ipt_mgr.ipv6 written in the wrong ipt_mgr.ipv4 in iptables_fwaas.py

Bug #1263877 reported by Lee Li
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Lee Li

Bug Description

In method _enable_policy_chain in neutron/services/firewall/drivers/linux/iptables_fwaas.py, the ipv6 should use ipt_mgr.ipv6, but it is written as the wrong ipt_mgr.ipv4. The code looks like:

    def _enable_policy_chain(self, fwid, ipt_mgr):
        bname = iptables_manager.binary_name

        for (ver, tbl) in [(IPV4, ipt_mgr.ipv4['filter']),
                           (IPV6, ipt_mgr.ipv4['filter'])]: # here should use ipt_mgr.ipv6
            for direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
                chain_name = self._get_chain_name(fwid, ver, direction)

Lee Li (lilinguo)
Changed in openstack-manuals:
assignee: nobody → Lee Li (lilinguo)
affects: openstack-manuals → neutron
Lee Li (lilinguo)
Changed in neutron:
status: New → In Progress
Lee Li (lilinguo) wrote :

How about the unit test:
    def test_create_firewall_no_rules(self):
        apply_list = self._fake_apply_list()
        firewall = self._fake_firewall_no_rule()
        self.firewall.create_firewall(apply_list, firewall)
        invalid_rule = '-m state --state INVALID -j DROP'
        est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'

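        # Check each IP version against its own filter-table mock, so the
        # assertion fails if IPv6 chains and rules end up in the IPv4 table.
        filter_inst_dict = {"4": self.v4filter_inst, "6": self.v6filter_inst}
        for ver in ["4", "6"]: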
            ingress_chain = ('iv%s%s' % (ver, firewall['id']))
            egress_chain = ('ov%s%s' % (ver, firewall['id']))
            bname = fwaas.iptables_manager.binary_name
            ipt_mgr_ichain = '%s-%s' % (bname, ingress_chain[:11])
            ipt_mgr_echain = '%s-%s' % (bname, egress_chain[:11])
            calls = [call.ensure_remove_chain('iv%sfake-fw-uuid' % ver),
                     call.ensure_remove_chain('ov%sfake-fw-uuid' % ver),
                     call.ensure_remove_chain('fwaas-default-policy'),
                     call.add_chain('fwaas-default-policy'),
                     call.add_rule('fwaas-default-policy', '-j DROP'),
                     call.add_chain(ingress_chain),
                     call.add_rule(ingress_chain, invalid_rule),
                     call.add_rule(ingress_chain, est_rule),
                     call.add_chain(egress_chain),
                     call.add_rule(egress_chain, invalid_rule),
                     call.add_rule(egress_chain, est_rule),
                     call.add_rule('FORWARD', '-o qr-+ -j %s' % ipt_mgr_ichain),
                     call.add_rule('FORWARD', '-i qr-+ -j %s' % ipt_mgr_echain),
                     call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
                     call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
            filter_inst_dict[ver].assert_has_calls(calls)

Lee Li (lilinguo) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/63981

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/63981
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5c06d87588cdde0a1683a8ee40eb1809bd11c57c
Submitter: Jenkins
Branch: master

commit 5c06d87588cdde0a1683a8ee40eb1809bd11c57c
Author: llg8212 <email address hidden>
Date: Wed Dec 25 09:57:21 2013 +0800

    ipt_mgr.ipv6 written in the wrong ipt_mgr.ipv4

    This patch fixes the issue of writing the wrong firewall rule where an IP6
    rule is written to IP4.

    Change-Id: Ie7c75c71c9dcfbd9feabaffe4416ede80ff350d8
    Closes-Bug:#1263877

Changed in neutron:
status: In Progress → Fix Committed
Changed in neutron:
importance: Undecided → High
milestone: none → icehouse-3
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-3 → 2014.1
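
The table mix-up from this report, modelled as an added example (not Neutron's code and not part of the bug thread), with a check that flags firewall chains registered in the wrong address family's filter table. `make_ipt_mgr`, `enable_policy_chain` with its `fixed` flag, `chains_added` and `misplaced_chains` are hypothetical names; the loop body calling `add_chain` is an assumption, since the excerpt in the report stops at the chain name, and chain names follow the `iv4<id>` / `ov6<id>` pattern used in the unit test above.

```python
from types import SimpleNamespace
from unittest import mock

IPV4, IPV6 = "ipv4", "ipv6"
INGRESS, EGRESS = "ingress", "egress"
VER_TAG = {IPV4: "v4", IPV6: "v6"}
DIR_TAG = {INGRESS: "i", EGRESS: "o"}


def make_ipt_mgr():
    """Stand-in iptables manager: one mock filter table per IP version."""
    return SimpleNamespace(ipv4={"filter": mock.Mock()},
                           ipv6={"filter": mock.Mock()})


def chain_name(fwid, ver, direction):
    return "%s%s%s" % (DIR_TAG[direction], VER_TAG[ver], fwid)


def enable_policy_chain(fwid, ipt_mgr, fixed=True):
    # fixed=False reproduces the reported bug: the IPV6 entry is paired
    # with ipt_mgr.ipv4['filter'] instead of ipt_mgr.ipv6['filter'].
    v6_tbl = ipt_mgr.ipv6["filter"] if fixed else ipt_mgr.ipv4["filter"]
    for ver, tbl in [(IPV4, ipt_mgr.ipv4["filter"]), (IPV6, v6_tbl)]:
        for direction in (INGRESS, EGRESS):
            tbl.add_chain(chain_name(fwid, ver, direction))  # assumed body


def chains_added(table):
    """Chain names passed to add_chain on one mock table, in call order."""
    return [c[0][0] for c in table.add_chain.call_args_list]


def misplaced_chains(ipt_mgr):
    """(table version, chain) pairs whose version tag does not match the table."""
    bad = []
    for ver, tables in ((IPV4, ipt_mgr.ipv4), (IPV6, ipt_mgr.ipv6)):
        for name in chains_added(tables["filter"]):
            if name[1:3] != VER_TAG[ver]:
                bad.append((ver, name))
    return bad


if __name__ == "__main__":
    for fixed in (False, True):
        mgr = make_ipt_mgr()
        enable_policy_chain("fake-fw-uuid", mgr, fixed=fixed)  # constructed id
        print("fixed=%s v6 table=%s misplaced=%s" % (
            fixed, chains_added(mgr.ipv6["filter"]), misplaced_chains(mgr)))
```

With `fixed=False` the IPv6 filter table receives no chains at all, which is the state a per-table assertion such as `filter_inst_dict[ver].assert_has_calls(calls)` catches.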