From d351ba1137d3062d9953bd1a2e45664d1dc7189d Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Date: Wed, 12 Feb 2020 18:56:13 +0000
Subject: [PATCH] "ping"/"ping6" command support in rootwrap filters

To have correct support in rootwrap, "ping"/"ping6" command should
have the correct filters in rootwrap.

Because "ping" command is harmless, "CommandFilter" is used to allow
any binary call, regardless of the parameters used and the order.

Nevertheless, this patch also proposes to use "ping"/"ping6" with
the same parameters and a specific order, to help in the debug
process:
- ping[6] -W <timeout> <address>
- ping[6] -W <timeout> -c <count> <address>
- ping[6] -W <timeout> -c <count> -i <interval> <address>

Those commands could be called from inside a namespace. The needed
filter is also added in this patch.

Depends-On: https://review.opendev.org/754960
Change-Id: Ie5cbc0dcc76672b26cd2605f08cfd17a30b4c905
Closes-Bug: #1863006
(cherry picked from commit cc3b9df4268ac339d0b7316595a4148ba4c69836)
---
 etc/neutron/rootwrap.d/debug.filters                    | 8 ++++----
 neutron/tests/common/net_helpers.py                     | 7 ++++---
 neutron/tests/functional/agent/l3/test_legacy_router.py | 2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters
index 8d7a2dc69e4..828d563d68f 100644
--- a/etc/neutron/rootwrap.d/debug.filters
+++ b/etc/neutron/rootwrap.d/debug.filters
@@ -12,10 +12,10 @@
 # from inside a namespace which requires root
 # _alt variants allow to match -c and -w in any order
 #   (used by NeutronDebugAgent.ping_all)
-ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
-ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
-ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
-ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
+ping: CommandFilter, ping, root
+ping6: CommandFilter, ping6, root
+ping_exec: IpNetnsExecFilter, ping, root
+ping6_exec: IpNetnsExecFilter, ping6, root
 
 # "sleep" command, only for testing
 sleep: RegExpFilter, sleep, root, sleep, \d+
diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py
index 11d2492891c..9018307c1b4 100644
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -111,7 +111,7 @@ def assert_ping(src_namespace, dst_ip, timeout=1, count=3):
     ipversion = netaddr.IPAddress(dst_ip).version
     ping_command = 'ping' if ipversion == 4 else 'ping6'
     ns_ip_wrapper = ip_lib.IPWrapper(src_namespace)
-    ns_ip_wrapper.netns.execute([ping_command, '-c', count, '-W', timeout,
+    ns_ip_wrapper.netns.execute([ping_command, '-W', timeout, '-c', count,
                                  dst_ip])
 
 
@@ -124,7 +124,7 @@ def assert_async_ping(src_namespace, dst_ip, timeout=1, count=1, interval=1):
     # cannot be used and it needs to be done using the following workaround.
     for _index in range(count):
         start_time = time.time()
-        ns_ip_wrapper.netns.execute([ping_command, '-c', '1', '-W', timeout,
+        ns_ip_wrapper.netns.execute([ping_command, '-W', timeout, '-c', '1',
                                      dst_ip])
         end_time = time.time()
         diff = end_time - start_time
@@ -416,11 +416,12 @@ class Pinger(object):
             raise RuntimeError("This pinger has already a running process")
         ip_version = common_utils.get_ip_version(self.address)
         ping_exec = 'ping' if ip_version == n_const.IP_VERSION_4 else 'ping6'
-        cmd = [ping_exec, self.address, '-W', str(self.timeout)]
+        cmd = [ping_exec, '-W', str(self.timeout)]
         if self.count:
             cmd.extend(['-c', str(self.count)])
         if self.interval:
             cmd.extend(['-i', str(self.interval)])
+        cmd.append(self.address)
         self.proc = RootHelperProcess(cmd, namespace=self.namespace)
 
     def stop(self):
diff --git a/neutron/tests/functional/agent/l3/test_legacy_router.py b/neutron/tests/functional/agent/l3/test_legacy_router.py
index a88c0547284..d08f07c5617 100644
--- a/neutron/tests/functional/agent/l3/test_legacy_router.py
+++ b/neutron/tests/functional/agent/l3/test_legacy_router.py
@@ -320,7 +320,7 @@ class L3AgentTestCase(framework.L3AgentTestFramework):
         # Verify that the ping replys with fip
         ns_ip_wrapper = ip_lib.IPWrapper(src_machine.namespace)
         result = ns_ip_wrapper.netns.execute(
-            ['ping', '-c', 1, '-W', 5, dst_fip])
+            ['ping', '-W', 5, '-c', 1, dst_fip])
         self._assert_ping_reply_from_expected_address(result, dst_fip)
 
     def _setup_address_scope(self, internal_address_scope1,