Merge "Improve iptables handling"
commit
9d32e88ff5
|
@ -366,26 +366,29 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||
def _convert_fwaas_to_iptables_rule(self, rule):
|
||||
action = FWAAS_TO_IPTABLE_ACTION_MAP[rule.get('action')]
|
||||
|
||||
# Output ordering is important here as it must exactly match what
|
||||
# is returned by iptables-save. If not we risk unnecessarily removing
|
||||
# and readding rules.
|
||||
args = []
|
||||
|
||||
args += self._protocol_arg(rule.get('protocol'))
|
||||
|
||||
args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
|
||||
args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
|
||||
|
||||
# iptables adds '-m protocol' when any source
|
||||
# or destination port number is specified
|
||||
if not((rule.get('source_port') is None)
|
||||
and (rule.get('destination_port') is None)):
|
||||
args += self._match_arg(rule.get('protocol'))
|
||||
|
||||
args += self._port_arg('dport',
|
||||
rule.get('protocol'),
|
||||
rule.get('destination_port'))
|
||||
|
||||
args += self._port_arg('sport',
|
||||
rule.get('protocol'),
|
||||
rule.get('source_port'))
|
||||
|
||||
args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
|
||||
args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
|
||||
args += self._port_arg('dport',
|
||||
rule.get('protocol'),
|
||||
rule.get('destination_port'))
|
||||
|
||||
args += self._action_arg(action)
|
||||
|
||||
|
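Review bot: The ordering comment at the top of `_convert_fwaas_to_iptables_rule` still says only that the output must match iptables-save, while this hunk's whole purpose is to move the `-s`/`-d` prefix arguments ahead of the `-m` match and the port arguments, so the comment should state the order the code now emits or the next edit will reshuffle it by accident. Something like `# Emit in iptables-save order: -p, then -s/-d, then -m <proto> with ports, then -j; any deviation makes the driver remove and re-add the rule on every apply.` would pin it. The same contract also depends on argument spelling, which is why `_ip_prefix_arg` is changed in this commit to emit CIDR form; the comment could name that too. The v2 driver's `@ -418,26 +419,29 @@` hunk makes the identical reordering and needs the same comment.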
@ -396,7 +399,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||
return '-m state --state INVALID -j DROP'
|
||||
|
||||
def _allow_established_rule(self):
|
||||
return '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
return '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
|
||||
def _action_arg(self, action):
|
||||
if not action:
|
||||
|
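Review bot: The state list in `_allow_established_rule` is swapped to `RELATED,ESTABLISHED` without a comment, and since the two spellings are functionally equivalent to iptables a reader is likely to "tidy" it back. A comment on the return, `# Keep RELATED,ESTABLISHED: it is the spelling iptables-save prints, and the rule string must match it exactly or it is removed and re-added on every apply`, records the reason. The v2 driver's `@ -448,7 +452,7 @@` hunk makes the identical change and should carry the same comment.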
@ -438,5 +441,5 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||
if not(ip_prefix):
|
||||
return []
|
||||
|
||||
args = ['-%s' % direction, '%s' % ip_prefix]
|
||||
args = ['-%s' % direction, '%s' % utils.ip_to_cidr(ip_prefix)]
|
||||
return args
|
||||
|
|
|
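Review bot: `utils.ip_to_cidr(ip_prefix)` on the new `args = ...` line normalises a bare address to `/32` (per the updated test expectation) but is unexplained and introduces a failure mode the old interpolation lacked: if `ip_to_cidr` rejects a malformed address it now raises out of rule conversion instead of emitting a rule, so it is worth confirming that rule addresses are validated before they reach the driver. A comment `# iptables-save prints addresses in CIDR form (a.b.c.d/32); normalise so the stored rule compares equal and is not re-added on every apply` captures the intent. The `'%s' %` wrapper around the call is presumably redundant if `ip_to_cidr` already returns a string, so `args = ['-%s' % direction, utils.ip_to_cidr(ip_prefix)]` reads cleaner. `_ip_prefix_arg`'s signature is above the hunk; the v2 driver's `@ -491,5 +495,5 @@` hunk needs the same treatment.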
@ -17,6 +17,7 @@ from neutron.agent.linux import iptables_manager
|
|||
from neutron.agent.linux import utils as linux_utils
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron.common import utils
|
||||
from neutron_fwaas._i18n import _LE
|
||||
from neutron_fwaas.extensions import firewall as fw_ext
|
||||
from neutron_fwaas.services.firewall.drivers import fwaas_base_v2
|
||||
|
@ -418,26 +419,29 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
|
|||
def _convert_fwaas_to_iptables_rule(self, rule):
|
||||
action = FWAAS_TO_IPTABLE_ACTION_MAP[rule.get('action')]
|
||||
|
||||
# Output ordering is important here as it must exactly match what
|
||||
# is returned by iptables-save. If not we risk unnecessarily removing
|
||||
# and readding rules.
|
||||
args = []
|
||||
|
||||
args += self._protocol_arg(rule.get('protocol'))
|
||||
|
||||
args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
|
||||
args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
|
||||
|
||||
# iptables adds '-m protocol' when any source
|
||||
# or destination port number is specified
|
||||
if not((rule.get('source_port') is None)
|
||||
and (rule.get('destination_port') is None)):
|
||||
args += self._match_arg(rule.get('protocol'))
|
||||
|
||||
args += self._port_arg('dport',
|
||||
rule.get('protocol'),
|
||||
rule.get('destination_port'))
|
||||
|
||||
args += self._port_arg('sport',
|
||||
rule.get('protocol'),
|
||||
rule.get('source_port'))
|
||||
|
||||
args += self._ip_prefix_arg('s', rule.get('source_ip_address'))
|
||||
args += self._ip_prefix_arg('d', rule.get('destination_ip_address'))
|
||||
args += self._port_arg('dport',
|
||||
rule.get('protocol'),
|
||||
rule.get('destination_port'))
|
||||
|
||||
args += self._action_arg(action)
|
||||
|
||||
|
@ -448,7 +452,7 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
|
|||
return '-m state --state INVALID -j DROP'
|
||||
|
||||
def _allow_established_rule(self):
|
||||
return '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
return '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
|
||||
def _action_arg(self, action):
|
||||
if not action:
|
||||
|
@ -491,5 +495,5 @@ class IptablesFwaasDriver(fwaas_base_v2.FwaasDriverBase):
|
|||
if not(ip_prefix):
|
||||
return []
|
||||
|
||||
args = ['-%s' % direction, '%s' % ip_prefix]
|
||||
args = ['-%s' % direction, '%s' % utils.ip_to_cidr(ip_prefix)]
|
||||
return args
|
||||
|
|
|
@ -142,8 +142,8 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
distributed_mode = 'legacy'
|
||||
func(distributed_mode, apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
rule1 = '-p tcp -s 10.24.4.2/32 -m tcp --dport 80 -j ACCEPT'
|
||||
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
|
||||
ingress_chain = 'iv4%s' % firewall['id']
|
||||
|
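Review bot: The updated expectation `rule1 = '-p tcp -s 10.24.4.2/32 -m tcp --dport 80 -j ACCEPT'` exercises only a bare IPv4 source, so the new `ip_to_cidr` normalisation in `_ip_prefix_arg` has no coverage for an address that already carries a prefix (which should pass through unchanged) or a bare IPv6 address (which should presumably become `/128`). A second fake rule with a `source_ip_address` such as `10.24.4.0/24` and one with an IPv6 address would pin both behaviours and catch a regression in the driver's iptables-save matching. The enclosing test function starts above the hunk; the v2 test hunk `@ -149,8 +149,8 @@` has the same gap.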
@ -189,7 +189,7 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
firewall = self._fake_firewall_no_rule()
|
||||
self.firewall.create_firewall('legacy', apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
bname = fwaas.iptables_manager.binary_name
|
||||
for ip_version in (4, 6):
|
||||
ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
|
||||
|
|
|
@ -149,8 +149,8 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
distributed_mode = 'legacy'
|
||||
func(distributed_mode, apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
rule1 = '-p tcp -m tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
|
||||
est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
rule1 = '-p tcp -s 10.24.4.2/32 -m tcp --dport 80 -j ACCEPT'
|
||||
rule2 = '-p tcp -m tcp --dport 22 -j DROP'
|
||||
rule3 = '-p tcp -m tcp --dport 23 -j REJECT'
|
||||
ingress_chain = 'iv4%s' % firewall['id']
|
||||
|
@ -201,7 +201,7 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||
firewall = self._fake_firewall_no_rule()
|
||||
self.firewall.create_firewall_group('legacy', apply_list, firewall)
|
||||
invalid_rule = '-m state --state INVALID -j DROP'
|
||||
est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
|
||||
est_rule = '-m state --state RELATED,ESTABLISHED -j ACCEPT'
|
||||
bname = fwaas.iptables_manager.binary_name
|
||||
for ip_version in (4, 6):
|
||||
ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
|
||||
|
|