From db4b8afd1d7b42d7c6fd4ccbe35531a7dcf4898d Mon Sep 17 00:00:00 2001
From: Hui HX Xiang
Date: Sun, 29 Sep 2013 19:48:51 -0700
Subject: [PATCH] Should not add metadata filter rules if disable metadata proxy
The metadata filter rules should not be added into iptables if Neutron metadata proxy is disabled. This patchset fixes this issue by adding a condition when adding metadata filter rules to iptables.
Closes-Bug #1224290
Change-Id: I7f14d281c31c1828a90abac8821635773238b2d0
---
 neutron/agent/l3_agent.py | 7 ++++---
 neutron/tests/unit/test_l3_agent.py | 12 ++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/neutron/agent/l3_agent.py b/neutron/agent/l3_agent.py
index 69b4ea0ce..d6c54fc69 100644
--- a/neutron/agent/l3_agent.py
+++ b/neutron/agent/l3_agent.py
@@ -544,9 +544,10 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback, manager.Manager):
 def metadata_filter_rules(self):
 rules = []
- rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
- '-p tcp -m tcp --dport %s '
- '-j ACCEPT' % self.conf.metadata_port))
+ if self.conf.enable_metadata_proxy:
+ rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport %s '
+ '-j ACCEPT' % self.conf.metadata_port))
 return rules
 def metadata_nat_rules(self):
diff --git a/neutron/tests/unit/test_l3_agent.py b/neutron/tests/unit/test_l3_agent.py
index 4e40675fb..3497a5ef8 100644
--- a/neutron/tests/unit/test_l3_agent.py
+++ b/neutron/tests/unit/test_l3_agent.py
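Review bot: `metadata_filter_rules` in `neutron/agent/l3_agent.py` has no docstring recording when the ACCEPT rule on `127.0.0.1` is emitted, which is what someone auditing the agent's iptables output needs to know. A one-line docstring would cover it: `"""Return the INPUT rule accepting TCP to 127.0.0.1 on metadata_port; empty list when enable_metadata_proxy is False."""`. `metadata_nat_rules` begins on the last line of this hunk and its body is outside it, so confirm it is gated on the same option; otherwise the filter and NAT rule sets could disagree when the proxy is disabled. The hunk only changes which rules are generated, and whether a rule already installed is removed after the option is switched off cannot be seen from here.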
@@ -672,6 +672,18 @@ class TestBasicRouterOperations(base.BaseTestCase):
 msg = "Error importing interface driver 'wrong_driver'"
 log.error.assert_called_once_with(msg)
+ def test_metadata_filter_rules(self):
+ self.conf.set_override('enable_metadata_proxy', False)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ self.assertEqual([], agent.metadata_filter_rules())
+
+ self.conf.set_override('metadata_port', '8775')
+ self.conf.set_override('enable_metadata_proxy', True)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport 8775 -j ACCEPT')
+ self.assertEqual([rules], agent.metadata_filter_rules())
+
 class TestL3AgentEventHandler(base.BaseTestCase):
-- 
2.45.2
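Review bot: `test_metadata_filter_rules` checks the disabled and the enabled case in one method, so a failure in the first `assertEqual` stops the test before the enabled path runs. Two methods, for example `test_metadata_filter_rules_proxy_disabled` and `test_metadata_filter_rules_proxy_enabled`, would report each case on its own. The local `rules` holds a single tuple and reads better as `rule`, giving `self.assertEqual([rule], agent.metadata_filter_rules())`. The port is overridden with the string `'8775'`; if `metadata_port` is declared as an integer option (its declaration is not visible here), overriding with `8775` would match the configured type.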