| author | Michael Still <mikal@stillhq.com> | 2013-03-31 15:09:23 +1100 |
|---|---|---|
| committer | Michael Still <mikal@stillhq.com> | 2013-03-31 15:09:23 +1100 |
| commit | 786a752c660fec2f9671b95e5ce6e37ef709b8db (patch) | |
| tree | b59ea7630d0dee23f9c3ab35ccb029726e465fe8 | |
| parent | a831e9d2608aa9fd6200ea873e3cb766322a6c3c (diff) | |
Better iptables DROP removal.
With the introduction of configurable iptables DROP rules in
nova-network, we need to cleanup possibly more than one drop
rule, depending on what DROP action was in place when the rule
was created. This patch handles this for the simple case where
the drop action has just been configured. More complicated
scenarios will need to be handled manually.
Change-Id: I660607ff6e23ca545f96e536d1084d972bc7c7a2
| -rw-r--r-- | nova/network/linux_net.py | 68 |
1 files changed, 39 insertions, 29 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index a56bbfe25..28d63e674 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1513,14 +1513,17 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
             for rule in get_gateway_rules(bridge):
                 ipv4_filter.remove_rule(*rule)
         else:
-            ipv4_filter.remove_rule('FORWARD',
-                                    ('--in-interface %s -j %s'
-                                     % (bridge,
-                                        CONF.iptables_drop_action)))
-            ipv4_filter.remove_rule('FORWARD',
-                                    ('--out-interface %s -j %s'
-                                     % (bridge,
-                                        CONF.iptables_drop_action)))
+            drop_actions = ['DROP']
+            if CONF.iptables_drop_action != 'DROP':
+                drop_actions.append(CONF.iptables_drop_action)
+
+            for drop_action in drop_actions:
+                ipv4_filter.remove_rule('FORWARD',
+                                        ('--in-interface %s -j %s'
+                                         % (bridge, drop_action)))
+                ipv4_filter.remove_rule('FORWARD',
+                                        ('--out-interface %s -j %s'
+                                         % (bridge, drop_action)))
         try:
             utils.execute('ip', 'link', 'delete', bridge, run_as_root=True,
                           check_exit_code=[0, 2, 254])
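Review bot: The three-line construction of drop_actions (`drop_actions = ['DROP']`, the `!= 'DROP'` test and the append) is duplicated verbatim here and in the remove_isolate_dhcp_address hunk below; a small module-level helper such as `def _get_drop_actions(): ...` returning that list would keep the two removal paths in lockstep when the lookup changes. The list also only covers the built-in DROP and the currently configured action, so a rule added under an earlier custom action that has since been replaced by a different custom one stays in the FORWARD chain after the bridge is deleted — the commit message acknowledges this, and a comment at the `drop_actions = ['DROP']` line such as `# NOTE: only the built-in DROP and the currently configured action are cleaned up; rules created under a previously configured custom action must be removed manually` would keep that limitation visible next to the code. If remove_rule warns when the rule is absent (its body is not on this page), every teardown with a custom action configured will now also log a miss for the plain DROP variant, which is worth checking before this lands. The enclosing method's signature is outside the hunk.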
@@ -1591,27 +1594,34 @@ def remove_isolate_dhcp_address(interface, address):
     # NOTE(vish): the above is not possible with iptables/arptables
     # block dhcp broadcast traffic across the interface
     ipv4_filter = iptables_manager.ipv4['filter']
-    ipv4_filter.remove_rule('FORWARD',
-                            ('-m physdev --physdev-in %s -d 255.255.255.255 '
-                             '-p udp --dport 67 -j %s'
-                             % (interface, CONF.iptables_drop_action)),
-                            top=True)
-    ipv4_filter.remove_rule('FORWARD',
-                            ('-m physdev --physdev-out %s -d 255.255.255.255 '
-                             '-p udp --dport 67 -j %s'
-                             % (interface, CONF.iptables_drop_action)),
-                            top=True)
-    # block ip traffic to address across the interface
-    ipv4_filter.remove_rule('FORWARD',
-                            ('-m physdev --physdev-in %s -d %s -j %s'
-                             % (interface, address,
-                                CONF.iptables_drop_action)),
-                            top=True)
-    ipv4_filter.remove_rule('FORWARD',
-                            ('-m physdev --physdev-out %s -s %s -j %s'
-                             % (interface, address,
-                                CONF.iptables_drop_action)),
-                            top=True)
+
+    drop_actions = ['DROP']
+    if CONF.iptables_drop_action != 'DROP':
+        drop_actions.append(CONF.iptables_drop_action)
+
+    for drop_action in drop_actions:
+        ipv4_filter.remove_rule('FORWARD',
+                                ('-m physdev --physdev-in %s '
+                                 '-d 255.255.255.255 '
+                                 '-p udp --dport 67 -j %s'
+                                 % (interface, drop_action)),
+                                top=True)
+        ipv4_filter.remove_rule('FORWARD',
+                                ('-m physdev --physdev-out %s '
+                                 '-d 255.255.255.255 '
+                                 '-p udp --dport 67 -j %s'
+                                 % (interface, drop_action)),
+                                top=True)
+
+        # block ip traffic to address across the interface
+        ipv4_filter.remove_rule('FORWARD',
+                                ('-m physdev --physdev-in %s -d %s -j %s'
+                                 % (interface, address, drop_action)),
+                                top=True)
+        ipv4_filter.remove_rule('FORWARD',
+                                ('-m physdev --physdev-out %s -s %s -j %s'
+                                 % (interface, address, drop_action)),
+                                top=True)
 
 
 def get_gateway_rules(bridge):
|
