From 2a4b5f938d038bd73a70f1fc86cc71e819e288b0 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Mon, 5 Oct 2015 08:07:56 -0700
Subject: [PATCH] Fix iptables comments for bare jump rules

This fixes the order of arguments in iptables rules that are bare jumps (e.g. '-j other-chain'). The previous code was only catching jump rules that appeared after a chain definition.

Closes-Bug: #1502932
Change-Id: I490792eb08c67a32f9b286d933a776fb76840b6b
---
 neutron/agent/linux/iptables_manager.py | 12 +++++++-----
 .../unit/agent/linux/test_iptables_manager.py | 14 ++++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py
index d72cdd587..4735ac771 100644
--- a/neutron/agent/linux/iptables_manager.py
+++ b/neutron/agent/linux/iptables_manager.py
@@ -67,13 +67,15 @@ def comment_rule(rule, comment):
 return rule
 # iptables-save outputs the comment before the jump so we need to match
 # that order so _find_last_entry works
+ comment = '-m comment --comment "%s"' % comment
+ if rule.startswith('-j'):
+ # this is a jump only rule so we just put the comment first
+ return '%s %s' % (comment, rule)
 try:
- start_of_jump = rule.index(' -j ')
+ jpos = rule.index(' -j ')
+ return ' '.join((rule[:jpos], comment, rule[jpos + 1:]))
 except ValueError:
- return '%s -m comment --comment "%s"' % (rule, comment)
- return ' '.join([rule[0:start_of_jump],
- '-m comment --comment "%s"' % comment,
- rule[start_of_jump + 1:]])
+ return '%s %s' % (rule, comment)


 def get_chain_name(chain_name, wrap=True):
diff --git a/neutron/tests/unit/agent/linux/test_iptables_manager.py b/neutron/tests/unit/agent/linux/test_iptables_manager.py
index d6a1f9116..8d0afde3d 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_manager.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_manager.py
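Review bot: In `comment_rule` (neutron/agent/linux/iptables_manager.py), the added line `comment = '-m comment --comment "%s"' % comment` still places the caller's text between double quotes with no escaping or validation, so a comment containing `"` or a newline would yield a malformed rule or let the remainder be read as extra rule arguments. Whether callers only ever pass fixed strings is not visible in this hunk; if they do, a one-line comment stating that contract is enough, e.g. `# comment must be a trusted constant: it is not escaped`. Otherwise the function should reject such characters before formatting. The function's opening lines are outside the hunk.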
@@ -143,6 +143,20 @@ class IptablesCommentsTestCase(base.BaseTestCase):
 self.fail("Iptables comment %s is longer than 255 characters."
 % attr)

+ def test_reordering_of_jump_rule_comments(self):
+ # jump at the start
+ self.assertEqual(
+ '-m comment --comment "aloha" -j sg-chain',
+ iptables_manager.comment_rule('-j sg-chain', 'aloha'))
+ # jump in the middle
+ self.assertEqual(
+ '-s source -m comment --comment "aloha" -j sg-chain',
+ iptables_manager.comment_rule('-s source -j sg-chain', 'aloha'))
+ # no jump rule
+ self.assertEqual(
+ '-s source -m comment --comment "aloha"',
+ iptables_manager.comment_rule('-s source', 'aloha'))
+
 def test_add_filter_rule(self):
 iptables_args = {}
 iptables_args.update(IPTABLES_ARG)
--
2.45.2
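Review bot: None of the three assertions covers a rule in which ` -j ` occurs before the real jump, for instance inside a quoted match argument, even though `comment_rule` splits at the first occurrence returned by `rule.index(' -j ')`. A fourth case with a constructed rule such as `-m comment --comment "a -j b" -j sg-chain` would pin whether the new comment lands inside the quoted text or before the real target. Rules that spell the target as `--jump` or `-g` likewise fall through to the append branch, which may not match the ordering the code comment says iptables-save emits; that is worth a test or an explicit note if such rules never reach this function.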