From: Kevin Benton
Date: Thu, 15 Jan 2015 07:45:14 +0000 (-0800)
Subject: Clarify misleading iptables comment
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=1254e841523692c9fa21020bd1e6ed367f0fbddd;p=openstack-build%2Fneutron-build.git

Clarify misleading iptables comment

Update the comment for the iptables rule matching the conntrack INVALID state. The previous entry was misleading because it sounded like it dropped all new connections.

Change-Id: I793c1a7d9fbc261ac361305524de8ad67477815b
---
diff --git a/neutron/agent/linux/iptables_comments.py b/neutron/agent/linux/iptables_comments.py
index 641b2ef86..7d158a9d8 100644
--- a/neutron/agent/linux/iptables_comments.py
+++ b/neutron/agent/linux/iptables_comments.py
@@ -28,7 +28,8 @@ PAIR_DROP = 'Drop traffic without an IP/MAC allow rule.'
 DHCP_CLIENT = 'Allow DHCP client traffic.'
 DHCP_SPOOF = 'Prevent DHCP Spoofing by VM.'
 UNMATCHED = 'Send unmatched traffic to the fallback chain.'
-STATELESS_DROP = 'Drop packets that are not associated with a state.'
+INVALID_DROP = ("Drop packets that appear related to an existing connection "
+                "(e.g. TCP ACK/FIN) but do not have an entry in conntrack.")
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
                'chain.')
 IPV6_RA_ALLOW = 'Allow IPv6 ICMP traffic to allow RA packets.'
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 33793a0e6..b2a7bf10c 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -429,7 +429,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
     def _drop_invalid_packets(self, iptables_rules):
         # Always drop invalid packets
         iptables_rules += [comment_rule('-m state --state '
                                         'INVALID -j DROP',
-                                        comment=ic.STATELESS_DROP)]
+                                        comment=ic.INVALID_DROP)]
         return iptables_rules
 
     def _allow_established(self, iptables_rules):
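Review bot: The new INVALID_DROP text in the iptables_comments.py hunk describes only the out-of-state case, but conntrack's INVALID state also covers packets it cannot classify at all — malformed headers, or ICMP errors that match no known flow — so the comment still understates what the rule drops. Suggest `INVALID_DROP = ("Drop packets that conntrack cannot classify: malformed, or related to "` followed by `"a connection it has no entry for (e.g. TCP ACK/FIN).")`. The rename from STATELESS_DROP leaves no alias, so any other module or test still referencing `ic.STATELESS_DROP` (none visible in this diff) would fail with AttributeError; a one-line `STATELESS_DROP = INVALID_DROP` would keep them working until they are updated. The iptables_firewall.py hunk is only the matching rename and needs no further change. Minor style point: the new constant uses double-quoted strings while the surrounding constants in the file use single quotes.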