From ce36d0e3618840ebe409401204d5b7acdb475e1e Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Fri, 19 Jul 2013 10:23:59 -0700 Subject: [PATCH] Use cached nwinfo for secgroup rules This stops a potential DOS with source security groups by using the db cached version of the network info instead of calling out to the network api multiple times. Fixes bug 1184041 Change-Id: Id5f24ecf0e8cce60c27a9aecbc6e606c4c44d6b6 (cherry picked from commit df53a6f5641cb34ad3bce660a6fb08c58b0547ff) Conflicts: nova/db/sqlalchemy/api.py nova/virt/firewall.py --- nova/db/sqlalchemy/api.py | 11 +++++++++++ nova/virt/firewall.py | 12 +++--------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py index 7fcc4f8..639f478 100644 --- a/nova/db/sqlalchemy/api.py +++ b/nova/db/sqlalchemy/api.py @@ -3644,12 +3644,23 @@ def security_group_rule_get(context, security_group_rule_id, session=None): @require_context +<<<<<<< HEAD def security_group_rule_get_by_security_group(context, security_group_id, session=None): return _security_group_rule_get_query(context, session=session).\ filter_by(parent_group_id=security_group_id).\ options(joinedload_all('grantee_group.instances.instance_type')).\ all() +======= +def security_group_rule_get_by_security_group(context, security_group_id): + return (_security_group_rule_get_query(context). + filter_by(parent_group_id=security_group_id). + options(joinedload_all('grantee_group.instances.' + 'system_metadata')). + options(joinedload('grantee_group.instances.' + 'info_cache')). + all()) +>>>>>>> df53a6f... Use cached nwinfo for secgroup rules @require_context diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py index a093a35..7c22c86 100644 --- a/nova/virt/firewall.py +++ b/nova/virt/firewall.py 
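Review bot: The new side of the api.py hunk commits the unresolved merge-conflict markers `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> df53a6f...` together with two definitions of `security_group_rule_get_by_security_group`, which is a SyntaxError at import time of nova.db.sqlalchemy.api and so breaks the whole DB API instead of shipping the DoS fix the message describes. The conflict should be resolved to a single definition that keeps this branch's `session=None` parameter (the HEAD side) and adds the cherry-pick's eager load of `info_cache`, since that is what lets the firewall driver read cached network info without a further call per grantee instance. Whether `instance_type` (HEAD) or `system_metadata` (cherry-pick) is the relationship this branch's instance model actually uses cannot be told from the hunk; the sketch below keeps HEAD's `instance_type`. If `joinedload` is not already imported in this file, `joinedload_all` with the same dotted path loads the same relationship.
```python
@require_context
def security_group_rule_get_by_security_group(context, security_group_id,
                                              session=None):
    return (_security_group_rule_get_query(context, session=session).
            filter_by(parent_group_id=security_group_id).
            options(joinedload_all('grantee_group.instances.'
                                   'instance_type')).
            options(joinedload('grantee_group.instances.'
                               'info_cache')).
            all())
```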
@@ -17,10 +17,10 @@ # License for the specific language governing permissions and limitations # under the License. +from nova.compute import utils as compute_utils from nova import context from nova import db from nova import flags -from nova import network from nova.network import linux_net from nova.openstack.common import cfg from nova.openstack.common import importutils @@ -405,15 +405,9 @@ class IptablesFirewallDriver(FirewallDriver): fw_rules += [' '.join(args)] else: if rule['grantee_group']: - # FIXME(jkoelker) This needs to be ported up into - # the compute manager which already - # has access to a nw_api handle, - # and should be the only one making - # making rpc calls. - nw_api = network.API() for instance in rule['grantee_group']['instances']: - nw_info = nw_api.get_instance_nw_info(ctxt, - instance) + nw_info = compute_utils.get_nw_info_for_instance( + instance) ips = [ip['address'] for ip in nw_info.fixed_ips() -- 1.7.9.5
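Review bot: The loop over `rule['grantee_group']['instances']` now reads each instance's cached network info through `compute_utils.get_nw_info_for_instance(instance)`, but nothing at the call site records that this only removes the per-instance round trip (the DoS this commit addresses) when the rows were fetched with `info_cache` eager-loaded by `security_group_rule_get_by_security_group`; the removed FIXME is worth replacing with `# NOTE: instances come from security_group_rule_get_by_security_group, which must eager-load info_cache so no further lookup is made per grantee instance.` With the network API call gone, `ctxt` may no longer be used on this path, but the enclosing method starts and ends outside the hunk, so check the remainder before dropping it. Likewise confirm nothing else in firewall.py still references the `from nova import network` import removed in the first hunk, since only the import block is visible here.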