Correct MAC representation to match iptables output
authorKevin Benton <blak111@gmail.com>
Mon, 5 Oct 2015 13:37:40 +0000 (06:37 -0700)
committerKevin Benton <kevinbenton@buttewifi.com>
Tue, 6 Oct 2015 07:15:02 +0000 (07:15 +0000)
We were previously using netaddr's mac_unix format
(which leaves off leading 0's) to generate iptables rules
based on MAC addresses. While iptables accepts this format,
it's not returned this way in the output so the iptables
rule matching code would never find the match for these
rules, causing the loss of counters on these rules on every
reload.

This patch corrects this with a custom dialect that matches
the iptables format.

Closes-Bug: #1502901
Change-Id: Ia45ebde8c4684e12030469323e18367a54d1518b

neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py

index b0ac0f793287432b0d1e73c91509edb8ee1e492d..a1ac960a30bf7a64b65bfeb08386d07a1ec2a3b9 100644 (file)
@@ -51,6 +51,11 @@ MAX_CONNTRACK_ZONES = 65535
 comment_rule = iptables_manager.comment_rule
 
 
+class mac_iptables(netaddr.mac_eui48):
+    """mac format class for netaddr to match iptables representation."""
+    word_sep = ':'
+
+
 class IptablesFirewallDriver(firewall.FirewallDriver):
     """Driver which enforces security groups through iptables rules."""
     IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
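Review bot: `mac_iptables` sets only `word_sep` and relies on the upper-case, zero-padded `word_fmt` inherited from `netaddr.mac_eui48`, so the exact string that rule matching depends on is decided by a default that is not visible in this file. The commit message says a format mismatch makes the rules lose their counters on every reload, so I would pin the format in the class with `word_fmt = '%.2X'`. The docstring should also say that the output has to be identical to what iptables prints back: upper-case, two hex digits per octet, colon separated.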
@@ -368,7 +373,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 
     def _build_ipv4v6_mac_ip_list(self, mac, ip_address, mac_ipv4_pairs,
                                   mac_ipv6_pairs):
-        mac = str(netaddr.EUI(mac, dialect=netaddr.mac_unix))
+        mac = str(netaddr.EUI(mac, dialect=mac_iptables))
         if netaddr.IPNetwork(ip_address).version == 4:
             mac_ipv4_pairs.append((mac, ip_address))
         else:
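Review bot: `_build_ipv4v6_mac_ip_list` has no docstring, and after this change it is the place where the MAC is normalised for rule text, which is worth stating. Something like `"""Append (mac, ip) to the IPv4 or IPv6 pair list, with mac in iptables format."""` would also make it clear that the two list arguments are mutated in place. `netaddr.EUI(mac, ...)` raises on a malformed address and nothing in the visible lines catches it; that is presumably validated upstream, but it cannot be confirmed from this hunk. The method body continues past the end of the hunk.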
index 24c1b5d8b07ff497e73622da0d78097c572847dc..320d35889964717721285c6e6abfe15ade4644ed 100644 (file)
@@ -1805,8 +1805,8 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
                           for ip in other_ips])
 
     def test_build_ipv4v6_mac_ip_list(self):
-        mac_oth = 'ffff-ffff-ffff'
-        mac_unix = 'ff:ff:ff:ff:ff:ff'
+        mac_oth = 'ffff-ff0f-ffff'
+        mac_unix = 'FF:FF:FF:0F:FF:FF'
         ipv4 = FAKE_IP['IPv4']
         ipv6 = FAKE_IP['IPv6']
         fake_ipv4_pair = []
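Review bot: The expected value is still named `mac_unix`, but it now holds the iptables representation rather than netaddr's mac_unix output, which will mislead the next reader. Rename it, for example `mac_expected = 'FF:FF:FF:0F:FF:FF'`, together with its uses further down the test, which lie outside this hunk. The single input exercises one zero-padded octet; a second case with lower-case, colon-separated input would also pin the case folding that the rule matching relies on.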