Remove references to 0.0.0.0/0 in iptable rules

Iptables removes 0.0.0.0/0 as rule source (-s) because any packet
matches the filter. Based on the discussion in the patch [1],
references to 0.0.0.0/0 are removed in the current patch.

[1] https://review.openstack.org/#/c/160782/

Closes-Bug: #1428127
Change-Id: I8cd96438ef21edfd75483eec3ebfebcee24a8300

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 130a2ce34fbee8029cbd3c3b11c1e8c9ea9684e5..674100343ab982efc0531ee19217e79198eb865d 100644 (file)
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -82,12 +82,12 @@ class MetadataDriver(advanced_service.AdvancedService):
     @classmethod
     def metadata_filter_rules(cls, port, mark):
         return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark),
-                ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
+                ('INPUT', '-p tcp -m tcp --dport %s '
                  '-j DROP' % port)]
 
     @classmethod
     def metadata_mangle_rules(cls, mark):
-        return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+        return [('PREROUTING', '-d 169.254.169.254/32 '
                  '-p tcp -m tcp --dport 80 '
                  '-j MARK --set-xmark %(value)s/%(mask)s' %
                  {'value': mark,
@@ -95,7 +95,7 @@ class MetadataDriver(advanced_service.AdvancedService):
 
     @classmethod
     def metadata_nat_rules(cls, port):
-        return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+        return [('PREROUTING', '-d 169.254.169.254/32 '
                  '-p tcp -m tcp --dport 80 -j REDIRECT '
                  '--to-port %s' % port)]
 

diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 568ac0a9a12f83e4e821d011e744f1333045f08b..de46a785b7842d5b4e940e5fc7e864e51b8617b0 100644 (file)
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -39,7 +39,7 @@ class TestMetadataDriver(base.BaseTestCase):
         cfg.CONF.register_opts(metadata_driver.MetadataDriver.OPTS)
 
     def test_metadata_nat_rules(self):
-        rules = ('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+        rules = ('PREROUTING', '-d 169.254.169.254/32 '
                  '-p tcp -m tcp --dport 80 -j REDIRECT --to-port 8775')
         self.assertEqual(
             [rules],
@@ -47,13 +47,13 @@ class TestMetadataDriver(base.BaseTestCase):
 
     def test_metadata_filter_rules(self):
         rules = [('INPUT', '-m mark --mark 0x1 -j ACCEPT'),
-                 ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j DROP')]
+                 ('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')]
         self.assertEqual(
             rules,
             metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
 
     def test_metadata_mangle_rules(self):
-        rule = ('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+        rule = ('PREROUTING', '-d 169.254.169.254/32 '
                 '-p tcp -m tcp --dport 80 '
                 '-j MARK --set-xmark 0x1/%s' %
                 metadata_driver.METADATA_ACCESS_MARK_MASK)