yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1523835] Re: egress sg_rule use 'dest_ip_prefix' but not 'source_ip_prefix'

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1523835@xxxxxxxxxxxxxxxxxx>
Date: Fri, 31 Mar 2017 19:26:29 -0000
Reply-to: Bug 1523835 <1523835@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/254598
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c20ad344da1f51617e631c1768b645ed1e01c1fc
Submitter: Jenkins
Branch:    master

commit c20ad344da1f51617e631c1768b645ed1e01c1fc
Author: yujie <yujie@xxxxxxxxxxxxxxxxxxxx>
Date:   Wed May 18 19:56:04 2016 +0800

    Egress sg_rules should get 'prefix' from 'dest_ip_prefix'
    
    When adding an egress rule to sg assigned remote CIDR, vms using
    this sg will add a rule in iptables like -oxxxxxxxx-x -d CIDR.
    But test cases for egress with prefix always using -s CIDR, which
    is not correct.
    
    Closes-Bug: #1523835
    Change-Id: Ifabfe3278aa0516a222f71153e47149ff4562d5e


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1523835

Title:
  egress sg_rule use 'dest_ip_prefix' but not 'source_ip_prefix'

Status in neutron:
  Fix Released

Bug description:
  When we add sg_rule, if it is an ingress rule, the remote CIRD
  x.x.x.x/x means traffic from source ip belong to the CIRD  satisfy
  this rule; if it is an egress rule, the remote CIRD x.x.x.x/x means
  traffic to dest ip belong to the CIRD satisfy this rule.

  But the test cases for sg egress rule in
  neutron/tests/unit/agent/linux/test_iptables_firewall.py  using wrong
  prefix to add_rule. Which should be fixed. Take one for example:

  def test_filter_ipv4_egress_prefix(self):
          prefix = FAKE_PREFIX['IPv4']
          rule = {'ethertype': 'IPv4',
                  'direction': 'egress',
                  'source_ip_prefix': prefix}
          egress = mock.call.add_rule(
              'ofake_dev', '-s %s -j RETURN' % prefix, comment=None)
          ingress = None
          self._test_prepare_port_filter(rule, ingress, egress)

    'source_ip_prefix'  should changes to 'dest_ip_prefix'.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1523835/+subscriptions

References

[Bug 1523835] [NEW] Call fun _ip_prefix_arg twice but only one play a role
From: yujie, 2015-12-08