* Added patch for CVE-2015-3221 (Closes: #789713):
authorThomas Goirand <thomas@goirand.fr>
Wed, 24 Jun 2015 07:58:13 +0000 (07:58 +0000)
committerThomas Goirand <thomas@goirand.fr>
Wed, 24 Jun 2015 07:58:28 +0000 (07:58 +0000)
    CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch

debian/changelog
debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch [new file with mode: 0644]
debian/patches/better-config-defaults.patch
debian/patches/series

index 669923162ac8542f2b8f33ab21ec796c7cac95e2..506f571181848418cca598ae49684dc75cd02ede 100644 (file)
@@ -1,8 +1,8 @@
 neutron (2015.1.0+2015.06.24.git61.bdf194a0e1-1) unstable; urgency=medium
 
-  * New upstream release (based on commit 61 and sha bdf194a0e1):
-    - Fixes CVE-2015-3221: L2 agent DoS through incorrect allowed address pairs
-    (Closes: #789713).
+  * New upstream release (based on commit 61 and sha bdf194a0e1).
+  * Added patch for CVE-2015-3221 (Closes: #789713):
+    CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch
 
  -- Thomas Goirand <zigo@debian.org>  Wed, 24 Jun 2015 07:41:07 +0000
 
diff --git a/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch b/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch
new file mode 100644 (file)
index 0000000..02fa507
--- /dev/null
@@ -0,0 +1,123 @@
+From: Aaron Rosen <aaronorosen@gmail.com>
+Date: Wed, 3 Jun 2015 23:19:39 +0000 (-0700)
+Subject: Provide work around for 0.0.0.0/0 ::/0 for ipset
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fneutron.git;a=commitdiff_plain;h=9ff6138c47c95034ba845e9448ddffd147b51f38
+
+Provide work around for 0.0.0.0/0 ::/0 for ipset
+
+Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if
+these addresses were inputted as allowed address pairs. This causes
+ipset to raise an error as it does not work with zero prefix sizes.
+To solve this problem we use two ipset rules to represent this:
+
+Ipv4: 0.0.0.0/1 and 128.0.0.1/1
+IPv6: ::/1' and '8000::/1
+
+All of this logic is handled via _sanitize_addresses() in the ipset_manager
+which is called to convert the input.
+
+Conflicts:
+       neutron/agent/linux/ipset_manager.py
+       neutron/tests/unit/agent/linux/test_ipset_manager.py
+
+Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c666b8ac75
+Closes-bug: 1461054
+---
+
+diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py
+index 0f76418..af59f1f 100644
+--- a/neutron/agent/linux/ipset_manager.py
++++ b/neutron/agent/linux/ipset_manager.py
+@@ -11,6 +11,8 @@
+ #    See the License for the specific language governing permissions and
+ #    limitations under the License.
++import netaddr
++
+ from neutron.agent.linux import utils as linux_utils
+ from neutron.common import utils
+@@ -31,6 +33,26 @@ class IpsetManager(object):
+         self.namespace = namespace
+         self.ipset_sets = {}
++    def _sanitize_addresses(self, addresses):
++        """This method converts any address to ipset format.
++
++        If an address has a mask of /0 we need to cover to it to a mask of
++        /1 as ipset does not support /0 length addresses. Instead we use two
++        /1's to represent the /0.
++        """
++        sanitized_addresses = []
++        for ip in addresses:
++            if (netaddr.IPNetwork(ip).prefixlen == 0):
++                if(netaddr.IPNetwork(ip).version == 4):
++                    sanitized_addresses.append('0.0.0.0/1')
++                    sanitized_addresses.append('128.0.0.0/1')
++                elif (netaddr.IPNetwork(ip).version == 6):
++                    sanitized_addresses.append('::/1')
++                    sanitized_addresses.append('8000::/1')
++            else:
++                sanitized_addresses.append(ip)
++        return sanitized_addresses
++
+     @staticmethod
+     def get_name(id, ethertype):
+         """Returns the given ipset name for an id+ethertype pair.
+@@ -51,6 +73,7 @@ class IpsetManager(object):
+         add / remove new members, or swapped atomically if
+         that's faster.
+         """
++        member_ips = self._sanitize_addresses(member_ips)
+         set_name = self.get_name(id, ethertype)
+         if not self.set_exists(id, ethertype):
+             # The initial creation is handled with create/refresh to
+diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py
+index 4484008..a1c6dc5 100644
+--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py
++++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py
+@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase):
+     def expect_set(self, addresses):
+         temp_input = ['create NETIPv4fake_sgid-new hash:net family inet']
+         temp_input.extend('add NETIPv4fake_sgid-new %s' % ip
+-                          for ip in addresses)
++                          for ip in self.ipset._sanitize_addresses(addresses))
+         input = '\n'.join(temp_input)
+         self.expected_calls.extend([
+             mock.call(['ipset', 'restore', '-exist'],
+@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase):
+         self.expected_calls.extend(
+             mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
+                       process_input=None,
+-                      run_as_root=True) for ip in addresses)
++                      run_as_root=True)
++            for ip in self.ipset._sanitize_addresses(addresses))
+     def expect_del(self, addresses):
++
+         self.expected_calls.extend(
+             mock.call(['ipset', 'del', TEST_SET_NAME, ip],
+                       process_input=None,
+-                      run_as_root=True) for ip in addresses)
++                      run_as_root=True)
++            for ip in self.ipset._sanitize_addresses(addresses))
+     def expect_create(self):
+         self.expected_calls.append(
+@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest):
+         self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS)
+         self.verify_mock_calls()
++    def test_set_members_adding_all_zero_ipv4(self):
++        self.expect_set(['0.0.0.0/0'])
++        self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0'])
++        self.verify_mock_calls()
++
++    def test_set_members_adding_all_zero_ipv6(self):
++        self.expect_set(['::/0'])
++        self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0'])
++        self.verify_mock_calls()
++
+     def test_destroy(self):
+         self.add_first_ip()
+         self.expect_destroy()
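Review bot: The new tests near the end of the hunk (`test_set_members_adding_all_zero_ipv4` / `_ipv6`) do not actually pin the /0 → two-/1 expansion, because `expect_set`, `expect_add` and `expect_del` now build the expected ipset input by calling `self.ipset._sanitize_addresses()` themselves, so a `_sanitize_addresses` that handed `0.0.0.0/0` straight through to ipset (the very failure behind CVE-2015-3221) would still pass them. A direct check such as `self.assertEqual(['0.0.0.0/1', '128.0.0.0/1'], self.ipset._sanitize_addresses(['0.0.0.0/0']))` and its `['::/1', '8000::/1']` counterpart would cover the fix itself. In `_sanitize_addresses`, `netaddr.IPNetwork(ip)` is parsed up to three times per address; binding `net = netaddr.IPNetwork(ip)` once and branching on `net.prefixlen == 0` and `net.version` reads more clearly and avoids the stray parentheses in `if(netaddr...)`. The embedded upstream commit message says `128.0.0.1/1` while the code emits `128.0.0.0/1` (the code is the correct network half), so the message text is misleading if it is ever relied on. The `set_members` body that receives the sanitized list continues past the end of this hunk.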
index b39fc4f8f2bce8d3d6adde1d445f19813a56ede6..9c97ea6cb2e94bc397be9a75450794d856855bbc 100644 (file)
@@ -5,8 +5,10 @@ Author: Thomas Goirand <zigo@debian.org>
 Forwarded: not-needed
 Last-Update: 2015-04-15
 
---- neutron-2015.1~rc1.orig/etc/dhcp_agent.ini
-+++ neutron-2015.1~rc1/etc/dhcp_agent.ini
+Index: neutron/etc/dhcp_agent.ini
+===================================================================
+--- neutron.orig/etc/dhcp_agent.ini
++++ neutron/etc/dhcp_agent.ini
 @@ -9,14 +9,12 @@
  
  # The DHCP agent requires an interface driver be set. Choose the one that best
@@ -59,8 +61,10 @@ Last-Update: 2015-04-15
  
  # Comma-separated list of DNS servers which will be used by dnsmasq
  # as forwarders.
---- neutron-2015.1~rc1.orig/etc/l3_agent.ini
-+++ neutron-2015.1~rc1/etc/l3_agent.ini
+Index: neutron/etc/l3_agent.ini
+===================================================================
+--- neutron.orig/etc/l3_agent.ini
++++ neutron/etc/l3_agent.ini
 @@ -4,11 +4,9 @@
  
  # L3 requires that an interface driver be set. Choose the one that best
@@ -135,8 +139,10 @@ Last-Update: 2015-04-15
  # ha_vrrp_advert_int = 2
 +
 +allow_automatic_l3agent_failover = False
---- neutron-2015.1~rc1.orig/etc/metadata_agent.ini
-+++ neutron-2015.1~rc1/etc/metadata_agent.ini
+Index: neutron/etc/metadata_agent.ini
+===================================================================
+--- neutron.orig/etc/metadata_agent.ini
++++ neutron/etc/metadata_agent.ini
 @@ -23,7 +23,7 @@ admin_password = %SERVICE_PASSWORD%
  # nova_metadata_port = 8775
  
@@ -146,8 +152,10 @@ Last-Update: 2015-04-15
  
  # Whether insecure SSL connection should be accepted for Nova metadata server
  # requests
---- neutron-2015.1~rc1.orig/etc/neutron.conf
-+++ neutron-2015.1~rc1/etc/neutron.conf
+Index: neutron/etc/neutron.conf
+===================================================================
+--- neutron.orig/etc/neutron.conf
++++ neutron/etc/neutron.conf
 @@ -57,8 +57,8 @@
  # previous versions, the class name of a plugin can be specified instead of its
  # entrypoint name.
@@ -252,7 +260,7 @@ Last-Update: 2015-04-15
  
  # Set to true to add comments to generated iptables rules that describe
  # each rule's purpose. (System must support the iptables comments module.)
-@@ -702,15 +703,14 @@ admin_password = %SERVICE_PASSWORD%
+@@ -693,15 +694,14 @@ admin_password = %SERVICE_PASSWORD%
  
  [database]
  # This line MUST be changed to actually run the plugin.
@@ -270,8 +278,10 @@ Last-Update: 2015-04-15
  
  # Database engine for which script will be generated when using offline
  # migration
---- neutron-2015.1~rc1.orig/etc/neutron/plugins/ml2/ml2_conf.ini
-+++ neutron-2015.1~rc1/etc/neutron/plugins/ml2/ml2_conf.ini
+Index: neutron/etc/neutron/plugins/ml2/ml2_conf.ini
+===================================================================
+--- neutron.orig/etc/neutron/plugins/ml2/ml2_conf.ini
++++ neutron/etc/neutron/plugins/ml2/ml2_conf.ini
 @@ -1,25 +1,24 @@
  [ml2]
  # (ListOpt) List of network type driver entrypoints to be loaded from
@@ -333,8 +343,10 @@ Last-Update: 2015-04-15
  # requires that ipset is installed on L2 agent node.
 -# enable_ipset = True
 +enable_ipset = True
---- neutron-2015.1~rc1.orig/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
-+++ neutron-2015.1~rc1/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+Index: neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+===================================================================
+--- neutron.orig/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
++++ neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
 @@ -5,7 +5,7 @@
  # attached to this bridge and then "patched" according to their network
  # connectivity.
index d45a00c11eec7d81e767aed4db3cf66296514db9..6cf27d9675c0fc488c5ec5001c888cb44af64a81 100644 (file)
@@ -1 +1,2 @@
 better-config-defaults.patch
+CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch