cfg.StrOpt('metadata_access_mark',
default='0x1',
help=_('Iptables mangle mark used to mark metadata valid '
- 'requests')),
+ 'requests. This mark will be masked with 0xffff so '
+ 'that only the lower 16 bits will be used.')),
cfg.StrOpt('external_ingress_mark',
default='0x2',
help=_('Iptables mangle mark used to mark ingress from '
- 'external network')),
+ 'external network. This mark will be masked with '
+ '0xffff so that only the lower 16 bits will be used.')),
]
INTERNAL_DEV_PREFIX = namespaces.INTERNAL_DEV_PREFIX
EXTERNAL_DEV_PREFIX = namespaces.EXTERNAL_DEV_PREFIX
-EXTERNAL_INGRESS_MARK_MASK = '0xffffffff'
FLOATINGIP_STATUS_NOCHANGE = object()
# Makes replies come back through the router to reverse DNAT
ext_in_mark = self.agent_conf.external_ingress_mark
snat_internal_traffic_to_floating_ip = (
- 'snat', '-m mark ! --mark %s '
+ 'snat', '-m mark ! --mark %s/%s '
'-m conntrack --ctstate DNAT '
- '-j SNAT --to-source %s' % (ext_in_mark, ex_gw_ip))
+ '-j SNAT --to-source %s'
+ % (ext_in_mark, l3_constants.ROUTER_MARK_MASK, ex_gw_ip))
return [dont_snat_traffic_to_internal_ports_if_not_to_floating_ip,
snat_normal_external_traffic,
mark = self.agent_conf.external_ingress_mark
mark_packets_entering_external_gateway_port = (
'mark', '-i %s -j MARK --set-xmark %s/%s' %
- (interface_name, mark, EXTERNAL_INGRESS_MARK_MASK))
+ (interface_name, mark, l3_constants.ROUTER_MARK_MASK))
return [mark_packets_entering_external_gateway_port]
def _empty_snat_chains(self, iptables_manager):
from neutron.callbacks import events
from neutron.callbacks import registry
from neutron.callbacks import resources
+from neutron.common import constants
from neutron.common import exceptions
LOG = logging.getLogger(__name__)
# Access with redirection to metadata proxy iptables mark mask
-METADATA_ACCESS_MARK_MASK = '0xffffffff'
METADATA_SERVICE_NAME = 'metadata-proxy'
@classmethod
def metadata_filter_rules(cls, port, mark):
- return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark),
+ return [('INPUT', '-m mark --mark %s/%s -j ACCEPT' %
+ (mark, constants.ROUTER_MARK_MASK)),
('INPUT', '-p tcp -m tcp --dport %s '
'-j DROP' % port)]
'-p tcp -m tcp --dport 80 '
'-j MARK --set-xmark %(value)s/%(mask)s' %
{'value': mark,
- 'mask': METADATA_ACCESS_MARK_MASK})]
+ 'mask': constants.ROUTER_MARK_MASK})]
@classmethod
def metadata_nat_rules(cls, port):
# Default network MTU value when not configured
DEFAULT_NETWORK_MTU = 0
+
+ROUTER_MARK_MASK = "0xffff"
'! -i %s ! -o %s -m conntrack ! --ctstate DNAT -j ACCEPT' %
(interface_name, interface_name),
'-o %s -j SNAT --to-source %s' % (interface_name, source_nat_ip),
- '-m mark ! --mark 0x2 -m conntrack --ctstate DNAT '
- '-j SNAT --to-source %s' % source_nat_ip]
+ '-m mark ! --mark 0x2/%s -m conntrack --ctstate DNAT '
+ '-j SNAT --to-source %s' %
+ (l3_constants.ROUTER_MARK_MASK, source_nat_ip)]
for r in nat_rules:
if negate:
self.assertNotIn(r.rule, expected_rules)
else:
self.assertIn(r.rule, expected_rules)
expected_rules = [
- '-i %s -j MARK --set-xmark 0x2/0xffffffff' % interface_name]
+ '-i %s -j MARK --set-xmark 0x2/%s' %
+ (interface_name, l3_constants.ROUTER_MARK_MASK)]
for r in mangle_rules:
if negate:
self.assertNotIn(r.rule, expected_rules)
wrap_name)
snat_rule1 = ("-A %s-snat -o iface -j SNAT --to-source %s") % (
wrap_name, ex_gw_port['fixed_ips'][0]['ip_address'])
- snat_rule2 = ("-A %s-snat -m mark ! --mark 0x2 "
+ snat_rule2 = ("-A %s-snat -m mark ! --mark 0x2/%s "
"-m conntrack --ctstate DNAT "
"-j SNAT --to-source %s") % (
- wrap_name, ex_gw_port['fixed_ips'][0]['ip_address'])
+ wrap_name, l3_constants.ROUTER_MARK_MASK,
+ ex_gw_port['fixed_ips'][0]['ip_address'])
self.assertIn(jump_float_rule, nat_rules)
mangle_rules = map(str, ri.iptables_manager.ipv4['mangle'].rules)
mangle_rule = ("-A %s-mark -i iface "
- "-j MARK --set-xmark 0x2/0xffffffff") % wrap_name
+ "-j MARK --set-xmark 0x2/%s" %
+ (wrap_name, l3_constants.ROUTER_MARK_MASK))
self.assertIn(mangle_rule, mangle_rules)
def test_process_router_delete_stale_internal_devices(self):
from neutron.agent.linux import iptables_comments as ic
from neutron.agent.linux import iptables_manager
+from neutron.common import constants
from neutron.common import exceptions as n_exc
from neutron.tests import base
from neutron.tests import tools
IPTABLES_ARG = {'bn': iptables_manager.binary_name,
'snat_out_comment': ic.SNAT_OUT,
- 'filter_rules': ''}
+ 'filter_rules': '',
+ 'mark': constants.ROUTER_MARK_MASK}
NAT_TEMPLATE = ('# Generated by iptables_manager\n'
'*nat\n'
'[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
'[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
'[0:0] -A %(bn)s-PREROUTING -j %(bn)s-mark\n'
- '[0:0] -A %(bn)s-PREROUTING -j MARK --set-xmark 0x1/0xffffffff\n'
+ '[0:0] -A %(bn)s-PREROUTING -j MARK --set-xmark 0x1/%(mark)s\n'
'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ '# Completed by iptables_manager\n' % IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
self.iptables.ipv4['mangle'].add_chain('mangle')
self.iptables.ipv4['mangle'].add_rule(
'PREROUTING',
- '-j MARK --set-xmark 0x1/0xffffffff')
+ '-j MARK --set-xmark 0x1/%s' % constants.ROUTER_MARK_MASK)
self.iptables.apply()
self.iptables.ipv4['mangle'].remove_rule(
'PREROUTING',
- '-j MARK --set-xmark 0x1/0xffffffff')
+ '-j MARK --set-xmark 0x1/%s' % constants.ROUTER_MARK_MASK)
self.iptables.ipv4['mangle'].remove_chain('mangle')
self.iptables.apply()
from neutron.agent.l3 import ha as l3_ha_agent
from neutron.agent.metadata import config
from neutron.agent.metadata import driver as metadata_driver
+from neutron.common import constants
from neutron.tests import base
metadata_driver.MetadataDriver.metadata_nat_rules(8775))
def test_metadata_filter_rules(self):
- rules = [('INPUT', '-m mark --mark 0x1 -j ACCEPT'),
+ rules = [('INPUT', '-m mark --mark 0x1/%s -j ACCEPT' %
+ constants.ROUTER_MARK_MASK),
('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')]
self.assertEqual(
rules,
rule = ('PREROUTING', '-d 169.254.169.254/32 '
'-p tcp -m tcp --dport 80 '
'-j MARK --set-xmark 0x1/%s' %
- metadata_driver.METADATA_ACCESS_MARK_MASK)
+ constants.ROUTER_MARK_MASK)
self.assertEqual(
[rule],
metadata_driver.MetadataDriver.metadata_mangle_rules('0x1'))
Code Review / openstack-build / neutron-build.git / commitdiff