From 786a752c660fec2f9671b95e5ce6e37ef709b8db Mon Sep 17 00:00:00 2001
From: Michael Still
Date: Sun, 31 Mar 2013 15:09:23 +1100
Subject: Better iptables DROP removal.

With the introduction of configurable iptables DROP rules in nova-network, we need to cleanup possibly more than one drop rule, depending on what DROP action was in place when the rule was created.

This patch handles this for the simple case where the drop action has just been configured. More complicated scenarios will need to be handled manually.

Change-Id: I660607ff6e23ca545f96e536d1084d972bc7c7a2
---
 nova/network/linux_net.py | 68 +++++++++++++++++++++++++++--------------------
 1 file changed, 39 insertions(+), 29 deletions(-)

diff --git a/nova/network/linux_net.py b/nova/network/linux_net.py
index a56bbfe25..28d63e674 100644
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1513,14 +1513,17 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
 for rule in get_gateway_rules(bridge):
 ipv4_filter.remove_rule(*rule)
 else:
- ipv4_filter.remove_rule('FORWARD',
- ('--in-interface %s -j %s'
- % (bridge,
- CONF.iptables_drop_action)))
- ipv4_filter.remove_rule('FORWARD',
- ('--out-interface %s -j %s'
- % (bridge,
- CONF.iptables_drop_action)))
+ drop_actions = ['DROP']
+ if CONF.iptables_drop_action != 'DROP':
+ drop_actions.append(CONF.iptables_drop_action)
+
+ for drop_action in drop_actions:
+ ipv4_filter.remove_rule('FORWARD',
+ ('--in-interface %s -j %s'
+ % (bridge, drop_action)))
+ ipv4_filter.remove_rule('FORWARD',
+ ('--out-interface %s -j %s'
+ % (bridge, drop_action)))
 try:
 utils.execute('ip', 'link', 'delete', bridge,
 run_as_root=True, check_exit_code=[0, 2, 254])
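Review bot: The three lines that build `drop_actions` in the else branch are repeated verbatim in remove_isolate_dhcp_address in the next hunk, so the set of candidate targets can drift between the two teardown paths the next time it is widened; a small module-level helper would keep both sites in step and give the list one place to be documented. Each site would then reduce to `for drop_action in _candidate_drop_actions():` with the three list-building lines dropped. The enclosing method starts before this hunk and its body continues past the utils.execute call.
```python
def _candidate_drop_actions():
    """Return the iptables targets a stale drop rule may have been added with.

    Only the built-in DROP target and the currently configured
    iptables_drop_action are tried.
    """
    actions = ['DROP']
    if CONF.iptables_drop_action != 'DROP':
        actions.append(CONF.iptables_drop_action)
    return actions
```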
@@ -1591,27 +1594,34 @@ def remove_isolate_dhcp_address(interface, address):
 # NOTE(vish): the above is not possible with iptables/arptables
 # block dhcp broadcast traffic across the interface
 ipv4_filter = iptables_manager.ipv4['filter']
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-in %s -d 255.255.255.255 '
- '-p udp --dport 67 -j %s'
- % (interface, CONF.iptables_drop_action)),
- top=True)
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-out %s -d 255.255.255.255 '
- '-p udp --dport 67 -j %s'
- % (interface, CONF.iptables_drop_action)),
- top=True)
- # block ip traffic to address across the interface
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-in %s -d %s -j %s'
- % (interface, address,
- CONF.iptables_drop_action)),
- top=True)
- ipv4_filter.remove_rule('FORWARD',
- ('-m physdev --physdev-out %s -s %s -j %s'
- % (interface, address,
- CONF.iptables_drop_action)),
- top=True)
+
+ drop_actions = ['DROP']
+ if CONF.iptables_drop_action != 'DROP':
+ drop_actions.append(CONF.iptables_drop_action)
+
+ for drop_action in drop_actions:
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-in %s '
+ '-d 255.255.255.255 '
+ '-p udp --dport 67 -j %s'
+ % (interface, drop_action)),
+ top=True)
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-out %s '
+ '-d 255.255.255.255 '
+ '-p udp --dport 67 -j %s'
+ % (interface, drop_action)),
+ top=True)
+
+ # block ip traffic to address across the interface
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-in %s -d %s -j %s'
+ % (interface, address, drop_action)),
+ top=True)
+ ipv4_filter.remove_rule('FORWARD',
+ ('-m physdev --physdev-out %s -s %s -j %s'
+ % (interface, address, drop_action)),
+ top=True)
 def get_gateway_rules(bridge):
-- 
cgit
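Review bot: Nothing in the new code records that only two targets are tried, so a reader of the loop cannot tell that rules installed under an earlier, since-changed iptables_drop_action are deliberately left in the FORWARD chain, which the commit message says must be cleaned up by hand; a comment above `drop_actions = ['DROP']` such as `# Try the built-in target and the currently configured one; rules added under a previous, different iptables_drop_action are not removed here and stay in effect.` would carry that caveat into the code. Whether the remove_rule calls for the target that was never installed are silent or logged depends on IptablesTable.remove_rule, which is outside this hunk; if it warns on a missing rule, every teardown will now emit one warning per unmatched target, which is worth confirming before merging. The same caveat applies to the else branch of the previous hunk.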