:
@ -491,5 +495,5 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
        if not(ip_prefix):
            return []

-        args = ['-%s' % direction, '%s' % ip_prefix]
+        args = ['-%s' % direction, '%s' % utils.ip_to_cidr(ip_prefix)]
        return args
--- a/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
+++ b/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
@ -142,8 +142,8 @@ class IptablesFwaasTestCase(base.BaseTestCase):
            distributed_mode = 'legacy'
        func(distributed_mode, apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
-        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
-        rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
+        est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
+        rule1 = '-p tcp -s 10.24.4.2/32 -m tcp --dport 80 -j ACCEPT'
        rule2 = '-p tcp -m tcp --dport 22 -j DROP'
        rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
        ingress_chain = 'iv4%s' % firewall['id']
@ -189,7 +189,7 @@ class IptablesFwaasTestCase(base.BaseTestCase):
        firewall = self._fake_firewall_no_rule()
        self.firewall.create_firewall('legacy', apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
-        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
+        est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
        bname = fwaas.iptables_manager.binary_name
        for ip_version in (4, 6):
            ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
--- a/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas_v2.py
+++ b/neutron_fwaas/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas_v2.py
@ -149,8 +149,8 @@ class IptablesFwaasTestCase(base.BaseTestCase):
            distributed_mode = 'legacy'
        func(distributed_mode, apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
-        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
-        rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
+        est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
+        rule1 = '-p tcp -s 10.24.4.2/32 -m tcp --dport 80 -j ACCEPT'
        rule2 = '-p tcp -m tcp --dport 22 -j DROP'
        rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
        ingress_chain = 'iv4%s' % firewall['id']
@ -201,7 +201,7 @@ class IptablesFwaasTestCase(base.BaseTestCase):
        firewall = self._fake_firewall_no_rule()
        self.firewall.create_firewall_group('legacy', apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
-        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
+        est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
        bname = fwaas.iptables_manager.binary_name
        for ip_version in (4, 6):
            ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))