iptables-restore error when table not loaded.

When adding openstack rules, if a table module is not loaded, the resulted file doesn't include the section for the missing table, making new rules added to it, out of place and a no valid file for iptables-restore Fixes bug #1103436 Change-Id: I34ae51a23efec57bfec37b8fa378d043fcf62d70
2013-01-23 12:53:43 +01:00
parent e1ce3878b9
commit 7d7fcf1d12
2 changed files with 31 additions and 2 deletions
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -378,7 +378,7 @@ class IptablesManager(object):
            for table in tables:
                start, end = self._find_table(all_lines, table)
                all_lines[start:end] = self._modify_rules(
-                        all_lines[start:end], tables[table])
+                        all_lines[start:end], tables[table], table_name=table)
            self.execute('%s-restore' % (cmd,), '-c', run_as_root=True,
                         process_input='\n'.join(all_lines),
                         attempts=5)
@@ -397,13 +397,20 @@ class IptablesManager(object):
        end = lines[start:].index('COMMIT') + start + 2
        return (start, end)

-    def _modify_rules(self, current_lines, table, binary=None):
+    def _modify_rules(self, current_lines, table, binary=None,
+                      table_name=None):
        unwrapped_chains = table.unwrapped_chains
        chains = table.chains
        remove_chains = table.remove_chains
        rules = table.rules
        remove_rules = table.remove_rules

+        if not current_lines:
+            fake_table = ['#Generated by nova',
+                          '*' + table_name, 'COMMIT',
+                          '#Completed by nova']
+            current_lines = fake_table
+
        # Remove any trace of our rules
        new_filter = filter(lambda line: binary_name not in line,
                            current_lines)
@@ -418,6 +425,9 @@ class IptablesManager(object):
                if not rule.startswith(':'):
                    break

+        if not seen_chains:
+            rules_index = 2
+
        our_rules = []
        bot_rules = []
        for rule in rules:
--- a/nova/tests/test_iptables_network.py
+++ b/nova/tests/test_iptables_network.py
@@ -170,3 +170,22 @@ class IptablesManagerTestCase(test.TestCase):
            self.assertTrue('[0:0] -A %s -j %s-%s' %
                            (chain, self.binary_name, chain) in new_lines,
                            "Built-in chain %s not wrapped" % (chain,))
+
+    def test_missing_table(self):
+        current_lines = []
+        new_lines = self.manager._modify_rules(current_lines,
+                                               self.manager.ipv4['filter'],
+                                               table_name='filter')
+
+        for line in ['*filter',
+                     'COMMIT']:
+            self.assertTrue(line in new_lines, "One of iptables key lines"
+                            "went missing.")
+
+        self.assertTrue(len(new_lines) > 4, "No iptables rules added")
+
+        self.assertTrue("#Generated by nova" == new_lines[0] and
+                        "*filter" == new_lines[1] and
+                        "COMMIT" == new_lines[-2] and
+                        "#Completed by nova" == new_lines[-1],
+                        "iptables rules not generated in the correct order")