Ensure mac address added to iptables is always in unix format

When a allowed address pair entry is added with a mac format
other than unix format the ovs-vs agent keeps on restarting as
it is not able to save the proper iptables due to the error
"Error while processing VIF ports". This fix makes sure
that the mac address sent to the iptables firewall is always
in the unix format

Change-Id: I86bbf3cb2adf9b998190e472691c01d068ebab9c
Closes-Bug: #1457971

diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index dc1d8901baeffc7ba815ca543a09e29100199ebb..840fba7f6f79a41bb39e17afd0065f3625fb3c85 100644 (file)
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -313,6 +313,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 
     def _build_ipv4v6_mac_ip_list(self, mac, ip_address, mac_ipv4_pairs,
                                   mac_ipv6_pairs):
+        mac = str(netaddr.EUI(mac, dialect=netaddr.mac_unix))
         if netaddr.IPNetwork(ip_address).version == 4:
             mac_ipv4_pairs.append((mac, ip_address))
         else:

diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 77d98e8b185fd7ead5b1af2111d2fda879031933..97fd19208095db9df5a92f8e8d2858312abc29bc 100644 (file)
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1674,3 +1674,23 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
                          [dict(rule.items() +
                                [('source_ip_prefix', '%s/32' % ip)])
                           for ip in other_ips])
+
+    def test_build_ipv4v6_mac_ip_list(self):
+        mac_oth = 'ffff-ffff-ffff'
+        mac_unix = 'ff:ff:ff:ff:ff:ff'
+        ipv4 = FAKE_IP['IPv4']
+        ipv6 = FAKE_IP['IPv6']
+        fake_ipv4_pair = []
+        fake_ipv4_pair.append((mac_unix, ipv4))
+        fake_ipv6_pair = []
+        fake_ipv6_pair.append((mac_unix, ipv6))
+
+        mac_ipv4_pairs = []
+        mac_ipv6_pairs = []
+
+        self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv4,
+                                                mac_ipv4_pairs, mac_ipv6_pairs)
+        self.assertEqual(fake_ipv4_pair, mac_ipv4_pairs)
+        self.firewall._build_ipv4v6_mac_ip_list(mac_oth, ipv6,
+                                                mac_ipv4_pairs, mac_ipv6_pairs)
+        self.assertEqual(fake_ipv6_pair, mac_ipv6_pairs)