Only mark metadata packets on internal interfaces

Currently iptables rules set on L3 agent with metadata_proxy enabled
mark all packets coming from all interfaces including external interfaces.

This change updates PREROUTING rules from MANGLE table to mark packets
only from internal interfaces.

Change-Id: I01549df7b99be84cd46b6f97a5fd62aec1f43275
Closes-Bug: #1477553

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 338a78c94d2f28ae63122e5ff788f342c6264438..e7b291c29e756779b0b82a5e5c6aecbd64fb5b81 100644 (file)
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -53,9 +53,11 @@ class MetadataDriver(object):
     @classmethod
     def metadata_mangle_rules(cls, mark):
         return [('PREROUTING', '-d 169.254.169.254/32 '
+                 '-i %(interface_name)s '
                  '-p tcp -m tcp --dport 80 '
                  '-j MARK --set-xmark %(value)s/%(mask)s' %
-                 {'value': mark,
+                 {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
+                  'value': mark,
                   'mask': constants.ROUTER_MARK_MASK})]
 
     @classmethod

diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index d86c4fbce015929ab4be756adeb6b8a14a27e441..896639b6b103b57768380a54ddf31f1fc5496de4 100644 (file)
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -48,7 +48,7 @@ class TestMetadataDriverRules(base.BaseTestCase):
             metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
 
     def test_metadata_mangle_rules(self):
-        rule = ('PREROUTING', '-d 169.254.169.254/32 '
+        rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
                 '-p tcp -m tcp --dport 80 '
                 '-j MARK --set-xmark 0x1/%s' %
                 constants.ROUTER_MARK_MASK)