Should not add metadata filter rules if disable metadata proxy
authorHui HX Xiang <xianghui@cn.ibm.com>
Mon, 30 Sep 2013 02:48:51 +0000 (19:48 -0700)
committerHui HX Xiang <xianghui@cn.ibm.com>
Mon, 30 Sep 2013 02:48:56 +0000 (19:48 -0700)
The metadata filter rules should not be added into iptables if Neutron
metadata proxy is disabled.
This patchset fixes this issue by adding a condition when adding metadata
filter rules to iptables.

Closes-Bug #1224290

Change-Id: I7f14d281c31c1828a90abac8821635773238b2d0

neutron/agent/l3_agent.py
neutron/tests/unit/test_l3_agent.py

index 69b4ea0cede3ddcf01da0ad6d7d0de57228eb2c2..d6c54fc69ffbe6de7ef3814dbe4bd545ed20cbb5 100644 (file)
@@ -544,9 +544,10 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback, manager.Manager):
 
     def metadata_filter_rules(self):
         rules = []
-        rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
-                      '-p tcp -m tcp --dport %s '
-                      '-j ACCEPT' % self.conf.metadata_port))
+        if self.conf.enable_metadata_proxy:
+            rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+                          '-p tcp -m tcp --dport %s '
+                          '-j ACCEPT' % self.conf.metadata_port))
         return rules
 
     def metadata_nat_rules(self):
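Review bot: `metadata_filter_rules` has no docstring or comment saying why the ACCEPT rule is now conditional, which is the security-relevant part of this change. I would add a docstring such as `"""Return the INPUT ACCEPT rule for the metadata port, or [] when enable_metadata_proxy is off."""` and a comment above the `if` along the lines of `# no proxy is listening, so do not accept traffic to its port`. `metadata_nat_rules` starts on the hunk's last line and its body is outside the hunk, so it is worth confirming it is gated on the same option so the filter and NAT rules cannot disagree. The hunk also does not show whether a rule installed earlier is removed when the option is switched off on a running agent; presumably that depends on how callers re-apply the returned list.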
index 4e40675fb2ce2caf6f1b3d663a9ab5ccfabd152e..3497a5ef89849b62fa622e8979b3a5c80620c630 100644 (file)
@@ -672,6 +672,18 @@ class TestBasicRouterOperations(base.BaseTestCase):
             msg = "Error importing interface driver 'wrong_driver'"
             log.error.assert_called_once_with(msg)
 
+    def test_metadata_filter_rules(self):
+        self.conf.set_override('enable_metadata_proxy', False)
+        agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+        self.assertEqual([], agent.metadata_filter_rules())
+
+        self.conf.set_override('metadata_port', '8775')
+        self.conf.set_override('enable_metadata_proxy', True)
+        agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+        rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+                 '-p tcp -m tcp --dport 8775 -j ACCEPT')
+        self.assertEqual([rules], agent.metadata_filter_rules())
+
 
 class TestL3AgentEventHandler(base.BaseTestCase):
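Review bot: `test_metadata_filter_rules` checks the disabled and the enabled case in one method, so a failure of the first `assertEqual` hides the result of the second; two tests (for example `test_metadata_filter_rules_proxy_disabled` and `test_metadata_filter_rules_proxy_enabled`) would report each case independently. The local `rules` holds a single rule tuple and would read better as `expected_rule`. `metadata_port` is overridden with the string `'8775'`; if the option is declared as an integer (not visible here), passing `8775` would exercise the type the agent actually formats into the rule. The test asserts only the method's return value, so it does not show that the INPUT chain lacks the rule when the proxy is disabled; an assertion at the point where these rules are applied would cover that, if it is reachable from this test class.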