| author | Jenkins <jenkins@review.openstack.org> | 2013-04-01 19:48:46 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-04-01 19:48:46 +0000 |
| commit | 3d12cf5c1fbc8fd30d4a4aa30d1c7f6c16782b1b (patch) | |
| tree | 406c3a2159ceeed5e5ef3d14317a61d7f4db466c | |
| parent | d9394f4a606608faaa2f314232b904c7b8e70858 (diff) | |
| parent | 786a752c660fec2f9671b95e5ce6e37ef709b8db (diff) | |
Merge "Better iptables DROP removal."
| -rw-r--r-- | nova/network/linux_net.py | 68 |
1 files changed, 39 insertions, 29 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index e8237fdbf..4a63f275d 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1517,14 +1517,17 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
for rule in get_gateway_rules(bridge):
ipv4_filter.remove_rule(*rule)
else:
- ipv4_filter.remove_rule('FORWARD',
- ('--in-interface %s -j %s'
- % (bridge,
- CONF.iptables_drop_action)))
- ipv4_filter.remove_rule('FORWARD',
- ('--out-interface %s -j %s'
- % (bridge,
- CONF.iptables_drop_action)))
+ drop_actions = ['DROP']
+ if CONF.iptables_drop_action != 'DROP':
+ drop_actions.append(CONF.iptables_drop_action)
+
+ for drop_action in drop_actions:
+ ipv4_filter.remove_rule('FORWARD',
+ ('--in-interface %s -j %s'
+ % (bridge, drop_action)))
+ ipv4_filter.remove_rule('FORWARD',
+ ('--out-interface %s -j %s'
+ % (bridge, drop_action)))
try:
utils.execute('ip', 'link', 'delete', bridge, run_as_root=True,
check_exit_code=[0, 2, 254])
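Review bot: The three-line construction of `drop_actions` is repeated verbatim in this hunk and in the remove_isolate_dhcp_address hunk below, so the rule for which jump targets count as a drop has no single home and nothing explains why the plain 'DROP' variant is always included even when CONF.iptables_drop_action is set to something else. A module-level helper that returns the list, with that reasoning in its docstring, reduces both call sites to `for drop_action in _iptables_drop_actions():`. Removing both variants unconditionally also means one of them is normally absent; if IptablesTable.remove_rule logs a warning for a rule it cannot find (the method is outside this hunk, so I cannot confirm that here), every teardown on a non-DROP deployment will now emit that warning for the variant that never existed, which can bury a genuinely failed removal. The enclosing LinuxBridgeInterfaceDriver method begins before this hunk.
```python
def _iptables_drop_actions():
    """Return every jump target a nova drop rule may have been created with.

    The plain 'DROP' target is always included, plus the configured
    CONF.iptables_drop_action when it differs, so that rules written
    while the option had a different value are removed as well.
    """
    actions = ['DROP']
    if CONF.iptables_drop_action != 'DROP':
        actions.append(CONF.iptables_drop_action)
    return actions

# … unchanged: LinuxBridgeInterfaceDriver method body up to the else: branch …
        else:
            for drop_action in _iptables_drop_actions():
                # … unchanged: the two FORWARD remove_rule calls …
```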
@@ -1595,27 +1598,34 @@ def remove_isolate_dhcp_address(interface, address):
# NOTE(vish): the above is not possible with iptables/arptables
# block dhcp broadcast traffic across the interface
ipv4_filter = iptables_manager.ipv4['filter']
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-in %s -d 255.255.255.255 '
- '-p udp --dport 67 -j %s'
- % (interface, CONF.iptables_drop_action)),
- top=True)
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-out %s -d 255.255.255.255 '
- '-p udp --dport 67 -j %s'
- % (interface, CONF.iptables_drop_action)),
- top=True)
- # block ip traffic to address across the interface
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-in %s -d %s -j %s'
- % (interface, address,
- CONF.iptables_drop_action)),
- top=True)
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-out %s -s %s -j %s'
- % (interface, address,
- CONF.iptables_drop_action)),
- top=True)
+
+ drop_actions = ['DROP']
+ if CONF.iptables_drop_action != 'DROP':
+ drop_actions.append(CONF.iptables_drop_action)
+
+ for drop_action in drop_actions:
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-in %s '
+ '-d 255.255.255.255 '
+ '-p udp --dport 67 -j %s'
+ % (interface, drop_action)),
+ top=True)
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-out %s '
+ '-d 255.255.255.255 '
+ '-p udp --dport 67 -j %s'
+ % (interface, drop_action)),
+ top=True)
+
+ # block ip traffic to address across the interface
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-in %s -d %s -j %s'
+ % (interface, address, drop_action)),
+ top=True)
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-out %s -s %s -j %s'
+ % (interface, address, drop_action)),
+ top=True)


def get_gateway_rules(bridge): |
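Review bot: The `# block dhcp broadcast traffic across the interface` comment (context just above the hunk) is now separated from the two remove_rule calls it describes by the ipv4_filter lookup, a blank line, the drop_actions setup and the for header, while its sibling `# block ip traffic to address across the interface` was moved inside the loop directly above its calls. Moving the dhcp comment into the loop body above the first remove_rule, mirroring what was done with the second comment, keeps the two parallel and puts each next to the rules it explains. remove_isolate_dhcp_address begins before this hunk.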
