Limit chain name to 28 characters

Fixes bug 1103838

Change-Id: I90c0690433bac3ebe2de5b4cbbad3c358a889283
Gary Kotton 2013-02-25 16:57:17 +00:00
parent f851706511
commit be3b9a471d
2 changed files with 10 additions and 10 deletions


@ -274,11 +274,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
return [] return []
def _port_chain_name(self, port, direction): def _port_chain_name(self, port, direction):
#Note (nati) make chain name short less than 28 char
# with extra prefix
# ( see comment in iptables_manager )
return '%s%s' % (CHAIN_NAME_PREFIX[direction], return '%s%s' % (CHAIN_NAME_PREFIX[direction],
port['device'][3:13]) port['device'][3:])
def filter_defer_apply_on(self): def filter_defer_apply_on(self):
self.iptables.defer_apply_on() self.iptables.defer_apply_on()
@ -291,11 +288,8 @@ class OVSHybridIptablesFirewallDriver(IptablesFirewallDriver):
OVS_HYBRID_TAP_PREFIX = 'tap' OVS_HYBRID_TAP_PREFIX = 'tap'
def _port_chain_name(self, port, direction): def _port_chain_name(self, port, direction):
#Note (nati) make chain name short less than 28 char
# with extra prefix
# ( see comment in iptables_manager )
return '%s%s' % (CHAIN_NAME_PREFIX[direction], return '%s%s' % (CHAIN_NAME_PREFIX[direction],
port['device'][0:10]) port['device'])
def _get_device_name(self, port): def _get_device_name(self, port):
return (self.OVS_HYBRID_TAP_PREFIX + port['device'])[:LINUX_DEV_LEN] return (self.OVS_HYBRID_TAP_PREFIX + port['device'])[:LINUX_DEV_LEN]
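Review bot: Both `_port_chain_name` variants now return the prefix plus the unbounded device string, so the length limit and the uniqueness of the per-port chain are decided entirely by the slicing in iptables_manager, and the comments that explained the limit are removed without a replacement. Once the wrapped name is cut to `MAX_CHAIN_LEN`, the number of characters of `port['device']` that survive depends on the length of `binary_name`. Two ports whose device strings share that surviving prefix would presumably end up in one chain and share security-group rules. I would keep a comment at both return statements, e.g. `# name is cut to MAX_CHAIN_LEN in iptables_manager; per-port isolation relies on the leading characters of port['device'] being unique`, and add a unit test with two devices that differ only in their trailing characters. Both classes continue outside the hunks shown.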


@ -37,6 +37,7 @@ LOG = logging.getLogger(__name__)
# (max_chain_name_length - len('-POSTROUTING') == 16) # (max_chain_name_length - len('-POSTROUTING') == 16)
binary_name = os.path.basename(inspect.stack()[-1][1])[:16] binary_name = os.path.basename(inspect.stack()[-1][1])[:16]
cfg.CONF.set_default('lock_path', '$state_path/lock') cfg.CONF.set_default('lock_path', '$state_path/lock')
MAX_CHAIN_LEN = 28
class IptablesRule(object): class IptablesRule(object):
@ -48,7 +49,7 @@ class IptablesRule(object):
""" """
def __init__(self, chain, rule, wrap=True, top=False): def __init__(self, chain, rule, wrap=True, top=False):
self.chain = chain self.chain = chain[:MAX_CHAIN_LEN]
self.rule = rule self.rule = rule
self.wrap = wrap self.wrap = wrap
self.top = top self.top = top
@ -67,6 +68,7 @@ class IptablesRule(object):
chain = '%s-%s' % (binary_name, self.chain) chain = '%s-%s' % (binary_name, self.chain)
else: else:
chain = self.chain chain = self.chain
chain = chain[:MAX_CHAIN_LEN]
return '-A %s %s' % (chain, self.rule) return '-A %s %s' % (chain, self.rule)
@ -90,6 +92,7 @@ class IptablesTable(object):
end up named 'nova-compute-OUTPUT'. end up named 'nova-compute-OUTPUT'.
""" """
name = name[:MAX_CHAIN_LEN]
if wrap: if wrap:
self.chains.add(name) self.chains.add(name)
else: else:
@ -107,6 +110,7 @@ class IptablesTable(object):
This removal "cascades". All rule in the chain are removed, as are This removal "cascades". All rule in the chain are removed, as are
all rules in other chains that jump to it. all rules in other chains that jump to it.
""" """
name = name[:MAX_CHAIN_LEN]
chain_set = self._select_chain_set(wrap) chain_set = self._select_chain_set(wrap)
if name not in chain_set: if name not in chain_set:
return return
@ -122,6 +126,7 @@ class IptablesTable(object):
If the chain is not found, this is merely logged. If the chain is not found, this is merely logged.
""" """
name = name[:MAX_CHAIN_LEN]
chain_set = self._select_chain_set(wrap) chain_set = self._select_chain_set(wrap)
if name not in chain_set: if name not in chain_set:
@ -159,7 +164,7 @@ class IptablesTable(object):
def _wrap_target_chain(self, s): def _wrap_target_chain(self, s):
if s.startswith('$'): if s.startswith('$'):
return '%s-%s' % (binary_name, s[1:]) return ('%s-%s' % (binary_name, s[1:]))[:MAX_CHAIN_LEN]
return s return s
def remove_rule(self, chain, rule, wrap=True, top=False): def remove_rule(self, chain, rule, wrap=True, top=False):
@ -180,6 +185,7 @@ class IptablesTable(object):
def empty_chain(self, chain, wrap=True): def empty_chain(self, chain, wrap=True):
"""Remove all rules from a chain.""" """Remove all rules from a chain."""
chain = chain[:MAX_CHAIN_LEN]
chained_rules = [rule for rule in self.rules chained_rules = [rule for rule in self.rules
if rule.chain == chain and rule.wrap == wrap] if rule.chain == chain and rule.wrap == wrap]
for rule in chained_rules: for rule in chained_rules:
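Review bot: The 28-character cut is applied to the unwrapped name in `IptablesRule.__init__`, `add_chain`, `remove_chain` and `empty_chain`, but to the wrapped `binary_name-chain` string in `__str__` and `_wrap_target_chain`, so the two forms disagree about how much of the chain name is significant. With a 16-character `binary_name` only 11 characters of the chain survive in the emitted rule, while `self.chains` and the `name not in chain_set` checks still tell apart names of up to 28 characters, so distinct entries can render as the same kernel chain and their rules would be merged. For wrapped chains the slice should leave room for the prefix, e.g. `name = name[:MAX_CHAIN_LEN - len(binary_name) - 1] if wrap else name[:MAX_CHAIN_LEN]`, ideally in one shared helper, and a name that collides after truncation is better logged or rejected than silently reused. The code that emits the chain declarations is outside these hunks, so whether it truncates the same way cannot be confirmed from here.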