router.iptables_manager.apply()
if not router.is_ha:
- self._spawn_metadata_proxy(router.router_id,
- router.ns_name,
- self.l3_agent.conf)
+ self._spawn_monitored_metadata_proxy(router.router_id,
+ router.ns_name)
def before_router_removed(self, router):
- for c, r in self.metadata_filter_rules(self.metadata_port):
+ for c, r in self.metadata_filter_rules(self.metadata_port,
+ self.metadata_access_mark):
router.iptables_manager.ipv4['filter'].remove_rule(c, r)
+ for c, r in self.metadata_mangle_rules(self.metadata_access_mark):
+ router.iptables_manager.ipv4['mangle'].remove_rule(c, r)
for c, r in self.metadata_nat_rules(self.metadata_port):
router.iptables_manager.ipv4['nat'].remove_rule(c, r)
router.iptables_manager.apply()
- self._destroy_metadata_proxy(router.router['id'],
- router.ns_name,
- self.l3_agent.conf)
+ self._destroy_monitored_metadata_proxy(router.router['id'],
+ router.ns_name)
@classmethod
- def metadata_filter_rules(cls, port):
- return [('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
- '-j ACCEPT' % port)]
+ def metadata_filter_rules(cls, port, mark):
+ return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark),
+ ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
+ '-j DROP' % port)]
+
+ @classmethod
+ def metadata_mangle_rules(cls, mark):
+ return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ '-p tcp -m tcp --dport 80 '
+ '-j MARK --set-xmark %(value)s/%(mask)s' %
+ {'value': mark,
+ 'mask': METADATA_ACCESS_MARK_MASK})]
@classmethod
def metadata_nat_rules(cls, port):