openstack/neutron
Code Issues Proposed changes

Merge "ovsfw: Fix up port_range and ICMP type/code handling"

Browse Source
This commit is contained in:
Jenkins
2017-09-08 04:57:07 +00:00
committed by Gerrit Code Review
parent d44879333d b82db0a9f2
commit 96f8fbc62d
2 changed files with 48 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
neutron/agent/linux/openvswitch_firewall/rules.py
View File

@@ -95,7 +95,10 @@ def create_protocol_flows(direction, flow_template, port, rule):
if protocol is not None: if protocol is not None:
flow_template['nw_proto'] = protocol flow_template['nw_proto'] = protocol
flows = create_port_range_flows(flow_template, rule) if protocol in [n_consts.PROTO_NUM_ICMP, n_consts.PROTO_NUM_IPV6_ICMP]:
flows = create_icmp_flows(flow_template, rule)
else:
flows = create_port_range_flows(flow_template, rule)
return flows or [flow_template] return flows or [flow_template]
@@ -138,6 +141,19 @@ def create_port_range_flows(flow_template, rule):
return flows return flows
def create_icmp_flows(flow_template, rule):
icmp_type = rule.get('port_range_min')
if icmp_type is None:
return
flow = flow_template.copy()
flow['icmp_type'] = icmp_type
icmp_code = rule.get('port_range_max')
if icmp_code is not None:
flow['icmp_code'] = icmp_code
return [flow]
def create_flows_for_ip_address(ip_address, direction, ethertype, def create_flows_for_ip_address(ip_address, direction, ethertype,
vlan_tag, conj_ids): vlan_tag, conj_ids):
"""Create flows from a rule and an ip_address derived from """Create flows from a rule and an ip_address derived from

31
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
View File

@@ -240,6 +240,36 @@ class TestCreateProtocolFlows(base.BaseTestCase):
self._test_create_protocol_flows_helper( self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows) firewall.EGRESS_DIRECTION, rule, expected_flows)
def test_create_protocol_flows_icmp(self):
rule = {'ethertype': constants.IPv4,
'protocol': constants.PROTO_NUM_ICMP,
'port_range_min': 0}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_ICMP,
'icmp_type': 0
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
def test_create_protocol_flows_ipv6_icmp(self):
rule = {'ethertype': constants.IPv6,
'protocol': constants.PROTO_NUM_IPV6_ICMP,
'port_range_min': 5,
'port_range_max': 0}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
'icmp_type': 5,
'icmp_code': 0,
}]
self._test_create_protocol_flows_helper(
firewall.EGRESS_DIRECTION, rule, expected_flows)
class TestCreatePortRangeFlows(base.BaseTestCase): class TestCreatePortRangeFlows(base.BaseTestCase):
def _test_create_port_range_flows_helper(self, expected_flows, rule): def _test_create_port_range_flows_helper(self, expected_flows, rule):
@@ -294,6 +324,7 @@ class TestCreatePortRangeFlows(base.BaseTestCase):
self._test_create_port_range_flows_helper(expected_flows, rule) self._test_create_port_range_flows_helper(expected_flows, rule)
def test_create_port_range_with_icmp_protocol(self): def test_create_port_range_with_icmp_protocol(self):
# NOTE: such call is prevented by create_protocols_flows
rule = { rule = {
'protocol': constants.PROTO_NUM_ICMP, 'protocol': constants.PROTO_NUM_ICMP,
'port_range_min': 10, 'port_range_min': 10,