From b1b8a438fe3cdc422b8deb61548f47d383ee2fe8 Mon Sep 17 00:00:00 2001
From: Brian Haley <bhaley@redhat.com>
Date: Mon, 22 Apr 2019 18:53:45 -0400
Subject: [PATCH] Revert iptables TCP checksum-fill code

To fix bug 1722584 we inserted a checksum-fill rule for
metadata proxy replies.  Recent kernels have disabled
this support for TCP because it was invalid, and
supposedly not doing anything, so let's get ahead of
things and remove the code.

Kernel mailing list discussion is at
https://lore.kernel.org/patchwork/patch/824819/

Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb

Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
Related-bug: #1722584
---
 neutron/agent/metadata/driver.py                 | 10 ----------
 neutron/tests/unit/agent/metadata/test_driver.py |  7 -------
 2 files changed, 17 deletions(-)

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 52c3946b57a..16e78a91da2 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -196,14 +196,6 @@ class MetadataDriver(object):
                  {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
                   'port': port})]
 
-    @classmethod
-    def metadata_checksum_rules(cls, port):
-        return [('POSTROUTING', '-o %(interface_name)s '
-                 '-p tcp -m tcp --sport %(port)s -j CHECKSUM '
-                 '--checksum-fill' %
-                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
-                  'port': port})]
-
     @classmethod
     def _get_metadata_proxy_user_group(cls, conf):
         user = conf.metadata_proxy_user or str(os.geteuid())
@@ -279,8 +271,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
         router.iptables_manager.ipv4['filter'].add_rule(c, r)
     for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
         router.iptables_manager.ipv4['nat'].add_rule(c, r)
-    for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
-        router.iptables_manager.ipv4['mangle'].add_rule(c, r)
     router.iptables_manager.apply()
 
     if not isinstance(router, ha_router.HaRouter):
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index d0dbdb1bfdf..d14f8dd2fba 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -52,13 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
             rules,
             metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
 
-    def test_metadata_checksum_rules(self):
-        rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
-                 '-j CHECKSUM --checksum-fill')
-        self.assertEqual(
-            [rules],
-            metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
-
 
 class TestMetadataDriverProcess(base.BaseTestCase):