From: Kevin Benton Date: Mon, 5 Oct 2015 13:37:40 +0000 (-0700) Subject: Correct MAC representation to match iptables output X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=5cab062465af06be3827de4e7f9014ab1040bdbf;p=openstack-build%2Fneutron-build.git Correct MAC representation to match iptables output We were previously using the netaddr's mac_unix format (which leaves off leading 0's) to generate iptables rules based on MAC addresses. While iptables accepts this format, it's not returned this way in the output so the iptables rule matching code would never find the match for these rules, causing the loss of counters on these rules on every reload. This patch corrects this with a custom dialect that matches the iptables format. Closes-Bug: #1502901 Change-Id: Ia45ebde8c4684e12030469323e18367a54d1518b
---
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index b0ac0f793..a1ac960a3 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -51,6 +51,11 @@ MAX_CONNTRACK_ZONES = 65535
 comment_rule = iptables_manager.comment_rule
+class mac_iptables(netaddr.mac_eui48):
+ """mac format class for netaddr to match iptables representation."""
+ word_sep = ':'
+
+
 class IptablesFirewallDriver(firewall.FirewallDriver):
 """Driver which enforces security groups through iptables rules."""
 IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
@@ -368,7 +373,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 def _build_ipv4v6_mac_ip_list(self, mac, ip_address, mac_ipv4_pairs, mac_ipv6_pairs):
- mac = str(netaddr.EUI(mac, dialect=netaddr.mac_unix))
+ mac = str(netaddr.EUI(mac, dialect=mac_iptables))
 if netaddr.IPNetwork(ip_address).version == 4:
 mac_ipv4_pairs.append((mac, ip_address))
 else:
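Review bot: The new `mac_iptables` dialect sets only `word_sep`, so the upper-case, zero-padded octets that the rule matcher depends on come implicitly from the `netaddr.mac_eui48` base class. Because the matching is a string comparison against iptables output, I would pin that dependency in the class body with `word_fmt = '%.2X'`. The docstring should also say that the result is six upper-case two-digit hex octets joined by ':', as in the `FF:FF:FF:0F:FF:FF` value the updated unit test expects. That way a change in the inherited defaults cannot silently bring back the counter loss described in the commit message.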
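Review bot: `_build_ipv4v6_mac_ip_list` has no docstring, and the changed line gives no hint that its output format is load-bearing for rule matching on reload. I would put a comment above the normalisation such as `# Must equal the MAC text iptables prints back, or reload matching misses the rule and its counters reset.` A one-line docstring should also state that the method appends `(mac, ip_address)` in place to `mac_ipv4_pairs` or `mac_ipv6_pairs` according to the IP version. The body continues past the end of the hunk, so the `else` branch is inferred from the parameter names rather than seen.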
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 24c1b5d8b..320d35889 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1805,8 +1805,8 @@ class IptablesFirewallEnhancedIpsetTestCase(BaseIptablesFirewallTestCase):
 for ip in other_ips])
 def test_build_ipv4v6_mac_ip_list(self):
- mac_oth = 'ffff-ffff-ffff'
- mac_unix = 'ff:ff:ff:ff:ff:ff'
+ mac_oth = 'ffff-ff0f-ffff'
+ mac_unix = 'FF:FF:FF:0F:FF:FF'
 ipv4 = FAKE_IP['IPv4']
 ipv6 = FAKE_IP['IPv6']
 fake_ipv4_pair = []
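Review bot: The local name `mac_unix` in `test_build_ipv4v6_mac_ip_list` no longer describes its value, since `'FF:FF:FF:0F:FF:FF'` is the iptables form and not netaddr's `mac_unix` output. `expected_mac = 'FF:FF:FF:0F:FF:FF'` would read correctly; the later uses in the test, which lie outside this hunk, would need the same rename. The new input exercises zero padding and case folding only from the dash-grouped form. A second input in the old unpadded colon form, e.g. `'ff:ff:ff:f:ff:ff'` (constructed sample), would also pin that values written in the previous format normalise to the same string.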