From: Hui HX Xiang
Date: Mon, 30 Sep 2013 02:48:51 +0000 (-0700)
Subject: Should not add metadata filter rules if disable metadata proxy
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=db4b8afd1d7b42d7c6fd4ccbe35531a7dcf4898d;p=openstack-build%2Fneutron-build.git

Should not add metadata filter rules if disable metadata proxy

The metadata filter rules should not be added into iptables if Neutron metadata proxy is disabled. This patchset fixes this issue by adding a condition when adding metadata filter rules to iptables.

Closes-Bug #1224290
Change-Id: I7f14d281c31c1828a90abac8821635773238b2d0
---
diff --git a/neutron/agent/l3_agent.py b/neutron/agent/l3_agent.py
index 69b4ea0ce..d6c54fc69 100644
--- a/neutron/agent/l3_agent.py
+++ b/neutron/agent/l3_agent.py
@@ -544,9 +544,10 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback, manager.Manager):
 def metadata_filter_rules(self):
 rules = []
- rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
- '-p tcp -m tcp --dport %s '
- '-j ACCEPT' % self.conf.metadata_port))
+ if self.conf.enable_metadata_proxy:
+ rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport %s '
+ '-j ACCEPT' % self.conf.metadata_port))
 return rules
 def metadata_nat_rules(self):
diff --git a/neutron/tests/unit/test_l3_agent.py b/neutron/tests/unit/test_l3_agent.py
index 4e40675fb..3497a5ef8 100644
--- a/neutron/tests/unit/test_l3_agent.py
+++ b/neutron/tests/unit/test_l3_agent.py
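Review bot: In `neutron/agent/l3_agent.py` the new `if self.conf.enable_metadata_proxy:` guard covers `metadata_filter_rules` only, while the hunk ends on the signature of `metadata_nat_rules`, whose body is outside the visible lines. If that sibling is not gated on the same option, the filter and NAT rule sets would disagree whenever the proxy is disabled, so it is worth confirming that both are conditioned identically. The guard would also benefit from a why-comment such as `# The ACCEPT exists only for the metadata proxy; do not open metadata_port when it is disabled.`, because the rule matches `-s 0.0.0.0/0` and a leftover copy would admit any source to that port.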
@@ -672,6 +672,18 @@ class TestBasicRouterOperations(base.BaseTestCase):
 msg = "Error importing interface driver 'wrong_driver'"
 log.error.assert_called_once_with(msg)
+ def test_metadata_filter_rules(self):
+ self.conf.set_override('enable_metadata_proxy', False)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ self.assertEqual([], agent.metadata_filter_rules())
+
+ self.conf.set_override('metadata_port', '8775')
+ self.conf.set_override('enable_metadata_proxy', True)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport 8775 -j ACCEPT')
+ self.assertEqual([rules], agent.metadata_filter_rules())
+
 class TestL3AgentEventHandler(base.BaseTestCase):
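Review bot: `test_metadata_filter_rules` checks the disabled and the enabled case in one method, so a failure in the first `assertEqual` hides the result of the second; two methods (for example `test_metadata_filter_rules_proxy_disabled` and `test_metadata_filter_rules_proxy_enabled`) would report each case separately. The port override passes the string `'8775'`; if `metadata_port` is registered as an integer option (its definition is not visible here), `self.conf.set_override('metadata_port', 8775)` would exercise the type the agent actually receives. The test covers only the helper's return value, so these lines do not assert that the rule is kept out of the router's iptables manager when the proxy is disabled.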