openstack
/
neutron
Code Issues Proposed changes

Merge "Enforce specific order for firewall.(un)filtered_ports and devices"

This commit is contained in:
Jenkins 2015-07-13 09:54:45 +00:00 committed by Gerrit Code Review
parent 1ef2fc8fa1 5b066a237e
commit 95302aac84
1 changed files with 48 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
neutron/tests/unit/agent/test_securitygroups_rpc.py
View File

@ -1637,23 +1637,12 @@ COMMIT
CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'
# These Dicts use the same keys as devices2 and devices3 in
# TestSecurityGroupAgentWithIptables() to ensure that the ordering
# is consistent regardless of hashseed value
PORTS = {'tap_port1': 'port1', 'tap_port2': 'port2'}
MACS = {'tap_port1': '12:34:56:78:9A:BC', 'tap_port2': '12:34:56:78:9A:BD'}
IPS = {'tap_port1': '10.0.0.3/32', 'tap_port2': '10.0.0.4/32'}
ports_values = list(PORTS.values())
macs_values = list(MACS.values())
ips_values = list(IPS.values())
IPTABLES_ARG['port1'] = ports_values[0]
IPTABLES_ARG['port2'] = ports_values[1]
IPTABLES_ARG['mac1'] = macs_values[0]
IPTABLES_ARG['mac2'] = macs_values[1]
IPTABLES_ARG['ip1'] = ips_values[0]
IPTABLES_ARG['ip2'] = ips_values[1]
IPTABLES_ARG['port1'] = 'port1'
IPTABLES_ARG['port2'] = 'port2'
IPTABLES_ARG['mac1'] = '12:34:56:78:9A:BC'
IPTABLES_ARG['mac2'] = '12:34:56:78:9A:BD'
IPTABLES_ARG['ip1'] = '10.0.0.3/32'
IPTABLES_ARG['ip2'] = '10.0.0.4/32'
IPTABLES_ARG['chains'] = CHAINS_NAT
IPTABLES_RAW_DEFAULT = """# Generated by iptables_manager
@ -2136,12 +2125,6 @@ COMMIT
# Completed by iptables_manager
""" % IPTABLES_ARG
# These Dicts use the same keys as devices2 and devices3 in
# TestSecurityGroupAgentWithIptables() to ensure that the ordering
# is consistent regardless of hashseed value
REVERSE_PORT_ORDER = {'tap_port1': False, 'tap_port2': True}
reverse_port_order_values = list(REVERSE_PORT_ORDER.values())
IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
*filter
:neutron-filter-top - [0:0]
@ -2174,10 +2157,6 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
--dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
""" % IPTABLES_ARG
if reverse_port_order_values[0]:
IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s "
"-j RETURN\n"
% IPTABLES_ARG)
IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
@ -2205,10 +2184,9 @@ IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
--dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
""" % IPTABLES_ARG
if not reverse_port_order_values[0]:
IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
"-j RETURN\n"
% IPTABLES_ARG)
IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
"-j RETURN\n"
% IPTABLES_ARG)
IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
@ -2554,27 +2532,39 @@ class TestSecurityGroupAgentWithIptables(base.BaseTestCase):
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule1)}
self.devices2 = {'tap_port1': self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule2),
'tap_port2': self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
rule4)}
self.devices3 = {'tap_port1': self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule3),
'tap_port2': self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
rule5)}
self.devices2 = collections.OrderedDict([
('tap_port1', self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule2)),
('tap_port2', self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
rule4))
])
self.devices3 = collections.OrderedDict([
('tap_port1', self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule3)),
('tap_port2', self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
rule5))
])
@staticmethod
def _enforce_order_in_firewall(firewall):
# for the sake of the test, eliminate any order randomness:
# it helps to match iptables output against regexps consistently
for attr in ('filtered_ports', 'unfiltered_ports'):
setattr(firewall, attr, collections.OrderedDict())
def _init_agent(self, defer_refresh_firewall):
self.agent = sg_rpc.SecurityGroupAgentRpc(
context=None, plugin_rpc=self.rpc,
defer_refresh_firewall=defer_refresh_firewall)
self._enforce_order_in_firewall(self.agent.firewall)
def _device(self, device, ip, mac_address, rule):
return {'device': device,
@ -2742,14 +2732,16 @@ class TestSecurityGroupAgentEnhancedRpcWithIptables(
'security_group1': {
'IPv4': ['10.0.0.3/32'], 'IPv6': []}},
'devices': devices_info1}
devices_info2 = {'tap_port1': self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
[]),
'tap_port2': self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
[])}
devices_info2 = collections.OrderedDict([
('tap_port1', self._device('tap_port1',
'10.0.0.3/32',
'12:34:56:78:9a:bc',
[])),
('tap_port2', self._device('tap_port2',
'10.0.0.4/32',
'12:34:56:78:9a:bd',
[]))
])
self.devices_info2 = {'security_groups': {'security_group1': rule1},
'sg_member_ips': {
'security_group1': {
@ -2943,6 +2935,7 @@ class TestSecurityGroupAgentWithOVSIptables(
context=None, plugin_rpc=self.rpc,
local_vlan_map=local_vlan_map,
defer_refresh_firewall=defer_refresh_firewall)
self._enforce_order_in_firewall(self.agent.firewall)
def test_prepare_remove_port(self):
self.rpc.security_group_rules_for_devices.return_value = self.devices1