From 1254e841523692c9fa21020bd1e6ed367f0fbddd Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Wed, 14 Jan 2015 23:45:14 -0800
Subject: [PATCH] Clarify misleading iptables comment

Update the comment for the iptables rule matching the conntrack INVALID state. The previous entry was misleading because it sounded like it dropped all new connections.

Change-Id: I793c1a7d9fbc261ac361305524de8ad67477815b
---
 neutron/agent/linux/iptables_comments.py | 3 ++-
 neutron/agent/linux/iptables_firewall.py | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/neutron/agent/linux/iptables_comments.py b/neutron/agent/linux/iptables_comments.py
index 641b2ef86..7d158a9d8 100644
--- a/neutron/agent/linux/iptables_comments.py
+++ b/neutron/agent/linux/iptables_comments.py
@@ -28,7 +28,8 @@ PAIR_DROP = 'Drop traffic without an IP/MAC allow rule.'
 DHCP_CLIENT = 'Allow DHCP client traffic.'
 DHCP_SPOOF = 'Prevent DHCP Spoofing by VM.'
 UNMATCHED = 'Send unmatched traffic to the fallback chain.'
-STATELESS_DROP = 'Drop packets that are not associated with a state.'
+INVALID_DROP = ("Drop packets that appear related to an existing connection "
+ "(e.g. TCP ACK/FIN) but do not have an entry in conntrack.")
 ALLOW_ASSOC = ('Direct packets associated with a known session to the RETURN '
 'chain.')
 IPV6_RA_ALLOW = 'Allow IPv6 ICMP traffic to allow RA packets.'
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 33793a0e6..b2a7bf10c 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -429,7 +429,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 def _drop_invalid_packets(self, iptables_rules):
 # Always drop invalid packets
 iptables_rules += [comment_rule('-m state --state ' 'INVALID -j DROP',
- comment=ic.STATELESS_DROP)]
+ comment=ic.INVALID_DROP)]
 return iptables_rules

 def _allow_established(self, iptables_rules):
-- 
2.45.2
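Review bot: The rename in iptables_comments.py removes the module-level name `STATELESS_DROP` outright, so any other consumer of `ic.STATELESS_DROP` that is not in this two-file diff (an out-of-tree firewall driver, for instance) would raise AttributeError at rule-build time; if such consumers are plausible, keep a one-cycle alias after the new constant, `STATELESS_DROP = INVALID_DROP  # deprecated name, remove next cycle`. The new wording is also slightly narrower than what `--state INVALID` matches: conntrack marks a packet INVALID not only when it looks mid-stream with no table entry but also when it is malformed or otherwise cannot be classified, so the rule's comment would be more accurate as `"Drop packets that conntrack cannot associate with a connection "` / `"(e.g. TCP ACK/FIN with no conntrack entry, or malformed packets)."`. The second hunk in iptables_firewall.py only follows the rename and needs no separate change.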