Remove excessive fallback iptables ACCEPT rules
authorKevin Benton <blak111@gmail.com>
Mon, 5 Oct 2015 14:06:54 +0000 (07:06 -0700)
committerArmando Migliaccio <armamig@gmail.com>
Thu, 8 Oct 2015 17:59:10 +0000 (17:59 +0000)
The previous code was generating a fallback ACCEPT rule for every
port when there should only be one at the very end. The reason that
this wasn't causing a bug is that we have a duplicate rule remover
that was silently throwing away the extras, and it happened to get them
in the right order.

Closes-Bug: #1502906
Change-Id: I83cf574f93b512be1ccefdc8da63e1783d279233

neutron/agent/linux/iptables_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py
neutron/tests/unit/agent/test_securitygroups_rpc.py

index b0ac0f793287432b0d1e73c91509edb8ee1e492d..7e88db66da33259c9afe322b653c84b76d297b36 100644 (file)
@@ -209,8 +209,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         for port in ports.values():
             self._setup_chain(port, firewall.INGRESS_DIRECTION)
             self._setup_chain(port, firewall.EGRESS_DIRECTION)
-            self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
-            self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
+        self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
+        self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
 
         for port in unfiltered_ports.values():
             self._add_accept_rule_port_sec(port, firewall.INGRESS_DIRECTION)
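Review bot: The two new add_rule calls append the single fallback ACCEPT to SG_CHAIN before the unfiltered-port loop that follows, and nothing in the hunk records that this rule must stay the last one in the chain; iptables is first-match, so any rule appended to SG_CHAIN after this point would be shadowed by the catch-all. A comment above the new calls would pin the invariant: `# Single fallback ACCEPT for SG_CHAIN: keep it the last rule added to this chain, since anything appended after a catch-all ACCEPT is never evaluated.` Whether `_add_accept_rule_port_sec` also appends to SG_CHAIN is not visible here, so that should be confirmed before relying on the ordering. Note also that the ACCEPT is now emitted even when `ports` is empty (the fixture updates in test_securitygroups_rpc.py reflect this), a behavioural change the description does not mention. The enclosing method starts before this hunk.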
index 24c1b5d8b07ff497e73622da0d78097c572847dc..fc4f816606dacb84f544a1d18f831edfb8e81c7c 100644 (file)
@@ -1696,6 +1696,18 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
         self.assertFalse(self.firewall.sg_members)
         self.assertFalse(self.firewall.sg_rules)
 
+    def test_single_fallback_accept_rule(self):
+        p1, p2 = self._fake_port(), self._fake_port()
+        self.firewall._setup_chains_apply(dict(p1=p1, p2=p2), {})
+        v4_adds = self.firewall.iptables.ipv4['filter'].add_rule.mock_calls
+        v6_adds = self.firewall.iptables.ipv6['filter'].add_rule.mock_calls
+        sg_chain_v4_accept = [call for call in v4_adds
+                              if call == mock.call('sg-chain', '-j ACCEPT')]
+        sg_chain_v6_accept = [call for call in v6_adds
+                              if call == mock.call('sg-chain', '-j ACCEPT')]
+        self.assertEqual(1, len(sg_chain_v4_accept))
+        self.assertEqual(1, len(sg_chain_v6_accept))
+
     def test_prepare_port_filter_with_deleted_member(self):
         self.firewall.sg_rules = self._fake_sg_rules()
         self.firewall.pre_sg_rules = self._fake_sg_rules()
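Review bot: test_single_fallback_accept_rule checks that exactly one `sg-chain -j ACCEPT` is added per address family but not where it lands, so a regression that emits the ACCEPT before the per-port jumps would still pass. If the per-port jump rules are added to sg-chain through the same add_rule mock, the test should also assert position, e.g. `sg_v4 = [c for c in v4_adds if c[1][0] == 'sg-chain']` followed by `self.assertEqual(mock.call('sg-chain', '-j ACCEPT'), sg_v4[-1])`, and likewise for v6. A one-line docstring such as `"""Exactly one fallback ACCEPT is added to sg-chain, after the per-port rules."""` would tell the next reader why the count matters. The test class and its setup lie outside this hunk.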
index 7bf9683882a1e750c6cc3b9900418e07c0346205..668071c8e35e578c1c8e0f631c99469f4bfc2e16 100644 (file)
@@ -2340,6 +2340,7 @@ IPTABLES_FILTER_EMPTY = """# Generated by iptables_manager
 [0:0] -A OUTPUT -j %(bn)s-OUTPUT
 [0:0] -A FORWARD -j %(bn)s-FORWARD
 [0:0] -A %(bn)s-sg-fallback -j DROP
+[0:0] -A %(bn)s-sg-chain -j ACCEPT
 COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG
@@ -2488,6 +2489,7 @@ IPTABLES_FILTER_V6_EMPTY = """# Generated by iptables_manager
 [0:0] -A OUTPUT -j %(bn)s-OUTPUT
 [0:0] -A FORWARD -j %(bn)s-FORWARD
 [0:0] -A %(bn)s-sg-fallback -j DROP
+[0:0] -A %(bn)s-sg-chain -j ACCEPT
 COMMIT
 # Completed by iptables_manager
 """ % IPTABLES_ARG