From ec1c6c98a64705385bff5e3e3673b66507e320c9 Mon Sep 17 00:00:00 2001
From: Hui HX Xiang
Date: Sun, 29 Sep 2013 19:48:51 -0700
Subject: [PATCH] Should not add metadata filter rules if disable metadata proxy

The metadata filter rules should not be added into iptables if Neutron metadata proxy is disabled. This patchset fixes this issue by adding a condition when adding metadata filter rules to iptables.

Closes-Bug #1224290
Change-Id: I7f14d281c31c1828a90abac8821635773238b2d0
---
 neutron/agent/l3_agent.py | 7 ++++---
 neutron/tests/unit/test_l3_agent.py | 12 ++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/neutron/agent/l3_agent.py b/neutron/agent/l3_agent.py
index 69b4ea0ced..d6c54fc69f 100644
--- a/neutron/agent/l3_agent.py
+++ b/neutron/agent/l3_agent.py
@@ -544,9 +544,10 @@ class L3NATAgent(firewall_l3_agent.FWaaSL3AgentRpcCallback, manager.Manager):
 def metadata_filter_rules(self):
 rules = []
- rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
- '-p tcp -m tcp --dport %s '
- '-j ACCEPT' % self.conf.metadata_port))
+ if self.conf.enable_metadata_proxy:
+ rules.append(('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport %s '
+ '-j ACCEPT' % self.conf.metadata_port))
 return rules
 def metadata_nat_rules(self):
diff --git a/neutron/tests/unit/test_l3_agent.py b/neutron/tests/unit/test_l3_agent.py
index 4e40675fb2..3497a5ef89 100644
--- a/neutron/tests/unit/test_l3_agent.py
+++ b/neutron/tests/unit/test_l3_agent.py
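Review bot: Only the filter rule is gated in `metadata_filter_rules`; `metadata_nat_rules`, whose signature is the hunk's last context line and whose body lies outside the diff, is not touched by this commit. If that helper still installs its rule when `enable_metadata_proxy` is False, the router namespace keeps NAT state for a proxy that is not running and the two helpers disagree about the option, so it is worth confirming that it gets the same guard or that the caller skips it. A docstring on `metadata_filter_rules` would also make the contract explicit, for example `"""Return the INPUT ACCEPT rule for metadata_port, or [] when enable_metadata_proxy is False."""`.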
@@ -672,6 +672,18 @@ class TestBasicRouterOperations(base.BaseTestCase):
 msg = "Error importing interface driver 'wrong_driver'"
 log.error.assert_called_once_with(msg)
+ def test_metadata_filter_rules(self):
+ self.conf.set_override('enable_metadata_proxy', False)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ self.assertEqual([], agent.metadata_filter_rules())
+
+ self.conf.set_override('metadata_port', '8775')
+ self.conf.set_override('enable_metadata_proxy', True)
+ agent = l3_agent.L3NATAgent(HOSTNAME, self.conf)
+ rules = ('INPUT', '-s 0.0.0.0/0 -d 127.0.0.1 '
+ '-p tcp -m tcp --dport 8775 -j ACCEPT')
+ self.assertEqual([rules], agent.metadata_filter_rules())
+
 class TestL3AgentEventHandler(base.BaseTestCase):
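Review bot: The disabled case in `test_metadata_filter_rules` asserts only on the helper's return value, so it does not show that a router set up with `enable_metadata_proxy` False ends up without the ACCEPT rule in its iptables manager. The code that installs the rules is outside this diff, and a test through that path would pin the behaviour the bug report is about. Two smaller points: `rules` holds a single tuple and would read better as `rule`, and `metadata_port` is overridden with the string `'8775'`, which matches only because the rule is built with `%s`. If the option is declared as an integer, `self.conf.set_override('metadata_port', 8775)` is closer to what the agent sees in production.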