Merge "Match order of iptables arguments to iptables-save" into stable/juno

Jenkins 2015-05-29 16:42:46 +00:00 committed by Gerrit Code Review
commit 8a3cbca72a
3 changed files with 25 additions and 24 deletions


@ -222,11 +222,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
# of the list after the allowed_address_pair rules.
table.add_rule(chain_name,
'-m mac --mac-source %s -j RETURN'
% mac)
% mac.upper())
else:
table.add_rule(chain_name,
'-m mac --mac-source %s -s %s -j RETURN'
% (mac, ip))
'-s %s -m mac --mac-source %s -j RETURN'
% (ip, mac.upper()))
table.add_rule(chain_name, '-j DROP')
rules.append('-j $%s' % chain_name)
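Review bot: Nothing in this hunk records why `-s` now precedes `-m mac` or why the MAC is upper-cased, so the ordering reads as arbitrary and a later cleanup could quietly revert it. Going by the commit title, the generated text has to agree with what iptables-save prints back, and I would say so above the first `table.add_rule` call, for example `# Keep argument order and MAC case identical to what iptables-save prints.` Note also that `mac.upper()` only normalises letter case and assumes `mac` is a string. A MAC in another notation, or a port without one, is not handled here and presumably relies on validation outside the hunk. These rules are the per-port source check in front of the final `-j DROP`, so that assumption is worth confirming; the enclosing method starts and ends outside the hunk.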


@ -104,8 +104,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
'-j $ofake_dev'),
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev', '-m mac --mac-source ff:ff:ff:ff:ff:ff '
'-s 10.0.0.1 -j RETURN'),
'sfake_dev',
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN'),
mock.call.add_rule('sfake_dev', '-j DROP'),
mock.call.add_rule(
'ofake_dev',
@ -869,7 +870,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s %s -j RETURN'
'-s %s -m mac --mac-source FF:FF:FF:FF:FF:FF -j RETURN'
% prefix),
mock.call.add_rule('sfake_dev', '-j DROP')]
calls += dhcp_rule
@ -944,7 +945,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s 10.0.0.1 '
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN'),
mock.call.add_rule('sfake_dev', '-j DROP'),
mock.call.add_rule(
@ -998,7 +999,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s 10.0.0.1 '
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN'),
mock.call.add_rule('sfake_dev', '-j DROP'),
mock.call.add_rule(
@ -1150,11 +1151,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s 10.0.0.1 '
'-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -s 10.0.0.2 '
'-s 10.0.0.2 -m mac --mac-source FF:FF:FF:FF:FF:FF '
'-j RETURN'),
mock.call.add_rule('sfake_dev', '-j DROP'),
mock.call.add_rule(
@ -1213,7 +1214,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
mock.call.add_chain('sfake_dev'),
mock.call.add_rule(
'sfake_dev',
'-m mac --mac-source ff:ff:ff:ff:ff:ff -j RETURN'),
'-m mac --mac-source FF:FF:FF:FF:FF:FF -j RETURN'),
mock.call.add_rule('sfake_dev', '-j DROP'),
mock.call.add_rule(
'ofake_dev',
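Review bot: The updated expectations in these hunks only ever show the all-letters address `FF:FF:FF:FF:FF:FF`, and the port fixtures that feed them are defined outside the hunks, so it is not visible whether any case passes a MAC that is already upper- or mixed-case. One extra case with such an input, asserting the same `-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF -j RETURN` rule, would pin the normalisation as idempotent and not just a lower-to-upper conversion. That matters because these rules decide which source MAC/IP pairs pass before the `-j DROP`.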


@ -1748,7 +1748,7 @@ RETURN
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -1798,7 +1798,7 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -1850,7 +1850,7 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -1907,7 +1907,7 @@ RETURN
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -1935,7 +1935,7 @@ RETURN
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
[0:0] -A %(bn)s-s_port2 -s 10.0.0.4/32 -m mac --mac-source 12:34:56:78:9A:BD \
-j RETURN
[0:0] -A %(bn)s-s_port2 -j DROP
[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -1991,7 +1991,7 @@ RETURN
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2020,7 +2020,7 @@ RETURN
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
[0:0] -A %(bn)s-s_port2 -s 10.0.0.4/32 -m mac --mac-source 12:34:56:78:9A:BD \
-j RETURN
[0:0] -A %(bn)s-s_port2 -j DROP
[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2074,7 +2074,7 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2101,7 +2101,7 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
[0:0] -A %(bn)s-s_port2 -s 10.0.0.4/32 -m mac --mac-source 12:34:56:78:9A:BD \
-j RETURN
[0:0] -A %(bn)s-s_port2 -j DROP
[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2154,7 +2154,7 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2181,7 +2181,7 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
[0:0] -A %(bn)s-s_port2 -s 10.0.0.4/32 -m mac --mac-source 12:34:56:78:9A:BD \
-j RETURN
[0:0] -A %(bn)s-s_port2 -j DROP
[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2236,7 +2236,7 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port1 \
%(physdev_is_bridged)s -j %(bn)s-o_port1
[0:0] -A %(bn)s-s_port1 -m mac --mac-source 12:34:56:78:9a:bc -s 10.0.0.3/32 \
[0:0] -A %(bn)s-s_port1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \
-j RETURN
[0:0] -A %(bn)s-s_port1 -j DROP
[0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN
@ -2264,7 +2264,7 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-INPUT %(physdev_mod)s --physdev-EGRESS tap_port2 \
%(physdev_is_bridged)s -j %(bn)s-o_port2
[0:0] -A %(bn)s-s_port2 -m mac --mac-source 12:34:56:78:9a:bd -s 10.0.0.4/32 \
[0:0] -A %(bn)s-s_port2 -s 10.0.0.4/32 -m mac --mac-source 12:34:56:78:9A:BD \
-j RETURN
[0:0] -A %(bn)s-s_port2 -j DROP
[0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN