From c20ad344da1f51617e631c1768b645ed1e01c1fc Mon Sep 17 00:00:00 2001
From: yujie
Date: Wed, 18 May 2016 19:56:04 +0800
Subject: [PATCH] Egress sg_rules should get 'prefix' from 'dest_ip_prefix'

When adding an egress rule to sg assigned remote CIDR, vms using this sg will add a rule in iptables like -oxxxxxxxx-x -d CIDR. But test cases for egress with prefix always using -s CIDR, which is not correct.

Closes-Bug: #1523835
Change-Id: Ifabfe3278aa0516a222f71153e47149ff4562d5e
---
 .../agent/linux/test_iptables_firewall.py | 96 ++++++++++---------
 1 file changed, 53 insertions(+), 43 deletions(-)

diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 06f28e5e0cf..e75c27df51d 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -391,7 +391,17 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
 
-    def test_filter_ipv4_egress_prefix(self):
+    def test_filter_ipv4_egress_dest_prefix(self):
+        prefix = FAKE_PREFIX['IPv4']
+        rule = {'ethertype': 'IPv4',
+                'direction': 'egress',
+                'dest_ip_prefix': prefix}
+        egress = mock.call.add_rule(
+            'ofake_dev', '-d %s -j RETURN' % prefix, comment=None)
+        ingress = None
+        self._test_prepare_port_filter(rule, ingress, egress)
+
+    def test_filter_ipv4_egress_source_prefix(self):
         prefix = FAKE_PREFIX['IPv4']
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
@@ -415,9 +425,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'tcp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule('ofake_dev',
-                                    '-s %s -p tcp -j RETURN' % prefix,
+                                    '-d %s -p tcp -j RETURN' % prefix,
                                     comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
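Review bot: The retained `test_filter_ipv4_egress_source_prefix` still expects an egress rule carrying `source_ip_prefix` to render `-s`, directly below the new `test_filter_ipv4_egress_dest_prefix` that expects `-d`, and nothing in the hunk says why both prefix keys are legitimate on an egress rule. A reader who takes the Subject line literally could mistake the kept `-s` expectation for the bug this commit fixes and delete it. A short comment on the kept test would preserve the distinction, e.g. `# An egress rule's remote CIDR arrives as dest_ip_prefix (-d); an explicit source_ip_prefix is presumably still rendered as -s, so pin that path too.` — hedged, because the driver side is not part of this diff. The body of `test_filter_ipv4_egress_source_prefix` continues past the end of the hunk.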
@@ -436,9 +446,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
-            'ofake_dev', '-s %s -p icmp -j RETURN' % prefix,
+            'ofake_dev', '-d %s -p icmp -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -448,11 +458,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 8,
-                'source_ip_prefix': prefix}
+                'port_range_min': 8,
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p icmp -m icmp --icmp-type 8 -j RETURN' % prefix,
+            '-d %s -p icmp -m icmp --icmp-type 8 -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -462,11 +472,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 'echo-request',
-                'source_ip_prefix': prefix}
+                'port_range_min': 'echo-request',
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p icmp -m icmp --icmp-type echo-request '
+            '-d %s -p icmp -m icmp --icmp-type echo-request '
             '-j RETURN' % prefix, comment=None)
         ingress = None
@@ -477,12 +487,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 8,
-                'source_port_range_max': 0,
-                'source_ip_prefix': prefix}
+                'port_range_min': 8,
+                'port_range_max': 0,
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p icmp -m icmp --icmp-type 8/0 -j RETURN' % prefix,
+            '-d %s -p icmp -m icmp --icmp-type 8/0 -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
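Review bot: The ICMP hunks also rename `source_port_range_min`/`source_port_range_max` to `port_range_min`/`port_range_max`, yet the commit message explains only the `-s` to `-d` prefix change; one sentence in the description saying why the port keys moved as well (presumably because ICMP type/code are delivered in `port_range_min`/`port_range_max`, which this diff does not show) would save the next reader from guessing. In the `8/0` case the `'port_range_max': 0` value is the interesting one: a code of 0 is falsy in Python, so this is the test that would catch a driver gating the `/code` suffix on truthiness, and a comment such as `# ICMP code 0 is falsy: it must still be rendered as --icmp-type 8/0` would make that intent explicit rather than incidental. Each test method's `def` line lies before the start of its hunk.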
@@ -519,10 +529,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                 'protocol': 'tcp',
                 'port_range_min': 10,
                 'port_range_max': 100,
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p tcp -m tcp -m multiport --dports 10:100 '
+            '-d %s -p tcp -m tcp -m multiport --dports 10:100 '
             '-j RETURN' % prefix, comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -541,9 +551,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv4',
                 'direction': 'egress',
                 'protocol': 'udp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule('ofake_dev',
-                                    '-s %s -p udp -j RETURN' % prefix,
+                                    '-d %s -p udp -j RETURN' % prefix,
                                     comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -580,10 +590,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                 'protocol': 'udp',
                 'port_range_min': 10,
                 'port_range_max': 100,
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p udp -m udp -m multiport --dports 10:100 '
+            '-d %s -p udp -m udp -m multiport --dports 10:100 '
             '-j RETURN' % prefix, comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -779,9 +789,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         prefix = FAKE_PREFIX['IPv6']
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
-            'ofake_dev', '-s %s -j RETURN' % prefix, comment=None)
+            'ofake_dev', '-d %s -j RETURN' % prefix, comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
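Review bot: The IPv6 bare-prefix egress test in the last hunk is converted in place from `source_ip_prefix`/`-s` to `dest_ip_prefix`/`-d`, whereas the IPv4 counterpart earlier in this patch was split into a `_dest_prefix` test and a kept `_source_prefix` test; after this hunk no test pins how an IPv6 egress rule with an explicit `source_ip_prefix` is rendered. Since the pre-change expectation shows that path produced `-s %s -j RETURN`, a mirror of the IPv4 pair keeps the two address families covered the same way. The test method's `def` line, which would need renaming to `_dest_prefix` to match IPv4, lies before the start of the hunk.
```python
    def test_filter_ipv6_egress_source_prefix(self):
        prefix = FAKE_PREFIX['IPv6']
        rule = {'ethertype': 'IPv6',
                'direction': 'egress',
                'source_ip_prefix': prefix}
        egress = mock.call.add_rule(
            'ofake_dev', '-s %s -j RETURN' % prefix, comment=None)
        ingress = None
        self._test_prepare_port_filter(rule, ingress, egress)
```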
@@ -799,9 +809,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'tcp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule('ofake_dev',
-                                    '-s %s -p tcp -j RETURN' % prefix,
+                                    '-d %s -p tcp -j RETURN' % prefix,
                                     comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -820,9 +830,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
-            'ofake_dev', '-s %s -p ipv6-icmp -j RETURN' % prefix,
+            'ofake_dev', '-d %s -p ipv6-icmp -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -832,11 +842,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 8,
-                'source_ip_prefix': prefix}
+                'port_range_min': 8,
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8 -j RETURN' % prefix,
+            '-d %s -p ipv6-icmp -m icmp6 --icmpv6-type 8 -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -846,11 +856,11 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 'echo-request',
-                'source_ip_prefix': prefix}
+                'port_range_min': 'echo-request',
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type echo-request '
+            '-d %s -p ipv6-icmp -m icmp6 --icmpv6-type echo-request '
             '-j RETURN' % prefix, comment=None)
         ingress = None
@@ -861,12 +871,12 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'icmp',
-                'source_port_range_min': 8,
-                'source_port_range_max': 0,
-                'source_ip_prefix': prefix}
+                'port_range_min': 8,
+                'port_range_max': 0,
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix,
+            '-d %s -p ipv6-icmp -m icmp6 --icmpv6-type 8/0 -j RETURN' % prefix,
             comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -903,10 +913,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                 'protocol': 'tcp',
                 'port_range_min': 10,
                 'port_range_max': 100,
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p tcp -m tcp -m multiport --dports 10:100 '
+            '-d %s -p tcp -m tcp -m multiport --dports 10:100 '
             '-j RETURN' % prefix, comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -925,9 +935,9 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
         rule = {'ethertype': 'IPv6',
                 'direction': 'egress',
                 'protocol': 'udp',
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule('ofake_dev',
-                                    '-s %s -p udp -j RETURN' % prefix,
+                                    '-d %s -p udp -j RETURN' % prefix,
                                     comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)
@@ -964,10 +974,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
                 'protocol': 'udp',
                 'port_range_min': 10,
                 'port_range_max': 100,
-                'source_ip_prefix': prefix}
+                'dest_ip_prefix': prefix}
         egress = mock.call.add_rule(
             'ofake_dev',
-            '-s %s -p udp -m udp -m multiport --dports 10:100 '
+            '-d %s -p udp -m udp -m multiport --dports 10:100 '
             '-j RETURN' % prefix, comment=None)
         ingress = None
         self._test_prepare_port_filter(rule, ingress, egress)