| author | Jenkins <jenkins@review.openstack.org> | 2013-02-02 17:59:33 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-02-02 17:59:33 +0000 |
| commit | dfd3658c1767862f5610c2e430b1c0c81f168f39 (patch) | |
| tree | 25df47c9fb5b199210f620f91650628954486707 /nova | |
| parent | 087336b4bb66113a9c3e0b5f14669c7a91879011 (diff) | |
| parent | 79653366177a02a476cfe170d8a3d89ce99e1ac0 (diff) | |
Merge "Add option to control where bridges forward"
Diffstat (limited to 'nova')
| -rw-r--r-- | nova/network/linux_net.py | 47 |
1 files changed, 31 insertions, 16 deletions
diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index b43b97465..f8a2f058b 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -86,6 +86,11 @@ linux_net_opts = [
 default=False,
 help='Use single default gateway. Only first nic of vm will '
 'get default gateway from dhcp server'),
+ cfg.ListOpt('forward_bridge_interface',
+ default=['all'],
+ help='An interface that bridges can forward to. If this is '
+ 'set to all then all traffic will be forwarded. Can be '
+ 'specified multiple times.'),
 cfg.StrOpt('metadata_host',
 default='$my_ip',
 help='the ip for the metadata api server'),
@@ -1401,10 +1406,8 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
 # Don't forward traffic unless we were told to be a gateway
 ipv4_filter = iptables_manager.ipv4['filter']
 if gateway:
- ipv4_filter.add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- ipv4_filter.add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.add_rule(*rule)
 else:
 ipv4_filter.add_rule('FORWARD',
 '--in-interface %s -j DROP' % bridge)
@@ -1421,10 +1424,8 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
 if filtering:
 ipv4_filter = iptables_manager.ipv4['filter']
 if gateway:
- ipv4_filter.remove_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- ipv4_filter.remove_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ ipv4_filter.remove_rule(*rule)
 else:
 ipv4_filter.remove_rule('FORWARD',
 '--in-interface %s -j DROP' % bridge)
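Review bot: The help text for `forward_bridge_interface` says the option "Can be specified multiple times", but it is declared as a `cfg.ListOpt`, which in the openstack.common cfg module takes a single comma-separated value (the repeat-the-key form is `MultiStrOpt`); an operator who follows the help as written may end up with only one occurrence honoured, depending on how the parser treats repeated keys. Either change the help to `help='Comma-separated list of interfaces that bridges can forward to. If this is set to all then all traffic will be forwarded.'` or change the opt type to match the wording. It would also help to state in the help that when a specific list is given, forwarding to or from the bridge on any other interface is dropped, since that is what the non-all branch of `get_gateway_rules` in the next hunk group produces.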
@@ -1508,6 +1509,24 @@ def remove_isolate_dhcp_address(interface, address):
 % (interface, address), top=True)
 
 
+def get_gateway_rules(bridge):
+ interfaces = CONF.forward_bridge_interface
+ if 'all' in interfaces:
+ return [('FORWARD', '-i %s -j ACCEPT' % bridge),
+ ('FORWARD', '-o %s -j ACCEPT' % bridge)]
+ rules = []
+ for iface in CONF.forward_bridge_interface:
+ if iface:
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge,
+ iface)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (iface,
+ bridge)))
+ rules.append(('FORWARD', '-i %s -o %s -j ACCEPT' % (bridge, bridge)))
+ rules.append(('FORWARD', '-i %s -j DROP' % bridge))
+ rules.append(('FORWARD', '-o %s -j DROP' % bridge))
+ return rules
+
+
 # plugs interfaces using Open vSwitch
 class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
 
@@ -1546,10 +1565,8 @@ class LinuxOVSInterfaceDriver(LinuxNetInterfaceDriver):
 iptables_manager.ipv4['filter'].add_rule('FORWARD',
 '--out-interface %s -j DROP' % bridge)
 else:
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
 
 return dev
 
@@ -1584,10 +1601,8 @@ class QuantumLinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
 '--out-interface %s -j DROP' % bridge)
 return bridge
 else:
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--in-interface %s -j ACCEPT' % bridge)
- iptables_manager.ipv4['filter'].add_rule('FORWARD',
- '--out-interface %s -j ACCEPT' % bridge)
+ for rule in get_gateway_rules(bridge):
+ iptables_manager.ipv4['filter'].add_rule(*rule)
 
 create_tap_dev(dev, mac_address)
 
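Review bot: `get_gateway_rules` has no docstring, and the trailing `-i %s -j DROP` / `-o %s -j DROP` pair is exactly what a maintainer needs explained: in the non-`all` case the gateway branch of every driver touched by this change (the LinuxBridge, OVS and QuantumLinuxBridge hunks) now ends with per-bridge DROP rules, so the restriction only holds if the rules reach the FORWARD chain in the order returned, ACCEPTs before DROPs, and I cannot confirm from this hunk that `iptables_manager` preserves insertion order. Suggest a docstring such as `"""Return (chain, rule) tuples for forwarding between bridge and CONF.forward_bridge_interface; 'all' allows everything, otherwise a trailing DROP pair blocks all other traffic to or from bridge, so ACCEPT rules must precede the DROPs."""`. The loop also re-reads `CONF.forward_bridge_interface` although `interfaces` already holds it; `for iface in interfaces:` makes the 'all' check and the loop visibly operate on the same value and avoids a second config lookup.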
