diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 246c51858ad..a1c4a9541eb 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -155,6 +155,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 jump_rule = self._generate_trusted_port_rules(port)
 self._add_rules_to_chain_v4v6(
 'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT)
+ self._add_nat_short_ciruit(port)
 self.trusted_ports.append(port)
 def remove_trusted_ports(self, port_ids):
@@ -163,8 +164,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 jump_rule = self._generate_trusted_port_rules(port)
 self._remove_rule_from_chain_v4v6(
 'FORWARD', jump_rule, jump_rule)
+ self._remove_nat_short_ciruit(port)
 self.trusted_ports.remove(port)
+ def _generate_nat_shortcircuit_port_rules(self, port):
+ rt = '-m physdev --%%s %s -j ACCEPT' % (
+ self._get_device_name(port))
+ return [rt % (self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION]),
+ rt % (self.IPTABLES_DIRECTION[constants.EGRESS_DIRECTION])]
+
 def _generate_trusted_port_rules(self, port):
 rt = '-m physdev --%%s %s --physdev-is-bridged -j ACCEPT' % (
 self._get_device_name(port))
@@ -248,12 +256,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 def _remove_rule_port_sec(self, port, direction):
 self._update_port_sec_rules(port, direction, add=False)
- def _remove_rule_from_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules):
+ def _remove_rule_from_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules,
+ table='filter'):
 for rule in ipv4_rules:
- self.iptables.ipv4['filter'].remove_rule(chain_name, rule)
+ self.iptables.ipv4[table].remove_rule(chain_name, rule)
 for rule in ipv6_rules:
- self.iptables.ipv6['filter'].remove_rule(chain_name, rule)
+ self.iptables.ipv6[table].remove_rule(chain_name, rule)
 def _setup_chains(self):
 """Setup ingress and egress chain for a port."""
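Review bot: The `--physdev-out` entry that `_generate_nat_shortcircuit_port_rules` returns (the INGRESS_DIRECTION one, going by the `physdev-out` strings in the tests) is destined for nat PREROUTING via `_add_nat_short_ciruit`, but at the PREROUTING hook the bridge has not yet chosen an output port, so as far as I can tell a `--physdev-out <tap>` match cannot succeed there — the iptables physdev extension only documents it for FORWARD, OUTPUT and POSTROUTING. The practical result is that only connections entering from the tap are short-circuited, every port carries one dead rule, and a reader will assume ingress traffic is covered when it is not. Either return just the `--physdev-in` rule, or keep both and say why with a comment such as `# NOTE: --physdev-out does not match in PREROUTING; kept for symmetry with the FORWARD rules -- confirm`. It is also worth a one-line comment that these rules intentionally omit `--physdev-is-bridged`, unlike `_generate_trusted_port_rules` directly below, since the two look like copy-paste drift otherwise.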
@@ -268,6 +277,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 for pname in sorted(ports):
 port = ports[pname]
 self._add_conntrack_jump(port)
+ self._add_nat_short_ciruit(port)
 self._setup_chain(port, constants.INGRESS_DIRECTION)
 self._setup_chain(port, constants.EGRESS_DIRECTION)
 self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
@@ -276,6 +286,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 for port in unfiltered_ports.values():
 self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION)
 self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION)
+ self._add_nat_short_ciruit(port)
 def _remove_chains(self):
 """Remove ingress and egress chain for a port."""
@@ -289,9 +300,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 self._remove_chain(port, constants.EGRESS_DIRECTION)
 self._remove_chain(port, SPOOF_FILTER)
 self._remove_conntrack_jump(port)
+ self._remove_nat_short_ciruit(port)
 for port in unfiltered_ports.values():
 self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION)
 self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION)
+ self._remove_nat_short_ciruit(port)
 self._remove_chain_by_name_v4v6(SG_CHAIN)
 def _setup_chain(self, port, DIRECTION):
@@ -319,14 +332,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 self.iptables.ipv6['filter'].remove_chain(chain_name)
 def _add_rules_to_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules,
- top=False, comment=None):
+ top=False, comment=None, table='filter'):
 for rule in ipv4_rules:
- self.iptables.ipv4['filter'].add_rule(chain_name, rule,
- top=top, comment=comment)
+ self.iptables.ipv4[table].add_rule(chain_name, rule,
+ top=top, comment=comment)
 for rule in ipv6_rules:
- self.iptables.ipv6['filter'].add_rule(chain_name, rule,
- top=top, comment=comment)
+ self.iptables.ipv6[table].add_rule(chain_name, rule,
+ top=top, comment=comment)
 def _get_device_name(self, port):
 if not isinstance(port, dict):
@@ -465,6 +478,16 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 self.iptables.ipv4['raw'].remove_rule(chain, rule)
 self.iptables.ipv6['raw'].remove_rule(chain, rule)
+ def _add_nat_short_ciruit(self, port):
+ jump_rule = self._generate_nat_shortcircuit_port_rules(port)
+ self._add_rules_to_chain_v4v6('PREROUTING', jump_rule, jump_rule,
+ comment=ic.TRUSTED_ACCEPT, table='nat')
+
+ def _remove_nat_short_ciruit(self, port):
+ jump_rule = self._generate_nat_shortcircuit_port_rules(port)
+ self._remove_rule_from_chain_v4v6('PREROUTING', jump_rule,
+ jump_rule, table='nat')
+
 def _split_sgr_by_ethertype(self, security_group_rules):
 ipv4_sg_rules = []
 ipv6_sg_rules = []
diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py
index 1e09d66951d..f933f827387 100644
--- a/neutron/agent/linux/iptables_manager.py
+++ b/neutron/agent/linux/iptables_manager.py
@@ -335,11 +335,16 @@ class IptablesManager(object):
 self.ipv4.update({'raw': IptablesTable(binary_name=self.wrap_name)})
 self.ipv6.update({'raw': IptablesTable(binary_name=self.wrap_name)})
+ self.ipv4.update({'nat': IptablesTable(binary_name=self.wrap_name)})
+ self.ipv6.update({'nat': IptablesTable(binary_name=self.wrap_name)})
+
 # Wrap the built-in chains
 builtin_chains = {4: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']},
 6: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}}
 builtin_chains[4].update({'raw': ['PREROUTING', 'OUTPUT']})
 builtin_chains[6].update({'raw': ['PREROUTING', 'OUTPUT']})
+ builtin_chains[4].update({'nat': ['PREROUTING']})
+ builtin_chains[6].update({'nat': ['PREROUTING']})
 self._configure_builtin_chains(builtin_chains)
 if not state_less:
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index b177c7ee06c..8e0dcf04573 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
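Review bot: `_add_nat_short_ciruit` installs an unconditional `-j ACCEPT` in the wrapped nat PREROUTING chain for every port — earlier hunks call it from `_setup_chains`, the unfiltered-port loop and `process_trusted_ports` — and because the nat table is consulted only for the first packet of a connection, ACCEPT there means no other nat PREROUTING rule on the host (any DNAT another agent or the operator installed) will ever see NEW connections from these taps. If that bypass is the intent, the method needs a docstring that says so, e.g. `"""Stop nat-table traversal for connections entering via this port's tap."""`, so the next person debugging a missing DNAT does not have to rediscover it. The rules are also tagged `comment=ic.TRUSTED_ACCEPT` for ordinary filtered ports, which will mislead anyone reading `iptables -t nat -S` during an incident; a dedicated comment constant would describe them accurately. Finally, `ciruit` is misspelled in both method names (`_add_nat_short_circuit` / `_remove_nat_short_circuit`) and is cheap to fix before the call sites multiply.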
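Review bot: The nat table is now registered unconditionally for ipv4 and ipv6, before the `if not state_less:` block that presumably still gates the existing nat setup, so `state_less=True` and `nat=False` no longer mean "leave the nat table alone" — the flipped `assertIn('nat', ...)` assertions in the test_iptables_manager hunks confirm the contract changed. That matters for the ipv6 side in particular: an `*nat` section in `ip6tables-restore` input needs kernel support for IPv6 NAT, and on a host without it every restore will fail rather than just skipping the short-circuit. Either honour the flag (`if nat:` around the two `update` calls and the two `builtin_chains` entries) or document the new behaviour at the constructor, e.g. `# nat PREROUTING is always wrapped so the SG driver can short-circuit it; nat=False only skips the full nat-table setup`. The rest of the constructor, including whatever `initialize_nat_table` does with the same `'nat'` key, is outside this hunk.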
@@ -84,10 +84,12 @@ class BaseIptablesFirewallTestCase(base.BaseTestCase):
 self.v4filter_inst = mock.Mock()
 self.v6filter_inst = mock.Mock()
 self.iptables_inst.ipv4 = {'filter': self.v4filter_inst,
- 'raw': self.v4filter_inst
+ 'raw': self.v4filter_inst,
+ 'nat': self.v4filter_inst
 }
 self.iptables_inst.ipv6 = {'filter': self.v6filter_inst,
- 'raw': self.v6filter_inst
+ 'raw': self.v6filter_inst,
+ 'nat': self.v6filter_inst
 }
 iptables_cls.return_value = self.iptables_inst
@@ -141,6 +143,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None),
 mock.call.add_rule('PREROUTING', mock.ANY, # zone set
 comment=None),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule('FORWARD',
 '-m physdev --physdev-out tapfake_dev '
@@ -1172,6 +1182,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 '-m physdev --physdev-in tapfake_dev '
 '--physdev-is-bridged -j ACCEPT',
 top=False, comment=ic.TRUSTED_ACCEPT))
+ calls.append(
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT))
+ calls.append(
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT))
 self.firewall.process_trusted_ports([port['id']])
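Review bot: The fixture maps `'filter'`, `'raw'` and the new `'nat'` key to the same `self.v4filter_inst` mock (and likewise for ipv6), so every `add_rule('PREROUTING', '-m physdev ... -j ACCEPT', ...)` expectation added in this file cannot distinguish the nat table from raw PREROUTING — a regression that dropped `table='nat'` from `_add_nat_short_ciruit` would still pass. Giving nat its own mock, `self.v4nat_inst = mock.Mock()` and `'nat': self.v4nat_inst`, and asserting the short-circuit calls on that object would pin the one property this change is actually about.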
@@ -1262,6 +1282,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None),
 mock.call.add_rule('PREROUTING', mock.ANY, # zone set
 comment=None),
+ mock.call.add_rule('PREROUTING',
+ "-m physdev --physdev-out tapfake_dev "
+ "-j ACCEPT",
+ comment=ic.TRUSTED_ACCEPT,
+ top=False),
+ mock.call.add_rule('PREROUTING',
+ "-m physdev --physdev-in tapfake_dev "
+ "-j ACCEPT",
+ comment=ic.TRUSTED_ACCEPT,
+ top=False),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule('FORWARD',
 '-m physdev --physdev-out tapfake_dev '
@@ -1615,6 +1645,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None), # zone set
 mock.call.add_rule('PREROUTING', mock.ANY,
 comment=None), # zone set
+ mock.call.add_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
+ mock.call.add_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule(
 'FORWARD',
@@ -1696,6 +1736,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
+ mock.call.remove_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT'),
+ mock.call.remove_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT'),
 mock.call.remove_chain('sg-chain'),
 mock.call.add_chain('sg-chain'),
 mock.call.add_rule('PREROUTING', mock.ANY,
@@ -1704,6 +1752,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None), # zone set
 mock.call.add_rule('PREROUTING', mock.ANY,
 comment=None), # zone set
+ mock.call.add_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
+ mock.call.add_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule(
 'FORWARD',
@@ -1786,6 +1844,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
 mock.call.remove_rule('PREROUTING', mock.ANY), # zone set
+ mock.call.remove_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT'),
+ mock.call.remove_rule(
+ 'PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT'),
 mock.call.remove_chain('sg-chain'),
 mock.call.add_chain('sg-chain')]
@@ -1926,6 +1992,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None),
 mock.call.add_rule('PREROUTING', mock.ANY, # zone set
 comment=None),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-out tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-in tapfake_dev '
+ '-j ACCEPT',
+ top=False, comment=ic.TRUSTED_ACCEPT),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule('FORWARD',
 '-m physdev --physdev-out tapfake_dev '
@@ -2019,6 +2093,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 comment=None),
 mock.call.add_rule('PREROUTING', mock.ANY, # zone set
 comment=None),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-out '
+ 'tapfake_dev -j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
+ mock.call.add_rule('PREROUTING',
+ '-m physdev --physdev-in '
+ 'tapfake_dev -j ACCEPT',
+ comment=ic.TRUSTED_ACCEPT, top=False),
 mock.call.add_chain('ifake_dev'),
 mock.call.add_rule('FORWARD',
 '-m physdev --physdev-out tapfake_dev '
diff --git a/neutron/tests/unit/agent/linux/test_iptables_manager.py b/neutron/tests/unit/agent/linux/test_iptables_manager.py
index 2d0743e2e1c..9d95ca4a66d 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_manager.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_manager.py
@@ -1358,8 +1358,8 @@ class IptablesManagerStateLessTestCase(base.BaseTestCase):
 cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT')
 self.iptables = (iptables_manager.IptablesManager(state_less=True))
- def test_nat_not_found(self):
- self.assertNotIn('nat', self.iptables.ipv4)
+ def test_nat_found(self):
+ self.assertIn('nat', self.iptables.ipv4)
 def test_mangle_not_found(self):
 self.assertNotIn('mangle', self.iptables.ipv4)
@@ -1368,7 +1368,7 @@ class IptablesManagerStateLessTestCase(base.BaseTestCase):
 iptables = iptables_manager.IptablesManager(state_less=True)
 iptables.initialize_mangle_table()
 self.assertIn('mangle', iptables.ipv4)
- self.assertNotIn('nat', iptables.ipv4)
+ self.assertIn('nat', iptables.ipv4)
 def test_initialize_nat_table(self):
 iptables = iptables_manager.IptablesManager(state_less=True)
@@ -1384,8 +1384,8 @@ class IptablesManagerNoNatTestCase(base.BaseTestCase):
 cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT')
 self.iptables = (iptables_manager.IptablesManager(nat=False))
- def test_nat_not_found(self):
- self.assertNotIn('nat', self.iptables.ipv4)
+ def test_nat_found(self):
+ self.assertIn('nat', self.iptables.ipv4)
 def test_mangle_found(self):
 self.assertIn('mangle', self.iptables.ipv4)
diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py
index 83c8efc54ed..f66b30f827f 100644
--- a/neutron/tests/unit/agent/test_securitygroups_rpc.py
+++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py
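Review bot: Renaming `test_nat_not_found` to `test_nat_found` under `IptablesManager(nat=False)` turns this test into an assertion that the `nat` flag is silently ignored, without saying so anywhere; this was the one place the lost `nat=False` semantics would have been caught. If the new contract is intentional, the test should state it, e.g. `# the nat PREROUTING wrap is unconditional; nat=False only skips the full nat-table setup -- confirm`, and ideally also assert what `nat=False` still suppresses so the flag keeps a testable meaning.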
@@ -1627,6 +1627,54 @@ COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
+IPTABLES_NAT_EMPTY = """# Generated by iptables_manager
+*nat
+:PREROUTING - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+IPTABLES_NAT_1 = """# Generated by iptables_manager
+*nat
+:PREROUTING - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port1 -j ACCEPT
+-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port1 -j ACCEPT
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+IPTABLES_NAT_2 = """# Generated by iptables_manager
+*nat
+:PREROUTING - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port1 -j ACCEPT
+-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port1 -j ACCEPT
+-I %(bn)s-PREROUTING 3 -m physdev --physdev-out tap_port2 -j ACCEPT
+-I %(bn)s-PREROUTING 4 -m physdev --physdev-in tap_port2 -j ACCEPT
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+IPTABLES_NAT_3 = """# Generated by iptables_manager
+*nat
+:PREROUTING - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+-I PREROUTING 1 -j %(bn)s-PREROUTING
+-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port3 -j ACCEPT
+-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port3 -j ACCEPT
+-I %(bn)s-PREROUTING 3 -m physdev --physdev-out tap_port1 -j ACCEPT
+-I %(bn)s-PREROUTING 4 -m physdev --physdev-in tap_port1 -j ACCEPT
+-I %(bn)s-PREROUTING 5 -m physdev --physdev-out tap_port2 -j ACCEPT
+-I %(bn)s-PREROUTING 6 -m physdev --physdev-in tap_port2 -j ACCEPT
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
 CHAINS_EMPTY = 'FORWARD|INPUT|OUTPUT|local|sg-chain|sg-fallback'
 CHAINS_1 = CHAINS_EMPTY + '|i_port1|o_port1|s_port1'
 CHAINS_2 = CHAINS_1 + '|i_port2|o_port2|s_port2'
@@ -2951,21 +2999,27 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
 self.assertThat(kwargs['process_input'],
 matchers.MatchesRegex(expected_regex))
- def _replay_iptables(self, v4_filter, v6_filter, raw):
+ def _replay_iptables(self, v4_filter, v6_filter, raw, nat):
 self._register_mock_call(
 ['iptables-save'], run_as_root=True, privsep_exec=True,
 return_value='')
 self._register_mock_call(
 ['iptables-restore', '-n'],
- process_input=self._regex(v4_filter + raw), run_as_root=True,
- privsep_exec=True, log_fail_as_error=False, return_value='')
+ process_input=self._regex(v4_filter + nat + raw),
+ run_as_root=True,
+ privsep_exec=True,
+ log_fail_as_error=False,
+ return_value='')
 self._register_mock_call(
 ['ip6tables-save'], run_as_root=True, privsep_exec=True,
 return_value='')
 self._register_mock_call(
 ['ip6tables-restore', '-n'],
- process_input=self._regex(v6_filter + raw), run_as_root=True,
- privsep_exec=True, log_fail_as_error=False, return_value='')
+ process_input=self._regex(v6_filter + nat + raw),
+ run_as_root=True,
+ privsep_exec=True,
+ log_fail_as_error=False,
+ return_value='')
 def test_prepare_remove_port(self):
 self.ipconntrack._device_zone_map = {}
@@ -2973,9 +3027,9 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
 'devices': self.devices1,
 'security_groups': {},
 'sg_member_ips': {}}
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.agent.remove_devices_filter(['tap_port1'])
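Review bot: `_replay_iptables` now feeds the identical `nat` fragment to both the `iptables-restore` and the `ip6tables-restore` expectation, which hard-codes that an IPv6 `*nat` section is always emitted and identical to the IPv4 one; that matches the manager change, but it also means these tests will not notice if the ip6tables nat output ever diverges or is made conditional. A `v6_nat=None` parameter that defaults to `nat` would keep every call site unchanged while letting the ipv6 restore input be asserted on its own. A one-line docstring giving the concatenation order the helper expects (`filter`, then `nat`, then `raw`) would also help, since that order has to track what `iptables_manager` writes and nothing here says so.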
@@ -2987,17 +3041,17 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
 'devices': self.devices1,
 'security_groups': {},
 'sg_member_ips': {}}
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.rpc.security_group_info_for_devices.return_value = {
@@ -3020,10 +3074,10 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
 'sg_member_ips': {}}
 self._replay_iptables(
 IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self._replay_iptables(
 IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 self.rpc.security_group_info_for_devices.return_value = {
@@ -3108,9 +3162,9 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(
 self.ipconntrack._device_zone_map = {}
 self.sg_info.return_value = self.devices_info1
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.agent.remove_devices_filter(['tap_port1'])
@@ -3120,17 +3174,17 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(
 def test_security_group_member_updated(self):
 self.sg_info.return_value = self.devices_info1
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.sg_info.return_value = self.devices_info2
@@ -3149,10 +3203,10 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(
 self.sg_info.return_value = self.devices_info2
 self._replay_iptables(
 IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self._replay_iptables(
 IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 self.sg_info.return_value = self.devices_info3
@@ -3177,9 +3231,9 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
 self.ipconntrack._device_zone_map = {}
 self.sg_info.return_value = self.devices_info1
 self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.agent.remove_devices_filter(['tap_port1'])
@@ -3191,17 +3245,17 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
 self.ipset._get_new_set_ips = mock.Mock(return_value=['10.0.0.3'])
 self.ipset._get_deleted_set_ips = mock.Mock(return_value=[])
 self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2)
 self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_BRIDGE_NET_1)
+ IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.sg_info.return_value = self.devices_info2
@@ -3222,10 +3276,10 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables(
 self.sg_info.return_value = self.devices_info2
 self._replay_iptables(
 IPSET_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self._replay_iptables(
 IPSET_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_BRIDGE_NET_2)
+ IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3)
 self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 self.sg_info.return_value = self.devices_info3
@@ -3307,9 +3361,9 @@ class TestSecurityGroupAgentWithOVSIptables(
 'devices': self.devices1,
 'security_groups': {},
 'sg_member_ips': {}}
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_DEVICE_1)
+ IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.agent.remove_devices_filter(['tap_port1'])
@@ -3323,9 +3377,9 @@ class TestSecurityGroupAgentWithOVSIptables(
 'devices': self.devices1,
 'security_groups': {},
 'sg_member_ips': {}}
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.agent.remove_devices_filter(['tap_port1'])
@@ -3338,17 +3392,17 @@ class TestSecurityGroupAgentWithOVSIptables(
 'devices': self.devices1,
 'security_groups': {},
 'sg_member_ips': {}}
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_DEVICE_1)
+ IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_DEVICE_1)
+ IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_DEVICE_2)
+ IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
- IPTABLES_RAW_DEVICE_2)
+ IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_2)
 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
- IPTABLES_RAW_DEVICE_1)
+ IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1)
 self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
- IPTABLES_RAW_DEFAULT)
+ IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY)
 self.agent.prepare_devices_filter(['tap_port1'])
 self.rpc.security_group_info_for_devices.return_value = {
@@ -3372,10 +3426,10 @@ class TestSecurityGroupAgentWithOVSIptables(
 'sg_member_ips': {}}
 self._replay_iptables(
 IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_DEVICE_2)
+ IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_3)
 self._replay_iptables(
 IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED,
- IPTABLES_RAW_DEVICE_2)
+ IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_3)
 self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
 self.rpc.security_group_info_for_devices.return_value = {