Remove rootwrap execution (4)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace every rootwrap call. This patch migrates all "iptables"- and "ipset"-related commands to privsep. Change-Id: I4a1e137b2b414067504ad7c799d68f482bf3d36c Story: #2007686 Task: #41558
This commit is contained in:
parent
da27fb0870
commit
6c75316ca0
@ -8,18 +8,6 @@
|
||||
|
||||
[Filters]
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables-save", ...
|
||||
iptables-save: CommandFilter, iptables-save, root
|
||||
iptables-restore: CommandFilter, iptables-restore, root
|
||||
ip6tables-save: CommandFilter, ip6tables-save, root
|
||||
ip6tables-restore: CommandFilter, ip6tables-restore, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
# "iptables", "-A", ...
|
||||
iptables: CommandFilter, iptables, root
|
||||
ip6tables: CommandFilter, ip6tables, root
|
||||
|
||||
# neutron/agent/linux/iptables_firewall.py
|
||||
sysctl: CommandFilter, sysctl, root
|
||||
|
||||
|
@ -478,13 +478,14 @@ class IptablesManager(object):
|
||||
args = ['iptables-save', '-t', table]
|
||||
if self.namespace:
|
||||
args = ['ip', 'netns', 'exec', self.namespace] + args
|
||||
return linux_utils.execute(args, run_as_root=True).split('\n')
|
||||
return linux_utils.execute(args, run_as_root=True,
|
||||
privsep_exec=True).split('\n')
|
||||
|
||||
def _get_version(self):
|
||||
# Output example is "iptables v1.6.2"
|
||||
args = ['iptables', '--version']
|
||||
version = str(linux_utils.execute(
|
||||
args, run_as_root=True).split()[1][1:])
|
||||
args, run_as_root=True, privsep_exec=True).split()[1][1:])
|
||||
LOG.debug("IPTables version installed: %s", version)
|
||||
return version
|
||||
|
||||
@ -510,7 +511,7 @@ class IptablesManager(object):
|
||||
try:
|
||||
kwargs = {} if lock else {'log_fail_as_error': False}
|
||||
linux_utils.execute(args, process_input='\n'.join(commands),
|
||||
run_as_root=True, **kwargs)
|
||||
run_as_root=True, privsep_exec=True, **kwargs)
|
||||
except RuntimeError as error:
|
||||
return error
|
||||
|
||||
@ -572,7 +573,8 @@ class IptablesManager(object):
|
||||
if self.namespace:
|
||||
args = ['ip', 'netns', 'exec', self.namespace] + args
|
||||
try:
|
||||
save_output = linux_utils.execute(args, run_as_root=True)
|
||||
save_output = linux_utils.execute(args, run_as_root=True,
|
||||
privsep_exec=True)
|
||||
except RuntimeError:
|
||||
# We could be racing with a cron job deleting namespaces.
|
||||
# It is useless to try to apply iptables rules over and
|
||||
@ -781,7 +783,8 @@ class IptablesManager(object):
|
||||
# enabled is that we need to log the error. This is used to avoid
|
||||
# generating alarms that will be ignored by operators.
|
||||
current_table = linux_utils.execute(
|
||||
args, run_as_root=True, log_fail_as_error=cfg.CONF.debug)
|
||||
args, run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=cfg.CONF.debug)
|
||||
current_lines = current_table.split('\n')
|
||||
|
||||
for line in current_lines[2:]:
|
||||
|
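Review bot: The `run_as_root=True, privsep_exec=True` pairing added to the `iptables-save` call in the first hunk, to `_get_version`, to the `iptables-restore` call and to the two later `execute` calls moves these commands across a trust boundary without recording it: the same commit deletes the rootwrap CommandFilter entries for `iptables-save`, `iptables-restore`, `iptables` and their IPv6 variants, so the allow-list that used to bound what root would run for this agent no longer applies, and the commands presumably reach the privsep daemon as plain argv with the daemon's capability set as the only remaining limit. A one-line comment at the first call site would make that visible to the next reader, e.g. `# Executed through the privsep daemon; rootwrap filter allow-listing no longer applies here.` It is also worth confirming that no other `iptables`/`ip6tables` caller still goes through rootwrap, because once the filters are gone such a call is rejected at runtime rather than at review time. All of the enclosing methods except `_get_version` begin outside the hunks shown.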
@ -40,7 +40,7 @@ def setup_conf():
|
||||
def remove_iptables_reference(ipset):
|
||||
# Remove any iptables reference to this IPset
|
||||
cmd = ['iptables-save'] if 'IPv4' in ipset else ['ip6tables-save']
|
||||
iptables_save = utils.execute(cmd, run_as_root=True)
|
||||
iptables_save = utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||
|
||||
if ipset in iptables_save:
|
||||
cmd = ['iptables'] if 'IPv4' in ipset else ['ip6tables']
|
||||
@ -52,7 +52,8 @@ def remove_iptables_reference(ipset):
|
||||
params = rule.split()
|
||||
params[0] = '-D'
|
||||
try:
|
||||
utils.execute(cmd + params, run_as_root=True)
|
||||
utils.execute(cmd + params, run_as_root=True,
|
||||
privsep_exec=True)
|
||||
except Exception:
|
||||
LOG.exception('Error, unable to remove iptables rule '
|
||||
'for IPset: %s', ipset)
|
||||
@ -67,7 +68,7 @@ def destroy_ipset(conf, ipset):
|
||||
LOG.info("Destroying IPset: %s", ipset)
|
||||
cmd = ['ipset', 'destroy', ipset]
|
||||
try:
|
||||
utils.execute(cmd, run_as_root=True)
|
||||
utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||
except Exception:
|
||||
LOG.exception('Error, unable to destroy IPset: %s', ipset)
|
||||
|
||||
@ -77,7 +78,7 @@ def cleanup_ipsets(conf):
|
||||
LOG.info("Destroying IPsets with prefix: %s", conf.prefix)
|
||||
|
||||
cmd = ['ipset', '-L', '-n']
|
||||
ipsets = utils.execute(cmd, run_as_root=True)
|
||||
ipsets = utils.execute(cmd, run_as_root=True, privsep_exec=True)
|
||||
for ipset in ipsets.split('\n'):
|
||||
if conf.allsets or ipset.startswith(conf.prefix):
|
||||
destroy_ipset(conf, ipset)
|
||||
|
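Review bot: In `cleanup_ipsets` the output of the privsep-executed `ipset -L -n` is split on `'\n'`, which leaves a trailing empty string, and when `conf.allsets` is set that empty name is passed straight to `destroy_ipset`, producing a privileged `ipset destroy ''` invocation that can only fail and emit an exception log on every run. Filtering empty entries before dispatch avoids the spurious privileged call: `for ipset in filter(None, ipsets.split('\n')):`. The same trailing-empty-string shape reaches `remove_iptables_reference`, where `ipset in iptables_save` is a plain substring test and therefore true for an empty name; that check predates this commit but is worth tightening while the execution path is being changed. The loop over the matched rules in `remove_iptables_reference` starts outside the hunk shown.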
@ -230,21 +230,21 @@ class IptablesCommentsTestCase(base.BaseTestCase):
|
||||
mangle_dump = _generate_mangle_dump(IPTABLES_ARG)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + mangle_dump +
|
||||
COMMENTED_NAT_DUMP + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + mangle_dump +
|
||||
COMMENTED_NAT_DUMP + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||
@ -406,23 +406,23 @@ class IptablesManagerBaseTestCase(base.BaseTestCase):
|
||||
|
||||
def _extend_with_ip6tables_filter_end(self, expected_calls, filter_dump):
|
||||
expected_calls.extend([
|
||||
(mock.call(['ip6tables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||
privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['ip6tables-restore', '-n'],
|
||||
process_input=filter_dump,
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
process_input=filter_dump, run_as_root=True,
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
None)])
|
||||
|
||||
def _extend_with_ip6tables_filter(self, expected_calls, filter_dump):
|
||||
expected_calls.insert(2, (
|
||||
mock.call(['ip6tables-save'],
|
||||
run_as_root=True),
|
||||
run_as_root=True, privsep_exec=True),
|
||||
''))
|
||||
expected_calls.insert(3, (
|
||||
mock.call(['ip6tables-restore', '-n'],
|
||||
process_input=filter_dump,
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
process_input=filter_dump, run_as_root=True,
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
None))
|
||||
self._extend_with_ip6tables_filter_end(expected_calls, filter_dump)
|
||||
|
||||
@ -459,21 +459,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||
RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -503,21 +503,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||
RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -579,21 +579,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + MANGLE_DUMP +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -645,21 +645,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
'# Completed by iptables_manager\n' % IPTABLES_ARG)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + mangle_dump_mod +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||
NAT_DUMP + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -716,21 +716,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
raw_dump = RAW_DUMP % IPTABLES_ARG
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP +
|
||||
nat_dump_mod + RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP + nat_dump +
|
||||
RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -778,21 +778,21 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
% IPTABLES_ARG)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||
raw_dump_mod),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP +
|
||||
RAW_DUMP),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -912,10 +912,11 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
self.execute.assert_has_calls(
|
||||
[mock.call(['iptables-restore', '-n'],
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
log_fail_as_error=False),
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
mock.call(['iptables-restore', '-n', '-w', '10',
|
||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||
process_input=mock.ANY, run_as_root=True)])
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
privsep_exec=True)])
|
||||
|
||||
# The RuntimeError should have triggered a log of the input to the
|
||||
# process that it failed to execute. Verify by comparing the log
|
||||
@ -943,26 +944,29 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
|
||||
num_calls = 3
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'], run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
FILTER_DUMP),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
log_fail_as_error=False),
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
PE_error),
|
||||
(mock.call(['iptables-restore', '-n', '-w', '10',
|
||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||
process_input=mock.ANY, run_as_root=True),
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
privsep_exec=True),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
num_calls += 2
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
||||
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||
privsep_exec=True),
|
||||
FILTER_DUMP))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||
process_input=mock.ANY, run_as_root=True),
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
privsep_exec=True),
|
||||
None))
|
||||
|
||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||
@ -973,22 +977,26 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
self.execute.reset_mock()
|
||||
num_calls = 2
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'], run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True,
|
||||
privsep_exec=True),
|
||||
FILTER_DUMP),
|
||||
(mock.call(['iptables-restore', '-n', '-w', '10',
|
||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||
process_input=mock.ANY, run_as_root=True),
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
privsep_exec=True),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
num_calls += 2
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
||||
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||
privsep_exec=True),
|
||||
FILTER_DUMP))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-restore', '-n', '-w', '10',
|
||||
'-W', iptables_manager.XLOCK_WAIT_INTERVAL],
|
||||
process_input=mock.ANY, run_as_root=True),
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
privsep_exec=True),
|
||||
None))
|
||||
|
||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||
@ -1020,36 +1028,41 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
TRAFFIC_COUNTERS_DUMP),
|
||||
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''),
|
||||
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''),
|
||||
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
||||
log_fail_as_error=False),
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
''))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
TRAFFIC_COUNTERS_DUMP))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10'], run_as_root=True,
|
||||
log_fail_as_error=False),
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
''))
|
||||
exp_packets *= 2
|
||||
exp_bytes *= 2
|
||||
@ -1070,36 +1083,43 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
TRAFFIC_COUNTERS_DUMP),
|
||||
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''),
|
||||
(mock.call(['iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''),
|
||||
(mock.call(['iptables', '-t', 'nat', '-L', 'OUTPUT', '-n',
|
||||
'-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
'')
|
||||
]
|
||||
if self.use_ipv6:
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
TRAFFIC_COUNTERS_DUMP))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables', '-t', 'mangle', '-L', 'OUTPUT',
|
||||
'-n', '-v', '-x', '-w', '10', '-Z'],
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
''))
|
||||
exp_packets *= 2
|
||||
exp_bytes *= 2
|
||||
@ -1121,19 +1141,19 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
filter_dump_mod = FILTER_RESTORE_DUMP % iptables_args
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
||||
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-save'], run_as_root=True),
|
||||
(mock.call(['ip6tables-save'], run_as_root=True,
|
||||
privsep_exec=True),
|
||||
FILTER_DUMP))
|
||||
expected_calls_and_values.append(
|
||||
(mock.call(['ip6tables-restore', '-n'],
|
||||
process_input=mock.ANY, run_as_root=True,
|
||||
log_fail_as_error=False),
|
||||
privsep_exec=True, log_fail_as_error=False),
|
||||
None))
|
||||
|
||||
tools.setup_mock_calls(self.execute, expected_calls_and_values)
|
||||
@ -1164,13 +1184,13 @@ class IptablesManagerStateFulTestCase(IptablesManagerBaseTestCase):
|
||||
% IPTABLES_ARG)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
(filter_dump_mod + MANGLE_RESTORE_DUMP +
|
||||
NAT_RESTORE_DUMP + RAW_RESTORE_DUMP)),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=RESTORE_INPUT,
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
|
||||
@ -1221,21 +1241,21 @@ class IptablesManagerStateFulTestCaseCustomBinaryName(
|
||||
mangle_dump = _generate_mangle_dump(iptables_args)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + mangle_dump +
|
||||
nat_dump + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump + mangle_dump +
|
||||
nat_dump + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
@ -1289,21 +1309,21 @@ class IptablesManagerStateFulTestCaseEmptyCustomBinaryName(
|
||||
mangle_dump = _generate_mangle_dump(iptables_args)
|
||||
|
||||
expected_calls_and_values = [
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump_mod + mangle_dump +
|
||||
nat_dump + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
(mock.call(['iptables-save'],
|
||||
run_as_root=True),
|
||||
(mock.call(['iptables-save'], run_as_root=True, privsep_exec=True),
|
||||
''),
|
||||
(mock.call(['iptables-restore', '-n'],
|
||||
process_input=(filter_dump + mangle_dump +
|
||||
nat_dump + raw_dump),
|
||||
run_as_root=True, log_fail_as_error=False),
|
||||
run_as_root=True, privsep_exec=True,
|
||||
log_fail_as_error=False),
|
||||
None),
|
||||
]
|
||||
if self.use_ipv6:
|
||||
|
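Review bot: Style: the expected-call lists now spell out `mock.call(['iptables-save'], run_as_root=True, privsep_exec=True)` and the matching `iptables-restore` call with `privsep_exec=True, log_fail_as_error=False` in more than a dozen places across this file, so the next change to `execute`'s kwargs will touch every one of them again, exactly as this commit had to. A small module-level helper such as `def _save_call(binary): return mock.call([binary], run_as_root=True, privsep_exec=True)`, with a sibling for the restore call taking the `process_input`, would make these expectations a single point of change. This is a readability point only; the kwargs pinned here match the ones added to the production calls in the other hunks on this page.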
@ -2837,25 +2837,19 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
|
||||
|
||||
def _replay_iptables(self, v4_filter, v6_filter, raw):
|
||||
self._register_mock_call(
|
||||
['iptables-save'],
|
||||
run_as_root=True,
|
||||
['iptables-save'], run_as_root=True, privsep_exec=True,
|
||||
return_value='')
|
||||
self._register_mock_call(
|
||||
['iptables-restore', '-n'],
|
||||
process_input=self._regex(v4_filter + raw),
|
||||
run_as_root=True,
|
||||
log_fail_as_error=False,
|
||||
return_value='')
|
||||
process_input=self._regex(v4_filter + raw), run_as_root=True,
|
||||
privsep_exec=True, log_fail_as_error=False, return_value='')
|
||||
self._register_mock_call(
|
||||
['ip6tables-save'],
|
||||
run_as_root=True,
|
||||
['ip6tables-save'], run_as_root=True, privsep_exec=True,
|
||||
return_value='')
|
||||
self._register_mock_call(
|
||||
['ip6tables-restore', '-n'],
|
||||
process_input=self._regex(v6_filter + raw),
|
||||
run_as_root=True,
|
||||
log_fail_as_error=False,
|
||||
return_value='')
|
||||
process_input=self._regex(v6_filter + raw), run_as_root=True,
|
||||
privsep_exec=True, log_fail_as_error=False, return_value='')
|
||||
|
||||
def test_prepare_remove_port(self):
|
||||
self.ipconntrack._device_zone_map = {}
|
||||
|