review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
Process user iptables rules before INVALID
author: Kevin Benton <blak111@gmail.com>, Fri, 28 Aug 2015 07:50:59 +0000 (00:50 -0700)
committer: Kevin Benton <blak111@gmail.com>, Wed, 2 Sep 2015 05:10:32 +0000 (22:10 -0700)
commit: 0a258afc7ee3c03974dffa2c0dd0b7b367034cc7
tree: 27256f094b643e246eb9fe69dbe12c24fb46f1c4
parent: fa96e67a95c3fe6e48988b54b088c95d28438e71

Process user-defined iptables rules before the INVALID DROP
rule. This is to allow scenarios where the VMs need to
legitimately receive packets that conntrack doesn't have an
entry for (e.g. SYN-ACK where the SYN wasn't sent by the VM).
A user can accomplish this by adding an allow rule that matches
the headers of these INVALID packets so they get permitted before
they hit the INVALID DROP rule.

Closes-Bug: #1460741
Change-Id: Ie6ce5f3fa688f1bf25b77db5955211922d9fe85b
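A constructed first-match model of the ordering change the commit message describes (added example, not Neutron's code): it shows that moving the user rules ahead of the INVALID DROP lets a specifically matched, conntrack-INVALID SYN-ACK through while other INVALID traffic still drops. The addresses, ports and the user rule are assumptions.

```python
# Constructed model of iptables first-match chain evaluation (not Neutron's code):
# the order of the user rules relative to the INVALID DROP decides whether a
# SYN-ACK that conntrack never saw a SYN for reaches the VM.
from typing import Dict, List

Packet = Dict[str, object]
Rule = Dict[str, object]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())


def evaluate_chain(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """iptables first-match semantics: the first matching rule's target wins."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return str(rule["target"])
    return policy  # nothing matched: the chain's final DROP applies


# Hypothetical user rule: allow TCP from peer 203.0.113.10 source port 80, written
# to match the headers of the unsolicited SYN-ACK regardless of conntrack state.
USER_ALLOW = {"match": {"proto": "tcp", "src": "203.0.113.10", "sport": 80},
              "target": "ACCEPT"}
ESTABLISHED_ALLOW = {"match": {"ctstate": "ESTABLISHED"}, "target": "ACCEPT"}
INVALID_DROP = {"match": {"ctstate": "INVALID"}, "target": "DROP"}

# Before the fix: INVALID DROP sits ahead of the user rules.
CHAIN_BEFORE = [ESTABLISHED_ALLOW, INVALID_DROP, USER_ALLOW]
# After the fix: user rules are processed first, INVALID DROP comes after them.
CHAIN_AFTER = [ESTABLISHED_ALLOW, USER_ALLOW, INVALID_DROP]

# Constructed packets. conntrack never saw the SYN, so the SYN-ACK is INVALID.
UNSOLICITED_SYN_ACK: Packet = {"proto": "tcp", "src": "203.0.113.10", "sport": 80,
                               "dport": 51000, "flags": "SYN,ACK", "ctstate": "INVALID"}
# An INVALID packet that no user rule matches must still be dropped after the fix.
STRAY_INVALID: Packet = {"proto": "tcp", "src": "198.51.100.7", "sport": 443,
                         "dport": 51001, "flags": "ACK", "ctstate": "INVALID"}


def verdicts() -> Dict[str, str]:
    """Verdict for each constructed packet under both chain orderings."""
    return {
        "before_syn_ack": evaluate_chain(CHAIN_BEFORE, UNSOLICITED_SYN_ACK),
        "after_syn_ack": evaluate_chain(CHAIN_AFTER, UNSOLICITED_SYN_ACK),
        "before_stray": evaluate_chain(CHAIN_BEFORE, STRAY_INVALID),
        "after_stray": evaluate_chain(CHAIN_AFTER, STRAY_INVALID),
    }
```

The only packet whose verdict changes is the one the user rule matches on its headers; the reorder does not weaken the INVALID DROP for anything else.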
neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py
neutron/tests/unit/agent/test_securitygroups_rpc.py