From: vijaychundury
Date: Wed, 4 Mar 2015 13:41:14 +0000 (+0000)
Subject: Remove references to 0.0.0.0/0 in iptable rules
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=deaa70bd75352f6c1974a01bc971086912c74e9e;p=openstack-build%2Fneutron-build.git

Remove references to 0.0.0.0/0 in iptable rules

Iptables removes 0.0.0.0/0 as rule source (-s) because any packet matches the filter. Based on the discussion in the patch [1], references to 0.0.0.0/0 are removed in the current patch.

[1] https://review.openstack.org/#/c/160782/

Closes-Bug: #1428127
Change-Id: I8cd96438ef21edfd75483eec3ebfebcee24a8300
---
diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 130a2ce34..674100343 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -82,12 +82,12 @@ class MetadataDriver(advanced_service.AdvancedService):
 @classmethod
 def metadata_filter_rules(cls, port, mark):
 return [('INPUT', '-m mark --mark %s -j ACCEPT' % mark),
- ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport %s '
+ ('INPUT', '-p tcp -m tcp --dport %s '
 '-j DROP' % port)]

 @classmethod
 def metadata_mangle_rules(cls, mark):
- return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ return [('PREROUTING', '-d 169.254.169.254/32 '
 '-p tcp -m tcp --dport 80 '
 '-j MARK --set-xmark %(value)s/%(mask)s' %
 {'value': mark,
@@ -95,7 +95,7 @@ class MetadataDriver(advanced_service.AdvancedService):

 @classmethod
 def metadata_nat_rules(cls, port):
- return [('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ return [('PREROUTING', '-d 169.254.169.254/32 '
 '-p tcp -m tcp --dport 80 -j REDIRECT '
 '--to-port %s' % port)]

diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index 568ac0a9a..de46a785b 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
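Review bot: Nothing in `metadata_filter_rules` records that its two INPUT rules are order-dependent: assuming the list order is the order the rules are installed in, the mark ACCEPT has to stay ahead of the port DROP, or the proxy port is closed to the requests the mangle rule marked (169.254.169.254:80) as well as to everything else. With `-s 0.0.0.0/0` gone the DROP now reads as a bare port match, so I would add a comment above the return such as `# Only packets marked by metadata_mangle_rules may reach the proxy port; keep ACCEPT before DROP.` The code also gives no hint of the reason stated in the commit message, that iptables strips an all-matching source; a short comment like `# No "-s 0.0.0.0/0": iptables drops it from the stored rule.` on these builders, including `metadata_nat_rules` in the second hunk, would keep the clause from being reintroduced. The tail of the `metadata_mangle_rules` return expression lies outside the hunk.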
@@ -39,7 +39,7 @@ class TestMetadataDriver(base.BaseTestCase):
 cfg.CONF.register_opts(metadata_driver.MetadataDriver.OPTS)

 def test_metadata_nat_rules(self):
- rules = ('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ rules = ('PREROUTING', '-d 169.254.169.254/32 '
 '-p tcp -m tcp --dport 80 -j REDIRECT --to-port 8775')
 self.assertEqual(
 [rules],
@@ -47,13 +47,13 @@ class TestMetadataDriver(base.BaseTestCase):

 def test_metadata_filter_rules(self):
 rules = [('INPUT', '-m mark --mark 0x1 -j ACCEPT'),
- ('INPUT', '-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 -j DROP')]
+ ('INPUT', '-p tcp -m tcp --dport 8775 -j DROP')]
 self.assertEqual(
 rules,
 metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))

 def test_metadata_mangle_rules(self):
- rule = ('PREROUTING', '-s 0.0.0.0/0 -d 169.254.169.254/32 '
+ rule = ('PREROUTING', '-d 169.254.169.254/32 '
 '-p tcp -m tcp --dport 80 '
 '-j MARK --set-xmark 0x1/%s' %
 metadata_driver.METADATA_ACCESS_MARK_MASK)