From b049971c5652adc8e6146f15180ceccc58f8ae9a Mon Sep 17 00:00:00 2001
From: Assaf Muller
Date: Mon, 22 Dec 2014 17:01:37 +0200
Subject: [PATCH] Allow to request metadata proxy only from internal interfaces
Currently the metadata service can be requested on 169.254.169.254:80 from all interfaces including external interfaces. This change updates PREROUTING rules to allow request on 169.254.169.254:80 only from internal interfaces.
Change-Id: I44a9e03992f9e2a7bd4d798ae69d8aa7d75d3078
Closes-Bug: #1187102
---
 neutron/agent/metadata/driver.py | 6 +++++-
 neutron/tests/unit/agent/metadata/test_driver.py | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 1e36460ee..bdb01354c 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -19,6 +19,7 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from neutron.agent.common import config
+from neutron.agent.l3 import namespaces
 from neutron.agent.linux import external_process
 from neutron.common import exceptions
 from neutron.services import advanced_service
@@ -104,8 +105,11 @@ class MetadataDriver(advanced_service.AdvancedService):
 @classmethod
 def metadata_nat_rules(cls, port):
 return [('PREROUTING', '-d 169.254.169.254/32 '
+ '-i %(interface_name)s '
 '-p tcp -m tcp --dport 80 -j REDIRECT '
- '--to-port %s' % port)]
+ '--to-port %(port)s' %
+ {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+', 'port': port})]
 @classmethod
 def _get_metadata_proxy_user_group(cls, conf):
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index afd97d9c2..efd8ed564 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
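Review bot: The `-i %(interface_name)s` match added in metadata_nat_rules only narrows where the REDIRECT fires; packets to 169.254.169.254:80 that arrive on any other interface are now handed to ordinary routing, and the proxy's own listening port (`port`) remains directly reachable unless the filter INPUT rule that accepts that port (not in this hunk) is scoped to the same interfaces — worth confirming, since otherwise the external interface can still reach the proxy by its real port. The wildcard is built from namespaces.INTERNAL_DEV_PREFIX, so any internal-facing device that uses a different prefix (I cannot tell from this hunk whether any exist) would silently stop receiving metadata redirection. The method has no docstring; I would add `"""Return the PREROUTING rule that redirects metadata traffic (169.254.169.254:80) to the proxy on `port`, matched only on INTERNAL_DEV_PREFIX interfaces so the external interface cannot use it."""`. The enclosing class MetadataDriver starts outside the hunk.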
@@ -33,7 +33,7 @@ _uuid = uuidutils.generate_uuid
 class TestMetadataDriverRules(base.BaseTestCase):
 def test_metadata_nat_rules(self):
- rules = ('PREROUTING', '-d 169.254.169.254/32 '
+ rules = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
 '-p tcp -m tcp --dport 80 -j REDIRECT --to-port 8775')
 self.assertEqual(
 [rules],
-- 
2.45.2
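Review bot: The expected rule now pins `-i qr-+` as a literal, which is the right choice for a regression test, but nothing in test_metadata_nat_rules records why that fragment matters, so a later edit could "simplify" it away without any reviewer noticing. I would add a comment above the `rules` assignment such as `# The -i qr-+ match is what keeps 169.254.169.254:80 from being redirected for traffic arriving on the external interface; keep it pinned (see bug 1187102).`. The test method's body continues outside the hunk.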