File nova-network-filter-bnc777488.patch of Package openstack-nova

Index: nova-2014.2.3.dev53/nova/network/linux_net.py
===================================================================
--- nova-2014.2.3.dev53.orig/nova/network/linux_net.py
+++ nova-2014.2.3.dev53/nova/network/linux_net.py
@@ -365,6 +365,9 @@ class IptablesManager(object):
         # among the various nova components. It sits at the very top
         # of FORWARD and OUTPUT.
         for tables in [self.ipv4, self.ipv6]:
+            tables['filter'].add_chain('nova-filter-FORWARD-sitelocl', wrap=False)
+            tables['filter'].add_rule('FORWARD', '-j nova-filter-FORWARD-sitelocl', wrap=False, top=True)
+
             tables['filter'].add_chain('nova-filter-top', wrap=False)
             tables['filter'].add_rule('FORWARD', '-j nova-filter-top',
                                       wrap=False, top=True)
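Review bot: The context comment above this loop still says nova-filter-top "sits at the very top of FORWARD and OUTPUT", but the added jump to `nova-filter-FORWARD-sitelocl` is now expected ahead of it in FORWARD (the updated fixture in test_iptables_network.py shows that order), and the new lines carry no comment saying what the chain is for. Because the chain is evaluated first, any terminating target placed in it decides forwarded traffic before nova's own filter chains are consulted, in both the IPv4 and IPv6 tables. I would add a comment such as `# Site-local hook: evaluated before nova-filter-top in FORWARD; a terminating rule here pre-empts nova's filter chains.` and narrow the older comment to say nova-filter-top tops OUTPUT only. The hunk creates the chain empty, so who populates it, and whether those rules survive the manager's next apply, cannot be judged from here. The enclosing method starts and ends outside the hunk.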
Index: nova-2014.2.3.dev53/nova/tests/test_iptables_network.py
===================================================================
--- nova-2014.2.3.dev53.orig/nova/tests/test_iptables_network.py
+++ nova-2014.2.3.dev53/nova/tests/test_iptables_network.py
@@ -35,6 +35,8 @@ class IptablesManagerTestCase(test.NoDBT
                      ':%s-local - [0:0]' % (binary_name),
                      ':%s-OUTPUT - [0:0]' % (binary_name),
                      ':nova-filter-top - [0:0]',
+                     ':nova-filter-FORWARD-sitelocl - [0:0]',
+                     '[0:0] -A FORWARD -j nova-filter-FORWARD-sitelocl',
                      '[0:0] -A FORWARD -j nova-filter-top',
                      '[0:0] -A OUTPUT -j nova-filter-top',
                      '[0:0] -A nova-filter-top -j %s-local' % (binary_name),
@@ -208,7 +210,15 @@ class IptablesManagerTestCase(test.NoDBT
                             "Duplicate line: %s" % line)
             seen_lines.add(line)
 
-        for chain in ['FORWARD', 'OUTPUT']:
+        for chain in ['FORWARD']:
+            for line in new_lines:
+                if line.startswith('[0:0] -A %s' % chain):
+                    self.assertTrue('-j nova-filter-FORWARD-sitelocl' in line,
+                                    "First %s rule does not "
+                                    "jump to nova-filter-FORWARD-sitelocl" % chain)
+                    break
+
+        for chain in ['OUTPUT']:
             for line in new_lines:
                 if line.startswith('[0:0] -A %s' % chain):
                     self.assertTrue('-j nova-filter-top' in line,
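Review bot: After this split, nothing in the FORWARD branch checks that `-j nova-filter-top` still follows the new site-local jump, so a regression that drops or reorders nova's own top-level jump in FORWARD would pass this test. The `for chain in ['FORWARD']:` wrapper is also a one-element loop kept only to mirror the old shape. Assuming the intended order is site-local first and nova-filter-top second, the block could become `forward = [l for l in new_lines if l.startswith('[0:0] -A FORWARD')]`, `self.assertIn('-j nova-filter-FORWARD-sitelocl', forward[0])` and `self.assertIn('-j nova-filter-top', forward[1])`. The test method begins before the hunk and the OUTPUT assertion continues past it.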
@@ -247,7 +257,7 @@ class IptablesManagerTestCase(test.NoDBT
     def test_iptables_top_order(self):
         # Test iptables_top_regex
         current_lines = list(self.sample_filter)
-        current_lines[12:12] = ['[0:0] -A FORWARD -j iptables-top-rule']
+        current_lines[13:13] = ['[0:0] -A FORWARD -j iptables-top-rule']
         self.flags(iptables_top_regex='-j iptables-top-rule')
         new_lines = self.manager._modify_rules(current_lines,
                                                self.manager.ipv4['filter'],
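Review bot: The slice `current_lines[13:13]` is a bare offset into `self.sample_filter` that had to be bumped by hand only because the fixture grew; the same applies to `[28:28]` in test_iptables_bottom_order and to `[13:13]` and `[29:29]` in test_iptables_preserve_order. Nothing states which fixture line each insertion is meant to sit next to, so a later fixture change can silently move the injected rule to a position where the top/bottom regex ordering is no longer exercised. A short comment such as `# insert ahead of the first FORWARD rule in sample_filter` would make the intent checkable, though its wording needs confirming against the fixture, which is outside these hunks. Deriving the index from the fixture contents would serve the same purpose. Each test method continues past its hunk.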
@@ -257,7 +267,7 @@ class IptablesManagerTestCase(test.NoDBT
     def test_iptables_bottom_order(self):
         # Test iptables_bottom_regex
         current_lines = list(self.sample_filter)
-        current_lines[26:26] = ['[0:0] -A FORWARD -j iptables-bottom-rule']
+        current_lines[28:28] = ['[0:0] -A FORWARD -j iptables-bottom-rule']
         self.flags(iptables_bottom_regex='-j iptables-bottom-rule')
         new_lines = self.manager._modify_rules(current_lines,
                                                self.manager.ipv4['filter'],
@@ -267,8 +277,8 @@ class IptablesManagerTestCase(test.NoDBT
     def test_iptables_preserve_order(self):
         # Test both iptables_top_regex and iptables_bottom_regex
         current_lines = list(self.sample_filter)
-        current_lines[12:12] = ['[0:0] -A FORWARD -j iptables-top-rule']
-        current_lines[27:27] = ['[0:0] -A FORWARD -j iptables-bottom-rule']
+        current_lines[13:13] = ['[0:0] -A FORWARD -j iptables-top-rule']
+        current_lines[29:29] = ['[0:0] -A FORWARD -j iptables-bottom-rule']
         self.flags(iptables_top_regex='-j iptables-top-rule')
         self.flags(iptables_bottom_regex='-j iptables-bottom-rule')
         new_lines = self.manager._modify_rules(current_lines,