
Merge "use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib"

tags/13.0.0.0b1
Zuul před 2 roky
rodič
revize
20760bcdf5
12 změnil soubory, kde provedl 97 přidání a 109 odebrání
  1. +2
    -5
      neutron/agent/firewall.py
  2. +18
    -18
      neutron/agent/linux/iptables_firewall.py
  3. +2
    -2
      neutron/agent/linux/openvswitch_firewall/firewall.py
  4. +10
    -11
      neutron/agent/linux/openvswitch_firewall/rules.py
  5. +2
    -3
      neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
  6. +4
    -5
      neutron/tests/common/conn_testers.py
  7. +2
    -3
      neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py
  8. +18
    -19
      neutron/tests/functional/agent/test_firewall.py
  9. +3
    -4
      neutron/tests/functional/services/logapi/test_logging.py
  10. +16
    -17
      neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
  11. +15
    -16
      neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
  12. +5
    -6
      neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py

+ 2
- 5
neutron/agent/firewall.py

@@ -23,11 +23,8 @@ from neutron_lib import constants as n_const
from neutron_lib.utils import runtime


INGRESS_DIRECTION = n_const.INGRESS_DIRECTION
EGRESS_DIRECTION = n_const.EGRESS_DIRECTION

DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
EGRESS_DIRECTION: 'dest_ip_prefix'}
DIRECTION_IP_PREFIX = {n_const.INGRESS_DIRECTION: 'source_ip_prefix',
n_const.EGRESS_DIRECTION: 'dest_ip_prefix'}

# List of ICMPv6 types that should be permitted (ingress) by default. This list
# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
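Review bot: Removing the module-level `INGRESS_DIRECTION` and `EGRESS_DIRECTION` names from `neutron.agent.firewall` (the two lines deleted at the top of the hunk) is a public-API break for any out-of-tree firewall driver or agent extension that imported them from this module; every in-tree caller is updated in this commit, but external consumers are not visible here and would fail with `AttributeError` at import time. Unless these names were never meant to be public, keep backward-compatible aliases for a cycle, `INGRESS_DIRECTION = n_const.INGRESS_DIRECTION` and `EGRESS_DIRECTION = n_const.EGRESS_DIRECTION`, with a comment marking them deprecated in favour of `neutron_lib.constants`. The `DIRECTION_IP_PREFIX` rewrite itself is fine.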

+ 18
- 18
neutron/agent/linux/iptables_firewall.py

@@ -34,11 +34,11 @@ from neutron.common import utils as c_utils
LOG = logging.getLogger(__name__)
SG_CHAIN = 'sg-chain'
SPOOF_FILTER = 'spoof-filter'
CHAIN_NAME_PREFIX = {firewall.INGRESS_DIRECTION: 'i',
firewall.EGRESS_DIRECTION: 'o',
CHAIN_NAME_PREFIX = {constants.INGRESS_DIRECTION: 'i',
constants.EGRESS_DIRECTION: 'o',
SPOOF_FILTER: 's'}
IPSET_DIRECTION = {firewall.INGRESS_DIRECTION: 'src',
firewall.EGRESS_DIRECTION: 'dst'}
IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src',
constants.EGRESS_DIRECTION: 'dst'}
comment_rule = iptables_manager.comment_rule


@@ -53,8 +53,8 @@ class mac_iptables(netaddr.mac_eui48):

class IptablesFirewallDriver(firewall.FirewallDriver):
"""Driver which enforces security groups through iptables rules."""
IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
firewall.EGRESS_DIRECTION: 'physdev-in'}
IPTABLES_DIRECTION = {constants.INGRESS_DIRECTION: 'physdev-out',
constants.EGRESS_DIRECTION: 'physdev-in'}
CONNTRACK_ZONE_PER_PORT = False

def __init__(self, namespace=None):
@@ -205,14 +205,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
for pname in sorted(ports):
port = ports[pname]
self._add_conntrack_jump(port)
self._setup_chain(port, firewall.INGRESS_DIRECTION)
self._setup_chain(port, firewall.EGRESS_DIRECTION)
self._setup_chain(port, constants.INGRESS_DIRECTION)
self._setup_chain(port, constants.EGRESS_DIRECTION)
self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')

for port in unfiltered_ports.values():
self._add_accept_rule_port_sec(port, firewall.INGRESS_DIRECTION)
self._add_accept_rule_port_sec(port, firewall.EGRESS_DIRECTION)
self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION)
self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION)

def _remove_chains(self):
"""Remove ingress and egress chain for a port."""
@@ -222,13 +222,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):

def _remove_chains_apply(self, ports, unfiltered_ports):
for port in ports.values():
self._remove_chain(port, firewall.INGRESS_DIRECTION)
self._remove_chain(port, firewall.EGRESS_DIRECTION)
self._remove_chain(port, constants.INGRESS_DIRECTION)
self._remove_chain(port, constants.EGRESS_DIRECTION)
self._remove_chain(port, SPOOF_FILTER)
self._remove_conntrack_jump(port)
for port in unfiltered_ports.values():
self._remove_rule_port_sec(port, firewall.INGRESS_DIRECTION)
self._remove_rule_port_sec(port, firewall.EGRESS_DIRECTION)
self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION)
self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION)
self._remove_chain_by_name_v4v6(SG_CHAIN)

def _setup_chain(self, port, DIRECTION):
@@ -281,7 +281,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
else:
self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)

if direction == firewall.EGRESS_DIRECTION:
if direction == constants.EGRESS_DIRECTION:
if add:
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
comment=ic.PORT_SEC_ACCEPT)
@@ -315,7 +315,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
self._add_rules_to_chain_v4v6(SG_CHAIN, jump_rule, jump_rule,
comment=ic.SG_TO_VM_SG)

if direction == firewall.EGRESS_DIRECTION:
if direction == constants.EGRESS_DIRECTION:
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
comment=ic.INPUT_TO_SG)

@@ -532,11 +532,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
ipv4_iptables_rules = []
ipv6_iptables_rules = []
# include fixed egress/ingress rules
if direction == firewall.EGRESS_DIRECTION:
if direction == constants.EGRESS_DIRECTION:
self._add_fixed_egress_rules(port,
ipv4_iptables_rules,
ipv6_iptables_rules)
elif direction == firewall.INGRESS_DIRECTION:
elif direction == constants.INGRESS_DIRECTION:
ipv6_iptables_rules += self._accept_inbound_icmpv6()
# include IPv4 and IPv6 iptable rules from security group
ipv4_iptables_rules += self._convert_sgr_to_iptables_rules(

+ 2
- 2
neutron/agent/linux/openvswitch_firewall/firewall.py

@@ -236,8 +236,8 @@ class ConjIdMap(object):
as there are 4 priority levels (see rules.flow_priority_offset)
and 2 conjunction IDs are needed per priority.
"""
if direction not in [firewall.EGRESS_DIRECTION,
firewall.INGRESS_DIRECTION]:
if direction not in [lib_const.EGRESS_DIRECTION,
lib_const.INGRESS_DIRECTION]:
raise ValueError("Invalid direction '%s'" % direction)
if ethertype not in [lib_const.IPv4, lib_const.IPv6]:
raise ValueError("Invalid ethertype '%s'" % ethertype)

+ 10
- 11
neutron/agent/linux/openvswitch_firewall/rules.py

@@ -18,7 +18,6 @@ import collections
import netaddr
from neutron_lib import constants as n_consts

from neutron.agent import firewall
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.common import utils
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
@@ -29,10 +28,10 @@ CT_STATES = [
ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED]

FLOW_FIELD_FOR_IPVER_AND_DIRECTION = {
(n_consts.IP_VERSION_4, firewall.EGRESS_DIRECTION): 'nw_dst',
(n_consts.IP_VERSION_6, firewall.EGRESS_DIRECTION): 'ipv6_dst',
(n_consts.IP_VERSION_4, firewall.INGRESS_DIRECTION): 'nw_src',
(n_consts.IP_VERSION_6, firewall.INGRESS_DIRECTION): 'ipv6_src',
(n_consts.IP_VERSION_4, n_consts.EGRESS_DIRECTION): 'nw_dst',
(n_consts.IP_VERSION_6, n_consts.EGRESS_DIRECTION): 'ipv6_dst',
(n_consts.IP_VERSION_4, n_consts.INGRESS_DIRECTION): 'nw_src',
(n_consts.IP_VERSION_6, n_consts.INGRESS_DIRECTION): 'ipv6_src',
}

FORBIDDEN_PREFIXES = (n_consts.IPv4_ANY, n_consts.IPv6_ANY)
@@ -185,12 +184,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):

if is_valid_prefix(dst_ip_prefix):
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
utils.get_ip_version(dst_ip_prefix), firewall.EGRESS_DIRECTION)]
utils.get_ip_version(dst_ip_prefix), n_consts.EGRESS_DIRECTION)]
] = dst_ip_prefix

if is_valid_prefix(src_ip_prefix):
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
utils.get_ip_version(src_ip_prefix), firewall.INGRESS_DIRECTION)]
utils.get_ip_version(src_ip_prefix), n_consts.INGRESS_DIRECTION)]
] = src_ip_prefix

flows = create_protocol_flows(direction, flow_template, port, rule)
@@ -200,12 +199,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):

def populate_flow_common(direction, flow_template, port):
"""Initialize common flow fields."""
if direction == firewall.INGRESS_DIRECTION:
if direction == n_consts.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
port.ofport,
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
elif direction == firewall.EGRESS_DIRECTION:
elif direction == n_consts.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
# Traffic can be both ingress and egress, check that no ingress rules
# should be applied
@@ -309,9 +308,9 @@ def create_flows_for_ip_address(ip_address, direction, ethertype,

ip_ver = utils.get_ip_version(ip_prefix)

if direction == firewall.EGRESS_DIRECTION:
if direction == n_consts.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
elif direction == firewall.INGRESS_DIRECTION:
elif direction == n_consts.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE

flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
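Review bot: In `populate_flow_common` the table selection is an `if`/`elif` on `direction` with no `else`, so a value that is neither `n_consts.INGRESS_DIRECTION` nor `n_consts.EGRESS_DIRECTION` leaves `flow_template['table']` unset and the template is still handed back to the caller (the function body continues past the hunk, so a later check may exist, but none is visible). `create_flows_for_ip_address` has the same shape but is protected incidentally by the `FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(ip_ver, direction)]` lookup that follows, which raises `KeyError` for an unknown direction, and `ConjIdMap` in this same commit rejects such values explicitly. Suggest failing fast in `populate_flow_common` as well with `else: raise ValueError("Invalid direction '%s'" % direction)`, so that a malformed rule cannot yield a flow that lands in the bridge's default table instead of the intended rules table.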

+ 2
- 3
neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py

@@ -22,7 +22,6 @@ from oslo_log import log as logging
from ryu.base import app_manager
from ryu.lib.packet import packet

from neutron.agent import firewall
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
from neutron.agent.linux.openvswitch_firewall import rules
@@ -381,9 +380,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
'reg_remote_group': self.conj_id_map.get_conj_id(
secgroup_id, remote_sg_id, direction, ethertype) + 1,
}
if direction == firewall.INGRESS_DIRECTION:
if direction == lib_const.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
elif direction == firewall.EGRESS_DIRECTION:
elif direction == lib_const.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
return [flow_template]


+ 4
- 5
neutron/tests/common/conn_testers.py

@@ -19,7 +19,6 @@ import netaddr
from neutron_lib import constants
from oslo_utils import uuidutils

from neutron.agent import firewall
from neutron.common import constants as n_consts
from neutron.common import utils as common_utils
from neutron.plugins.ml2.drivers.openvswitch.agent.common import (
@@ -46,8 +45,8 @@ class ConnectionTesterException(Exception):
def _validate_direction(f):
@functools.wraps(f)
def wrap(self, direction, *args, **kwargs):
if direction not in (firewall.INGRESS_DIRECTION,
firewall.EGRESS_DIRECTION):
if direction not in (constants.INGRESS_DIRECTION,
constants.EGRESS_DIRECTION):
raise ConnectionTesterException('Unknown direction %s' % direction)
return f(self, direction, *args, **kwargs)
return wrap
@@ -84,8 +83,8 @@ class ConnectionTester(fixtures.Fixture):
TCP = net_helpers.NetcatTester.TCP
ICMP = constants.PROTO_NAME_ICMP
ARP = n_consts.ETHERTYPE_NAME_ARP
INGRESS = firewall.INGRESS_DIRECTION
EGRESS = firewall.EGRESS_DIRECTION
INGRESS = constants.INGRESS_DIRECTION
EGRESS = constants.EGRESS_DIRECTION

def __init__(self, ip_cidr):
self.ip_cidr = ip_cidr

+ 2
- 3
neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py

@@ -16,7 +16,6 @@
from neutron_lib import constants
from oslo_utils import uuidutils

from neutron.agent import firewall
from neutron.agent.linux import iptables_firewall
import neutron.agent.linux.openvswitch_firewall.firewall as ovs_fw_mod
import neutron.agent.linux.openvswitch_firewall.iptables as iptables_helper
@@ -85,10 +84,10 @@ class TestHelper(base.BaseSudoTestCase):

def test_migration(self):
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION}]
'direction': constants.EGRESS_DIRECTION}]
port, desc = self._prepare_port_and_description(sg_rules)
ovs_firewall = ovs_fw_mod.OVSFirewallDriver(self.bridge)
# Check that iptables driver was set and replace it with the one that

+ 18
- 19
neutron/tests/functional/agent/test_firewall.py

@@ -27,7 +27,6 @@ from oslo_log import log as logging
from oslo_utils import uuidutils
import testscenarios

from neutron.agent import firewall
from neutron.agent.linux import iptables_firewall
from neutron.agent.linux import openvswitch_firewall
from neutron.cmd.sanity import checks
@@ -284,10 +283,10 @@ class FirewallTestCase(BaseFirewallTestCase):
def test_ingress_icmp_secgroup(self):
# update the sg_group to make ping pass
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION}]
'direction': constants.EGRESS_DIRECTION}]

self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
@@ -297,10 +296,10 @@ class FirewallTestCase(BaseFirewallTestCase):

def test_mac_spoofing(self):
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION}]
'direction': constants.EGRESS_DIRECTION}]
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)

self.tester.assert_connection(protocol=self.tester.ICMP,
@@ -350,7 +349,7 @@ class FirewallTestCase(BaseFirewallTestCase):

def test_ip_spoofing(self):
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP}]
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
not_allowed_ip = "%s/24" % (
@@ -373,7 +372,7 @@ class FirewallTestCase(BaseFirewallTestCase):
self.firewall.update_port_filter(self.src_port_desc)

sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP}]
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
not_allowed_ip = "%s/24" % (
@@ -389,10 +388,10 @@ class FirewallTestCase(BaseFirewallTestCase):

def test_allowed_address_pairs(self):
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION}]
'direction': constants.EGRESS_DIRECTION}]
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)

port_mac = self.tester.vm_mac_address
@@ -500,7 +499,7 @@ class FirewallTestCase(BaseFirewallTestCase):
port_min = 12345
port_max = 12346
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_TCP,
'port_range_min': port_min,
'port_range_max': port_max}]
@@ -523,7 +522,7 @@ class FirewallTestCase(BaseFirewallTestCase):
source_port_min = 12345
source_port_max = 12346
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_TCP,
'source_port_range_min': source_port_min,
'source_port_range_max': source_port_max}]
@@ -546,7 +545,7 @@ class FirewallTestCase(BaseFirewallTestCase):
def test_established_connection_is_cut(self):
port = 12345
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_TCP,
'port_range_min': port,
'port_range_max': port}]
@@ -636,7 +635,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_icmp_from_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP,
'source_ip_prefix': self.tester.peer_ip_address}]

@@ -648,7 +647,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_icmp_to_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP,
'destination_ip_prefix': self.tester.peer_ip_address}]

@@ -660,7 +659,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_tcp_from_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_TCP,
'source_ip_prefix': self.tester.peer_ip_address}]

@@ -676,7 +675,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_tcp_to_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_TCP,
'destination_ip_prefix': self.tester.peer_ip_address}]

@@ -692,7 +691,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_udp_from_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_UDP,
'source_ip_prefix': self.tester.peer_ip_address}]

@@ -708,7 +707,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):

def test_udp_to_specific_address(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_UDP,
'destination_ip_prefix': self.tester.peer_ip_address}]

@@ -725,7 +724,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
@skip_if_firewall('openvswitch')
def test_ip_spoofing(self):
sg_rules = [{'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP}]
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
not_allowed_ip = "%s/64" % (

+ 3
- 4
neutron/tests/functional/services/logapi/test_logging.py

@@ -22,7 +22,6 @@ from oslo_config import cfg
from oslo_log import log as logging
import testscenarios

from neutron.agent import firewall
from neutron.objects.logapi import logging_resource as log_object
from neutron.plugins.ml2.drivers.openvswitch.agent import (
ovs_agent_extension_api as ovs_ext_api)
@@ -128,18 +127,18 @@ class TestLoggingExtension(LoggingExtensionTestFramework):

def test_log_lifecycle(self):
sg_rules = [{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP,
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
{'ethertype': constants.IPv6,
'protocol': constants.PROTO_NAME_TCP,
'port_range_min': 22,
'port_range_max': 22,
'remote_group_id': 2,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
]
self.firewall.update_security_group_rules(

+ 16
- 17
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py

@@ -17,7 +17,6 @@ from neutron_lib import constants
import testtools

from neutron.agent.common import ovs_lib
from neutron.agent import firewall
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.agent.linux.openvswitch_firewall import exceptions
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
@@ -253,15 +252,15 @@ class TestConjIdMap(base.BaseTestCase):

def test_get_conj_id(self):
allocated = []
for direction in [firewall.EGRESS_DIRECTION,
firewall.INGRESS_DIRECTION]:
for direction in [constants.EGRESS_DIRECTION,
constants.INGRESS_DIRECTION]:
id_ = self.conj_id_map.get_conj_id(
'sg', 'remote', direction, constants.IPv4)
allocated.append(id_)
self.assertEqual(len(set(allocated)), 2)
self.assertEqual(len(self.conj_id_map.id_map), 2)
self.assertEqual(self.conj_id_map.get_conj_id(
'sg', 'remote', firewall.EGRESS_DIRECTION, constants.IPv4),
'sg', 'remote', constants.EGRESS_DIRECTION, constants.IPv4),
allocated[0])

def test_get_conj_id_invalid(self):
@@ -276,7 +275,7 @@ class TestConjIdMap(base.BaseTestCase):
for sg_id, remote_sg_id in test_data:
ids.append(self.conj_id_map.get_conj_id(
sg_id, remote_sg_id,
firewall.INGRESS_DIRECTION, constants.IPv6))
constants.INGRESS_DIRECTION, constants.IPv6))

result = self.conj_id_map.delete_sg('sg1')
self.assertIn(('sg1', ids[0]), result)
@@ -284,7 +283,7 @@ class TestConjIdMap(base.BaseTestCase):
self.assertFalse(self.conj_id_map.id_map)

reallocated = self.conj_id_map.get_conj_id(
'sg-foo', 'sg-foo', firewall.INGRESS_DIRECTION,
'sg-foo', 'sg-foo', constants.INGRESS_DIRECTION,
constants.IPv6)
self.assertIn(reallocated, ids)

@@ -305,9 +304,9 @@ class TestConjIPFlowManager(base.BaseTestCase):
'get_conj_id') as get_conj_id_mock:
get_conj_id_mock.return_value = self.conj_id
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
constants.INGRESS_DIRECTION, constants.IPv4, 0)
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
firewall.INGRESS_DIRECTION, constants.IPv4, 3)
constants.INGRESS_DIRECTION, constants.IPv4, 3)
self.manager.update_flows_for_vlan(self.vlan_tag)
self.assertEqual(self.driver._add_flow.call_args_list,
[mock.call(actions='conjunction(16,1/2)', ct_state='+est-rel-rpl',
@@ -331,15 +330,15 @@ class TestConjIPFlowManager(base.BaseTestCase):
get_id_mock.return_value = self.conj_id
delete_sg_mock.return_value = [('remote_id', self.conj_id)]
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
constants.INGRESS_DIRECTION, constants.IPv4, 0)
self.manager.flow_state[self.vlan_tag][(
firewall.INGRESS_DIRECTION, constants.IPv4)] = {
constants.INGRESS_DIRECTION, constants.IPv4)] = {
'10.22.3.4': [self.conj_id]}

self.manager.sg_removed('sg')
self.driver._add_flow.assert_not_called()
self.driver.delete_flows_for_ip_addresses.assert_called_once_with(
{'10.22.3.4'}, firewall.INGRESS_DIRECTION, constants.IPv4,
{'10.22.3.4'}, constants.INGRESS_DIRECTION, constants.IPv4,
self.vlan_tag)


@@ -366,18 +365,18 @@ class TestOVSFirewallDriver(base.BaseTestCase):
security_group_rules = [
{'ethertype': constants.IPv4,
'protocol': constants.PROTO_NAME_TCP,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'port_range_min': 123,
'port_range_max': 123}]
self.firewall.update_security_group_rules(1, security_group_rules)
security_group_rules = [
{'ethertype': constants.IPv4,
'protocol': constants.PROTO_NAME_UDP,
'direction': firewall.EGRESS_DIRECTION},
'direction': constants.EGRESS_DIRECTION},
{'ethertype': constants.IPv6,
'protocol': constants.PROTO_NAME_TCP,
'remote_group_id': 2,
'direction': firewall.EGRESS_DIRECTION}]
'direction': constants.EGRESS_DIRECTION}]
self.firewall.update_security_group_rules(2, security_group_rules)

@property
@@ -559,7 +558,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
self.firewall.update_port_filter(port_dict)
self.assertTrue(self.mock_bridge.br.delete_flows.called)
conj_id = self.firewall.conj_ip_manager.conj_id_map.get_conj_id(
2, 2, firewall.EGRESS_DIRECTION, constants.IPv6)
2, 2, constants.EGRESS_DIRECTION, constants.IPv6)
filter_rules = [mock.call(
actions='resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
@@ -626,10 +625,10 @@ class TestOVSFirewallDriver(base.BaseTestCase):
"""Just make sure it doesn't crash"""
new_rules = [
{'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'protocol': constants.PROTO_NAME_ICMP},
{'ethertype': constants.IPv4,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'remote_group_id': 2}]
self.firewall.update_security_group_rules(1, new_rules)


+ 15
- 16
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py

@@ -15,7 +15,6 @@
import mock
from neutron_lib import constants

from neutron.agent import firewall
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
from neutron.agent.linux.openvswitch_firewall import rules
@@ -74,7 +73,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_no_ip_ipv4(self):
rule = {
'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
}
expected_template = {
'priority': 74,
@@ -87,7 +86,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_src_and_dst_ipv4(self):
rule = {
'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'source_ip_prefix': '192.168.0.0/24',
'dest_ip_prefix': '10.0.0.1/32',
}
@@ -104,7 +103,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv4(self):
rule = {
'ethertype': constants.IPv4,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'source_ip_prefix': '192.168.0.0/24',
'dest_ip_prefix': '0.0.0.0/0',
}
@@ -120,7 +119,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_no_ip_ipv6(self):
rule = {
'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
}
expected_template = {
'priority': 74,
@@ -133,7 +132,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_src_and_dst_ipv6(self):
rule = {
'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'source_ip_prefix': '2001:db8:bbbb::1/64',
'dest_ip_prefix': '2001:db8:aaaa::1/64',
}
@@ -150,7 +149,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv6(self):
rule = {
'ethertype': constants.IPv6,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'source_ip_prefix': '2001:db8:bbbb::1/64',
'dest_ip_prefix': '::/0',
}
@@ -191,7 +190,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'nw_proto': constants.PROTO_NUM_TCP,
}]
self._test_create_protocol_flows_helper(
firewall.INGRESS_DIRECTION, rule, expected_flows)
constants.INGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_egress(self):
rule = {'protocol': constants.PROTO_NUM_TCP}
@@ -202,7 +201,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'nw_proto': constants.PROTO_NUM_TCP,
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_no_protocol(self):
rule = {}
@@ -212,7 +211,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_icmp6(self):
rule = {'ethertype': constants.IPv6,
@@ -224,7 +223,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_port_range(self):
rule = {'ethertype': constants.IPv4,
@@ -239,7 +238,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'tcp_dst': '0x0016/0xfffe'
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_icmp(self):
rule = {'ethertype': constants.IPv4,
@@ -253,7 +252,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'icmp_type': 0
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)

def test_create_protocol_flows_ipv6_icmp(self):
rule = {'ethertype': constants.IPv6,
@@ -269,7 +268,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'icmp_code': 0,
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
constants.EGRESS_DIRECTION, rule, expected_flows)


class TestCreatePortRangeFlows(base.BaseTestCase):
@@ -352,7 +351,7 @@ class TestCreateFlowsForIpAddress(base.BaseTestCase):

conj_ids = [12, 20]
flows = rules.create_flows_for_ip_address(
'192.168.0.1', firewall.EGRESS_DIRECTION, constants.IPv4,
'192.168.0.1', constants.EGRESS_DIRECTION, constants.IPv4,
0x123, conj_ids)

self.assertEqual(2, len(flows))
@@ -386,7 +385,7 @@ class TestCreateConjFlows(base.BaseTestCase):
}

flows = rules.create_conj_flows(port, conj_id,
firewall.INGRESS_DIRECTION,
constants.INGRESS_DIRECTION,
constants.IPv6)

self.assertEqual(ovsfw_consts.OF_STATE_ESTABLISHED_NOT_REPLY,

+ 5
- 6
neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py

@@ -19,7 +19,6 @@ from oslo_config import cfg
from oslo_utils import uuidutils

from neutron.agent.common import ovs_lib
from neutron.agent import firewall
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
from neutron.common import constants as n_const
from neutron.objects.logapi import logging_resource as log_object
@@ -47,18 +46,18 @@ FakeSGLogInfo = [
'security_group_rules': [
{'ethertype': constants.IPv4,
'protocol': constants.PROTO_NAME_TCP,
'direction': firewall.INGRESS_DIRECTION,
'direction': constants.INGRESS_DIRECTION,
'port_range_min': 123,
'port_range_max': 123,
'security_group_id': SG_ID},
{'ethertype': constants.IPv4,
'protocol': constants.PROTO_NAME_UDP,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'security_group_id': SG_ID},
{'ethertype': constants.IPv6,
'protocol': constants.PROTO_NAME_TCP,
'remote_group_id': REMOTE_SG_ID,
'direction': firewall.EGRESS_DIRECTION,
'direction': constants.EGRESS_DIRECTION,
'security_group_id': SG_ID}
]}],
'event': 'ALL',
@@ -172,7 +171,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
accept_cookie = self.log_driver._get_cookie(PORT_ID, 'ACCEPT')
drop_cookie = self.log_driver._get_cookie(PORT_ID, 'DROP')
conj_id = self.log_driver.conj_id_map.get_conj_id(
SG_ID, REMOTE_SG_ID, firewall.EGRESS_DIRECTION, constants.IPv6)
SG_ID, REMOTE_SG_ID, constants.EGRESS_DIRECTION, constants.IPv6)
add_rules = [
# log ingress tcp port=123
mock.call(
@@ -262,7 +261,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
{'ethertype': constants.IPv4,
'protocol': constants.PROTO_NAME_TCP,
'direction':
firewall.INGRESS_DIRECTION,
constants.INGRESS_DIRECTION,
'port_range_min': 123,
'port_range_max': 123,
'security_group_id': 456}]}],
