]> review.fuel-infra Code Review - openstack-build/neutron-build.git/commitdiff
Code Review / openstack-build / neutron-build.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: fcf0322)
Correct l3-agent iptables rule for metadata proxy
authorCedric Brandily <zzelle@gmail.com>
Thu, 11 Dec 2014 13:10:30 +0000 (13:10 +0000)
committerCedric Brandily <zzelle@gmail.com>
Wed, 7 Jan 2015 21:09:26 +0000 (21:09 +0000)
2 iptables rules are defined to ensure the metadata proxy is reachable
from vms on 169.254.169.254:80:
* REDIRECT 169.254.169.254:80 packets to the router on port 9697
* ACCEPT traffic to 127.0.0.1 on port 9697

The REDIRECT rule replaces destination ip by:
 * 127.0.0.1 if the packet is local,
 * router ip (the one on the input interface, metadata proxy case).

So ACCEPT rule filter is not matched ... the metadata proxy is only
reachable because INPUT policy is ACCEPT.

This change removes the destination constraint in the ACCEPT rule.

Change-Id: Iea700bdd121bbc56a3489a63e2a5391867fad0d6
Closes-Bug: #1399462

neutron/agent/metadata/driver.py patch | blob | history
neutron/tests/unit/agent/metadata/test_driver.py patch | blob | history

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 16f1ea8129fdb3c0a9ebe6f2332d0a8994f50cc2..da5b3eb510c7f4173388df08f63aaa8bdf7801c6 100644 (file)
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -53,8 +53,7 @@ class MetadataDriver(advanced_service.AdvancedService):
 
     @classmethod
     def metadata_filter_rules(cls, port):
-        return [('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
-                 '-p tcp -m tcp --dport %s '
+        return [('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
                  '-j ACCEPT' % port)]
 
     @classmethod
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 05549ab3a7e3f0650d481f89cd0ea983d686c8e9..fda074c6b60c912c0358d83b88c57e5575d9a9fb 100644 (file)
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -47,8 +47,7 @@ class TestMetadataDriver(base.BaseTestCase):
             metadata_driver.MetadataDriver.metadata_nat_rules(8775))
 
     def test_metadata_filter_rules(self):
-        rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
-                 '-p tcp -m tcp --dport 8775 -j ACCEPT')
+        rules = ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j ACCEPT')
         self.assertEqual(
             [rules],
             metadata_driver.MetadataDriver.metadata_filter_rules(8775))