From 10e6b6bd1b2b71bf18341719428d68a3f30cb2e9 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Sun, 26 Feb 2017 07:56:45 -0800
Subject: [PATCH] Don't install iptables rules if neutron is filtering
Don't setup iptables rules in the Linux Bridge driver if Neutron is providing security groups filtering. When neutron is providing filtering, it handles everything ranging from security-group enforcement to anti-spoofing rules so Nova/os-vif shouldn't need to do anything on plug.
Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb
---
 vif_plug_linux_bridge/linux_bridge.py | 5 ++++-
 vif_plug_linux_bridge/tests/test_plugin.py | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/vif_plug_linux_bridge/linux_bridge.py b/vif_plug_linux_bridge/linux_bridge.py
index 9d8a8d39..aa124655 100644
--- a/vif_plug_linux_bridge/linux_bridge.py
+++ b/vif_plug_linux_bridge/linux_bridge.py
@@ -102,7 +102,10 @@ class LinuxBridgePlugin(plugin.PluginBase):
 bridge_name, iface, mtu=mtu)
 else:
 iface = self.config.flat_interface or network.bridge_interface
- linux_net.ensure_bridge(bridge_name, iface)
+ # only put in iptables rules if Neutron not filtering
+ install_filters = not vif.has_traffic_filtering
+ linux_net.ensure_bridge(bridge_name, iface,
+ filtering=install_filters)
 def unplug(self, vif, instance_info):
 # Nothing required to unplug a port for a VIF using standard
diff --git a/vif_plug_linux_bridge/tests/test_plugin.py b/vif_plug_linux_bridge/tests/test_plugin.py
index b1f3651e..58083695 100644
--- a/vif_plug_linux_bridge/tests/test_plugin.py
+++ b/vif_plug_linux_bridge/tests/test_plugin.py
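Review bot: The decision to skip the host iptables rules rests solely on `vif.has_traffic_filtering`, so a VIF that reports filtering while the Neutron agent is not actually enforcing it would leave the bridge with no host-side rules, and nothing in `plug` records that they were skipped. The inline comment should state that trust assumption, for example `# has_traffic_filtering comes from Neutron; when True no iptables rules are installed here and the port depends entirely on the Neutron agent for filtering and anti-spoofing`. The VLAN branch, whose call ends at `bridge_name, iface, mtu=mtu)`, is not given the flag, so if `ensure_vlan_bridge` also installs rules through `ensure_bridge` the two branches now behave differently; that helper is outside this hunk and should be checked. `plug` begins above the hunk.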
@@ -66,14 +66,20 @@ class PluginTest(testtools.TestCase):
 address='ca:fe:de:ad:be:ef',
 network=network,
 dev_name='tap-xxx-yyy-zzz',
+ has_traffic_filtering=True,
 bridge_name="br0")
 plugin = linux_bridge.LinuxBridgePlugin.load("linux_bridge")
 plugin.plug(vif, self.instance)
- mock_ensure_bridge.assert_called_with("br0", "eth0")
+ mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=False)
 self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)
+ mock_ensure_bridge.reset_mock()
+ vif.has_traffic_filtering = False
+ plugin.plug(vif, self.instance)
+ mock_ensure_bridge.assert_called_with("br0", "eth0", filtering=True)
+
 def test_plug_bridge_create_br_vlan_mtu_in_model(self):
 self._test_plug_bridge_create_br_vlan(mtu=1234)
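Review bot: Both new checks use `assert_called_with`, which looks only at the most recent call, so a `plug` that called `ensure_bridge` twice with different `filtering` values would still pass; after the `reset_mock()` the second check can be `mock_ensure_bridge.assert_called_once_with("br0", "eth0", filtering=True)`. The unchanged `self.assertEqual(len(mock_ensure_vlan_bridge.calls), 0)` probably verifies nothing if the patch supplies a `MagicMock`, since `.calls` would be an auto-created attribute whose length is always 0; `mock_ensure_vlan_bridge.assert_not_called()` would pin it, and no such check follows the second `plug` call. The two filtering cases would also read more clearly as separate test methods instead of mutating `vif` mid-test. The test method starts above the hunk, so the patch decorators are not visible here.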