Commit 386ebde

committed
Use the system-dependent string for IP protocol 4
iptables-save uses a system-dependent value, usually that found in /etc/protocols, when 'ipip' is given as the security group protocol. The intent is to always use the string value for IP protocol '4', as iptables-save has no '-n' flag to print values numerically. This updates a previous change (793dfb0) that hard-coded that string to 'ipencap', which broke CentOS/Fedora, which uses 'ipv4'. For this reason we cannot hard-code anything in neutron-lib, this needs to be added dynamically, so this one-line change needs to stay here, and effectively closes the bug. Closes-bug: #2054324 Change-Id: Ic40b539c9ef5cfa4cbbd6575e19e653342e8342b (cherry picked from commit cd1d191)
1 parent 7c7b020 commit 386ebde

2 files changed

+25
-15
lines changed

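--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -769,10 +769,14 @@ def _protocol_name_map(self):
 if not self._iptables_protocol_name_map:
 tmp_map = constants.IPTABLES_PROTOCOL_NAME_MAP.copy()
 tmp_map.update(self._local_protocol_name_map())
-# TODO(haleyb): remove once neutron-lib with fix is available
-# - 'ipip' uses 'ipencap' to match IPPROTO_IPIP from in.h,
-# which is IP-ENCAP/'4' in /etc/protocols (see bug #2054324)
-tmp_map[constants.PROTO_NAME_IPIP] = 'ipencap'
+# iptables-save uses different strings for 'ipip' (protocol 4)
+# depending on the distro, which corresponds to the entry for
+# '4' in /etc/protocols. For example:
+# - 'ipencap' in Ubuntu
+# - 'ipv4' in CentOS/Fedora
+# For this reason, we need to map the string for 'ipip' to the
+# system-dependent string for '4', see bug #2054324.
+tmp_map[constants.PROTO_NAME_IPIP] = tmp_map['4']
 self._iptables_protocol_name_map = tmp_map
 return self._iptables_protocol_name_map
 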
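Review bot: The new assignment `tmp_map[constants.PROTO_NAME_IPIP] = tmp_map['4']` indexes the map directly, so a missing '4' key raises KeyError the first time the map is built, and the firewall driver then cannot translate any security-group protocol. Whether '4' is always present depends on constants.IPTABLES_PROTOCOL_NAME_MAP and _local_protocol_name_map(), neither of which is visible in this hunk; on a host with a trimmed protocols database that guarantee may not hold. Consider `proto4 = tmp_map.get('4')` followed by `if proto4: tmp_map[constants.PROTO_NAME_IPIP] = proto4`, logging a warning otherwise, so the failure mode is explicit rather than an unhandled exception during rule generation. The body of _protocol_name_map starts above the hunk.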

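--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -490,37 +490,43 @@ def test_filter_ipv4_ingress_protocol_encap_by_num(self):
 self._test_prepare_port_filter(rule, ingress, egress)
 
 def test_filter_ipv4_ingress_protocol_ipip(self):
-# 'ipip' via the API uses 'ipencap' to match what iptables-save
-# uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
+# We want to use what the system-dependent string here is for 'ipip',
+# as it could be 'ipencap' or 'ipv4' depending on the distro.
+# See bug #2054324.
 rule = {'ethertype': 'IPv4',
 'direction': 'ingress',
 'protocol': 'ipip'}
+expected_proto_name = self.firewall._iptables_protocol_name('ipip')
 ingress = mock.call.add_rule('ifake_dev',
-'-p ipencap -j RETURN',
+'-p %s -j RETURN' % expected_proto_name,
 top=False, comment=None)
 egress = None
 self._test_prepare_port_filter(rule, ingress, egress)
 
-def test_filter_ipv4_ingress_protocol_ipip_by_num(self):
-# '4' via the API uses 'ipencap' to match what iptables-save
-# uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)
+def test_filter_ipv4_ingress_protocol_4(self):
+# We want to use what the system-dependent string here is for '4',
+# as it could be 'ipencap' or 'ipv4' depending on the distro.
+# See bug #2054324.
 rule = {'ethertype': 'IPv4',
 'direction': 'ingress',
 'protocol': '4'}
+expected_proto_name = self.firewall._iptables_protocol_name('4')
 ingress = mock.call.add_rule('ifake_dev',
-'-p ipencap -j RETURN',
+'-p %s -j RETURN' % expected_proto_name,
 top=False, comment=None)
 egress = None
 self._test_prepare_port_filter(rule, ingress, egress)
 
-def test_filter_ipv4_ingress_protocol_ipencap_by_num(self):
-# '94' via the API uses 'ipip' to match what iptables-save
-# uses, which is IPIP/'94' from /etc/protocols (see bug #2054324)
+def test_filter_ipv4_ingress_protocol_94(self):
+# We want to use what the system-dependent string here is for '94',
+# as it could be 'ipip' or something else depending on the distro.
+# See bug #2054324.
 rule = {'ethertype': 'IPv4',
 'direction': 'ingress',
 'protocol': '94'}
+expected_proto_name = self.firewall._iptables_protocol_name('94')
 ingress = mock.call.add_rule('ifake_dev',
-'-p ipip -j RETURN',
+'-p %s -j RETURN' % expected_proto_name,
 top=False, comment=None)
 egress = None
 self._test_prepare_port_filter(rule, ingress, egress)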
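Review bot: The three rewritten tests take `expected_proto_name` from `self.firewall._iptables_protocol_name(...)`, which is presumably the same lookup the rule-building code uses, so the assertions can no longer fail on a wrong mapping. Nothing here checks that 'ipip' and '4' resolve to the same string, which is the property this fix exists to guarantee; a rule string that differs from what iptables-save prints is what would leave security-group rules out of sync. In test_filter_ipv4_ingress_protocol_ipip I would add `self.assertEqual(self.firewall._iptables_protocol_name('4'), expected_proto_name)`. I would also add one case that patches `_local_protocol_name_map` to return `{'4': 'ipv4'}` and asserts the literal `'-p ipv4 -j RETURN'`, so the distro-dependent path is pinned independently of the build host.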
