Don't install iptables rules if neutron is filtering

Don't set up iptables rules in the Linux Bridge driver
if Neutron is providing security groups filtering.
When neutron is providing filtering, it handles everything
ranging from security-group enforcement to anti-spoofing
rules so Nova/os-vif shouldn't need to do anything on plug.

Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb
Kevin Benton 2017-02-26 07:56:45 -08:00
parent 60a25bb135
commit 10e6b6bd1b
2 changed files with 11 additions and 2 deletions


@ -102,7 +102,10 @@ class LinuxBridgePlugin(plugin.PluginBase):
bridge_name, iface, mtu=mtu)
else:
iface = self.config.flat_interface or network.bridge_interface
linux_net.ensure_bridge(bridge_name, iface)
# only put in iptables rules if Neutron not filtering
install_filters = not vif.has_traffic_filtering
linux_net.ensure_bridge(bridge_name, iface,
filtering=install_filters)
def unplug(self, vif, instance_info):
# Nothing required to unplug a port for a VIF using standard
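Review bot: Only the flat-bridge branch gets the new `filtering` argument; the call in the branch above, which ends at `bridge_name, iface, mtu=mtu)`, is unchanged, so a VIF plugged through that path presumably still gets the iptables rules even when `vif.has_traffic_filtering` is true. If that helper can take the same flag, compute `install_filters` before the `if` and pass it on both paths; otherwise the comment should say that the skip applies to the flat path only. The comment could also state the trust assumption, e.g. `# has_traffic_filtering comes from the VIF object; when it is true no iptables rules are installed on the bridge here`. The body of `plug` starts outside this hunk, so the first branch is only partly visible.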


@ -66,14 +66,20 @@ class PluginTest(testtools.TestCase):
address='ca:fe:de:ad:be:ef',
network=network,
dev_name='tap-xxx-yyy-zzz',
has_traffic_filtering=True,
bridge_name="br0")
plugin = linux_bridge.LinuxBridgePlugin.load("linux_bridge")
plugin.plug(vif, self.instance)
mock_ensure_bridge.assert_called_with("br0", "eth0")
mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=False)
self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)
mock_ensure_bridge.reset_mock()
vif.has_traffic_filtering = False
plugin.plug(vif, self.instance)
mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=True)
def test_plug_bridge_create_br_vlan_mtu_in_model(self):
self._test_plug_bridge_create_br_vlan(mtu=1234)
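Review bot: `self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)` does not check what it appears to check: `calls` is not part of the mock API, so if the patch is the default `MagicMock`, the attribute is auto-created and its `len()` is always 0. `mock_ensure_vlan_bridge.assert_not_called()` would make the check real, and it is worth repeating after the second `plugin.plug(vif, self.instance)`. The two new `assert_called_with` checks could be `assert_called_once_with`, so that an additional `ensure_bridge` call with a different `filtering` value is also caught. The test method starts outside this hunk.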