Merge "Set IPset hash type to 'net' instead of 'ip'" into stable/kilo
commit
a0d8963286
|
@ -36,7 +36,7 @@ class IpsetManager(object):
|
|||
"""Returns the given ipset name for an id+ethertype pair.
|
||||
This reference can be used from iptables.
|
||||
"""
|
||||
name = ethertype + id
|
||||
name = 'NET' + ethertype + id
|
||||
return name[:IPSET_NAME_MAX_LENGTH]
|
||||
|
||||
def set_exists(self, id, ethertype):
|
||||
|
@ -85,7 +85,7 @@ class IpsetManager(object):
|
|||
def _refresh_set(self, set_name, member_ips, ethertype):
|
||||
new_set_name = set_name + SWAP_SUFFIX
|
||||
set_type = self._get_ipset_set_type(ethertype)
|
||||
process_input = ["create %s hash:ip family %s" % (new_set_name,
|
||||
process_input = ["create %s hash:net family %s" % (new_set_name,
|
||||
set_type)]
|
||||
for ip in member_ips:
|
||||
process_input.append("add %s %s" % (new_set_name, ip))
|
||||
|
@ -101,7 +101,7 @@ class IpsetManager(object):
|
|||
self.ipset_sets[set_name].remove(member_ip)
|
||||
|
||||
def _create_set(self, set_name, ethertype):
|
||||
cmd = ['ipset', 'create', '-exist', set_name, 'hash:ip', 'family',
|
||||
cmd = ['ipset', 'create', '-exist', set_name, 'hash:net', 'family',
|
||||
self._get_ipset_set_type(ethertype)]
|
||||
self._apply(cmd)
|
||||
self.ipset_sets[set_name] = []
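Review bot: `_refresh_set` still writes each entry of `member_ips` straight into an `add` line, and with the set now created as `hash:net` those entries may carry a prefix length that nothing in this hunk checks. ipset's `hash:net` type does not accept a zero-length prefix, so a `/0` member would make the `ipset restore` input fail; the rest of `_refresh_set` lies outside the hunk, so whether such a failure leaves the previous set contents in place is not visible here. I would reject or split such members before building `process_input` and note the limit next to the create line, e.g. `# hash:net cannot store a /0 prefix; callers must split or drop it first`. Separately, `get_name` now spends three more characters of `IPSET_NAME_MAX_LENGTH` on the `'NET'` prefix, so a docstring line saying the prefix keeps new sets from clashing with existing `hash:ip` sets under the old name (presumably the reason) would help the next reader.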
|
||||
|
|
|
@ -36,8 +36,9 @@ class BaseIpsetManagerTest(base.BaseTestCase):
|
|||
self.execute.assert_has_calls(self.expected_calls, any_order=False)
|
||||
|
||||
def expect_set(self, addresses):
|
||||
temp_input = ['create IPv4fake_sgid-new hash:ip family inet']
|
||||
temp_input.extend('add IPv4fake_sgid-new %s' % ip for ip in addresses)
|
||||
temp_input = ['create NETIPv4fake_sgid-new hash:net family inet']
|
||||
temp_input.extend('add NETIPv4fake_sgid-new %s' % ip
|
||||
for ip in addresses)
|
||||
input = '\n'.join(temp_input)
|
||||
self.expected_calls.extend([
|
||||
mock.call(['ipset', 'restore', '-exist'],
|
||||
|
@ -65,7 +66,7 @@ class BaseIpsetManagerTest(base.BaseTestCase):
|
|||
def expect_create(self):
|
||||
self.expected_calls.append(
|
||||
mock.call(['ipset', 'create', '-exist', TEST_SET_NAME,
|
||||
'hash:ip', 'family', 'inet'],
|
||||
'hash:net', 'family', 'inet'],
|
||||
process_input=None,
|
||||
run_as_root=True))
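Review bot: The expectations in `expect_set` and `expect_create` only swap the literal set type and name, so the visible hunks add no case where a member is a CIDR rather than a single address, which is the behaviour `hash:net` is meant to enable. The addresses passed to `expect_set` are defined outside these hunks, so this may already be covered; if not, a test with one prefixed member (constructed example: `10.0.0.0/24`) would pin the new behaviour. The `'NETIPv4fake_sgid-new'` literal also appears twice in `expect_set`; binding it once, `set_name = 'NETIPv4fake_sgid-new'`, keeps the create and add lines from drifting apart.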
|
||||
|
||||
|
|
|
@ -1776,7 +1776,7 @@ IPSET_FILTER_1 = """# Generated by iptables_manager
|
|||
[0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \
|
||||
-j RETURN
|
||||
[0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN
|
||||
[0:0] -A %(bn)s-i_port1 -m set --match-set IPv4security_group1 src -j \
|
||||
[0:0] -A %(bn)s-i_port1 -m set --match-set NETIPv4security_group1 src -j \
|
||||
RETURN
|
||||
[0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback
|
||||
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \
|
||||
|
@ -1935,7 +1935,7 @@ IPSET_FILTER_2 = """# Generated by iptables_manager
|
|||
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
|
||||
--dport 68 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set IPv4security_group1 src -j \
|
||||
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NETIPv4security_group1 src -j \
|
||||
RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
|
||||
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
|
||||
|
@ -1963,7 +1963,7 @@ RETURN
|
|||
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
|
||||
--dport 68 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set IPv4security_group1 src -j \
|
||||
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NETIPv4security_group1 src -j \
|
||||
RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
|
||||
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
|
||||
|
@ -2018,7 +2018,7 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager
|
|||
[0:0] -A %(bn)s-i_%(port1)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
|
||||
--dport 68 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set IPv4security_group1 src -j \
|
||||
[0:0] -A %(bn)s-i_%(port1)s -m set --match-set NETIPv4security_group1 src -j \
|
||||
RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -p icmp -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
|
||||
|
@ -2047,7 +2047,7 @@ RETURN
|
|||
[0:0] -A %(bn)s-i_%(port2)s -s 10.0.0.2/32 -p udp -m udp --sport 67 \
|
||||
--dport 68 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set IPv4security_group1 src -j \
|
||||
[0:0] -A %(bn)s-i_%(port2)s -m set --match-set NETIPv4security_group1 src -j \
|
||||
RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -p icmp -j RETURN
|
||||
[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
|
||||
|
|