From: Jenkins Date: Thu, 5 Feb 2015 12:06:37 +0000 (+0000) Subject: Merge "Allow to request metadata proxy only with redirection" X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=38f2704a8554d1a7d0107a207ce12f0bf628c2b1;p=openstack-build%2Fneutron-build.git Merge "Allow to request metadata proxy only with redirection" --- 38f2704a8554d1a7d0107a207ce12f0bf628c2b1 diff --cc neutron/agent/metadata/driver.py index 31ce764b1,24a2fa9f3..3d017244a --- a/neutron/agent/metadata/driver.py +++ b/neutron/agent/metadata/driver.py @@@ -56,23 -63,37 +63,35 @@@ class MetadataDriver(advanced_service.A router.iptables_manager.apply() if not router.is_ha: - self._spawn_metadata_proxy(router.router_id, - router.ns_name, - self.l3_agent.conf) + self._spawn_monitored_metadata_proxy(router.router_id, + router.ns_name) def before_router_removed(self, router): - for c, r in self.metadata_filter_rules(self.metadata_port): + for c, r in self.metadata_filter_rules(self.metadata_port, + self.metadata_access_mark): router.iptables_manager.ipv4['filter'].remove_rule(c, r) + for c, r in self.metadata_mangle_rules(self.metadata_access_mark): + router.iptables_manager.ipv4['mangle'].remove_rule(c, r) for c, r in self.metadata_nat_rules(self.metadata_port): router.iptables_manager.ipv4['nat'].remove_rule(c, r) router.iptables_manager.apply() - self._destroy_metadata_proxy(router.router['id'], - router.ns_name, - self.l3_agent.conf) + self._destroy_monitored_metadata_proxy(router.router['id'], + router.ns_name) @classmethod - def metadata_filter_rules(cls, port): - return [('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s ' - '-j ACCEPT' % port)] + def metadata_filter_rules(cls, port, mark): + return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark), + ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s ' + '-j DROP' % port)] + + @classmethod + def metadata_mangle_rules(cls, mark): + return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 ' + '-p tcp -m tcp --dport 80 ' + '-j MARK 
--set-xmark %(value)s/%(mask)s' % + {'value': mark, + 'mask': METADATA_ACCESS_MARK_MASK})] @classmethod def metadata_nat_rules(cls, port):
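Review bot: In `metadata_filter_rules` the new ACCEPT rule matches `-m mark --mark %s` with no mask, while `metadata_mangle_rules` sets the mark with `--set-xmark %(value)s/%(mask)s`. An unmasked match compares the whole mark, so if anything else sets bits outside `METADATA_ACCESS_MARK_MASK` on the same packet, redirected metadata traffic would miss the ACCEPT and fall through to the new DROP. Matching under the same mask keeps the two rules consistent: `return [('INPUT', '-m mark --mark %s/%s -j ACCEPT' % (mark, METADATA_ACCESS_MARK_MASK)),`. The ACCEPT is also keyed on the mark alone, so it admits a marked packet to any local port and protocol; if the NAT rule (its body lies outside this hunk) redirects to `port`, adding `-p tcp -m tcp --dport %s` to the ACCEPT would narrow it to the proxy. Assuming rules are installed in list order, a one-line comment such as `# ACCEPT must precede DROP: only marked (redirected) traffic may reach the proxy port` would document why the order matters.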