return rule
# iptables-save outputs the comment before the jump so we need to match
# that order so _find_last_entry works
+ comment = '-m comment --comment "%s"' % comment
+ if rule.startswith('-j'):
+ # this is a jump only rule so we just put the comment first
+ return '%s %s' % (comment, rule)
try:
- start_of_jump = rule.index(' -j ')
+ jpos = rule.index(' -j ')
+ return ' '.join((rule[:jpos], comment, rule[jpos + 1:]))
except ValueError:
- return '%s -m comment --comment "%s"' % (rule, comment)
- return ' '.join([rule[0:start_of_jump],
- '-m comment --comment "%s"' % comment,
- rule[start_of_jump + 1:]])
+ return '%s %s' % (rule, comment)
def get_chain_name(chain_name, wrap=True):
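Review bot: The comment text is interpolated into `'-m comment --comment "%s"' % comment` with no check on its contents, so a value containing a double quote or a newline would yield a malformed rule string that no longer matches what iptables-save prints back. Whether callers only ever pass fixed constants is not visible in this hunk. If they do, a one-line comment above the format line stating that contract would be enough; otherwise reject such values before formatting, e.g. `if '"' in comment or '\n' in comment: raise ValueError('invalid iptables comment')`. As a smaller style point, `rule.startswith('-j')` is looser than the `' -j '` search below it, and `rule.startswith('-j ')` would keep the two checks consistent. The enclosing function begins above the hunk, so the condition guarding the early `return rule` could not be reviewed.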
self.fail("Iptables comment %s is longer than 255 characters."
% attr)
+ def test_reordering_of_jump_rule_comments(self):
+ # jump at the start
+ self.assertEqual(
+ '-m comment --comment "aloha" -j sg-chain',
+ iptables_manager.comment_rule('-j sg-chain', 'aloha'))
+ # jump in the middle
+ self.assertEqual(
+ '-s source -m comment --comment "aloha" -j sg-chain',
+ iptables_manager.comment_rule('-s source -j sg-chain', 'aloha'))
+ # no jump rule
+ self.assertEqual(
+ '-s source -m comment --comment "aloha"',
+ iptables_manager.comment_rule('-s source', 'aloha'))
+
def test_add_filter_rule(self):
iptables_args = {}
iptables_args.update(IPTABLES_ARG)
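Review bot: All three cases in `test_reordering_of_jump_rule_comments` end at the jump target, so nothing pins the `rule[jpos + 1:]` tail when options follow the target. A fourth case would cover it: `iptables_manager.comment_rule('-p tcp -j REJECT --reject-with tcp-reset', 'aloha')` expecting `'-p tcp -m comment --comment "aloha" -j REJECT --reject-with tcp-reset'`. The early `return rule` path of `comment_rule` is not exercised by this test either; its trigger condition is outside the visible lines, so that may already be covered elsewhere.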