Update the comment for the iptables rule matching the
conntrack INVALID state. The previous entry was misleading
because it sounded like it dropped all new connections.
Change-Id: I793c1a7d9fbc261ac361305524de8ad67477815b
DHCP_CLIENT = 'Allow DHCP client traffic.'
DHCP_SPOOF = 'Prevent DHCP Spoofing by VM.'
UNMATCHED = 'Send unmatched traffic to the fallback chain.'
-STATELESS_DROP = 'Drop packets that are not associated with a state.'
+INVALID_DROP = ("Drop packets that appear related to an existing connection "
+ "(e.g. TCP ACK/FIN) but do not have an entry in conntrack.")
ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
'chain.')
IPV6_RA_ALLOW = 'Allow IPv6 ICMP traffic to allow RA packets.'
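Review bot: Dropping the `STATELESS_DROP` name outright at the removed line is a potential breaking change for any other module that imports it, since only the one consumer shown in this commit is updated; if any other reference exists it would fail at runtime with an AttributeError rather than at import of this file. A one-line compatibility alias after the new constant, `STATELESS_DROP = INVALID_DROP  # deprecated alias, remove after callers migrate`, keeps the rename safe. The new wording is also narrower than what the rule matches: conntrack's INVALID state covers not only stray ACK/FIN segments but any packet it cannot classify at all (malformed or otherwise untrackable), so consider "...or that conntrack cannot otherwise classify" at the end of the comment.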
def _drop_invalid_packets(self, iptables_rules):
# Always drop invalid packets
iptables_rules += [comment_rule('-m state --state ' 'INVALID -j DROP',
- comment=ic.STATELESS_DROP)]
+ comment=ic.INVALID_DROP)]
return iptables_rules
def _allow_established(self, iptables_rules):