From: Cedric Brandily Date: Thu, 11 Dec 2014 13:10:30 +0000 (+0000) Subject: Correct l3-agent iptables rule for metadata proxy X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=2d9d77747d2a16a1bf944e15bf5a7b6fc5e3fe08;p=openstack-build%2Fneutron-build.git Correct l3-agent iptables rule for metadata proxy 2 iptables rules are defined to ensure the metadata proxy is reachable from vms on 169.254.169.254:80: * REDIRECT 169.254.169.254:80 packets to the router on port 9697 * ACCEPT traffic to 127.0.0.1 on port 9697 The REDIRECT rule replaces destination ip by: * 127.0.0.1 if the packet is local, * router ip (the one on the input interface, metadata proxy case). So ACCEPT rule filter is not matched ... the metadata proxy is only reachable because INPUT policy is ACCEPT. This change removes the destination constraint in the ACCEPT rule. Change-Id: Iea700bdd121bbc56a3489a63e2a5391867fad0d6 Closes-Bug: #1399462
---
diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 16f1ea812..da5b3eb51 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -53,8 +53,7 @@ class MetadataDriver(advanced_service.AdvancedService):
 @classmethod
 def metadata_filter_rules(cls, port):
- return [('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
- '-p tcp -m tcp --dport %s '
+ return [('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
 '-j ACCEPT' % port)]
 @classmethod
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 05549ab3a..fda074c6b 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
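Review bot: In `metadata_filter_rules`, the new rule `-s 0.0.0.0/0 -p tcp -m tcp --dport %s -j ACCEPT` has no destination or interface match left, so it accepts connections to the proxy port on every address and interface of the router namespace, not only traffic that the REDIRECT rule rewrote from 169.254.169.254:80. The commit message says the port was already reachable because the INPUT policy is ACCEPT, so this does not widen today's exposure, but it writes that exposure into an explicit rule that would survive a later move to a default-drop INPUT policy. Consider scoping the match to the tenant-facing side, for example with an input-interface match such as `-i qr-+` (assuming the internal router ports use that prefix; the nat rule is outside this hunk, so confirm what it matches on) or a packet mark set alongside the REDIRECT. A short comment on the method, e.g. `# no -d match: REDIRECT rewrites dst to the ingress interface address, not 127.0.0.1`, would keep the next reader from re-adding the constraint; the expected string in `test_metadata_filter_rules` would need the same update.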
@@ -47,8 +47,7 @@ class TestMetadataDriver(base.BaseTestCase):
 metadata_driver.MetadataDriver.metadata_nat_rules(8775))
 def test_metadata_filter_rules(self):
- rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
- '-p tcp -m tcp --dport 8775 -j ACCEPT')
+ rules = ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j ACCEPT')
 self.assertEqual(
 [rules],
 metadata_driver.MetadataDriver.metadata_filter_rules(8775))