From d55e824310b642ed21b0b81db3a65cf3d9f1df48 Mon Sep 17 00:00:00 2001 From: Boden R Date: Fri, 5 Jan 2018 08:37:49 -0700 Subject: [PATCH] use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib now. This patch removes them from neutron and uses lib's version of them. NeutronLibImpact Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
---
neutron/agent/firewall.py | 7 +--- neutron/agent/linux/iptables_firewall.py | 36 +++++++++--------- .../linux/openvswitch_firewall/firewall.py | 4 +- .../agent/linux/openvswitch_firewall/rules.py | 21 +++++------ .../drivers/openvswitch/ovs_firewall_log.py | 5 +-- neutron/tests/common/conn_testers.py | 9 ++--- .../openvswitch_firewall/test_iptables.py | 5 +-- .../tests/functional/agent/test_firewall.py | 37 +++++++++---------- .../services/logapi/test_logging.py | 7 ++-- .../openvswitch_firewall/test_firewall.py | 33 ++++++++--------- .../linux/openvswitch_firewall/test_rules.py | 31 ++++++++-------- .../openvswitch/test_ovs_firewall_log.py | 11 +++--- 12 files changed, 97 insertions(+), 109 deletions(-)
diff --git a/neutron/agent/firewall.py b/neutron/agent/firewall.py
index 1dd2cbce0f6..4a54c6a2399 100644
--- a/neutron/agent/firewall.py
+++ b/neutron/agent/firewall.py
@@ -23,11 +23,8 @@ from neutron_lib import constants as n_const from neutron_lib.utils import runtime -INGRESS_DIRECTION = n_const.INGRESS_DIRECTION -EGRESS_DIRECTION = n_const.EGRESS_DIRECTION - -DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix', - EGRESS_DIRECTION: 'dest_ip_prefix'} +DIRECTION_IP_PREFIX = {n_const.INGRESS_DIRECTION: 'source_ip_prefix', + n_const.EGRESS_DIRECTION: 'dest_ip_prefix'} # List of ICMPv6 types that should be permitted (ingress) by default. This list # depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
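Review bot: Dropping the module-level `INGRESS_DIRECTION` and `EGRESS_DIRECTION` names from neutron/agent/firewall.py is an interface break for any out-of-tree firewall driver that still references `firewall.INGRESS_DIRECTION`, and this hunk gives such importers no transition path beyond the NeutronLibImpact tag in the commit message. Because the removed lines were already plain aliases of the neutron-lib values, the keys of `DIRECTION_IP_PREFIX` and the chain-prefix, ipset and physdev mappings in the later hunks stay value-for-value identical, so in-tree behaviour does not change; the only exposure is an external module failing at import time. If one cycle of compatibility is wanted, keep the two aliases next to the new dict with a note, e.g. `INGRESS_DIRECTION = n_const.INGRESS_DIRECTION  # deprecated alias; use neutron_lib.constants` and the matching `EGRESS_DIRECTION` line, and remove them in a later release.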
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index 7ece5752401..ff6083e917d 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -34,11 +34,11 @@ from neutron.common import utils as c_utils LOG = logging.getLogger(__name__) SG_CHAIN = 'sg-chain' SPOOF_FILTER = 'spoof-filter' -CHAIN_NAME_PREFIX = {firewall.INGRESS_DIRECTION: 'i', - firewall.EGRESS_DIRECTION: 'o', +CHAIN_NAME_PREFIX = {constants.INGRESS_DIRECTION: 'i', + constants.EGRESS_DIRECTION: 'o', SPOOF_FILTER: 's'} -IPSET_DIRECTION = {firewall.INGRESS_DIRECTION: 'src', - firewall.EGRESS_DIRECTION: 'dst'} +IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src', + constants.EGRESS_DIRECTION: 'dst'} comment_rule = iptables_manager.comment_rule
@@ -53,8 +53,8 @@ class mac_iptables(netaddr.mac_eui48): class IptablesFirewallDriver(firewall.FirewallDriver): """Driver which enforces security groups through iptables rules.""" - IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out', - firewall.EGRESS_DIRECTION: 'physdev-in'} + IPTABLES_DIRECTION = {constants.INGRESS_DIRECTION: 'physdev-out', + constants.EGRESS_DIRECTION: 'physdev-in'} CONNTRACK_ZONE_PER_PORT = False def __init__(self, namespace=None):
@@ -205,14 +205,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver): for pname in sorted(ports): port = ports[pname] self._add_conntrack_jump(port) - self._setup_chain(port, firewall.INGRESS_DIRECTION) - self._setup_chain(port, firewall.EGRESS_DIRECTION) + self._setup_chain(port, constants.INGRESS_DIRECTION) + self._setup_chain(port, constants.EGRESS_DIRECTION) self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT') self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT') for port in unfiltered_ports.values(): - self._add_accept_rule_port_sec(port, firewall.INGRESS_DIRECTION) - self._add_accept_rule_port_sec(port, firewall.EGRESS_DIRECTION) + self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION) + self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION) def _remove_chains(self): """Remove ingress and egress chain for a port."""
@@ -222,13 +222,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver): def _remove_chains_apply(self, ports, unfiltered_ports): for port in ports.values(): - self._remove_chain(port, firewall.INGRESS_DIRECTION) - self._remove_chain(port, firewall.EGRESS_DIRECTION) + self._remove_chain(port, constants.INGRESS_DIRECTION) + self._remove_chain(port, constants.EGRESS_DIRECTION) self._remove_chain(port, SPOOF_FILTER) self._remove_conntrack_jump(port) for port in unfiltered_ports.values(): - self._remove_rule_port_sec(port, firewall.INGRESS_DIRECTION) - self._remove_rule_port_sec(port, firewall.EGRESS_DIRECTION) + self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION) + self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION) self._remove_chain_by_name_v4v6(SG_CHAIN) def _setup_chain(self, port, DIRECTION):
@@ -281,7 +281,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): else: self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule) - if direction == firewall.EGRESS_DIRECTION: + if direction == constants.EGRESS_DIRECTION: if add: self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule, comment=ic.PORT_SEC_ACCEPT)
@@ -315,7 +315,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver): self._add_rules_to_chain_v4v6(SG_CHAIN, jump_rule, jump_rule, comment=ic.SG_TO_VM_SG) - if direction == firewall.EGRESS_DIRECTION: + if direction == constants.EGRESS_DIRECTION: self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule, comment=ic.INPUT_TO_SG)
@@ -532,11 +532,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver): ipv4_iptables_rules = [] ipv6_iptables_rules = [] # include fixed egress/ingress rules - if direction == firewall.EGRESS_DIRECTION: + if direction == constants.EGRESS_DIRECTION: self._add_fixed_egress_rules(port, ipv4_iptables_rules, ipv6_iptables_rules) - elif direction == firewall.INGRESS_DIRECTION: + elif direction == constants.INGRESS_DIRECTION: ipv6_iptables_rules += self._accept_inbound_icmpv6() # include IPv4 and IPv6 iptable rules from security group ipv4_iptables_rules += self._convert_sgr_to_iptables_rules(
diff --git a/neutron/agent/linux/openvswitch_firewall/firewall.py b/neutron/agent/linux/openvswitch_firewall/firewall.py
index 4520e688e0d..519e8be7f6c 100644
--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -236,8 +236,8 @@ class ConjIdMap(object): as there are 4 priority levels (see rules.flow_priority_offset) and 2 conjunction IDs are needed per priority. """ - if direction not in [firewall.EGRESS_DIRECTION, - firewall.INGRESS_DIRECTION]: + if direction not in [lib_const.EGRESS_DIRECTION, + lib_const.INGRESS_DIRECTION]: raise ValueError("Invalid direction '%s'" % direction) if ethertype not in [lib_const.IPv4, lib_const.IPv6]: raise ValueError("Invalid ethertype '%s'" % ethertype)
diff --git a/neutron/agent/linux/openvswitch_firewall/rules.py b/neutron/agent/linux/openvswitch_firewall/rules.py
index 5c395b0e088..f7bdf8b6a02 100644
--- a/neutron/agent/linux/openvswitch_firewall/rules.py
+++ b/neutron/agent/linux/openvswitch_firewall/rules.py
@@ -18,7 +18,6 @@ import collections import netaddr from neutron_lib import constants as n_consts -from neutron.agent import firewall from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.common import utils from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
@@ -29,10 +28,10 @@ CT_STATES = [ ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED] FLOW_FIELD_FOR_IPVER_AND_DIRECTION = { - (n_consts.IP_VERSION_4, firewall.EGRESS_DIRECTION): 'nw_dst', - (n_consts.IP_VERSION_6, firewall.EGRESS_DIRECTION): 'ipv6_dst', - (n_consts.IP_VERSION_4, firewall.INGRESS_DIRECTION): 'nw_src', - (n_consts.IP_VERSION_6, firewall.INGRESS_DIRECTION): 'ipv6_src', + (n_consts.IP_VERSION_4, n_consts.EGRESS_DIRECTION): 'nw_dst', + (n_consts.IP_VERSION_6, n_consts.EGRESS_DIRECTION): 'ipv6_dst', + (n_consts.IP_VERSION_4, n_consts.INGRESS_DIRECTION): 'nw_src', + (n_consts.IP_VERSION_6, n_consts.INGRESS_DIRECTION): 'ipv6_src', } FORBIDDEN_PREFIXES = (n_consts.IPv4_ANY, n_consts.IPv6_ANY)
@@ -185,12 +184,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False): if is_valid_prefix(dst_ip_prefix): flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[( - utils.get_ip_version(dst_ip_prefix), firewall.EGRESS_DIRECTION)] + utils.get_ip_version(dst_ip_prefix), n_consts.EGRESS_DIRECTION)] ] = dst_ip_prefix if is_valid_prefix(src_ip_prefix): flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[( - utils.get_ip_version(src_ip_prefix), firewall.INGRESS_DIRECTION)] + utils.get_ip_version(src_ip_prefix), n_consts.INGRESS_DIRECTION)] ] = src_ip_prefix flows = create_protocol_flows(direction, flow_template, port, rule)
@@ -200,12 +199,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False): def populate_flow_common(direction, flow_template, port): """Initialize common flow fields.""" - if direction == firewall.INGRESS_DIRECTION: + if direction == n_consts.INGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE flow_template['actions'] = "output:{:d},resubmit(,{:d})".format( port.ofport, ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE) - elif direction == firewall.EGRESS_DIRECTION: + elif direction == n_consts.EGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE # Traffic can be both ingress and egress, check that no ingress rules # should be applied
@@ -309,9 +308,9 @@ def create_flows_for_ip_address(ip_address, direction, ethertype, ip_ver = utils.get_ip_version(ip_prefix) - if direction == firewall.EGRESS_DIRECTION: + if direction == n_consts.EGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE - elif direction == firewall.INGRESS_DIRECTION: + elif direction == n_consts.INGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
diff --git a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
index 66ce1fde137..890b0c55aa3 100644
--- a/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
+++ b/neutron/services/logapi/drivers/openvswitch/ovs_firewall_log.py
@@ -22,7 +22,6 @@ from oslo_log import log as logging from ryu.base import app_manager from ryu.lib.packet import packet -from neutron.agent import firewall from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw from neutron.agent.linux.openvswitch_firewall import rules
@@ -381,9 +380,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver): 'reg_remote_group': self.conj_id_map.get_conj_id( secgroup_id, remote_sg_id, direction, ethertype) + 1, } - if direction == firewall.INGRESS_DIRECTION: + if direction == lib_const.INGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE - elif direction == firewall.EGRESS_DIRECTION: + elif direction == lib_const.EGRESS_DIRECTION: flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE return [flow_template]
diff --git a/neutron/tests/common/conn_testers.py b/neutron/tests/common/conn_testers.py
index f59dc083ab6..1d8b7a4309f 100644
--- a/neutron/tests/common/conn_testers.py
+++ b/neutron/tests/common/conn_testers.py
@@ -19,7 +19,6 @@ import netaddr from neutron_lib import constants from oslo_utils import uuidutils -from neutron.agent import firewall from neutron.common import constants as n_consts from neutron.common import utils as common_utils from neutron.plugins.ml2.drivers.openvswitch.agent.common import (
@@ -46,8 +45,8 @@ class ConnectionTesterException(Exception): def _validate_direction(f): @functools.wraps(f) def wrap(self, direction, *args, **kwargs): - if direction not in (firewall.INGRESS_DIRECTION, - firewall.EGRESS_DIRECTION): + if direction not in (constants.INGRESS_DIRECTION, + constants.EGRESS_DIRECTION): raise ConnectionTesterException('Unknown direction %s' % direction) return f(self, direction, *args, **kwargs) return wrap
@@ -84,8 +83,8 @@ class ConnectionTester(fixtures.Fixture): TCP = net_helpers.NetcatTester.TCP ICMP = constants.PROTO_NAME_ICMP ARP = n_consts.ETHERTYPE_NAME_ARP - INGRESS = firewall.INGRESS_DIRECTION - EGRESS = firewall.EGRESS_DIRECTION + INGRESS = constants.INGRESS_DIRECTION + EGRESS = constants.EGRESS_DIRECTION def __init__(self, ip_cidr): self.ip_cidr = ip_cidr
diff --git a/neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py b/neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py
index 7bb57d0b613..69257a03039 100644
--- a/neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py
+++ b/neutron/tests/functional/agent/linux/openvswitch_firewall/test_iptables.py
@@ -16,7 +16,6 @@ from neutron_lib import constants from oslo_utils import uuidutils -from neutron.agent import firewall from neutron.agent.linux import iptables_firewall import neutron.agent.linux.openvswitch_firewall.firewall as ovs_fw_mod import neutron.agent.linux.openvswitch_firewall.iptables as iptables_helper
@@ -85,10 +84,10 @@ class TestHelper(base.BaseSudoTestCase): def test_migration(self): sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION}] + 'direction': constants.EGRESS_DIRECTION}] port, desc = self._prepare_port_and_description(sg_rules) ovs_firewall = ovs_fw_mod.OVSFirewallDriver(self.bridge) # Check that iptables driver was set and replace it with the one that
diff --git a/neutron/tests/functional/agent/test_firewall.py b/neutron/tests/functional/agent/test_firewall.py
index 55010fac9f0..21787f8f63d 100644
--- a/neutron/tests/functional/agent/test_firewall.py
+++ b/neutron/tests/functional/agent/test_firewall.py
@@ -27,7 +27,6 @@ from oslo_log import log as logging from oslo_utils import uuidutils import testscenarios -from neutron.agent import firewall from neutron.agent.linux import iptables_firewall from neutron.agent.linux import openvswitch_firewall from neutron.cmd.sanity import checks
@@ -284,10 +283,10 @@ class FirewallTestCase(BaseFirewallTestCase): def test_ingress_icmp_secgroup(self): # update the sg_group to make ping pass sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION}] + 'direction': constants.EGRESS_DIRECTION}] self.tester.assert_no_connection(protocol=self.tester.ICMP, direction=self.tester.INGRESS)
@@ -297,10 +296,10 @@ class FirewallTestCase(BaseFirewallTestCase): def test_mac_spoofing(self): sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION}] + 'direction': constants.EGRESS_DIRECTION}] self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules) self.tester.assert_connection(protocol=self.tester.ICMP,
@@ -350,7 +349,7 @@ class FirewallTestCase(BaseFirewallTestCase): def test_ip_spoofing(self): sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}] self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules) not_allowed_ip = "%s/24" % (
@@ -373,7 +372,7 @@ class FirewallTestCase(BaseFirewallTestCase): self.firewall.update_port_filter(self.src_port_desc) sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}] self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules) not_allowed_ip = "%s/24" % (
@@ -389,10 +388,10 @@ class FirewallTestCase(BaseFirewallTestCase): def test_allowed_address_pairs(self): sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION}] + 'direction': constants.EGRESS_DIRECTION}] self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules) port_mac = self.tester.vm_mac_address
@@ -500,7 +499,7 @@ class FirewallTestCase(BaseFirewallTestCase): port_min = 12345 port_max = 12346 sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_TCP, 'port_range_min': port_min, 'port_range_max': port_max}]
@@ -523,7 +522,7 @@ class FirewallTestCase(BaseFirewallTestCase): source_port_min = 12345 source_port_max = 12346 sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_TCP, 'source_port_range_min': source_port_min, 'source_port_range_max': source_port_max}]
@@ -546,7 +545,7 @@ class FirewallTestCase(BaseFirewallTestCase): def test_established_connection_is_cut(self): port = 12345 sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_TCP, 'port_range_min': port, 'port_range_max': port}]
@@ -636,7 +635,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_icmp_from_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP, 'source_ip_prefix': self.tester.peer_ip_address}]
@@ -648,7 +647,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_icmp_to_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP, 'destination_ip_prefix': self.tester.peer_ip_address}]
@@ -660,7 +659,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_tcp_from_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_TCP, 'source_ip_prefix': self.tester.peer_ip_address}]
@@ -676,7 +675,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_tcp_to_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_TCP, 'destination_ip_prefix': self.tester.peer_ip_address}]
@@ -692,7 +691,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_udp_from_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_UDP, 'source_ip_prefix': self.tester.peer_ip_address}]
@@ -708,7 +707,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): def test_udp_to_specific_address(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_UDP, 'destination_ip_prefix': self.tester.peer_ip_address}]
@@ -725,7 +724,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase): @skip_if_firewall('openvswitch') def test_ip_spoofing(self): sg_rules = [{'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}] self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules) not_allowed_ip = "%s/64" % (
diff --git a/neutron/tests/functional/services/logapi/test_logging.py b/neutron/tests/functional/services/logapi/test_logging.py
index e041f0b7f63..7c289d31e23 100644
--- a/neutron/tests/functional/services/logapi/test_logging.py
+++ b/neutron/tests/functional/services/logapi/test_logging.py
@@ -22,7 +22,6 @@ from oslo_config import cfg from oslo_log import log as logging import testscenarios -from neutron.agent import firewall from neutron.objects.logapi import logging_resource as log_object from neutron.plugins.ml2.drivers.openvswitch.agent import ( ovs_agent_extension_api as ovs_ext_api)
@@ -128,18 +127,18 @@ class TestLoggingExtension(LoggingExtensionTestFramework): def test_log_lifecycle(self): sg_rules = [{'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP, 'security_group_id': self.FAKE_SECURITY_GROUP_ID}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'security_group_id': self.FAKE_SECURITY_GROUP_ID}, {'ethertype': constants.IPv6, 'protocol': constants.PROTO_NAME_TCP, 'port_range_min': 22, 'port_range_max': 22, 'remote_group_id': 2, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'security_group_id': self.FAKE_SECURITY_GROUP_ID}, ] self.firewall.update_security_group_rules(
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
index 81486eccf4b..c1c8e531c39 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -17,7 +17,6 @@ from neutron_lib import constants import testtools from neutron.agent.common import ovs_lib -from neutron.agent import firewall from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.agent.linux.openvswitch_firewall import exceptions from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
@@ -253,15 +252,15 @@ class TestConjIdMap(base.BaseTestCase): def test_get_conj_id(self): allocated = [] - for direction in [firewall.EGRESS_DIRECTION, - firewall.INGRESS_DIRECTION]: + for direction in [constants.EGRESS_DIRECTION, + constants.INGRESS_DIRECTION]: id_ = self.conj_id_map.get_conj_id( 'sg', 'remote', direction, constants.IPv4) allocated.append(id_) self.assertEqual(len(set(allocated)), 2) self.assertEqual(len(self.conj_id_map.id_map), 2) self.assertEqual(self.conj_id_map.get_conj_id( - 'sg', 'remote', firewall.EGRESS_DIRECTION, constants.IPv4), + 'sg', 'remote', constants.EGRESS_DIRECTION, constants.IPv4), allocated[0]) def test_get_conj_id_invalid(self):
@@ -276,7 +275,7 @@ class TestConjIdMap(base.BaseTestCase): for sg_id, remote_sg_id in test_data: ids.append(self.conj_id_map.get_conj_id( sg_id, remote_sg_id, - firewall.INGRESS_DIRECTION, constants.IPv6)) + constants.INGRESS_DIRECTION, constants.IPv6)) result = self.conj_id_map.delete_sg('sg1') self.assertIn(('sg1', ids[0]), result)
@@ -284,7 +283,7 @@ class TestConjIdMap(base.BaseTestCase): self.assertFalse(self.conj_id_map.id_map) reallocated = self.conj_id_map.get_conj_id( - 'sg-foo', 'sg-foo', firewall.INGRESS_DIRECTION, + 'sg-foo', 'sg-foo', constants.INGRESS_DIRECTION, constants.IPv6) self.assertIn(reallocated, ids)
@@ -305,9 +304,9 @@ class TestConjIPFlowManager(base.BaseTestCase): 'get_conj_id') as get_conj_id_mock: get_conj_id_mock.return_value = self.conj_id self.manager.add(self.vlan_tag, 'sg', 'remote_id', - firewall.INGRESS_DIRECTION, constants.IPv4, 0) + constants.INGRESS_DIRECTION, constants.IPv4, 0) self.manager.add(self.vlan_tag, 'sg', 'remote_id', - firewall.INGRESS_DIRECTION, constants.IPv4, 3) + constants.INGRESS_DIRECTION, constants.IPv4, 3) self.manager.update_flows_for_vlan(self.vlan_tag) self.assertEqual(self.driver._add_flow.call_args_list, [mock.call(actions='conjunction(16,1/2)', ct_state='+est-rel-rpl',
@@ -331,15 +330,15 @@ class TestConjIPFlowManager(base.BaseTestCase): get_id_mock.return_value = self.conj_id delete_sg_mock.return_value = [('remote_id', self.conj_id)] self.manager.add(self.vlan_tag, 'sg', 'remote_id', - firewall.INGRESS_DIRECTION, constants.IPv4, 0) + constants.INGRESS_DIRECTION, constants.IPv4, 0) self.manager.flow_state[self.vlan_tag][( - firewall.INGRESS_DIRECTION, constants.IPv4)] = { + constants.INGRESS_DIRECTION, constants.IPv4)] = { '10.22.3.4': [self.conj_id]} self.manager.sg_removed('sg') self.driver._add_flow.assert_not_called() self.driver.delete_flows_for_ip_addresses.assert_called_once_with( - {'10.22.3.4'}, firewall.INGRESS_DIRECTION, constants.IPv4, + {'10.22.3.4'}, constants.INGRESS_DIRECTION, constants.IPv4, self.vlan_tag)
@@ -366,18 +365,18 @@ class TestOVSFirewallDriver(base.BaseTestCase): security_group_rules = [ {'ethertype': constants.IPv4, 'protocol': constants.PROTO_NAME_TCP, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'port_range_min': 123, 'port_range_max': 123}] self.firewall.update_security_group_rules(1, security_group_rules) security_group_rules = [ {'ethertype': constants.IPv4, 'protocol': constants.PROTO_NAME_UDP, - 'direction': firewall.EGRESS_DIRECTION}, + 'direction': constants.EGRESS_DIRECTION}, {'ethertype': constants.IPv6, 'protocol': constants.PROTO_NAME_TCP, 'remote_group_id': 2, - 'direction': firewall.EGRESS_DIRECTION}] + 'direction': constants.EGRESS_DIRECTION}] self.firewall.update_security_group_rules(2, security_group_rules) @property
@@ -559,7 +558,7 @@ class TestOVSFirewallDriver(base.BaseTestCase): self.firewall.update_port_filter(port_dict) self.assertTrue(self.mock_bridge.br.delete_flows.called) conj_id = self.firewall.conj_ip_manager.conj_id_map.get_conj_id( - 2, 2, firewall.EGRESS_DIRECTION, constants.IPv6) + 2, 2, constants.EGRESS_DIRECTION, constants.IPv6) filter_rules = [mock.call( actions='resubmit(,{:d})'.format( ovs_consts.ACCEPT_OR_INGRESS_TABLE),
@@ -626,10 +625,10 @@ class TestOVSFirewallDriver(base.BaseTestCase): """Just make sure it doesn't crash""" new_rules = [ {'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'protocol': constants.PROTO_NAME_ICMP}, {'ethertype': constants.IPv4, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'remote_group_id': 2}] self.firewall.update_security_group_rules(1, new_rules)
diff --git a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
index 35689fe3a70..ef3c571bdfa 100644
--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
@@ -15,7 +15,6 @@ import mock from neutron_lib import constants -from neutron.agent import firewall from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw from neutron.agent.linux.openvswitch_firewall import rules
@@ -74,7 +73,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_no_ip_ipv4(self): rule = { 'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, } expected_template = { 'priority': 74,
@@ -87,7 +86,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_src_and_dst_ipv4(self): rule = { 'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'source_ip_prefix': '192.168.0.0/24', 'dest_ip_prefix': '10.0.0.1/32', }
@@ -104,7 +103,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv4(self): rule = { 'ethertype': constants.IPv4, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'source_ip_prefix': '192.168.0.0/24', 'dest_ip_prefix': '0.0.0.0/0', }
@@ -120,7 +119,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_no_ip_ipv6(self): rule = { 'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, } expected_template = { 'priority': 74,
@@ -133,7 +132,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_src_and_dst_ipv6(self): rule = { 'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'source_ip_prefix': '2001:db8:bbbb::1/64', 'dest_ip_prefix': '2001:db8:aaaa::1/64', }
@@ -150,7 +149,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase): def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv6(self): rule = { 'ethertype': constants.IPv6, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'source_ip_prefix': '2001:db8:bbbb::1/64', 'dest_ip_prefix': '::/0', }
@@ -191,7 +190,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'nw_proto': constants.PROTO_NUM_TCP, }] self._test_create_protocol_flows_helper( - firewall.INGRESS_DIRECTION, rule, expected_flows) + constants.INGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_egress(self): rule = {'protocol': constants.PROTO_NUM_TCP}
@@ -202,7 +201,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'nw_proto': constants.PROTO_NUM_TCP, }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_no_protocol(self): rule = {}
@@ -212,7 +211,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): ovs_consts.ACCEPT_OR_INGRESS_TABLE), }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_icmp6(self): rule = {'ethertype': constants.IPv6,
@@ -224,7 +223,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'nw_proto': constants.PROTO_NUM_IPV6_ICMP, }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_port_range(self): rule = {'ethertype': constants.IPv4,
@@ -239,7 +238,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'tcp_dst': '0x0016/0xfffe' }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_icmp(self): rule = {'ethertype': constants.IPv4,
@@ -253,7 +252,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'icmp_type': 0 }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) def test_create_protocol_flows_ipv6_icmp(self): rule = {'ethertype': constants.IPv6,
@@ -269,7 +268,7 @@ class TestCreateProtocolFlows(base.BaseTestCase): 'icmp_code': 0, }] self._test_create_protocol_flows_helper( - firewall.EGRESS_DIRECTION, rule, expected_flows) + constants.EGRESS_DIRECTION, rule, expected_flows) class TestCreatePortRangeFlows(base.BaseTestCase):
@@ -352,7 +351,7 @@ class TestCreateFlowsForIpAddress(base.BaseTestCase): conj_ids = [12, 20] flows = rules.create_flows_for_ip_address( - '192.168.0.1', firewall.EGRESS_DIRECTION, constants.IPv4, + '192.168.0.1', constants.EGRESS_DIRECTION, constants.IPv4, 0x123, conj_ids) self.assertEqual(2, len(flows))
@@ -386,7 +385,7 @@ class TestCreateConjFlows(base.BaseTestCase): } flows = rules.create_conj_flows(port, conj_id, - firewall.INGRESS_DIRECTION, + constants.INGRESS_DIRECTION, constants.IPv6) self.assertEqual(ovsfw_consts.OF_STATE_ESTABLISHED_NOT_REPLY,
diff --git a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
index 7d50d3a85e3..48bacc9b34f 100644
--- a/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
+++ b/neutron/tests/unit/services/logapi/drivers/openvswitch/test_ovs_firewall_log.py
@@ -19,7 +19,6 @@ from oslo_config import cfg from oslo_utils import uuidutils from neutron.agent.common import ovs_lib -from neutron.agent import firewall from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts from neutron.common import constants as n_const from neutron.objects.logapi import logging_resource as log_object
@@ -47,18 +46,18 @@ FakeSGLogInfo = [ 'security_group_rules': [ {'ethertype': constants.IPv4, 'protocol': constants.PROTO_NAME_TCP, - 'direction': firewall.INGRESS_DIRECTION, + 'direction': constants.INGRESS_DIRECTION, 'port_range_min': 123, 'port_range_max': 123, 'security_group_id': SG_ID}, {'ethertype': constants.IPv4, 'protocol': constants.PROTO_NAME_UDP, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'security_group_id': SG_ID}, {'ethertype': constants.IPv6, 'protocol': constants.PROTO_NAME_TCP, 'remote_group_id': REMOTE_SG_ID, - 'direction': firewall.EGRESS_DIRECTION, + 'direction': constants.EGRESS_DIRECTION, 'security_group_id': SG_ID} ]}], 'event': 'ALL',
@@ -172,7 +171,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): accept_cookie = self.log_driver._get_cookie(PORT_ID, 'ACCEPT') drop_cookie = self.log_driver._get_cookie(PORT_ID, 'DROP') conj_id = self.log_driver.conj_id_map.get_conj_id( - SG_ID, REMOTE_SG_ID, firewall.EGRESS_DIRECTION, constants.IPv6) + SG_ID, REMOTE_SG_ID, constants.EGRESS_DIRECTION, constants.IPv6) add_rules = [ # log ingress tcp port=123 mock.call(
@@ -262,7 +261,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase): {'ethertype': constants.IPv4, 'protocol': constants.PROTO_NAME_TCP, 'direction': - firewall.INGRESS_DIRECTION, + constants.INGRESS_DIRECTION, 'port_range_min': 123, 'port_range_max': 123, 'security_group_id': 456}]}],