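def _check_compute_node_nat_table(self, ns_q, ns_fip):
    """Check the snat rules of the nat table in the given namespace.

    The checks run in order and the first failure returns False:

    1. every chain in ``chains`` exists in the nat table (a missing
       chain is reported with ``warn`` and fails the check; a policy
       other than ACCEPT is only reported, it does not fail the check);
    2. ``neutron-postrouting-bottom``, ``OUTPUT`` and
       ``neutron-l3-agent-snat`` each hold exactly one rule;
    3. the built-in chains jump into the matching
       ``neutron-l3-agent-*`` chains, and ``POSTROUTING`` also jumps to
       ``neutron-postrouting-bottom``;
    4. ``neutron-l3-agent-POSTROUTING`` has, for every ``rfp-*``
       interface, an ACCEPT rule for traffic neither entering nor leaving
       that interface and not in ctstate DNAT;
    5. the per-interface rules are delegated to
       ``_check_compute_node_nat_rules``.

    :param ns_q: namespace identifier handed to ``IPtables`` and
                 ``NameSpace`` (the router namespace whose nat table is
                 inspected)
    :param ns_fip: passed through unchanged to
                   ``_check_compute_node_nat_rules``
    :return: True when every check passes, False at the first failure
    """

    def _jump_rule(target):
        # A "match anything, jump to <target>" rule: wildcard interface,
        # address and protocol fields are spelled '*' by the rule parser.
        return {
            'in': '*',
            'source': '*',
            'out': '*',
            'destination': '*',
            'target': target,
            'prot': '*',
        }

    ipt = IPtables(ns_q)
    nat = ipt.get_table(table='nat')

    chains = [
        'neutron-postrouting-bottom',
        'neutron-l3-agent-OUTPUT',
        'POSTROUTING',
        'neutron-l3-agent-PREROUTING',
        'PREROUTING',
        'neutron-l3-agent-float-snat',
        'OUTPUT',
        'INPUT',
        'neutron-l3-agent-POSTROUTING',
        'neutron-l3-agent-snat',
    ]
    for c_name in chains:
        c = nat.get_chain(c_name)
        if not c:
            warn(r("Not found chain %s\n" % c_name))
            return False
        # A non-ACCEPT policy is reported but deliberately not fatal.
        if c.get_policy() != 'ACCEPT':
            warn(r("Chain %s's policy is not ACCEPT\n" % c.name))

    # These chains are expected to contain exactly one rule each.
    for c_name in [
        'neutron-postrouting-bottom',
        'OUTPUT',
        'neutron-l3-agent-snat',
    ]:
        if not self._check_chain_rule_num(nat, c_name, 1):
            return False

    # (chain, jump target) pairs, checked in this order.
    expected_jumps = [
        ('neutron-postrouting-bottom', 'neutron-l3-agent-snat'),
        ('PREROUTING', 'neutron-l3-agent-PREROUTING'),
        ('OUTPUT', 'neutron-l3-agent-OUTPUT'),
        ('POSTROUTING', 'neutron-l3-agent-POSTROUTING'),
        ('POSTROUTING', 'neutron-postrouting-bottom'),
    ]
    for c_name, target in expected_jumps:
        if not self._check_chain_has_rule(nat, c_name, _jump_rule(target)):
            return False

    # One NameSpace handle serves both interface lookups.
    ns = NameSpace(ns_q)
    rfp_intfs = ns.find_intfs('rfp-')
    c_name = 'neutron-l3-agent-POSTROUTING'
    for intf in rfp_intfs:
        rule = {
            'in': '!' + intf['intf'],
            'source': '*',
            'out': '!' + intf['intf'],
            'destination': '*',
            'target': 'ACCEPT',
            'prot': '*',
            'flags': '! ctstate DNAT',
        }
        if not self._check_chain_has_rule(nat, c_name, rule):
            return False

    qr_intfs = ns.find_intfs('qr-')
    if not self._check_compute_node_nat_rules(qr_intfs, rfp_intfs, nat, ns_fip):
        return False
    return True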