authorVishvananda Ishaya <vishvananda@gmail.com>2013-01-23 17:43:26 -0800
committerVishvananda Ishaya <vishvananda@gmail.com>2013-01-29 10:49:22 -0800
commit79653366177a02a476cfe170d8a3d89ce99e1ac0 (patch)
tree4560829c412f72bcedc80f8dbcd3c3495eebf67c /nova
parent2e4154e120aef427f05216ff1d1abffe9053041c (diff)
Add option to control where bridges forward
This adds a new config option to control where bridges can forward. The default behavior is unchanged, but if you specify: forward_bridge_interface=foo Then only traffic on the same bridge or going to and from the foo interface will be allowed. This is useful in vlan mode when a deployer doesn't want traffic to be routed between vlans. Note that forward_bridge_interface can be specified multiple times and should be specified once for each interface that supports floating ips. i.e.: forward_bridge_interface=eth0.10 forward_bridge_interface=eth0.20 DocImpact Change-Id: I82d6b288b60cd6deae64690b55546730b1c2da55
Diffstat (limited to 'nova')
-rw-r--r--nova/network/linux_net.py47
1 files changed, 31 insertions, 16 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index a9b44e94a..3b4eaed72 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -85,6 +85,11 @@ linux_net_opts = [
default=False,
help='Use single default gateway. Only first nic of vm will '
'get default gateway from dhcp server'),
+ cfg.ListOpt('forward_bridge_interface',
+ default=['all'],
+ help='An interface that bridges can forward to. If this is '
+ 'set to all then all traffic will be forwarded. Can be '
+ 'specified multiple times.'),
cfg.StrOpt('metadata_host',
default='$my_ip',
help='the ip for the metadata api server'),
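Review bot: The help text of the new `forward_bridge_interface` option says it "Can be specified multiple times", but it is declared as a `cfg.ListOpt`, which parses one comma-separated value; as far as I know a repeated ListOpt key replaces the earlier value rather than accumulating, so the usage shown in the commit message would not work as described. Either declare it as `cfg.MultiStrOpt('forward_bridge_interface', default=['all'], ...)` so repeated keys accumulate, or reword the help to `'Comma-separated list of interfaces that bridges can forward to.'`. The help should also state the consequence of restricting it, since that is the security-relevant behaviour: `'Traffic between a bridge and any interface not listed is dropped.'`. The `linux_net_opts` list continues outside the hunk.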
@@ -1381,10 +1386,8 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
# Don't forward traffic unless we were told to be a gateway
ipv4_filter = iptables_manager.ipv4['filter']
if gateway:
- ipv4_filter.add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- ipv4_filter.add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.add_rule(*rule)
else:
ipv4_filter.add_rule('FORWARD',
'--in-interface %s -j DROP' % bridge)
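Review bot: The rule list is recomputed from `CONF.forward_bridge_interface` here at plug time and again at unplug time (hunk at 1401), so if the option changes between the two calls the rules removed are not the ones that were added and the bridge's ACCEPT/DROP entries would linger in the FORWARD chain. Whether that is harmful depends on whether `iptables_manager` rebuilds the chain from its own rule set on apply or removes rules by exact string match, which this hunk does not show. A comment at the call site would make the coupling explicit: `# Rules are recomputed from CONF on unplug; they must match what was added here.`. The enclosing `plug` starts and ends outside the hunk.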
@@ -1401,10 +1404,8 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
if filtering:
ipv4_filter = iptables_manager.ipv4['filter']
if gateway:
- ipv4_filter.remove_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- ipv4_filter.remove_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.remove_rule(*rule)
else:
ipv4_filter.remove_rule('FORWARD',
'--in-interface %s -j DROP' % bridge)
@@ -1488,6 +1489,24 @@ def remove_isolate_dhcp_address(interface, address):
% (interface, address), top=True)
+def get_gateway_rules(bridge):
+ interfaces = CONF.forward_bridge_interface
+ if 'all' in interfaces:
+ return [('FORWARD', '-i %s -j ACCEPT' % bridge),
+ ('FORWARD', '-o %s -j ACCEPT' % bridge)]
+ rules = []
+ for iface in CONF.forward_bridge_interface:
+ if iface:
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge,
+ iface)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (iface,
+ bridge)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge, bridge)))
+ rules.append(('FORWARD', '-i %s -j DROP' % bridge))
+ rules.append(('FORWARD', '-o %s -j DROP' % bridge))
+ return rules
+
+
# plugs interfaces using Open vSwitch
class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
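Review bot: `get_gateway_rules` has no docstring, and its contract is order-sensitive: in the restricted case the list ends with `-i bridge -j DROP` and `-o bridge -j DROP`, so every ACCEPT for the bridge must precede them and callers must add the rules in list order. A docstring along the lines of "Return the (chain, rule) pairs that let `bridge` forward traffic. If `forward_bridge_interface` contains 'all' the bridge may forward anywhere; otherwise only to and from the listed interfaces and itself, followed by explicit DROP rules. The rules are order-sensitive and must be added in sequence." would capture that. The local `interfaces` is bound on the first line but the loop re-reads the option; change line 1395 to `for iface in interfaces:`. The new rules also use the short `-i`/`-o` flags while the DROP rules in the surrounding hunks use `--in-interface`/`--out-interface`; the file should settle on one spelling, since the two forms of the same rule compare unequal as strings.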
@@ -1526,10 +1545,8 @@ class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
iptables_manager.ipv4['filter'].add_rule('FORWARD',
'--out-interface %s -j DROP' % bridge)
else:
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
return dev
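Review bot: Only the `plug` side of `LinuxOVSInterfaceDriver` (and of `QuantumLinuxBridgeInterfaceDriver` in the hunk at 1564) is switched to `get_gateway_rules`; the corresponding removal code for these drivers, if they have one, is not in this diff and would still refer to the old `--in-interface %s -j ACCEPT` / `--out-interface %s -j ACCEPT` strings, which no longer match what is added. If those drivers have an `unplug` that removes these rules, it should mirror the change made to `LinuxBridgeInterfaceDriver.unplug` at 1401, i.e. `for rule in get_gateway_rules(bridge): iptables_manager.ipv4['filter'].remove_rule(*rule)`. The enclosing `plug` begins outside the hunk.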
@@ -1564,10 +1581,8 @@ class QuantumLinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
'--out-interface %s -j DROP' % bridge)
return bridge
else:
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
create_tap_dev(dev, mac_address)