From 08032e9cc65fe79a53a217b6f061af745ee374b8 Mon Sep 17 00:00:00 2001 From: shenjiatong Date: Tue, 22 Dec 2020 09:01:50 +0800 Subject: [PATCH] Allow neutron managed ports to bypass PREROUTING chain When deployed with k8s, k8s service types like NodePort or ExternalIP will affect vm traffic on nat table's PREROUTING chain. This PS try to mitigate the effect by allowing vm traffic to bypass those rules. Change-Id: Iae12d9c2f37bc0fca9c3d5e85e46c642263e4a77 Closes-Bug: #1908957 --- neutron/agent/linux/iptables_firewall.py | 39 ++++- neutron/agent/linux/iptables_manager.py | 5 + .../agent/linux/test_iptables_firewall.py | 86 +++++++++- .../unit/agent/linux/test_iptables_manager.py | 10 +- .../unit/agent/test_securitygroups_rpc.py | 148 ++++++++++++------ 5 files changed, 226 insertions(+), 62 deletions(-) diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 631fcc6bc12..972e1749477 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -155,6 +155,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): jump_rule = self._generate_trusted_port_rules(port) self._add_rules_to_chain_v4v6( 'FORWARD', jump_rule, jump_rule, comment=ic.TRUSTED_ACCEPT) + self._add_nat_short_ciruit(port) self.trusted_ports.append(port) def remove_trusted_ports(self, port_ids): 
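Review bot: The helper invoked on the added line is named `_add_nat_short_ciruit` — `ciruit` is a misspelling of `circuit`, and the typo recurs in `_remove_nat_short_ciruit`, so the pair reads inconsistently next to `_generate_nat_shortcircuit_port_rules`, which spells it correctly. Renaming to `self._add_nat_short_circuit(port)` / `self._remove_nat_short_circuit(port)` at the two definitions and the six call sites in this patch is cheap now and avoids a compatibility rename later, once subclasses such as the OVS hybrid driver may reference the names. `process_trusted_ports` starts outside this hunk.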
@@ -163,8 +164,15 @@ class IptablesFirewallDriver(firewall.FirewallDriver): jump_rule = self._generate_trusted_port_rules(port) self._remove_rule_from_chain_v4v6( 'FORWARD', jump_rule, jump_rule) + self._remove_nat_short_ciruit(port) self.trusted_ports.remove(port) + def _generate_nat_shortcircuit_port_rules(self, port): + rt = '-m physdev --%%s %s -j ACCEPT' % ( + self._get_device_name(port)) + return [rt % (self.IPTABLES_DIRECTION[constants.INGRESS_DIRECTION]), + rt % (self.IPTABLES_DIRECTION[constants.EGRESS_DIRECTION])] + def _generate_trusted_port_rules(self, port): rt = '-m physdev --%%s %s --physdev-is-bridged -j ACCEPT' % ( self._get_device_name(port)) @@ -248,12 +256,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _remove_rule_port_sec(self, port, direction): self._update_port_sec_rules(port, direction, add=False) - def _remove_rule_from_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules): + def _remove_rule_from_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules, + table='filter'): for rule in ipv4_rules: - self.iptables.ipv4['filter'].remove_rule(chain_name, rule) + self.iptables.ipv4[table].remove_rule(chain_name, rule) for rule in ipv6_rules: - self.iptables.ipv6['filter'].remove_rule(chain_name, rule) + self.iptables.ipv6[table].remove_rule(chain_name, rule) def _setup_chains(self): """Setup ingress and egress chain for a port.""" @@ -268,6 +277,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): for pname in sorted(ports): port = ports[pname] self._add_conntrack_jump(port) + self._add_nat_short_ciruit(port) self._setup_chain(port, constants.INGRESS_DIRECTION) self._setup_chain(port, constants.EGRESS_DIRECTION) self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT') 
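Review bot: The `--physdev-out` rule that `_generate_nat_shortcircuit_port_rules` emits for the ingress direction may be dead in nat PREROUTING: at that hook the bridge output port is reportedly not yet known to the physdev match, so only the `--physdev-in` rule is likely to fire, and traffic towards the VM would still traverse the kube-proxy rules. That is presumably also why these rules omit the `--physdev-is-bridged` qualifier used by `_generate_trusted_port_rules` just below; since the difference looks deliberate it deserves a comment, e.g. `# No --physdev-is-bridged here: in PREROUTING the bridge output port is not known yet.` Worth verifying on a host with br_netfilter loaded and dropping the `--physdev-out` rule if it never matches. Separately, because ACCEPT in nat PREROUTING ends nat traversal for that connection, every DNAT rule in the root namespace is skipped for packets entering from the tap, not only the NodePort/ExternalIP ones the commit message targets — a docstring on this method should state that scope so operators are not surprised.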
@@ -276,6 +286,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): for port in unfiltered_ports.values(): self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION) self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION) + self._add_nat_short_ciruit(port) def _remove_chains(self): """Remove ingress and egress chain for a port.""" @@ -289,9 +300,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver): self._remove_chain(port, constants.EGRESS_DIRECTION) self._remove_chain(port, SPOOF_FILTER) self._remove_conntrack_jump(port) + self._remove_nat_short_ciruit(port) for port in unfiltered_ports.values(): self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION) self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION) + self._remove_nat_short_ciruit(port) self._remove_chain_by_name_v4v6(SG_CHAIN) def _setup_chain(self, port, DIRECTION): @@ -319,14 +332,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver): self.iptables.ipv6['filter'].remove_chain(chain_name) def _add_rules_to_chain_v4v6(self, chain_name, ipv4_rules, ipv6_rules, - top=False, comment=None): + top=False, comment=None, table='filter'): for rule in ipv4_rules: - self.iptables.ipv4['filter'].add_rule(chain_name, rule, - top=top, comment=comment) + self.iptables.ipv4[table].add_rule(chain_name, rule, + top=top, comment=comment) for rule in ipv6_rules: - self.iptables.ipv6['filter'].add_rule(chain_name, rule, - top=top, comment=comment) + self.iptables.ipv6[table].add_rule(chain_name, rule, + top=top, comment=comment) def _get_device_name(self, port): if not isinstance(port, dict): 
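Review bot: `_add_rules_to_chain_v4v6` gains a `table` parameter but has no docstring, and the value is used as a raw key into `self.iptables.ipv4[table]`, so a caller passing a table the manager did not initialize gets a bare `KeyError` that does not name the table. A one-line docstring such as `"""Add rules to chain_name in the given iptables table ('filter' by default) for both IPv4 and IPv6."""` would make the new parameter discoverable, and the same applies to the `_remove_rule_from_chain_v4v6` counterpart. `_get_device_name`, whose first lines close this hunk, continues outside it.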
@@ -465,6 +478,16 @@ class IptablesFirewallDriver(firewall.FirewallDriver): self.iptables.ipv4['raw'].remove_rule(chain, rule) self.iptables.ipv6['raw'].remove_rule(chain, rule) + def _add_nat_short_ciruit(self, port): + jump_rule = self._generate_nat_shortcircuit_port_rules(port) + self._add_rules_to_chain_v4v6('PREROUTING', jump_rule, jump_rule, + comment=ic.TRUSTED_ACCEPT, table='nat') + + def _remove_nat_short_ciruit(self, port): + jump_rule = self._generate_nat_shortcircuit_port_rules(port) + self._remove_rule_from_chain_v4v6('PREROUTING', jump_rule, + jump_rule, table='nat') + def _split_sgr_by_ethertype(self, security_group_rules): ipv4_sg_rules = [] ipv6_sg_rules = [] diff --git a/neutron/agent/linux/iptables_manager.py b/neutron/agent/linux/iptables_manager.py index 3df8e8cfc48..4bdd800a1bb 100644 --- a/neutron/agent/linux/iptables_manager.py +++ b/neutron/agent/linux/iptables_manager.py @@ -335,11 +335,16 @@ class IptablesManager(object): self.ipv4.update({'raw': IptablesTable(binary_name=self.wrap_name)}) self.ipv6.update({'raw': IptablesTable(binary_name=self.wrap_name)}) + self.ipv4.update({'nat': IptablesTable(binary_name=self.wrap_name)}) + self.ipv6.update({'nat': IptablesTable(binary_name=self.wrap_name)}) + # Wrap the built-in chains builtin_chains = {4: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}, 6: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}} builtin_chains[4].update({'raw': ['PREROUTING', 'OUTPUT']}) builtin_chains[6].update({'raw': ['PREROUTING', 'OUTPUT']}) + builtin_chains[4].update({'nat': ['PREROUTING']}) + builtin_chains[6].update({'nat': ['PREROUTING']}) self._configure_builtin_chains(builtin_chains) if not state_less: diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py index b177c7ee06c..8e0dcf04573 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py +++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py 
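Review bot: `_add_nat_short_ciruit` tags the nat PREROUTING bypass with `ic.TRUSTED_ACCEPT`, but `_setup_chains` calls it for every filtered and unfiltered port, so `iptables -t nat -S` will label ordinary security-group-filtered ports as trusted accepts, which misleads anyone auditing the ruleset during an incident. Introduce a dedicated comment constant in `iptables_comments` (for example `NAT_BYPASS = 'Skip NAT for Neutron managed port traffic.'`) and use it in both the add and remove paths so the remove matches the rule text exactly. A short docstring on both methods explaining that the rule exists to keep host-level DNAT (such as kube-proxy's) from rewriting VM traffic would also help.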
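Review bot: The nat table is now added to both `self.ipv4` and `self.ipv6` unconditionally, ahead of the `state_less`/`nat` checks that previously decided whether nat is managed, so `IptablesManager(nat=False)` and `IptablesManager(state_less=True)` start emitting a `*nat` section — the renamed `test_nat_found` tests in this patch confirm the flags no longer mean what their names say. Every ip6tables-restore driven by this class, in every namespace, will now carry an IPv6 nat table with a wrapped `PREROUTING` chain, which presumably requires ip6table_nat on the host; where it is missing the restore would error out and any table ordered after it in the same run may not be committed, putting the security-group rules at risk. Consider keeping the flag semantics by making the PREROUTING-only nat table an explicit opt-in (a constructor flag or an `initialize_nat_prerouting()` method the firewall driver calls) and adding the IPv6 table only when asked for. Also worth a comment: when `nat=True`, `initialize_nat_table()` later replaces the ipv4 `'nat'` entry created here, which looks harmless but is confusing to read.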
@@ -84,10 +84,12 @@ class BaseIptablesFirewallTestCase(base.BaseTestCase): self.v4filter_inst = mock.Mock() self.v6filter_inst = mock.Mock() self.iptables_inst.ipv4 = {'filter': self.v4filter_inst, - 'raw': self.v4filter_inst + 'raw': self.v4filter_inst, + 'nat': self.v4filter_inst } self.iptables_inst.ipv6 = {'filter': self.v6filter_inst, - 'raw': self.v6filter_inst + 'raw': self.v6filter_inst, + 'nat': self.v6filter_inst } iptables_cls.return_value = self.iptables_inst @@ -141,6 +143,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), mock.call.add_rule('PREROUTING', mock.ANY, # zone set comment=None), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT), mock.call.add_chain('ifake_dev'), mock.call.add_rule('FORWARD', '-m physdev --physdev-out tapfake_dev ' @@ -1172,6 +1182,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-m physdev --physdev-in tapfake_dev ' '--physdev-is-bridged -j ACCEPT', top=False, comment=ic.TRUSTED_ACCEPT)) + calls.append( + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT)) + calls.append( + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT)) self.firewall.process_trusted_ports([port['id']]) 
@@ -1262,6 +1282,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), mock.call.add_rule('PREROUTING', mock.ANY, # zone set comment=None), + mock.call.add_rule('PREROUTING', + "-m physdev --physdev-out tapfake_dev " + "-j ACCEPT", + comment=ic.TRUSTED_ACCEPT, + top=False), + mock.call.add_rule('PREROUTING', + "-m physdev --physdev-in tapfake_dev " + "-j ACCEPT", + comment=ic.TRUSTED_ACCEPT, + top=False), mock.call.add_chain('ifake_dev'), mock.call.add_rule('FORWARD', '-m physdev --physdev-out tapfake_dev ' @@ -1615,6 +1645,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), # zone set mock.call.add_rule('PREROUTING', mock.ANY, comment=None), # zone set + mock.call.add_rule( + 'PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), + mock.call.add_rule( + 'PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), mock.call.add_chain('ifake_dev'), mock.call.add_rule( 'FORWARD', @@ -1696,6 +1736,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): mock.call.remove_rule('PREROUTING', mock.ANY), # zone set mock.call.remove_rule('PREROUTING', mock.ANY), # zone set mock.call.remove_rule('PREROUTING', mock.ANY), # zone set + mock.call.remove_rule( + 'PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT'), + mock.call.remove_rule( + 'PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT'), mock.call.remove_chain('sg-chain'), mock.call.add_chain('sg-chain'), mock.call.add_rule('PREROUTING', mock.ANY, 
@@ -1704,6 +1752,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), # zone set mock.call.add_rule('PREROUTING', mock.ANY, comment=None), # zone set + mock.call.add_rule( + 'PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), + mock.call.add_rule( + 'PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), mock.call.add_chain('ifake_dev'), mock.call.add_rule( 'FORWARD', @@ -1786,6 +1844,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): mock.call.remove_rule('PREROUTING', mock.ANY), # zone set mock.call.remove_rule('PREROUTING', mock.ANY), # zone set mock.call.remove_rule('PREROUTING', mock.ANY), # zone set + mock.call.remove_rule( + 'PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT'), + mock.call.remove_rule( + 'PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT'), mock.call.remove_chain('sg-chain'), mock.call.add_chain('sg-chain')] @@ -1926,6 +1992,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), mock.call.add_rule('PREROUTING', mock.ANY, # zone set comment=None), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-out tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-in tapfake_dev ' + '-j ACCEPT', + top=False, comment=ic.TRUSTED_ACCEPT), mock.call.add_chain('ifake_dev'), mock.call.add_rule('FORWARD', '-m physdev --physdev-out tapfake_dev ' 
@@ -2019,6 +2093,14 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=None), mock.call.add_rule('PREROUTING', mock.ANY, # zone set comment=None), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-out ' + 'tapfake_dev -j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), + mock.call.add_rule('PREROUTING', + '-m physdev --physdev-in ' + 'tapfake_dev -j ACCEPT', + comment=ic.TRUSTED_ACCEPT, top=False), mock.call.add_chain('ifake_dev'), mock.call.add_rule('FORWARD', '-m physdev --physdev-out tapfake_dev ' diff --git a/neutron/tests/unit/agent/linux/test_iptables_manager.py b/neutron/tests/unit/agent/linux/test_iptables_manager.py index f005bfde438..658e040f7f2 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_manager.py +++ b/neutron/tests/unit/agent/linux/test_iptables_manager.py @@ -1358,8 +1358,8 @@ class IptablesManagerStateLessTestCase(base.BaseTestCase): cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT') self.iptables = (iptables_manager.IptablesManager(state_less=True)) - def test_nat_not_found(self): - self.assertNotIn('nat', self.iptables.ipv4) + def test_nat_found(self): + self.assertIn('nat', self.iptables.ipv4) def test_mangle_not_found(self): self.assertNotIn('mangle', self.iptables.ipv4) @@ -1368,7 +1368,7 @@ class IptablesManagerStateLessTestCase(base.BaseTestCase): iptables = iptables_manager.IptablesManager(state_less=True) iptables.initialize_mangle_table() self.assertIn('mangle', iptables.ipv4) - self.assertNotIn('nat', iptables.ipv4) + self.assertIn('nat', iptables.ipv4) def test_initialize_nat_table(self): iptables = iptables_manager.IptablesManager(state_less=True) 
@@ -1384,8 +1384,8 @@ class IptablesManagerNoNatTestCase(base.BaseTestCase): cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT') self.iptables = (iptables_manager.IptablesManager(nat=False)) - def test_nat_not_found(self): - self.assertNotIn('nat', self.iptables.ipv4) + def test_nat_found(self): + self.assertIn('nat', self.iptables.ipv4) def test_mangle_found(self): self.assertIn('mangle', self.iptables.ipv4) diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 85912bc195a..1527ec095df 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py +++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py 
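Review bot: `IptablesManagerNoNatTestCase` constructs `IptablesManager(nat=False)` and now asserts that the nat table is present, so the test-case name, the constructor flag and the assertion contradict each other, and the test no longer protects any behaviour of `nat=False`. If the flag is meant to stay meaningful, the original assertion should stand and the manager be fixed instead; if the flag is now intentionally ignored, rename the case and document it, e.g. `"""nat=False no longer suppresses the nat table; only PREROUTING is wrapped."""`, and pin that minimal footprint by asserting which chains the nat table wraps (if `IptablesTable` exposes them) rather than mere presence.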
@@ -1601,6 +1601,54 @@ COMMIT # Completed by iptables_manager """ % IPTABLES_ARG +IPTABLES_NAT_EMPTY = """# Generated by iptables_manager +*nat +:PREROUTING - [0:0] +:%(bn)s-PREROUTING - [0:0] +-I PREROUTING 1 -j %(bn)s-PREROUTING +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + +IPTABLES_NAT_1 = """# Generated by iptables_manager +*nat +:PREROUTING - [0:0] +:%(bn)s-PREROUTING - [0:0] +-I PREROUTING 1 -j %(bn)s-PREROUTING +-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port1 -j ACCEPT +-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port1 -j ACCEPT +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + +IPTABLES_NAT_2 = """# Generated by iptables_manager +*nat +:PREROUTING - [0:0] +:%(bn)s-PREROUTING - [0:0] +-I PREROUTING 1 -j %(bn)s-PREROUTING +-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port1 -j ACCEPT +-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port1 -j ACCEPT +-I %(bn)s-PREROUTING 3 -m physdev --physdev-out tap_port2 -j ACCEPT +-I %(bn)s-PREROUTING 4 -m physdev --physdev-in tap_port2 -j ACCEPT +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + +IPTABLES_NAT_3 = """# Generated by iptables_manager +*nat +:PREROUTING - [0:0] +:%(bn)s-PREROUTING - [0:0] +-I PREROUTING 1 -j %(bn)s-PREROUTING +-I %(bn)s-PREROUTING 1 -m physdev --physdev-out tap_port3 -j ACCEPT +-I %(bn)s-PREROUTING 2 -m physdev --physdev-in tap_port3 -j ACCEPT +-I %(bn)s-PREROUTING 3 -m physdev --physdev-out tap_port1 -j ACCEPT +-I %(bn)s-PREROUTING 4 -m physdev --physdev-in tap_port1 -j ACCEPT +-I %(bn)s-PREROUTING 5 -m physdev --physdev-out tap_port2 -j ACCEPT +-I %(bn)s-PREROUTING 6 -m physdev --physdev-in tap_port2 -j ACCEPT +COMMIT +# Completed by iptables_manager +""" % IPTABLES_ARG + CHAINS_EMPTY = 'FORWARD|INPUT|OUTPUT|local|sg-chain|sg-fallback' CHAINS_1 = CHAINS_EMPTY + '|i_port1|o_port1|s_port1' CHAINS_2 = CHAINS_1 + '|i_port2|o_port2|s_port2' 
@@ -2925,21 +2973,27 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): self.assertThat(kwargs['process_input'], matchers.MatchesRegex(expected_regex)) - def _replay_iptables(self, v4_filter, v6_filter, raw): + def _replay_iptables(self, v4_filter, v6_filter, raw, nat): self._register_mock_call( ['iptables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['iptables-restore', '-n'], - process_input=self._regex(v4_filter + raw), run_as_root=True, - privsep_exec=True, log_fail_as_error=False, return_value='') + process_input=self._regex(v4_filter + nat + raw), + run_as_root=True, + privsep_exec=True, + log_fail_as_error=False, + return_value='') self._register_mock_call( ['ip6tables-save'], run_as_root=True, privsep_exec=True, return_value='') self._register_mock_call( ['ip6tables-restore', '-n'], - process_input=self._regex(v6_filter + raw), run_as_root=True, - privsep_exec=True, log_fail_as_error=False, return_value='') + process_input=self._regex(v6_filter + nat + raw), + run_as_root=True, + privsep_exec=True, + log_fail_as_error=False, + return_value='') def test_prepare_remove_port(self): self.ipconntrack._device_zone_map = {} @@ -2947,9 +3001,9 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): 'devices': self.devices1, 'security_groups': {}, 'sg_member_ips': {}} self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.agent.remove_devices_filter(['tap_port1']) 
@@ -2961,17 +3015,17 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): 'devices': self.devices1, 'security_groups': {}, 'sg_member_ips': {}} self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.rpc.security_group_info_for_devices.return_value = { @@ -2994,10 +3048,10 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase): 'sg_member_ips': {}} self._replay_iptables( IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self._replay_iptables( IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.rpc.security_group_info_for_devices.return_value = { 
@@ -3082,9 +3136,9 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables( self.ipconntrack._device_zone_map = {} self.sg_info.return_value = self.devices_info1 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.agent.remove_devices_filter(['tap_port1']) @@ -3094,17 +3148,17 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables( def test_security_group_member_updated(self): self.sg_info.return_value = self.devices_info1 self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.sg_info.return_value = self.devices_info2 
@@ -3123,10 +3177,10 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables( self.sg_info.return_value = self.devices_info2 self._replay_iptables( IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self._replay_iptables( IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.sg_info.return_value = self.devices_info3 @@ -3151,9 +3205,9 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables( self.ipconntrack._device_zone_map = {} self.sg_info.return_value = self.devices_info1 self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.agent.remove_devices_filter(['tap_port1']) 
@@ -3165,17 +3219,17 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables( self.ipset._get_new_set_ips = mock.Mock(return_value=['10.0.0.3']) self.ipset._get_deleted_set_ips = mock.Mock(return_value=[]) self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_2) self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_BRIDGE_NET_1) + IPTABLES_RAW_BRIDGE_NET_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.sg_info.return_value = self.devices_info2 @@ -3196,10 +3250,10 @@ class TestSecurityGroupAgentEnhancedIpsetWithIptables( self.sg_info.return_value = self.devices_info2 self._replay_iptables( IPSET_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self._replay_iptables( IPSET_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_BRIDGE_NET_2) + IPTABLES_RAW_BRIDGE_NET_2, IPTABLES_NAT_3) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.sg_info.return_value = self.devices_info3 
@@ -3281,9 +3335,9 @@ class TestSecurityGroupAgentWithOVSIptables( 'devices': self.devices1, 'security_groups': {}, 'sg_member_ips': {}} self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_DEVICE_1) + IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.agent.remove_devices_filter(['tap_port1']) @@ -3297,9 +3351,9 @@ class TestSecurityGroupAgentWithOVSIptables( 'devices': self.devices1, 'security_groups': {}, 'sg_member_ips': {}} self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.agent.remove_devices_filter(['tap_port1']) 
@@ -3312,17 +3366,17 @@ class TestSecurityGroupAgentWithOVSIptables( 'devices': self.devices1, 'security_groups': {}, 'sg_member_ips': {}} self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_DEVICE_1) + IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_DEVICE_1) + IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_DEVICE_2) + IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2, - IPTABLES_RAW_DEVICE_2) + IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_2) self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1, - IPTABLES_RAW_DEVICE_1) + IPTABLES_RAW_DEVICE_1, IPTABLES_NAT_1) self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY, - IPTABLES_RAW_DEFAULT) + IPTABLES_RAW_DEFAULT, IPTABLES_NAT_EMPTY) self.agent.prepare_devices_filter(['tap_port1']) self.rpc.security_group_info_for_devices.return_value = { @@ -3346,10 +3400,10 @@ class TestSecurityGroupAgentWithOVSIptables( 'sg_member_ips': {}} self._replay_iptables( IPTABLES_FILTER_2_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_DEVICE_2) + IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_3) self._replay_iptables( IPTABLES_FILTER_2_3_TRUSTED, IPTABLES_FILTER_V6_2_TRUSTED, - IPTABLES_RAW_DEVICE_2) + IPTABLES_RAW_DEVICE_2, IPTABLES_NAT_3) self.agent.prepare_devices_filter(['tap_port1', 'tap_port3']) self.rpc.security_group_info_for_devices.return_value = {