ipt_mgr.ipv6 written in the wrong ipt_mgr.ipv4
authorllg8212 <lilinguo@huawei.com>
Wed, 25 Dec 2013 01:57:21 +0000 (09:57 +0800)
committerThomas Goirand <thomas@goirand.fr>
Thu, 13 Mar 2014 07:20:24 +0000 (15:20 +0800)
This patch fixes a bug in which a firewall rule meant for IPv6 is written
to IPv4 instead.

Change-Id: Ie7c75c71c9dcfbd9feabaffe4416ede80ff350d8
Closes-Bug:#1263877

neutron/services/firewall/drivers/linux/iptables_fwaas.py
neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py

index ffc467c7ca47a3062ed49682b8ca1b5309fdb642..df71a44d3949dbe32fe365460a511d6ba5cca4b9 100644 (file)
@@ -210,7 +210,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
         bname = iptables_manager.binary_name
 
         for (ver, tbl) in [(IPV4, ipt_mgr.ipv4['filter']),
-                           (IPV6, ipt_mgr.ipv4['filter'])]:
+                           (IPV6, ipt_mgr.ipv6['filter'])]:
             for direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
                 chain_name = self._get_chain_name(fwid, ver, direction)
                 chain_name = iptables_manager.get_chain_name(chain_name)
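Review bot: The (version, table) pairs in the loop header are still written out by hand with nothing stating that they must match, which is how the IPv6 entry came to point at `ipt_mgr.ipv4['filter']`. A one-line comment above the `for` would make the invariant explicit, for example `# each IP version must be paired with its own filter table`. The enclosing method starts and ends outside the hunk, so how `tbl` is used after `get_chain_name` is not visible here. Presumably it is a lookup against that table's chains, in which case the old pairing checked IPv6 chain names against the IPv4 table.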
index f58a0300ea7cf856f0f0dc48ac499a2ee16ecffd..85a6c155c0d4abbaa3c545a3d26851705ef20941 100644 (file)
@@ -158,23 +158,32 @@ class IptablesFwaasTestCase(base.BaseTestCase):
         self.firewall.create_firewall(apply_list, firewall)
         invalid_rule = '-m state --state INVALID -j DROP'
         est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
-        ingress_chain = ('iv4%s' % firewall['id'])
-        egress_chain = ('ov4%s' % firewall['id'])
         bname = fwaas.iptables_manager.binary_name
-        calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
-                 call.ensure_remove_chain('ov4fake-fw-uuid'),
-                 call.ensure_remove_chain('fwaas-default-policy'),
-                 call.add_chain('fwaas-default-policy'),
-                 call.add_rule('fwaas-default-policy', '-j DROP'),
-                 call.add_chain(ingress_chain),
-                 call.add_rule(ingress_chain, invalid_rule),
-                 call.add_rule(ingress_chain, est_rule),
-                 call.add_chain(egress_chain),
-                 call.add_rule(egress_chain, invalid_rule),
-                 call.add_rule(egress_chain, est_rule),
-                 call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
-                 call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
-        apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
+
+        for ip_version in (4, 6):
+            ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
+            egress_chain = ('ov%s%s' % (ip_version, firewall['id']))
+            calls = [call.ensure_remove_chain('iv%sfake-fw-uuid' % ip_version),
+                     call.ensure_remove_chain('ov%sfake-fw-uuid' % ip_version),
+                     call.ensure_remove_chain('fwaas-default-policy'),
+                     call.add_chain('fwaas-default-policy'),
+                     call.add_rule('fwaas-default-policy', '-j DROP'),
+                     call.add_chain(ingress_chain),
+                     call.add_rule(ingress_chain, invalid_rule),
+                     call.add_rule(ingress_chain, est_rule),
+                     call.add_chain(egress_chain),
+                     call.add_rule(egress_chain, invalid_rule),
+                     call.add_rule(egress_chain, est_rule),
+                     call.add_rule('FORWARD',
+                                   '-o qr-+ -j %s-fwaas-defau' % bname),
+                     call.add_rule('FORWARD',
+                                   '-i qr-+ -j %s-fwaas-defau' % bname)]
+            if ip_version == 4:
+                v4filter_inst = apply_list[0].iptables_manager.ipv4['filter']
+                v4filter_inst.assert_has_calls(calls)
+            else:
+                v6filter_inst = apply_list[0].iptables_manager.ipv6['filter']
+                v6filter_inst.assert_has_calls(calls)
 
     def test_create_firewall_with_rules(self):
         self._setup_firewall_with_rules(self.firewall.create_firewall)
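Review bot: `assert_has_calls` in the new loop only checks that the expected sequence is present on each filter mock, so the test would still pass if chains for the other IP version were also written to that table, which is the class of mistake this commit fixes. A negative check per table would pin that down, for example `self.assertNotIn(call.add_chain('iv6%s' % firewall['id']), v4filter_inst.mock_calls)` and its mirror image for the IPv6 table. The two branches at the end of the loop differ only in the attribute they read, so the table could be selected once, with `mgr = apply_list[0].iptables_manager` and `tbl = mgr.ipv4 if ip_version == 4 else mgr.ipv6`, followed by a single `tbl['filter'].assert_has_calls(calls)`. The test method begins above the hunk, so how the two filter mocks are built is not visible here.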