# HG changeset patch
# User Girish Moodalbail
# Date 1414602509 25200
# Node ID 40c3d53194f6bb74d0b35e0121f569217b1c3ba9
# Parent 6c1c26005852a353a7f467b8aa07ca0fb418eeec
19898528 PBR rule must not forward packets addressed to internal default gateway
diff -r 6c1c26005852 -r 40c3d53194f6 components/openstack/neutron/files/agent/evs_l3_agent.py
--- a/components/openstack/neutron/files/agent/evs_l3_agent.py Wed Oct 29 00:53:18 2014 -0700
+++ b/components/openstack/neutron/files/agent/evs_l3_agent.py Wed Oct 29 10:08:29 2014 -0700
@@ -264,8 +264,9 @@
  # Routing (PBR) rule
  for port in ri.internal_ports:
  internal_dlname = self.get_internal_device_name(port['id'])
- rules = ['pass in on %s to %s:%s from any to any' % (internal_dlname, external_dlname, gw_ip)]
+ rules = ['pass in on %s to %s:%s from any to !%s' %
+ (internal_dlname, external_dlname, gw_ip,
+ port['subnet']['cidr'])]
  ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
  ri.ipfilters_manager.add_ipf_rules(rules, ipversion)
@@ -277,8 +278,9 @@
  # remove PBR rules
  for port in ri.internal_ports:
  internal_dlname = self.get_internal_device_name(port['id'])
- rules = ['pass in on %s to %s:%s from any to any' % (internal_dlname, external_dlname, gw_ip)]
+ rules = ['pass in on %s to %s:%s from any to !%s' %
+ (internal_dlname, external_dlname, gw_ip,
+ port['subnet']['cidr'])]
  ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
  ri.ipfilters_manager.remove_ipf_rules(rules, ipversion)
@@ -359,8 +361,9 @@
  ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None)
  if ex_gw_ip:
  external_dlname = self.get_external_device_name(ex_gw_port['id'])
- rules.append('pass in on %s to %s:%s from any to any' % (internal_dlname, external_dlname, ex_gw_ip))
+ rules.append('pass in on %s to %s:%s from any to !%s' %
+ (internal_dlname, external_dlname, ex_gw_ip,
+ port_subnet))
  ipversion = netaddr.IPNetwork(port_subnet).version
  ri.ipfilters_manager.add_ipf_rules(rules, ipversion)
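Review bot: The negated destination added in the first hunk, `to !port['subnet']['cidr']`, only exempts the port's own subnet, so a packet from this internal port addressed to a sibling internal subnet of the same router still matches the PBR rule and is sent to the external gateway `external_dlname:gw_ip` rather than being routed locally; the same applies to the rules built in the hunks at 277, 359 and 384. If the router is meant to route between its internal networks (I cannot tell from these hunks whether that traffic is handled by another rule), the exemption should cover every subnet in `ri.internal_ports`, not just the current one. A second consequence worth a comment near the remove loop at 277: a router whose rules were installed in the old `from any to any` form before this change will no longer have them matched by `remove_ipf_rules`, so the old rule can linger until the ipf rule set is reset, e.g. `# NOTE: rule text must match the string used by add_ipf_rules exactly; rules installed by an older agent in the 'to any' form are not removed here`. The functions enclosing all four hunks start and end outside the hunks.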
@@ -384,8 +387,9 @@
  ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None)
  if ex_gw_ip:
  external_dlname = self.get_external_device_name(ex_gw_port['id'])
- rules.append('pass in on %s to %s:%s from any to any' % (internal_dlname, external_dlname, ex_gw_ip))
+ rules.append('pass in on %s to %s:%s from any to !%s' %
+ (internal_dlname, external_dlname, ex_gw_ip,
+ port_subnet))
  ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version
  ri.ipfilters_manager.remove_ipf_rules(rules, ipversion)
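Review bot: This is the fourth copy of the same rule format string, and `remove_ipf_rules` can only undo what `add_ipf_rules` installed if the two copies stay byte-identical — the very edit this commit makes shows how easily they drift. Building the text in one place, e.g. `def _pbr_rule(self, internal_dlname, external_dlname, gw_ip, cidr):` / `    return 'pass in on %s to %s:%s from any to !%s' % (internal_dlname, external_dlname, gw_ip, cidr)`, and calling it from all four sites keeps add and remove in step. Unrelated to the new lines but visible here: this hunk derives `ipversion` from `port['subnet']['cidr']` while the rule uses `port_subnet` and the sibling hunk at 359 uses `port_subnet` for both; presumably they hold the same value, but using one name in both places would make that obvious. The enclosing function starts and ends outside the hunk.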