From 1ddb9906afaf9c6a87aeb0c4201aa7126e2a9cd0 Mon Sep 17 00:00:00 2001
From: llg8212
Date: Wed, 25 Dec 2013 09:57:21 +0800
Subject: [PATCH] ipt_mgr.ipv6 written in the wrong ipt_mgr.ipv4

This patch fixes the issue of writing the wrong firewall rule where an IP6 rule is written to IP4.

Change-Id: Ie7c75c71c9dcfbd9feabaffe4416ede80ff350d8
Closes-Bug:#1263877
---
 .../firewall/drivers/linux/iptables_fwaas.py | 2 +-
 .../drivers/linux/test_iptables_fwaas.py | 41 +++++++++++--------
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/neutron/services/firewall/drivers/linux/iptables_fwaas.py b/neutron/services/firewall/drivers/linux/iptables_fwaas.py
index ffc467c7ca..df71a44d39 100644
--- a/neutron/services/firewall/drivers/linux/iptables_fwaas.py
+++ b/neutron/services/firewall/drivers/linux/iptables_fwaas.py
@@ -210,7 +210,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
 bname = iptables_manager.binary_name
 for (ver, tbl) in [(IPV4, ipt_mgr.ipv4['filter']),
- (IPV6, ipt_mgr.ipv4['filter'])]:
+ (IPV6, ipt_mgr.ipv6['filter'])]:
 for direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
 chain_name = self._get_chain_name(fwid, ver, direction)
 chain_name = iptables_manager.get_chain_name(chain_name)
diff --git a/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py b/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
index f58a0300ea..85a6c155c0 100644
--- a/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
+++ b/neutron/tests/unit/services/firewall/drivers/linux/test_iptables_fwaas.py
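Review bot: Nothing at the corrected `(IPV6, ipt_mgr.ipv6['filter'])` pair records why the pairing matters, and a wrong table here fails silently: the IPv6 chains land in the IPv4 filter table and the IPv6 table gets none of them from this loop, so IPv6 traffic is presumably left outside the firewall policy. A short comment above the loop would help, for example `# Each IP version must get its own table: v6 chains placed in ipv4['filter'] leave the IPv6 table without this firewall's chains.` The enclosing method starts and ends outside the hunk, so other loops in this driver that pair IPV4/IPV6 with a table are worth checking for the same copy-paste slip.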
@@ -158,23 +158,32 @@ class IptablesFwaasTestCase(base.BaseTestCase):
 self.firewall.create_firewall(apply_list, firewall)
 invalid_rule = '-m state --state INVALID -j DROP'
 est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
- ingress_chain = ('iv4%s' % firewall['id'])
- egress_chain = ('ov4%s' % firewall['id'])
 bname = fwaas.iptables_manager.binary_name
- calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
- call.ensure_remove_chain('ov4fake-fw-uuid'),
- call.ensure_remove_chain('fwaas-default-policy'),
- call.add_chain('fwaas-default-policy'),
- call.add_rule('fwaas-default-policy', '-j DROP'),
- call.add_chain(ingress_chain),
- call.add_rule(ingress_chain, invalid_rule),
- call.add_rule(ingress_chain, est_rule),
- call.add_chain(egress_chain),
- call.add_rule(egress_chain, invalid_rule),
- call.add_rule(egress_chain, est_rule),
- call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
- call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
- apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
+
+ for ip_version in (4, 6):
+ ingress_chain = ('iv%s%s' % (ip_version, firewall['id']))
+ egress_chain = ('ov%s%s' % (ip_version, firewall['id']))
+ calls = [call.ensure_remove_chain('iv%sfake-fw-uuid' % ip_version),
+ call.ensure_remove_chain('ov%sfake-fw-uuid' % ip_version),
+ call.ensure_remove_chain('fwaas-default-policy'),
+ call.add_chain('fwaas-default-policy'),
+ call.add_rule('fwaas-default-policy', '-j DROP'),
+ call.add_chain(ingress_chain),
+ call.add_rule(ingress_chain, invalid_rule),
+ call.add_rule(ingress_chain, est_rule),
+ call.add_chain(egress_chain),
+ call.add_rule(egress_chain, invalid_rule),
+ call.add_rule(egress_chain, est_rule),
+ call.add_rule('FORWARD',
+ '-o qr-+ -j %s-fwaas-defau' % bname),
+ call.add_rule('FORWARD',
+ '-i qr-+ -j %s-fwaas-defau' % bname)]
+ if ip_version == 4:
+ v4filter_inst = apply_list[0].iptables_manager.ipv4['filter']
+ v4filter_inst.assert_has_calls(calls)
+ else:
+ v6filter_inst = apply_list[0].iptables_manager.ipv6['filter']
+ v6filter_inst.assert_has_calls(calls)
 def test_create_firewall_with_rules(self):
 self._setup_firewall_with_rules(self.firewall.create_firewall)
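Review bot: The per-version loop checks that each table received its own chains, but nothing asserts that the IPv4 table did not also receive the IPv6-named chains, which is the misplacement this commit fixes. A regression that writes the v6 chains to both tables would still pass; after the loop, something like `self.assertNotIn(call.add_chain('iv6%s' % firewall['id']), apply_list[0].iptables_manager.ipv4['filter'].mock_calls)` would pin it. The `ensure_remove_chain` expectations could also reuse `ingress_chain`/`egress_chain` instead of repeating the literal `fake-fw-uuid`. The test method begins above the hunk, and the `_setup_firewall_with_rules` helper used by the following test is not shown, so whether it checks `ipv6['filter']` cannot be told from here.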