Merge "use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib"
commit
20760bcdf5
@ -23,11 +23,8 @@ from neutron_lib import constants as n_const
|
||||
from neutron_lib.utils import runtime
|
||||
|
||||
|
||||
INGRESS_DIRECTION = n_const.INGRESS_DIRECTION
|
||||
EGRESS_DIRECTION = n_const.EGRESS_DIRECTION
|
||||
|
||||
DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
|
||||
EGRESS_DIRECTION: 'dest_ip_prefix'}
|
||||
DIRECTION_IP_PREFIX = {n_const.INGRESS_DIRECTION: 'source_ip_prefix',
|
||||
n_const.EGRESS_DIRECTION: 'dest_ip_prefix'}
|
||||
|
||||
# List of ICMPv6 types that should be permitted (ingress) by default. This list
|
||||
# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
|
||||
|
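Review bot: Dropping `INGRESS_DIRECTION` and `EGRESS_DIRECTION` from this module removes two public names, and any out-of-tree firewall driver built on `firewall.FirewallDriver` that still reads `firewall.INGRESS_DIRECTION` will fail with AttributeError at import or first use; whether such drivers exist is inferred rather than visible here. Since the removed lines were already plain aliases of the neutron-lib values (`n_const` is imported in the hunk header context), keeping them costs nothing: retain `INGRESS_DIRECTION = n_const.INGRESS_DIRECTION` and `EGRESS_DIRECTION = n_const.EGRESS_DIRECTION` with a comment such as `# Deprecated aliases, use neutron_lib.constants directly` for one cycle, or call the removal out in the commit message and release notes.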
@ -34,11 +34,11 @@ from neutron.common import utils as c_utils
|
||||
LOG = logging.getLogger(__name__)
|
||||
SG_CHAIN = 'sg-chain'
|
||||
SPOOF_FILTER = 'spoof-filter'
|
||||
CHAIN_NAME_PREFIX = {firewall.INGRESS_DIRECTION: 'i',
|
||||
firewall.EGRESS_DIRECTION: 'o',
|
||||
CHAIN_NAME_PREFIX = {constants.INGRESS_DIRECTION: 'i',
|
||||
constants.EGRESS_DIRECTION: 'o',
|
||||
SPOOF_FILTER: 's'}
|
||||
IPSET_DIRECTION = {firewall.INGRESS_DIRECTION: 'src',
|
||||
firewall.EGRESS_DIRECTION: 'dst'}
|
||||
IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src',
|
||||
constants.EGRESS_DIRECTION: 'dst'}
|
||||
comment_rule = iptables_manager.comment_rule
|
||||
|
||||
|
||||
@ -53,8 +53,8 @@ class mac_iptables(netaddr.mac_eui48):
|
||||
|
||||
class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
"""Driver which enforces security groups through iptables rules."""
|
||||
IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
|
||||
firewall.EGRESS_DIRECTION: 'physdev-in'}
|
||||
IPTABLES_DIRECTION = {constants.INGRESS_DIRECTION: 'physdev-out',
|
||||
constants.EGRESS_DIRECTION: 'physdev-in'}
|
||||
CONNTRACK_ZONE_PER_PORT = False
|
||||
|
||||
def __init__(self, namespace=None):
|
||||
@ -205,14 +205,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
for pname in sorted(ports):
|
||||
port = ports[pname]
|
||||
self._add_conntrack_jump(port)
|
||||
self._setup_chain(port, firewall.INGRESS_DIRECTION)
|
||||
self._setup_chain(port, firewall.EGRESS_DIRECTION)
|
||||
self._setup_chain(port, constants.INGRESS_DIRECTION)
|
||||
self._setup_chain(port, constants.EGRESS_DIRECTION)
|
||||
self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
||||
self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
||||
|
||||
for port in unfiltered_ports.values():
|
||||
self._add_accept_rule_port_sec(port, firewall.INGRESS_DIRECTION)
|
||||
self._add_accept_rule_port_sec(port, firewall.EGRESS_DIRECTION)
|
||||
self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION)
|
||||
self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION)
|
||||
|
||||
def _remove_chains(self):
|
||||
"""Remove ingress and egress chain for a port."""
|
||||
@ -222,13 +222,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
|
||||
def _remove_chains_apply(self, ports, unfiltered_ports):
|
||||
for port in ports.values():
|
||||
self._remove_chain(port, firewall.INGRESS_DIRECTION)
|
||||
self._remove_chain(port, firewall.EGRESS_DIRECTION)
|
||||
self._remove_chain(port, constants.INGRESS_DIRECTION)
|
||||
self._remove_chain(port, constants.EGRESS_DIRECTION)
|
||||
self._remove_chain(port, SPOOF_FILTER)
|
||||
self._remove_conntrack_jump(port)
|
||||
for port in unfiltered_ports.values():
|
||||
self._remove_rule_port_sec(port, firewall.INGRESS_DIRECTION)
|
||||
self._remove_rule_port_sec(port, firewall.EGRESS_DIRECTION)
|
||||
self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION)
|
||||
self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION)
|
||||
self._remove_chain_by_name_v4v6(SG_CHAIN)
|
||||
|
||||
def _setup_chain(self, port, DIRECTION):
|
||||
@ -281,7 +281,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
else:
|
||||
self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
|
||||
|
||||
if direction == firewall.EGRESS_DIRECTION:
|
||||
if direction == constants.EGRESS_DIRECTION:
|
||||
if add:
|
||||
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
||||
comment=ic.PORT_SEC_ACCEPT)
|
||||
@ -315,7 +315,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
self._add_rules_to_chain_v4v6(SG_CHAIN, jump_rule, jump_rule,
|
||||
comment=ic.SG_TO_VM_SG)
|
||||
|
||||
if direction == firewall.EGRESS_DIRECTION:
|
||||
if direction == constants.EGRESS_DIRECTION:
|
||||
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
||||
comment=ic.INPUT_TO_SG)
|
||||
|
||||
@ -532,11 +532,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||
ipv4_iptables_rules = []
|
||||
ipv6_iptables_rules = []
|
||||
# include fixed egress/ingress rules
|
||||
if direction == firewall.EGRESS_DIRECTION:
|
||||
if direction == constants.EGRESS_DIRECTION:
|
||||
self._add_fixed_egress_rules(port,
|
||||
ipv4_iptables_rules,
|
||||
ipv6_iptables_rules)
|
||||
elif direction == firewall.INGRESS_DIRECTION:
|
||||
elif direction == constants.INGRESS_DIRECTION:
|
||||
ipv6_iptables_rules += self._accept_inbound_icmpv6()
|
||||
# include IPv4 and IPv6 iptable rules from security group
|
||||
ipv4_iptables_rules += self._convert_sgr_to_iptables_rules(
|
||||
|
@ -236,8 +236,8 @@ class ConjIdMap(object):
|
||||
as there are 4 priority levels (see rules.flow_priority_offset)
|
||||
and 2 conjunction IDs are needed per priority.
|
||||
"""
|
||||
if direction not in [firewall.EGRESS_DIRECTION,
|
||||
firewall.INGRESS_DIRECTION]:
|
||||
if direction not in [lib_const.EGRESS_DIRECTION,
|
||||
lib_const.INGRESS_DIRECTION]:
|
||||
raise ValueError("Invalid direction '%s'" % direction)
|
||||
if ethertype not in [lib_const.IPv4, lib_const.IPv6]:
|
||||
raise ValueError("Invalid ethertype '%s'" % ethertype)
|
||||
|
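Review bot: The membership check at the top of the hunk builds a throwaway list literal on every call, `if direction not in [lib_const.EGRESS_DIRECTION, lib_const.INGRESS_DIRECTION]:`; a tuple, `if direction not in (lib_const.EGRESS_DIRECTION, lib_const.INGRESS_DIRECTION):`, is the idiomatic form for a fixed set of alternatives and matches the tuple already used by `_validate_direction` in the connection-tester hunk further down. The same accepted-direction pair is now spelled out in at least those two places; if the neutron-lib release pinned by this tree exposes a single valid-directions tuple, referencing it would keep the checks from drifting. The enclosing method (its docstring is cut at the top of the hunk) starts outside the hunk.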
@ -18,7 +18,6 @@ import collections
|
||||
import netaddr
|
||||
from neutron_lib import constants as n_consts
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.common import utils
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||
@ -29,10 +28,10 @@ CT_STATES = [
|
||||
ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED]
|
||||
|
||||
FLOW_FIELD_FOR_IPVER_AND_DIRECTION = {
|
||||
(n_consts.IP_VERSION_4, firewall.EGRESS_DIRECTION): 'nw_dst',
|
||||
(n_consts.IP_VERSION_6, firewall.EGRESS_DIRECTION): 'ipv6_dst',
|
||||
(n_consts.IP_VERSION_4, firewall.INGRESS_DIRECTION): 'nw_src',
|
||||
(n_consts.IP_VERSION_6, firewall.INGRESS_DIRECTION): 'ipv6_src',
|
||||
(n_consts.IP_VERSION_4, n_consts.EGRESS_DIRECTION): 'nw_dst',
|
||||
(n_consts.IP_VERSION_6, n_consts.EGRESS_DIRECTION): 'ipv6_dst',
|
||||
(n_consts.IP_VERSION_4, n_consts.INGRESS_DIRECTION): 'nw_src',
|
||||
(n_consts.IP_VERSION_6, n_consts.INGRESS_DIRECTION): 'ipv6_src',
|
||||
}
|
||||
|
||||
FORBIDDEN_PREFIXES = (n_consts.IPv4_ANY, n_consts.IPv6_ANY)
|
||||
@ -185,12 +184,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
|
||||
|
||||
if is_valid_prefix(dst_ip_prefix):
|
||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||
utils.get_ip_version(dst_ip_prefix), firewall.EGRESS_DIRECTION)]
|
||||
utils.get_ip_version(dst_ip_prefix), n_consts.EGRESS_DIRECTION)]
|
||||
] = dst_ip_prefix
|
||||
|
||||
if is_valid_prefix(src_ip_prefix):
|
||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||
utils.get_ip_version(src_ip_prefix), firewall.INGRESS_DIRECTION)]
|
||||
utils.get_ip_version(src_ip_prefix), n_consts.INGRESS_DIRECTION)]
|
||||
] = src_ip_prefix
|
||||
|
||||
flows = create_protocol_flows(direction, flow_template, port, rule)
|
||||
@ -200,12 +199,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
|
||||
|
||||
def populate_flow_common(direction, flow_template, port):
|
||||
"""Initialize common flow fields."""
|
||||
if direction == firewall.INGRESS_DIRECTION:
|
||||
if direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||
port.ofport,
|
||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||
elif direction == firewall.EGRESS_DIRECTION:
|
||||
elif direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||
# Traffic can be both ingress and egress, check that no ingress rules
|
||||
# should be applied
|
||||
@ -309,9 +308,9 @@ def create_flows_for_ip_address(ip_address, direction, ethertype,
|
||||
|
||||
ip_ver = utils.get_ip_version(ip_prefix)
|
||||
|
||||
if direction == firewall.EGRESS_DIRECTION:
|
||||
if direction == n_consts.EGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||
elif direction == firewall.INGRESS_DIRECTION:
|
||||
elif direction == n_consts.INGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||
|
||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||
|
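Review bot: `populate_flow_common` (hunk at 199) and `create_flows_for_ip_address` (hunk at 308) still branch on `n_consts.INGRESS_DIRECTION` / `n_consts.EGRESS_DIRECTION` with no `else`, so a direction value that is neither silently leaves `flow_template['table']` unset, and the template is presumably still handed on to build flows (see the `create_protocol_flows` call in the hunk at 184). Now that the direction constants come from one place, the natural fix is to reject anything else, e.g. `else: raise ValueError("Invalid direction '%s'" % direction)`, matching the check `ConjIdMap` performs in the section above; the logging driver's flow builder (hunk at 380 in the next section) has the same `if`/`elif` shape. Both enclosing functions continue outside their hunks.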
@ -22,7 +22,6 @@ from oslo_log import log as logging
|
||||
from ryu.base import app_manager
|
||||
from ryu.lib.packet import packet
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||
from neutron.agent.linux.openvswitch_firewall import rules
|
||||
@ -381,9 +380,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
|
||||
'reg_remote_group': self.conj_id_map.get_conj_id(
|
||||
secgroup_id, remote_sg_id, direction, ethertype) + 1,
|
||||
}
|
||||
if direction == firewall.INGRESS_DIRECTION:
|
||||
if direction == lib_const.INGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||
elif direction == firewall.EGRESS_DIRECTION:
|
||||
elif direction == lib_const.EGRESS_DIRECTION:
|
||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||
return [flow_template]
|
||||
|
||||
|
@ -19,7 +19,6 @@ import netaddr
|
||||
from neutron_lib import constants
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.common import constants as n_consts
|
||||
from neutron.common import utils as common_utils
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import (
|
||||
@ -46,8 +45,8 @@ class ConnectionTesterException(Exception):
|
||||
def _validate_direction(f):
|
||||
@functools.wraps(f)
|
||||
def wrap(self, direction, *args, **kwargs):
|
||||
if direction not in (firewall.INGRESS_DIRECTION,
|
||||
firewall.EGRESS_DIRECTION):
|
||||
if direction not in (constants.INGRESS_DIRECTION,
|
||||
constants.EGRESS_DIRECTION):
|
||||
raise ConnectionTesterException('Unknown direction %s' % direction)
|
||||
return f(self, direction, *args, **kwargs)
|
||||
return wrap
|
||||
@ -84,8 +83,8 @@ class ConnectionTester(fixtures.Fixture):
|
||||
TCP = net_helpers.NetcatTester.TCP
|
||||
ICMP = constants.PROTO_NAME_ICMP
|
||||
ARP = n_consts.ETHERTYPE_NAME_ARP
|
||||
INGRESS = firewall.INGRESS_DIRECTION
|
||||
EGRESS = firewall.EGRESS_DIRECTION
|
||||
INGRESS = constants.INGRESS_DIRECTION
|
||||
EGRESS = constants.EGRESS_DIRECTION
|
||||
|
||||
def __init__(self, ip_cidr):
|
||||
self.ip_cidr = ip_cidr
|
||||
|
@ -16,7 +16,6 @@
|
||||
from neutron_lib import constants
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux import iptables_firewall
|
||||
import neutron.agent.linux.openvswitch_firewall.firewall as ovs_fw_mod
|
||||
import neutron.agent.linux.openvswitch_firewall.iptables as iptables_helper
|
||||
@ -85,10 +84,10 @@ class TestHelper(base.BaseSudoTestCase):
|
||||
|
||||
def test_migration(self):
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION}]
|
||||
'direction': constants.EGRESS_DIRECTION}]
|
||||
port, desc = self._prepare_port_and_description(sg_rules)
|
||||
ovs_firewall = ovs_fw_mod.OVSFirewallDriver(self.bridge)
|
||||
# Check that iptables driver was set and replace it with the one that
|
||||
|
@ -27,7 +27,6 @@ from oslo_log import log as logging
|
||||
from oslo_utils import uuidutils
|
||||
import testscenarios
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux import iptables_firewall
|
||||
from neutron.agent.linux import openvswitch_firewall
|
||||
from neutron.cmd.sanity import checks
|
||||
@ -284,10 +283,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
def test_ingress_icmp_secgroup(self):
|
||||
# update the sg_group to make ping pass
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION}]
|
||||
'direction': constants.EGRESS_DIRECTION}]
|
||||
|
||||
self.tester.assert_no_connection(protocol=self.tester.ICMP,
|
||||
direction=self.tester.INGRESS)
|
||||
@ -297,10 +296,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
|
||||
def test_mac_spoofing(self):
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION}]
|
||||
'direction': constants.EGRESS_DIRECTION}]
|
||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||
|
||||
self.tester.assert_connection(protocol=self.tester.ICMP,
|
||||
@ -350,7 +349,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
|
||||
def test_ip_spoofing(self):
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP}]
|
||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||
not_allowed_ip = "%s/24" % (
|
||||
@ -373,7 +372,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
self.firewall.update_port_filter(self.src_port_desc)
|
||||
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP}]
|
||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||
not_allowed_ip = "%s/24" % (
|
||||
@ -389,10 +388,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
|
||||
def test_allowed_address_pairs(self):
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION}]
|
||||
'direction': constants.EGRESS_DIRECTION}]
|
||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||
|
||||
port_mac = self.tester.vm_mac_address
|
||||
@ -500,7 +499,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
port_min = 12345
|
||||
port_max = 12346
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'port_range_min': port_min,
|
||||
'port_range_max': port_max}]
|
||||
@ -523,7 +522,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
source_port_min = 12345
|
||||
source_port_max = 12346
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'source_port_range_min': source_port_min,
|
||||
'source_port_range_max': source_port_max}]
|
||||
@ -546,7 +545,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
||||
def test_established_connection_is_cut(self):
|
||||
port = 12345
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'port_range_min': port,
|
||||
'port_range_max': port}]
|
||||
@ -636,7 +635,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_icmp_from_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP,
|
||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -648,7 +647,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_icmp_to_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP,
|
||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -660,7 +659,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_tcp_from_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -676,7 +675,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_tcp_to_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -692,7 +691,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_udp_from_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_UDP,
|
||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -708,7 +707,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
|
||||
def test_udp_to_specific_address(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_UDP,
|
||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||
|
||||
@ -725,7 +724,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
||||
@skip_if_firewall('openvswitch')
|
||||
def test_ip_spoofing(self):
|
||||
sg_rules = [{'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP}]
|
||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||
not_allowed_ip = "%s/64" % (
|
||||
|
@ -22,7 +22,6 @@ from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
import testscenarios
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.objects.logapi import logging_resource as log_object
|
||||
from neutron.plugins.ml2.drivers.openvswitch.agent import (
|
||||
ovs_agent_extension_api as ovs_ext_api)
|
||||
@ -128,18 +127,18 @@ class TestLoggingExtension(LoggingExtensionTestFramework):
|
||||
|
||||
def test_log_lifecycle(self):
|
||||
sg_rules = [{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP,
|
||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||
{'ethertype': constants.IPv6,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'port_range_min': 22,
|
||||
'port_range_max': 22,
|
||||
'remote_group_id': 2,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||
]
|
||||
self.firewall.update_security_group_rules(
|
||||
|
@ -17,7 +17,6 @@ from neutron_lib import constants
|
||||
import testtools
|
||||
|
||||
from neutron.agent.common import ovs_lib
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.agent.linux.openvswitch_firewall import exceptions
|
||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||
@ -253,15 +252,15 @@ class TestConjIdMap(base.BaseTestCase):
|
||||
|
||||
def test_get_conj_id(self):
|
||||
allocated = []
|
||||
for direction in [firewall.EGRESS_DIRECTION,
|
||||
firewall.INGRESS_DIRECTION]:
|
||||
for direction in [constants.EGRESS_DIRECTION,
|
||||
constants.INGRESS_DIRECTION]:
|
||||
id_ = self.conj_id_map.get_conj_id(
|
||||
'sg', 'remote', direction, constants.IPv4)
|
||||
allocated.append(id_)
|
||||
self.assertEqual(len(set(allocated)), 2)
|
||||
self.assertEqual(len(self.conj_id_map.id_map), 2)
|
||||
self.assertEqual(self.conj_id_map.get_conj_id(
|
||||
'sg', 'remote', firewall.EGRESS_DIRECTION, constants.IPv4),
|
||||
'sg', 'remote', constants.EGRESS_DIRECTION, constants.IPv4),
|
||||
allocated[0])
|
||||
|
||||
def test_get_conj_id_invalid(self):
|
||||
@ -276,7 +275,7 @@ class TestConjIdMap(base.BaseTestCase):
|
||||
for sg_id, remote_sg_id in test_data:
|
||||
ids.append(self.conj_id_map.get_conj_id(
|
||||
sg_id, remote_sg_id,
|
||||
firewall.INGRESS_DIRECTION, constants.IPv6))
|
||||
constants.INGRESS_DIRECTION, constants.IPv6))
|
||||
|
||||
result = self.conj_id_map.delete_sg('sg1')
|
||||
self.assertIn(('sg1', ids[0]), result)
|
||||
@ -284,7 +283,7 @@ class TestConjIdMap(base.BaseTestCase):
|
||||
self.assertFalse(self.conj_id_map.id_map)
|
||||
|
||||
reallocated = self.conj_id_map.get_conj_id(
|
||||
'sg-foo', 'sg-foo', firewall.INGRESS_DIRECTION,
|
||||
'sg-foo', 'sg-foo', constants.INGRESS_DIRECTION,
|
||||
constants.IPv6)
|
||||
self.assertIn(reallocated, ids)
|
||||
|
||||
@ -305,9 +304,9 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
||||
'get_conj_id') as get_conj_id_mock:
|
||||
get_conj_id_mock.return_value = self.conj_id
|
||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||
constants.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||
firewall.INGRESS_DIRECTION, constants.IPv4, 3)
|
||||
constants.INGRESS_DIRECTION, constants.IPv4, 3)
|
||||
self.manager.update_flows_for_vlan(self.vlan_tag)
|
||||
self.assertEqual(self.driver._add_flow.call_args_list,
|
||||
[mock.call(actions='conjunction(16,1/2)', ct_state='+est-rel-rpl',
|
||||
@ -331,15 +330,15 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
||||
get_id_mock.return_value = self.conj_id
|
||||
delete_sg_mock.return_value = [('remote_id', self.conj_id)]
|
||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||
constants.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||
self.manager.flow_state[self.vlan_tag][(
|
||||
firewall.INGRESS_DIRECTION, constants.IPv4)] = {
|
||||
constants.INGRESS_DIRECTION, constants.IPv4)] = {
|
||||
'10.22.3.4': [self.conj_id]}
|
||||
|
||||
self.manager.sg_removed('sg')
|
||||
self.driver._add_flow.assert_not_called()
|
||||
self.driver.delete_flows_for_ip_addresses.assert_called_once_with(
|
||||
{'10.22.3.4'}, firewall.INGRESS_DIRECTION, constants.IPv4,
|
||||
{'10.22.3.4'}, constants.INGRESS_DIRECTION, constants.IPv4,
|
||||
self.vlan_tag)
|
||||
|
||||
|
||||
@ -366,18 +365,18 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
||||
security_group_rules = [
|
||||
{'ethertype': constants.IPv4,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'port_range_min': 123,
|
||||
'port_range_max': 123}]
|
||||
self.firewall.update_security_group_rules(1, security_group_rules)
|
||||
security_group_rules = [
|
||||
{'ethertype': constants.IPv4,
|
||||
'protocol': constants.PROTO_NAME_UDP,
|
||||
'direction': firewall.EGRESS_DIRECTION},
|
||||
'direction': constants.EGRESS_DIRECTION},
|
||||
{'ethertype': constants.IPv6,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'remote_group_id': 2,
|
||||
'direction': firewall.EGRESS_DIRECTION}]
|
||||
'direction': constants.EGRESS_DIRECTION}]
|
||||
self.firewall.update_security_group_rules(2, security_group_rules)
|
||||
|
||||
@property
|
||||
@ -559,7 +558,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
||||
self.firewall.update_port_filter(port_dict)
|
||||
self.assertTrue(self.mock_bridge.br.delete_flows.called)
|
||||
conj_id = self.firewall.conj_ip_manager.conj_id_map.get_conj_id(
|
||||
2, 2, firewall.EGRESS_DIRECTION, constants.IPv6)
|
||||
2, 2, constants.EGRESS_DIRECTION, constants.IPv6)
|
||||
filter_rules = [mock.call(
|
||||
actions='resubmit(,{:d})'.format(
|
||||
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
||||
@ -626,10 +625,10 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
||||
"""Just make sure it doesn't crash"""
|
||||
new_rules = [
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'protocol': constants.PROTO_NAME_ICMP},
|
||||
{'ethertype': constants.IPv4,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'remote_group_id': 2}]
|
||||
self.firewall.update_security_group_rules(1, new_rules)
|
||||
|
||||
|
@ -15,7 +15,6 @@
|
||||
import mock
|
||||
from neutron_lib import constants
|
||||
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||
from neutron.agent.linux.openvswitch_firewall import rules
|
||||
@ -74,7 +73,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_no_ip_ipv4(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
}
|
||||
expected_template = {
|
||||
'priority': 74,
|
||||
@ -87,7 +86,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_src_and_dst_ipv4(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'source_ip_prefix': '192.168.0.0/24',
|
||||
'dest_ip_prefix': '10.0.0.1/32',
|
||||
}
|
||||
@ -104,7 +103,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv4(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv4,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'source_ip_prefix': '192.168.0.0/24',
|
||||
'dest_ip_prefix': '0.0.0.0/0',
|
||||
}
|
||||
@ -120,7 +119,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_no_ip_ipv6(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
}
|
||||
expected_template = {
|
||||
'priority': 74,
|
||||
@ -133,7 +132,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_src_and_dst_ipv6(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
||||
'dest_ip_prefix': '2001:db8:aaaa::1/64',
|
||||
}
|
||||
@ -150,7 +149,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
||||
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv6(self):
|
||||
rule = {
|
||||
'ethertype': constants.IPv6,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
||||
'dest_ip_prefix': '::/0',
|
||||
}
|
||||
@ -191,7 +190,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.INGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.INGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_egress(self):
|
||||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||
@ -202,7 +201,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'nw_proto': constants.PROTO_NUM_TCP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_no_protocol(self):
|
||||
rule = {}
|
||||
@ -212,7 +211,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_icmp6(self):
|
||||
rule = {'ethertype': constants.IPv6,
|
||||
@ -224,7 +223,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_port_range(self):
|
||||
rule = {'ethertype': constants.IPv4,
|
||||
@ -239,7 +238,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'tcp_dst': '0x0016/0xfffe'
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_icmp(self):
|
||||
rule = {'ethertype': constants.IPv4,
|
||||
@ -253,7 +252,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'icmp_type': 0
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
def test_create_protocol_flows_ipv6_icmp(self):
|
||||
rule = {'ethertype': constants.IPv6,
|
||||
@ -269,7 +268,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
||||
'icmp_code': 0,
|
||||
}]
|
||||
self._test_create_protocol_flows_helper(
|
||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
||||
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||
|
||||
|
||||
class TestCreatePortRangeFlows(base.BaseTestCase):
|
||||
@ -352,7 +351,7 @@ class TestCreateFlowsForIpAddress(base.BaseTestCase):
|
||||
|
||||
conj_ids = [12, 20]
|
||||
flows = rules.create_flows_for_ip_address(
|
||||
'192.168.0.1', firewall.EGRESS_DIRECTION, constants.IPv4,
|
||||
'192.168.0.1', constants.EGRESS_DIRECTION, constants.IPv4,
|
||||
0x123, conj_ids)
|
||||
|
||||
self.assertEqual(2, len(flows))
|
||||
@ -386,7 +385,7 @@ class TestCreateConjFlows(base.BaseTestCase):
|
||||
}
|
||||
|
||||
flows = rules.create_conj_flows(port, conj_id,
|
||||
firewall.INGRESS_DIRECTION,
|
||||
constants.INGRESS_DIRECTION,
|
||||
constants.IPv6)
|
||||
|
||||
self.assertEqual(ovsfw_consts.OF_STATE_ESTABLISHED_NOT_REPLY,
|
||||
|
@ -19,7 +19,6 @@ from oslo_config import cfg
|
||||
from oslo_utils import uuidutils
|
||||
|
||||
from neutron.agent.common import ovs_lib
|
||||
from neutron.agent import firewall
|
||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||
from neutron.common import constants as n_const
|
||||
from neutron.objects.logapi import logging_resource as log_object
|
||||
@ -47,18 +46,18 @@ FakeSGLogInfo = [
|
||||
'security_group_rules': [
|
||||
{'ethertype': constants.IPv4,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'direction': firewall.INGRESS_DIRECTION,
|
||||
'direction': constants.INGRESS_DIRECTION,
|
||||
'port_range_min': 123,
|
||||
'port_range_max': 123,
|
||||
'security_group_id': SG_ID},
|
||||
{'ethertype': constants.IPv4,
|
||||
'protocol': constants.PROTO_NAME_UDP,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'security_group_id': SG_ID},
|
||||
{'ethertype': constants.IPv6,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'remote_group_id': REMOTE_SG_ID,
|
||||
'direction': firewall.EGRESS_DIRECTION,
|
||||
'direction': constants.EGRESS_DIRECTION,
|
||||
'security_group_id': SG_ID}
|
||||
]}],
|
||||
'event': 'ALL',
|
||||
@ -172,7 +171,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
||||
accept_cookie = self.log_driver._get_cookie(PORT_ID, 'ACCEPT')
|
||||
drop_cookie = self.log_driver._get_cookie(PORT_ID, 'DROP')
|
||||
conj_id = self.log_driver.conj_id_map.get_conj_id(
|
||||
SG_ID, REMOTE_SG_ID, firewall.EGRESS_DIRECTION, constants.IPv6)
|
||||
SG_ID, REMOTE_SG_ID, constants.EGRESS_DIRECTION, constants.IPv6)
|
||||
add_rules = [
|
||||
# log ingress tcp port=123
|
||||
mock.call(
|
||||
@ -262,7 +261,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
||||
{'ethertype': constants.IPv4,
|
||||
'protocol': constants.PROTO_NAME_TCP,
|
||||
'direction':
|
||||
firewall.INGRESS_DIRECTION,
|
||||
constants.INGRESS_DIRECTION,
|
||||
'port_range_min': 123,
|
||||
'port_range_max': 123,
|
||||
'security_group_id': 456}]}],
|
||||
|