diff options
| author | Jenkins <jenkins@review.openstack.org> | 2015-10-09 01:51:57 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2015-10-09 01:51:57 +0000 |
| commit | b085857829a45d1818c404d8b54cb5fdd643ab01 (patch) | |
| tree | 56c15b0b5b123d2ec4447aa0e45be8f1f40baa29 | |
| parent | f0bb982bfc81bb7c5bafde1430c51bea8f8ab9c9 (diff) | |
| parent | 58904f3626cdf09006bbb8ac9e60f9a24298f01e (diff) | |
| download | neutron-b085857829a45d1818c404d8b54cb5fdd643ab01.tar.gz | |
Merge "Process user iptables rules before INVALID" into stable/juno
| -rw-r--r-- | neutron/agent/linux/iptables_firewall.py | 2 | ||||
| -rw-r--r-- | neutron/tests/unit/test_iptables_firewall.py | 54 | ||||
| -rw-r--r-- | neutron/tests/unit/test_security_groups_rpc.py | 64 |
3 files changed, 60 insertions, 60 deletions
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 44d2ebfe1d..94672ec73f 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -425,7 +425,6 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _convert_sgr_to_iptables_rules(self, security_group_rules): iptables_rules = [] - self._drop_invalid_packets(iptables_rules) self._allow_established(iptables_rules) for rule in security_group_rules: if self.enable_ipset: @@ -454,6 +453,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): args += ['-j RETURN'] iptables_rules += [' '.join(args)] + self._drop_invalid_packets(iptables_rules) iptables_rules += ['-j $sg-fallback'] return iptables_rules diff --git a/neutron/tests/unit/test_iptables_firewall.py b/neutron/tests/unit/test_iptables_firewall.py index 2279923a02..77a4914af8 100644 --- a/neutron/tests/unit/test_iptables_firewall.py +++ b/neutron/tests/unit/test_iptables_firewall.py @@ -84,10 +84,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged ' '-j $ifake_dev'), mock.call.add_rule( - 'ifake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ifake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule('FORWARD', @@ -116,10 +116,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP'), mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT')] @@ -844,16 +844,16 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): mock.call.add_rule('ifake_dev', '-p icmpv6 --icmpv6-type %s -j RETURN' % icmp6_type)) - calls += [mock.call.add_rule('ifake_dev', - '-m state --state INVALID -j DROP'), - mock.call.add_rule( + calls += [mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN')] if ingress_expected_call: calls.append(ingress_expected_call) - calls += [mock.call.add_rule('ifake_dev', '-j $sg-fallback'), + calls += [mock.call.add_rule('ifake_dev', + '-m state --state INVALID -j DROP'), + mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule('FORWARD', '-m physdev --physdev-in tapfake_dev ' @@ -885,15 +885,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-p udp -m udp --sport 547 --dport 546 -j DROP')) calls += [mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN')] if egress_expected_call: calls.append(egress_expected_call) - calls += [mock.call.add_rule('ofake_dev', '-j $sg-fallback'), + calls += [mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), + mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT')] filter_inst.assert_has_calls(calls) @@ -923,11 +923,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '-m physdev --physdev-out tapfake_dev ' '--physdev-is-bridged -j $ifake_dev'), mock.call.add_rule( - 'ifake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), mock.call.add_rule('ifake_dev', '-j RETURN'), + mock.call.add_rule( + 'ifake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule( @@ -956,10 +956,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP'), mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT'), mock.call.ensure_remove_chain('ifake_dev'), @@ -978,10 +978,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged -j $ifake_dev'), mock.call.add_rule( 'ifake_dev', - '-m state --state INVALID -j DROP'), + '-m state --state RELATED,ESTABLISHED -j RETURN'), mock.call.add_rule( 'ifake_dev', - '-m state --state RELATED,ESTABLISHED -j RETURN'), + '-m state --state INVALID -j DROP'), mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule( @@ -1010,11 +1010,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP'), mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), mock.call.add_rule('ofake_dev', '-j RETURN'), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT'), mock.call.ensure_remove_chain('ifake_dev'), @@ -1130,10 +1130,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged ' '-j $ifake_dev'), mock.call.add_rule( - 'ifake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ifake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule('FORWARD', @@ -1166,10 +1166,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP'), mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT')] self.v4filter_inst.assert_has_calls(calls) @@ -1193,10 +1193,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): '--physdev-is-bridged ' '-j $ifake_dev'), mock.call.add_rule( - 'ifake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ifake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ifake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ifake_dev', '-j $sg-fallback'), mock.call.add_chain('ofake_dev'), mock.call.add_rule('FORWARD', @@ -1224,10 +1224,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): 'ofake_dev', '-p udp -m udp --sport 67 --dport 68 -j DROP'), mock.call.add_rule( - 'ofake_dev', '-m state --state INVALID -j DROP'), - mock.call.add_rule( 'ofake_dev', '-m state --state RELATED,ESTABLISHED -j RETURN'), + mock.call.add_rule( + 'ofake_dev', '-m state --state INVALID -j DROP'), mock.call.add_rule('ofake_dev', '-j $sg-fallback'), mock.call.add_rule('sg-chain', '-j ACCEPT')] self.v4filter_inst.assert_has_calls(calls) diff --git a/neutron/tests/unit/test_security_groups_rpc.py b/neutron/tests/unit/test_security_groups_rpc.py index 651e5e5503..79866409d4 100644 --- a/neutron/tests/unit/test_security_groups_rpc.py +++ b/neutron/tests/unit/test_security_groups_rpc.py @@ -1776,13 +1776,13 @@ IPSET_FILTER_1 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -m set --match-set NETIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1796,9 +1796,9 @@ RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -1828,11 +1828,11 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1846,9 +1846,9 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -1879,12 +1879,12 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1898,9 +1898,9 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -1935,13 +1935,13 @@ IPSET_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -m set --match-set NETIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1955,21 +1955,21 @@ RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port2 -m set --match-set NETIPv4security_group1 src -j \ RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -1983,9 +1983,9 @@ RETURN [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port2 -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2018,7 +2018,6 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN @@ -2026,6 +2025,7 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_port1 -m set --match-set NETIPv4security_group1 src -j \ RETURN [0:0] -A %(bn)s-i_port1 -p icmp -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2039,15 +2039,14 @@ RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN @@ -2055,6 +2054,7 @@ RETURN [0:0] -A %(bn)s-i_port2 -m set --match-set NETIPv4security_group1 src -j \ RETURN [0:0] -A %(bn)s-i_port2 -p icmp -j RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2068,9 +2068,9 @@ RETURN [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port2 -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2103,12 +2103,12 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2122,20 +2122,20 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2149,9 +2149,9 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port2 -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2184,11 +2184,11 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2202,20 +2202,20 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2229,9 +2229,9 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port2 -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2264,13 +2264,13 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-i_port1 -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port1 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port1 -s 10.0.0.4/32 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmp -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2284,21 +2284,21 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port1 -j %(bn)s-s_port1 [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port1 -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain [0:0] -A %(bn)s-sg-chain %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-i_port2 -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.2/32 -p udp -m udp --sport 67 --dport 68 \ -j RETURN [0:0] -A %(bn)s-i_port2 -p tcp -m tcp --dport 22 -j RETURN [0:0] -A %(bn)s-i_port2 -s 10.0.0.3/32 -j RETURN [0:0] -A %(bn)s-i_port2 -p icmp -j RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2312,9 +2312,9 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A %(bn)s-o_port2 -j %(bn)s-s_port2 [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 67 --dport 68 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN [0:0] -A %(bn)s-o_port2 -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2371,8 +2371,8 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2383,8 +2383,8 @@ IPTABLES_FILTER_V6_1 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT @@ -2423,8 +2423,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_port1 -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port1 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2435,8 +2435,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port1 -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_port1 -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_port1 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port1 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-INGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2447,8 +2447,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 132 -j RETURN [0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 135 -j RETURN [0:0] -A %(bn)s-i_port2 -p icmpv6 --icmpv6-type 136 -j RETURN -[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-i_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-i_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_port2 \ %(physdev_is_bridged)s -j %(bn)s-sg-chain @@ -2459,8 +2459,8 @@ IPTABLES_FILTER_V6_2 = """# Generated by iptables_manager [0:0] -A %(bn)s-o_port2 -p icmpv6 -j RETURN [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 546 --dport 547 -j RETURN [0:0] -A %(bn)s-o_port2 -p udp -m udp --sport 547 --dport 546 -j DROP -[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -m state --state RELATED,ESTABLISHED -j RETURN +[0:0] -A %(bn)s-o_port2 -m state --state INVALID -j DROP [0:0] -A %(bn)s-o_port2 -j %(bn)s-sg-fallback [0:0] -A %(bn)s-sg-chain -j ACCEPT COMMIT |