Fix rule generation for single and all host rules
authorKevin Benton <blak111@gmail.com>
Mon, 5 Oct 2015 14:26:09 +0000 (07:26 -0700)
committerKevin Benton <blak111@gmail.com>
Tue, 6 Oct 2015 21:31:54 +0000 (14:31 -0700)
iptables renders single-host addresses with an explicit prefix length
(/32 or /128) and omits a /0 source/destination match entirely, since
it constrains nothing.

This patch fixes our rule generation to match that pattern
so iptables counters don't get destroyed on these rules on
every reload.

Closes-Bug: #1502917
Change-Id: Ifbdfbafd6cf37c6ef7385cd5f1d2df65cc19797a

neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py

index b0ac0f793287432b0d1e73c91509edb8ee1e492d..a0dd73a98262c90a6a9bdf94423b8d8928554552 100644 (file)
@@ -30,6 +30,7 @@ from neutron.agent.linux import utils
 from neutron.common import constants
 from neutron.common import exceptions as n_exc
 from neutron.common import ipv6_utils
+from neutron.common import utils as c_utils
 from neutron.extensions import portsecurity as psec
 from neutron.i18n import _LI
 
@@ -360,6 +361,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
                                    '-m mac --mac-source %s -j RETURN'
                                    % mac.upper(), comment=ic.PAIR_ALLOW)
                 else:
+                    # we need to convert it into a prefix to match iptables
+                    ip = c_utils.ip_to_cidr(ip)
                     table.add_rule(chain_name,
                                    '-s %s -m mac --mac-source %s -j RETURN'
                                    % (ip, mac.upper()), comment=ic.PAIR_ALLOW)
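Review bot: This call site converts `ip` unconditionally, while the ip_prefix hunk below in the same file first checks `'/' not in ip_prefix` before calling the same helper; the two sites should agree, because allowed address pairs may carry their own prefix and what `c_utils.ip_to_cidr` does with a value that already contains `/` is not visible here. If the helper passes an existing prefix through unchanged, the guard in the other hunk is redundant; if it does not, this site needs the same guard. Either way a one-line comment stating which holds, e.g. `# ip_to_cidr leaves an explicit prefix untouched; bare hosts become /32 or /128`, would spare the next reader the lookup. The enclosing method starts and ends outside this hunk.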
@@ -617,6 +620,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         #NOTE (nati) : source_group_id is converted to list of source_
         # ip_prefix in server side
         if ip_prefix:
+            if '/' not in ip_prefix:
+                # we need to convert it into a prefix to match iptables
+                ip_prefix = c_utils.ip_to_cidr(ip_prefix)
+            elif ip_prefix.endswith('/0'):
+                # an allow for every address is not a constraint so
+                # iptables drops it
+                return []
             return ['-%s' % direction, ip_prefix]
         return []
 
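Review bot: The `/0` special case is a plain string test, so it covers only one of the normalizations iptables applies when it prints a rule back; a prefix with host bits set (e.g. `10.0.0.5/24`) would, if I recall iptables-save's output correctly, be re-rendered as `10.0.0.0/24` and still mismatch on every reload unless the server already rejects such prefixes. Parsing the value once handles both cases and replaces the `'/' not in` check as well: `net = netaddr.IPNetwork(ip_prefix)`, `if net.prefixlen == 0: return []`, `return ['-%s' % direction, str(net.cidr)]`, assuming `netaddr` is in scope in this module (it is not visible in the hunk). Note also that the early return makes a `/0` rule match every address, which is what the commit intends, but it also means a prefix whose address family disagrees with the rule's ethertype (say `0.0.0.0/0` on an IPv6 rule) now becomes an unconstrained match rather than being rejected when ip6tables loads it, unless the caller validates the family earlier. The enclosing function begins before this hunk.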
index 24c1b5d8b07ff497e73622da0d78097c572847dc..037f1cf1a79f2e3da7d6cd9ceb56c9fa497005ae 100644 (file)
@@ -27,6 +27,7 @@ from neutron.agent.linux import iptables_firewall
 from neutron.agent import securitygroups_rpc as sg_cfg
 from neutron.common import constants
 from neutron.common import exceptions as n_exc
+from neutron.common import utils
 from neutron.tests import base
 from neutron.tests.unit.api.v2 import test_base
 
@@ -149,7 +150,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                  mock.call.add_chain('sfake_dev'),
                  mock.call.add_rule(
                      'sfake_dev',
-                     '-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
+                     '-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
                      '-j RETURN',
                      comment=ic.PAIR_ALLOW),
                  mock.call.add_rule(
@@ -933,7 +934,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                                   egress_expected_call=None):
         port = self._fake_port()
         ethertype = rule['ethertype']
-        prefix = FAKE_IP[ethertype]
+        prefix = utils.ip_to_cidr(FAKE_IP[ethertype])
         filter_inst = self.v4filter_inst
         dhcp_rule = [mock.call.add_rule(
             'ofake_dev',
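Review bot: The test updates visible here only re-derive the expected `/32` or `/128` prefix, so the new `/0` branch in `iptables_firewall.py` — which returns an empty argument list and leaves the rule unconstrained — is not exercised by anything in this diff unless a hunk outside my view adds it. Because that branch widens a rule to every address, a test pinning it down is worth having, e.g. a rule with `'source_ip_prefix': '0.0.0.0/0'` asserting that the resulting `add_rule` call contains no `-s` argument, plus the `'::/0'` counterpart on the IPv6 filter. Computing the expectation with the same `utils.ip_to_cidr` helper the driver calls also means this assertion would not catch a regression in that helper; a literal per-ethertype map of the expected prefixes would. The test method body continues past the end of this hunk.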
@@ -1180,7 +1181,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                  mock.call.add_chain('sfake_dev'),
                  mock.call.add_rule(
                      'sfake_dev',
-                     '-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
+                     '-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
                      '-j RETURN',
                      comment=ic.PAIR_ALLOW),
                  mock.call.add_rule(
@@ -1252,7 +1253,7 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                  mock.call.add_chain('sfake_dev'),
                  mock.call.add_rule(
                      'sfake_dev',
-                     '-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
+                     '-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
                      '-j RETURN',
                      comment=ic.PAIR_ALLOW),
                  mock.call.add_rule(
@@ -1422,12 +1423,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                  mock.call.add_chain('sfake_dev'),
                  mock.call.add_rule(
                      'sfake_dev',
-                     '-s 10.0.0.1 -m mac --mac-source FF:FF:FF:FF:FF:FF '
+                     '-s 10.0.0.1/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
                      '-j RETURN',
                      comment=ic.PAIR_ALLOW),
                  mock.call.add_rule(
                      'sfake_dev',
-                     '-s 10.0.0.2 -m mac --mac-source FF:FF:FF:FF:FF:FF '
+                     '-s 10.0.0.2/32 -m mac --mac-source FF:FF:FF:FF:FF:FF '
                      '-j RETURN',
                      comment=ic.PAIR_ALLOW),
                  mock.call.add_rule(