review.fuel-infra Code Review - openstack-build/neutron-build.git/commit

author	Cedric Brandily <zzelle@gmail.com>
	Mon, 10 Nov 2014 13:46:51 +0000 (14:46 +0100)
committer	Cedric Brandily <zzelle@gmail.com>
	Fri, 30 Jan 2015 09:34:49 +0000 (09:34 +0000)
commit	1d776bc16c033f33e61fd6832f2e94e24cdd1c5f
tree	e04c245bfc64ff990bb08eda2dffe5a90943ce43	tree \| snapshot
parent	4143763913096c964e63af9d3789cbb7daa5c32a	commit \| diff

Allow to request metadata proxy only with redirection

metadata service should be requested on 169.254.169.254:80 and router
namespace iptables rules redirect the request to the metadata-ns-proxy
on 127.0.0.1:$metadata_port. But currently the metadata-ns-proxy can be
requested directly on $router-ip:$metadata_port.

To avoid such behavior, this change marks packets redirection in mangle
table (PREROUTING), redirects (PREROUTING) them in nat table, accepts
them in filter table (INPUT) using the mark. Packets send to the
metadata proxy port without mark (so directly) are dropped. The
mark can be configured through the new option metadata_access_mark.

Remark: redirected packets are not local packets (in general), so
setting metadata proxy server host to 127.0.0.1 will disallow direct
queries but so redirected queries.

DocImpact
Partial-Bug: #1187102
Change-Id: I6a9bb12c8bf68c6fcf4e4060f8dfe44a309a41da

etc/l3_agent.ini		diff \| blob \| history
neutron/agent/l3/config.py		diff \| blob \| history
neutron/agent/metadata/driver.py		diff \| blob \| history
neutron/tests/unit/agent/metadata/test_driver.py		diff \| blob \| history