Remove rootwrap execution (4)

Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates all "iptables"- and "ipset"-related commands
to privsep.

Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c
Story: #2007686
Task: #41558
This commit is contained in:
Rodolfo Alonso Hernandez 2021-02-04 18:03:50 +00:00
parent da27fb0870
commit 6c75316ca0
5 changed files with 132 additions and 126 deletions


@ -8,18 +8,6 @@
[Filters]
# neutron/agent/linux/iptables_firewall.py
# "iptables-save", ...
iptables-save: CommandFilter, iptables-save, root
iptables-restore: CommandFilter, iptables-restore, root
ip6tables-save: CommandFilter, ip6tables-save, root
ip6tables-restore: CommandFilter, ip6tables-restore, root
# neutron/agent/linux/iptables_firewall.py
# "iptables", "-A", ...
iptables: CommandFilter, iptables, root
ip6tables: CommandFilter, ip6tables, root
# neutron/agent/linux/iptables_firewall.py
sysctl: CommandFilter, sysctl, root


@ -478,13 +478,14 @@ class IptablesManager(object):
args = ['iptables-save', '-t', table]
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
return linux_utils.execute(args, run_as_root=True).split('\n')
return linux_utils.execute(args, run_as_root=True,
privsep_exec=True).split('\n')
def _get_version(self):
# Output example is "iptables v1.6.2"
args = ['iptables', '--version']
version = str(linux_utils.execute(
args, run_as_root=True).split()[1][1:])
args, run_as_root=True, privsep_exec=True).split()[1][1:])
LOG.debug("IPTables version installed: %s", version)
return version
@ -510,7 +511,7 @@ class IptablesManager(object):
try:
kwargs = {} if lock else {'log_fail_as_error': False}
linux_utils.execute(args, process_input='\n'.join(commands),
run_as_root=True, **kwargs)
run_as_root=True, privsep_exec=True, **kwargs)
except RuntimeError as error:
return error
@ -572,7 +573,8 @@ class IptablesManager(object):
if self.namespace:
args = ['ip', 'netns', 'exec', self.namespace] + args
try:
save_output = linux_utils.execute(args, run_as_root=True)
save_output = linux_utils.execute(args, run_as_root=True,
privsep_exec=True)
except RuntimeError:
# We could be racing with a cron job deleting namespaces.
# It is useless to try to apply iptables rules over and
@ -781,7 +783,8 @@ class IptablesManager(object):
# enabled is that we need to log the error. This is used to avoid
# generating alarms that will be ignored by operators.
current_table = linux_utils.execute(
args, run_as_root=True, log_fail_as_error=cfg.CONF.debug)
args, run_as_root=True, privsep_exec=True,
log_fail_as_error=cfg.CONF.debug)
current_lines = current_table.split('\n')
for line in current_lines[2:]:
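Review bot: With `privsep_exec=True` the execute calls in this section (the iptables-save call in the first hunk, `_get_version`, `_run_restore`, and the two later hunks) no longer pass through the rootwrap CommandFilter allow-list that this same commit deletes, so whatever bound the privsep-side execute helper places on argv is now the only restriction on what runs as root; that helper is not visible here, so it is worth confirming it is not an unrestricted argv pass-through and recording that where the flag is introduced, e.g. `# privsep_exec: run under the privsep daemon; the rootwrap filters for iptables* are gone with this change`. In `_run_restore` (hunk at 511) `process_input` and `log_fail_as_error` are now forwarded together with `privsep_exec=True`, and the unit tests in this commit only assert that the mock receives these keywords, so the stdin handling and the log-as-error flag on the privsep path still need confirming. The enclosing methods of every hunk here start or end outside the shown lines.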


@ -40,7 +40,7 @@ def setup_conf():
def remove_iptables_reference(ipset):
# Remove any iptables reference to this IPset
cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']
iptables_save = utils.execute(cmd, run_as_root=True)
iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True)
if ipset in iptables_save:
cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']
@ -52,7 +52,8 @@ def remove_iptables_reference(ipset):
params = rule.split()
params[0] = '-D'
try:
utils.execute(cmd + params, run_as_root=True)
utils.execute(cmd + params, run_as_root=True,
privsep_exec=True)
except Exception:
LOG.exception('Error, unable to remove iptables rule '
'for IPset: %s', ipset)
@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset):
LOG.info("Destroying IPset: %s", ipset)
cmd = ['ipset', 'destroy', ipset]
try:
utils.execute(cmd, run_as_root=True)
utils.execute(cmd, run_as_root=True, privsep_exec=True)
except Exception:
LOG.exception('Error, unable to destroy IPset: %s', ipset)
@ -77,7 +78,7 @@ def cleanup_ipsets(conf):
LOG.info("Destroying IPsets with prefix: %s", conf.prefix)
cmd = ['ipset', '-L', '-n']
ipsets = utils.execute(cmd, run_as_root=True)
ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True)
for ipset in ipsets.split('\n'):
if conf.allsets or ipset.startswith(conf.prefix):
destroy_ipset(conf, ipset)
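Review bot: `cleanup_ipsets` iterates `ipsets.split('\n')`, and if the `ipset -L -n` output ends with a trailing newline (as command output usually does) the last element is an empty string; with `conf.allsets`, or an empty `conf.prefix`, that reaches `destroy_ipset(conf, '')`, which now issues a root-privileged `ipset destroy` with an empty name through privsep only to log an exception. Skipping blank names avoids the spurious privileged call and the misleading error log: `for ipset in filter(None, ipsets.split('\n')):`. The split itself predates this commit, but the call path behind it is what this commit changes, so it is a reasonable place to tighten it.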


@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase):
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + mangle_dump +
COMMENTED_NAT_DUMP + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase):
def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump):
expected_calls.extend([
(mock.call(['ip6tables-save'],
run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
''),
(mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True, log_fail_as_error=False),
process_input=filter_dump, run_as_root=True,
privsep_exec=True, log_fail_as_error=False),
None)])
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
expected_calls.insert(2, (
mock.call(['ip6tables-save'],
run_as_root=True),
run_as_root=True, privsep_exec=True),
''))
expected_calls.insert(3, (
mock.call(['ip6tables-restore', '-n'],
process_input=filter_dump,
run_as_root=True, log_fail_as_error=False),
process_input=filter_dump, run_as_root=True,
privsep_exec=True, log_fail_as_error=False),
None))
self._extend_with_ip6tables_filter_end(expected_calls, filter_dump)
@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
'# Completed by iptables_manager\n' % IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + mangle_dump_mod +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
NAT_DUMP + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
raw_dump = RAW_DUMP % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP +
nat_dump_mod + RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
% IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
raw_dump_mod),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
RAW_DUMP),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
self.execute.assert_has_calls(
[mock.call(['iptables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True)])
process_input=mock.ANY, run_as_root=True,
privsep_exec=True)])
# The RuntimeError should have triggered a log of the input to the
# process that it failed to execute. Verify by comparing the log
@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
num_calls = 3
expected_calls_and_values = [
(mock.call(['iptables-save'], run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
FILTER_DUMP),
(mock.call(['iptables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
PE_error),
(mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None),
]
if self.use_ipv6:
num_calls += 2
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
self.execute.reset_mock()
num_calls = 2
expected_calls_and_values = [
(mock.call(['iptables-save'], run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP),
(mock.call(['iptables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None),
]
if self.use_ipv6:
num_calls += 2
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n', '-w', '10',
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
process_input=mock.ANY, run_as_root=True),
process_input=mock.ANY, run_as_root=True,
privsep_exec=True),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
''))
exp_packets *= 2
exp_bytes *= 2
@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''),
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
'-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
'')
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
TRAFFIC_COUNTERS_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
'-n', '-v', '-x', '-w', '10', '-Z'],
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
''))
exp_packets *= 2
exp_bytes *= 2
@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
(filter_dump_mod + MANGLE_RESTORE_DUMP +
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
]
if self.use_ipv6:
expected_calls_and_values.append(
(mock.call(['ip6tables-save'], run_as_root=True),
(mock.call(['ip6tables-save'], run_as_root=True,
privsep_exec=True),
FILTER_DUMP))
expected_calls_and_values.append(
(mock.call(['ip6tables-restore', '-n'],
process_input=mock.ANY, run_as_root=True,
log_fail_as_error=False),
privsep_exec=True, log_fail_as_error=False),
None))
tools.setup_mock_calls(self.execute, expected_calls_and_values)
@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
% IPTABLES_ARG)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
(filter_dump_mod + MANGLE_RESTORE_DUMP +
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
(mock.call(['iptables-restore', '-n'],
process_input=RESTORE_INPUT,
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName(
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName(
mangle_dump = _generate_mangle_dump(iptables_args)
expected_calls_and_values = [
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump_mod + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
(mock.call(['iptables-save'],
run_as_root=True),
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
''),
(mock.call(['iptables-restore', '-n'],
process_input=(filter_dump + mangle_dump +
nat_dump + raw_dump),
run_as_root=True, log_fail_as_error=False),
run_as_root=True, privsep_exec=True,
log_fail_as_error=False),
None),
]
if self.use_ipv6:
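Review bot: Every expectation in this section now spells out `run_as_root=True, privsep_exec=True` (often with `log_fail_as_error=False`) inline, which is why a two-keyword change rewrote roughly a hundred lines of test; a module-level `EXEC_KWARGS = {'run_as_root': True, 'privsep_exec': True}` used as `mock.call(['iptables-save'], **EXEC_KWARGS)` would confine the next change to the execute signature to one line. This is a maintenance point only; the expectations do match the call sites changed in iptables_manager.py. The test methods holding these hunks start and end outside the shown lines.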


@ -2837,25 +2837,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
def _replay_iptables(self, v4_filter, v6_filter, raw):
self._register_mock_call(
['iptables-save'],
run_as_root=True,
['iptables-save'], run_as_root=True, privsep_exec=True,
return_value='')
self._register_mock_call(
['iptables-restore', '-n'],
process_input=self._regex(v4_filter + raw),
run_as_root=True,
log_fail_as_error=False,
return_value='')
process_input=self._regex(v4_filter + raw), run_as_root=True,
privsep_exec=True, log_fail_as_error=False, return_value='')
self._register_mock_call(
['ip6tables-save'],
run_as_root=True,
['ip6tables-save'], run_as_root=True, privsep_exec=True,
return_value='')
self._register_mock_call(
['ip6tables-restore', '-n'],
process_input=self._regex(v6_filter + raw),
run_as_root=True,
log_fail_as_error=False,
return_value='')
process_input=self._regex(v6_filter + raw), run_as_root=True,
privsep_exec=True, log_fail_as_error=False, return_value='')
def test_prepare_remove_port(self):
self.ipconntrack._device_zone_map = {}