{"sha":"a418da89c11d9f1a15c7880c443c84a2afed84d7","node_id":"C_kwDOACSgIdoAKGE0MThkYTg5YzExZDlmMWExNWM3ODgwYzQ0M2M4NGEyYWZlZDg0ZDc","commit":{"author":{"name":"Zuul","email":"zuul@review.opendev.org","date":"2024-04-24T10:44:10Z"},"committer":{"name":"Gerrit Code Review","email":"review@openstack.org","date":"2024-04-24T10:44:10Z"},"message":"Merge \"Use the system-dependent string for IP protocol 4\" into stable/zed","tree":{"sha":"ca27f2267c1c12fdb6b2b49bd2408a6299b5b99e","url":"https://api.github.com/repos/openstack/neutron/git/trees/ca27f2267c1c12fdb6b2b49bd2408a6299b5b99e"},"url":"https://api.github.com/repos/openstack/neutron/git/commits/a418da89c11d9f1a15c7880c443c84a2afed84d7","comment_count":0,"verification":{"verified":false,"reason":"unsigned","signature":null,"payload":null,"verified_at":null}},"url":"https://api.github.com/repos/openstack/neutron/commits/a418da89c11d9f1a15c7880c443c84a2afed84d7","html_url":"https://github.com/openstack/neutron/commit/a418da89c11d9f1a15c7880c443c84a2afed84d7","comments_url":"https://api.github.com/repos/openstack/neutron/commits/a418da89c11d9f1a15c7880c443c84a2afed84d7/comments","author":null,"committer":{"login":"openstack-gerrit","id":903479,"node_id":"MDQ6VXNlcjkwMzQ3OQ==","avatar_url":"https://avatars.githubusercontent.com/u/903479?v=4","gravatar_id":"","url":"https://api.github.com/users/openstack-gerrit","html_url":"https://github.com/openstack-gerrit","followers_url":"https://api.github.com/users/openstack-gerrit/followers","following_url":"https://api.github.com/users/openstack-gerrit/following{/other_user}","gists_url":"https://api.github.com/users/openstack-gerrit/gists{/gist_id}","starred_url":"https://api.github.com/users/openstack-gerrit/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/openstack-gerrit/subscriptions","organizations_url":"https://api.github.com/users/openstack-gerrit/orgs","repos_url":"https://api.github.com/users/openstack-gerrit/repos","events_url":"https://api.github.com/users/openstack-gerrit/events{/privacy}","received_events_url":"https://api.github.com/users/openstack-gerrit/received_events","type":"User","user_view_type":"public","site_admin":false},"parents":[{"sha":"49ba6c24732ffbe7b156e9989c5efb13fa810a1b","url":"https://api.github.com/repos/openstack/neutron/commits/49ba6c24732ffbe7b156e9989c5efb13fa810a1b","html_url":"https://github.com/openstack/neutron/commit/49ba6c24732ffbe7b156e9989c5efb13fa810a1b"},{"sha":"386ebde547419a3cd2ba9e2228da000cf43bfa17","url":"https://api.github.com/repos/openstack/neutron/commits/386ebde547419a3cd2ba9e2228da000cf43bfa17","html_url":"https://github.com/openstack/neutron/commit/386ebde547419a3cd2ba9e2228da000cf43bfa17"}],"stats":{"total":40,"additions":25,"deletions":15},"files":[{"sha":"54200a10a7e155e97454949930410fe992019671","filename":"neutron/agent/linux/iptables_firewall.py","status":"modified","additions":8,"deletions":4,"changes":12,"blob_url":"https://github.com/openstack/neutron/blob/a418da89c11d9f1a15c7880c443c84a2afed84d7/neutron%2Fagent%2Flinux%2Fiptables_firewall.py","raw_url":"https://github.com/openstack/neutron/raw/a418da89c11d9f1a15c7880c443c84a2afed84d7/neutron%2Fagent%2Flinux%2Fiptables_firewall.py","contents_url":"https://api.github.com/repos/openstack/neutron/contents/neutron%2Fagent%2Flinux%2Fiptables_firewall.py?ref=a418da89c11d9f1a15c7880c443c84a2afed84d7","patch":"@@ -775,10 +775,14 @@ def _protocol_name_map(self):\n if not self._iptables_protocol_name_map:\n tmp_map = constants.IPTABLES_PROTOCOL_NAME_MAP.copy()\n tmp_map.update(self._local_protocol_name_map())\n- # TODO(haleyb): remove once neutron-lib with fix is available\n- # - 'ipip' uses 'ipencap' to match IPPROTO_IPIP from in.h,\n- # which is IP-ENCAP/'4' in /etc/protocols (see bug #2054324)\n- tmp_map[constants.PROTO_NAME_IPIP] = 'ipencap'\n+ # iptables-save uses different strings for 'ipip' (protocol 4)\n+ # depending on the distro, which corresponds to the entry for\n+ # '4' in /etc/protocols. For example:\n+ # - 'ipencap' in Ubuntu\n+ # - 'ipv4' in CentOS/Fedora\n+ # For this reason, we need to map the string for 'ipip' to the\n+ # system-dependent string for '4', see bug #2054324.\n+ tmp_map[constants.PROTO_NAME_IPIP] = tmp_map['4']\n self._iptables_protocol_name_map = tmp_map\n return self._iptables_protocol_name_map\n "},{"sha":"35b1e9ba2f88e51ba3e465daa345753ea9c3bfea","filename":"neutron/tests/unit/agent/linux/test_iptables_firewall.py","status":"modified","additions":17,"deletions":11,"changes":28,"blob_url":"https://github.com/openstack/neutron/blob/a418da89c11d9f1a15c7880c443c84a2afed84d7/neutron%2Ftests%2Funit%2Fagent%2Flinux%2Ftest_iptables_firewall.py","raw_url":"https://github.com/openstack/neutron/raw/a418da89c11d9f1a15c7880c443c84a2afed84d7/neutron%2Ftests%2Funit%2Fagent%2Flinux%2Ftest_iptables_firewall.py","contents_url":"https://api.github.com/repos/openstack/neutron/contents/neutron%2Ftests%2Funit%2Fagent%2Flinux%2Ftest_iptables_firewall.py?ref=a418da89c11d9f1a15c7880c443c84a2afed84d7","patch":"@@ -490,37 +490,43 @@ def test_filter_ipv4_ingress_protocol_encap_by_num(self):\n self._test_prepare_port_filter(rule, ingress, egress)\n \n def test_filter_ipv4_ingress_protocol_ipip(self):\n- # 'ipip' via the API uses 'ipencap' to match what iptables-save\n- # uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)\n+ # We want to use what the system-dependent string here is for 'ipip',\n+ # as it could be 'ipencap' or 'ipv4' depending on the distro.\n+ # See bug #2054324.\n rule = {'ethertype': 'IPv4',\n 'direction': 'ingress',\n 'protocol': 'ipip'}\n+ expected_proto_name = self.firewall._iptables_protocol_name('ipip')\n ingress = mock.call.add_rule('ifake_dev',\n- '-p ipencap -j RETURN',\n+ '-p %s -j RETURN' % expected_proto_name,\n top=False, comment=None)\n egress = None\n self._test_prepare_port_filter(rule, ingress, egress)\n \n- def test_filter_ipv4_ingress_protocol_ipip_by_num(self):\n- # '4' via the API uses 'ipencap' to match what iptables-save\n- # uses, which is IP-ENCAP/'4' from /etc/protocols (see bug #2054324)\n+ def test_filter_ipv4_ingress_protocol_4(self):\n+ # We want to use what the system-dependent string here is for '4',\n+ # as it could be 'ipencap' or 'ipv4' depending on the distro.\n+ # See bug #2054324.\n rule = {'ethertype': 'IPv4',\n 'direction': 'ingress',\n 'protocol': '4'}\n+ expected_proto_name = self.firewall._iptables_protocol_name('4')\n ingress = mock.call.add_rule('ifake_dev',\n- '-p ipencap -j RETURN',\n+ '-p %s -j RETURN' % expected_proto_name,\n top=False, comment=None)\n egress = None\n self._test_prepare_port_filter(rule, ingress, egress)\n \n- def test_filter_ipv4_ingress_protocol_ipencap_by_num(self):\n- # '94' via the API uses 'ipip' to match what iptables-save\n- # uses, which is IPIP/'94' from /etc/protocols (see bug #2054324)\n+ def test_filter_ipv4_ingress_protocol_94(self):\n+ # We want to use what the system-dependent string here is for '94',\n+ # as it could be 'ipip' or something else depending on the distro.\n+ # See bug #2054324.\n rule = {'ethertype': 'IPv4',\n 'direction': 'ingress',\n 'protocol': '94'}\n+ expected_proto_name = self.firewall._iptables_protocol_name('94')\n ingress = mock.call.add_rule('ifake_dev',\n- '-p ipip -j RETURN',\n+ '-p %s -j RETURN' % expected_proto_name,\n top=False, comment=None)\n egress = None\n self._test_prepare_port_filter(rule, ingress, egress)"}]}