From f23eb3290a1943c12e0ffbfd812ff5443f57af3c Mon Sep 17 00:00:00 2001
From: Bertrand Lallau
Date: Thu, 23 Jul 2015 11:31:49 +0200
Subject: [PATCH] Only mark metadata packets on internal interfaces

Currently iptables rules set on L3 agent with metadata_proxy enabled mark all packets coming from all interfaces including external interfaces. This change updates PREROUTING rules from MANGLE table to mark packets only from internal interfaces.

Change-Id: I01549df7b99be84cd46b6f97a5fd62aec1f43275
Closes-Bug: #1477553
---
 neutron/agent/metadata/driver.py | 4 +++-
 neutron/tests/unit/agent/metadata/test_driver.py | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/neutron/agent/metadata/driver.py b/neutron/agent/metadata/driver.py
index 338a78c94..e7b291c29 100644
--- a/neutron/agent/metadata/driver.py
+++ b/neutron/agent/metadata/driver.py
@@ -53,9 +53,11 @@ class MetadataDriver(object):
 @classmethod
 def metadata_mangle_rules(cls, mark):
 return [('PREROUTING', '-d 169.254.169.254/32 '
+ '-i %(interface_name)s '
 '-p tcp -m tcp --dport 80 '
 '-j MARK --set-xmark %(value)s/%(mask)s' %
- {'value': mark,
+ {'interface_name': namespaces.INTERNAL_DEV_PREFIX + '+',
+ 'value': mark,
 'mask': constants.ROUTER_MARK_MASK})]
 
 @classmethod
diff --git a/neutron/tests/unit/agent/metadata/test_driver.py b/neutron/tests/unit/agent/metadata/test_driver.py
index d86c4fbce..896639b6b 100644
--- a/neutron/tests/unit/agent/metadata/test_driver.py
+++ b/neutron/tests/unit/agent/metadata/test_driver.py
@@ -48,7 +48,7 @@ class TestMetadataDriverRules(base.BaseTestCase):
 metadata_driver.MetadataDriver.metadata_filter_rules(8775, '0x1'))
 
 def test_metadata_mangle_rules(self):
- rule = ('PREROUTING', '-d 169.254.169.254/32 '
+ rule = ('PREROUTING', '-d 169.254.169.254/32 -i qr-+ '
 '-p tcp -m tcp --dport 80 '
 '-j MARK --set-xmark 0x1/%s' % constants.ROUTER_MARK_MASK)
-- 
2.45.2
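Review bot: The new `-i %(interface_name)s` match in metadata_mangle_rules is now the only thing keeping traffic that arrives on the router's external interface from being marked, and nothing in the hunk records that intent; a docstring on the method such as `"""Return PREROUTING mangle rules that mark metadata traffic (dst 169.254.169.254:80) only when it arrives on an internal (INTERNAL_DEV_PREFIX) interface, leaving packets from the external interface unmarked."""` would stop a later edit from dropping the interface match as redundant. Whether the restriction holds end to end depends on the nat/filter rules elsewhere in MetadataDriver keying on this mark rather than on the destination address alone, which this hunk does not show and is worth confirming before relying on it. In the test_driver.py hunk the expected rule hard-codes `-i qr-+` while the driver derives the prefix from `namespaces.INTERNAL_DEV_PREFIX`; building the expected string from the same constant keeps the two from drifting apart. Both the MetadataDriver class and the TestMetadataDriverRules class continue outside their hunks.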