Merge "Fix iptables rules when metadata_host=127.0.0.1"

2013-07-25 22:03:46 +00:00
parent bf6709bf2b 15543f7e18
commit a69e30d921
2 changed files with 52 additions and 6 deletions
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -617,12 +617,12 @@ def metadata_forward():

 def metadata_accept():
    """Create the filter accept rule for metadata."""
-    iptables_manager.ipv4['filter'].add_rule('INPUT',
-                                             '-s 0.0.0.0/0 -d %s '
-                                             '-p tcp -m tcp --dport %s '
-                                             '-j ACCEPT' %
-                                             (CONF.metadata_host,
-                                              CONF.metadata_port))
+    rule = '-s 0.0.0.0/0 -p tcp -m tcp --dport %s' % CONF.metadata_port
+    if CONF.metadata_host != '127.0.0.1':
+        rule += ' -d %s -j ACCEPT' % CONF.metadata_host
+    else:
+        rule += ' -m addrtype --dst-type LOCAL -j ACCEPT'
+    iptables_manager.ipv4['filter'].add_rule('INPUT', rule)
    iptables_manager.apply()


--- a/nova/tests/network/test_linux_net.py
+++ b/nova/tests/network/test_linux_net.py
@@ -891,3 +891,49 @@ class LinuxNetworkTestCase(test.TestCase):
        self.mox.ReplayAll()
        manager.defer_apply_off()
        self.assertFalse(manager.iptables_apply_deferred)
+
+    def _test_add_metadata_accept_rule(self, expected):
+        def verify_add_rule(chain, rule):
+            self.assertEqual(chain, 'INPUT')
+            self.assertEqual(expected, rule)
+
+        self.stubs.Set(linux_net.iptables_manager.ipv4['filter'],
+                       'add_rule', verify_add_rule)
+        linux_net.metadata_accept()
+
+    def test_metadata_accept(self):
+        self.flags(metadata_port='8775')
+        self.flags(metadata_host='10.10.10.1')
+        expected = ('-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 '
+                    '-d 10.10.10.1 -j ACCEPT')
+        self._test_add_metadata_accept_rule(expected)
+
+    def test_metadata_accept_localhost(self):
+        self.flags(metadata_port='8775')
+        self.flags(metadata_host='127.0.0.1')
+        expected = ('-s 0.0.0.0/0 -p tcp -m tcp --dport 8775 '
+                    '-m addrtype --dst-type LOCAL -j ACCEPT')
+        self._test_add_metadata_accept_rule(expected)
+
+    def _test_add_metadata_forward_rule(self, expected):
+        def verify_add_rule(chain, rule):
+            self.assertEqual(chain, 'PREROUTING')
+            self.assertEqual(expected, rule)
+
+        self.stubs.Set(linux_net.iptables_manager.ipv4['nat'],
+                       'add_rule', verify_add_rule)
+        linux_net.metadata_forward()
+
+    def test_metadata_forward(self):
+        self.flags(metadata_port='8775')
+        self.flags(metadata_host='10.10.10.1')
+        expected = ('-s 0.0.0.0/0 -d 169.254.169.254/32 -p tcp -m tcp '
+                    '--dport 80 -j DNAT --to-destination 10.10.10.1:8775')
+        self._test_add_metadata_forward_rule(expected)
+
+    def test_metadata_forward_localhost(self):
+        self.flags(metadata_port='8775')
+        self.flags(metadata_host='127.0.0.1')
+        expected = ('-s 0.0.0.0/0 -d 169.254.169.254/32 -p tcp -m tcp '
+                    '--dport 80 -j REDIRECT --to-ports 8775')
+        self._test_add_metadata_forward_rule(expected)