From dde99aa719d623b4cc20b2f850ea9f519da85a87 Mon Sep 17 00:00:00 2001
From: Brian Haley
Date: Mon, 22 Apr 2019 18:53:45 -0400
Subject: [PATCH] Revert iptables TCP checksum-fill code

To fix bug 1722584 we inserted a checksum-fill rule for metadata proxy replies. Recent kernels have disabled this support for TCP because it was invalid, and supposedly not doing anything, so let's get ahead of things and remove the code.
Kernel mailing list discussion is at https://lore.kernel.org/patchwork/patch/824819/
Partially reverts ed1c3b021751273e427d47fcf544c56bdabf97bb
Change-Id: Ib7cc8f82a91972f17987fb95130edc4069d9423f
Related-bug: #1722584
(cherry picked from commit b1b8a438fe3cdc422b8deb61548f47d383ee2fe8)
---
 neutron/agent/metadata/driver.py | 10 ----------
 neutron/tests/unit/agent/metadata/test_driver.py | 7 -------
 2 files changed, 17 deletions(-)

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index fdcbac8691f..8bc2826b0ac 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -196,14 +196,6 @@ class MetadataDriver(object):
 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
 'port': port})]
 
- @classmethod
- def metadata_checksum_rules(cls, port):
- return [('POSTROUTING', '-o %(interface_name)s '
- '-p tcp -m tcp --sport %(port)s -j CHECKSUM '
- '--checksum-fill' %
- {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
- 'port': port})]
-
 @classmethod
 def _get_metadata_proxy_user_group(cls, conf):
 user = conf.metadata_proxy_user or str(os.geteuid())
@@ -279,8 +271,6 @@ def after_router_added(resource, event, l3_agent, **kwargs):
 router.iptables_manager.ipv4['filter'].add_rule(c, r)
 for c, r in proxy.metadata_nat_rules(proxy.metadata_port):
 router.iptables_manager.ipv4['nat'].add_rule(c, r)
- for c, r in proxy.metadata_checksum_rules(proxy.metadata_port):
- router.iptables_manager.ipv4['mangle'].add_rule(c, r)
 router.iptables_manager.apply()
 
 if not isinstance(router, ha_router.HaRouter):
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index be8178037b3..6e8fd5dd87a 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -52,13 +52,6 @@ class TestMetadataDriverRules(base.BaseTestCase):
 rules,
 metadata_driver.MetadataDriver.metadata_filter_rules(9697, '0x1'))
 
- def test_metadata_checksum_rules(self):
- rules = ('POSTROUTING', '-o qr-+ -p tcp -m tcp --sport 9697 '
- '-j CHECKSUM --checksum-fill')
- self.assertEqual(
- [rules],
- metadata_driver.MetadataDriver.metadata_checksum_rules(9697))
-
 
 class TestMetadataDriverProcess(base.BaseTestCase):
 