From be3b9a471d6678cb1471f3c36330d856f0df2a63 Mon Sep 17 00:00:00 2001
From: Gary Kotton
Date: Mon, 25 Feb 2013 16:57:17 +0000
Subject: [PATCH] Limit chain name to 28 characters

Fixes bug 1103838

Change-Id: I90c0690433bac3ebe2de5b4cbbad3c358a889283
---
 quantum/agent/linux/iptables_firewall.py | 10 ++--------
 quantum/agent/linux/iptables_manager.py | 10 ++++++++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/quantum/agent/linux/iptables_firewall.py b/quantum/agent/linux/iptables_firewall.py
index 246fd87566..df26369cbb 100644
--- a/quantum/agent/linux/iptables_firewall.py
+++ b/quantum/agent/linux/iptables_firewall.py
@@ -274,11 +274,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
         return []
 
     def _port_chain_name(self, port, direction):
-        #Note (nati) make chain name short less than 28 char
-        # with extra prefix
-        # ( see comment in iptables_manager )
         return '%s%s' % (CHAIN_NAME_PREFIX[direction],
-                         port['device'][3:13])
+                         port['device'][3:])
 
     def filter_defer_apply_on(self):
         self.iptables.defer_apply_on()
@@ -291,11 +288,8 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
     OVS_HYBRID_TAP_PREFIX = 'tap'
 
     def _port_chain_name(self, port, direction):
-        #Note (nati) make chain name short less than 28 char
-        # with extra prefix
-        # ( see comment in iptables_manager )
         return '%s%s' % (CHAIN_NAME_PREFIX[direction],
-                         port['device'][0:10])
+                         port['device'])
 
     def _get_device_name(self, port):
         return (self.OVS_HYBRID_TAP_PREFIX + port['device'])[:LINUX_DEV_LEN]
diff --git a/quantum/agent/linux/iptables_manager.py b/quantum/agent/linux/iptables_manager.py
index 8c63d8d68d..b7b4eca5a2 100644
--- a/quantum/agent/linux/iptables_manager.py
+++ b/quantum/agent/linux/iptables_manager.py
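Review bot: `_port_chain_name` now hands the full device id to the manager and relies on the manager's 28-character truncation to produce a legal iptables name, but nothing here bounds what survives: once `IptablesManager` prefixes `binary_name` (up to 16 characters plus `-`) and cuts at 28, only about 11 characters of this return value remain, so the chain's uniqueness rests on the leading characters of `port['device']`, and the prefix rather than the tail decides. The same applies to the `OVSHybridIptablesFirewallDriver._port_chain_name` hunk below it. Two ports whose device ids share that prefix would silently share a chain, which means one port's security-group rules being applied to, or its chain removal cascading onto, another port; whether the ids are UUID-derived and how likely a shared prefix is cannot be told from this hunk. Worth keeping a comment in both methods so the next reader does not assume the whole id is significant, e.g. `# The manager truncates chain names to 28 chars after prefixing binary_name, so only the leading chars of port['device'] distinguish ports.`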
@@ -37,6 +37,7 @@ LOG = logging.getLogger(__name__)
 # (max_chain_name_length - len('-POSTROUTING') == 16)
 binary_name = os.path.basename(inspect.stack()[-1][1])[:16]
 cfg.CONF.set_default('lock_path', '$state_path/lock')
+MAX_CHAIN_LEN = 28
 
 
 class IptablesRule(object):
@@ -48,7 +49,7 @@ class IptablesRule(object):
     """
 
     def __init__(self, chain, rule, wrap=True, top=False):
-        self.chain = chain
+        self.chain = chain[:MAX_CHAIN_LEN]
         self.rule = rule
         self.wrap = wrap
         self.top = top
@@ -67,6 +68,7 @@ class IptablesRule(object):
             chain = '%s-%s' % (binary_name, self.chain)
         else:
             chain = self.chain
+        chain = chain[:MAX_CHAIN_LEN]
         return '-A %s %s' % (chain, self.rule)
 
 
@@ -90,6 +92,7 @@ class IptablesTable(object):
         end up named 'nova-compute-OUTPUT'.
 
         """
+        name = name[:MAX_CHAIN_LEN]
         if wrap:
             self.chains.add(name)
         else:
@@ -107,6 +110,7 @@ class IptablesTable(object):
         This removal "cascades". All rule in the chain are removed, as are
         all rules in other chains that jump to it.
         """
+        name = name[:MAX_CHAIN_LEN]
         chain_set = self._select_chain_set(wrap)
         if name not in chain_set:
             return
@@ -122,6 +126,7 @@ class IptablesTable(object):
         If the chain is not found, this is merely logged.
 
         """
+        name = name[:MAX_CHAIN_LEN]
         chain_set = self._select_chain_set(wrap)
 
         if name not in chain_set:
@@ -159,7 +164,7 @@ class IptablesTable(object):
 
     def _wrap_target_chain(self, s):
         if s.startswith('$'):
-            return '%s-%s' % (binary_name, s[1:])
+            return ('%s-%s' % (binary_name, s[1:]))[:MAX_CHAIN_LEN]
         return s
 
     def remove_rule(self, chain, rule, wrap=True, top=False):
@@ -180,6 +185,7 @@ class IptablesTable(object):
 
     def empty_chain(self, chain, wrap=True):
         """Remove all rules from a chain."""
+        chain = chain[:MAX_CHAIN_LEN]
         chained_rules = [rule for rule in self.rules
                          if rule.chain == chain and rule.wrap == wrap]
         for rule in chained_rules:
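Review bot: `MAX_CHAIN_LEN = 28` is added without saying where the figure comes from, while the comment two lines above it derives the 16-character `binary_name` cap from the same limit; the two should be tied together so one is not changed without the other. Suggest defining the constant before `binary_name` with `# iptables rejects user-defined chain names longer than 28 characters; binary_name is cut so that 'binary_name-POSTROUTING' still fits.` and deriving the cap from it, `binary_name = os.path.basename(inspect.stack()[-1][1])[:MAX_CHAIN_LEN - len('-POSTROUTING')]`.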
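Review bot: The truncation in `IptablesRule.__init__` (`chain[:MAX_CHAIN_LEN]`) and the second one in `__str__` do not agree on what the final name is: a chain that `add_chain` accepts as 28 unique characters is cut to 28 again in `__str__` and `_wrap_target_chain` after `binary_name-` (up to 17 characters) is prepended, leaving roughly 11 characters of the original name. Two chains that `self.chains` treats as distinct can therefore collapse into one iptables chain and nothing detects it: the `-A` lines land among the other chain's rules and the cascading `remove_chain` (and `empty_chain`) act on the shared name, so one port's filtering can be altered by operations on another. The same per-call slicing is repeated in the `add_chain`, `remove_chain`, `ensure_remove_chain` and `empty_chain` hunks, and whether the chain-creation path in `_modify_rules` (outside this diff) truncates the wrapped name the same way cannot be seen here. I would centralise the wrapping in one helper used everywhere a name reaches iptables, keep a mapping from final to original name on `add_chain`, and `LOG.error` when a final name already belongs to a different chain so the collision is visible rather than silent.
```python
MAX_CHAIN_LEN = 28


def get_chain_name(chain_name, wrap=True):
    """Return *chain_name* as iptables will see it.

    Wrapped names carry the ``binary_name-`` prefix; the cut to
    MAX_CHAIN_LEN happens in this one place so that IptablesRule.__str__,
    _wrap_target_chain and the chain-creation code agree on the name.
    """
    if wrap:
        return ('%s-%s' % (binary_name, chain_name))[:MAX_CHAIN_LEN]
    return chain_name[:MAX_CHAIN_LEN]

# … unchanged: IptablesRule, with __str__ reduced to
#   return '-A %s %s' % (get_chain_name(self.chain, self.wrap), self.rule) …
# … unchanged: IptablesTable, with _wrap_target_chain returning
#   get_chain_name(s[1:]) for '$'-prefixed targets …
```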