use EGRESS_DIRECTION and INGRESS_DIRECTION from neutron-lib
The EGRESS_DIRECTION and INGRESS_DIRECTION constants live in neutron-lib now. This patch removes them from neutron and uses lib's version of them. NeutronLibImpact Change-Id: I1b81f5c3de9e6f2c0967c2db23ddb716ee7ec6b9
parent
8e3730538c
commit
d55e824310
@ -23,11 +23,8 @@ from neutron_lib import constants as n_const
|
|||||||
from neutron_lib.utils import runtime
|
from neutron_lib.utils import runtime
|
||||||
|
|
||||||
|
|
||||||
INGRESS_DIRECTION = n_const.INGRESS_DIRECTION
|
DIRECTION_IP_PREFIX = {n_const.INGRESS_DIRECTION: 'source_ip_prefix',
|
||||||
EGRESS_DIRECTION = n_const.EGRESS_DIRECTION
|
n_const.EGRESS_DIRECTION: 'dest_ip_prefix'}
|
||||||
|
|
||||||
DIRECTION_IP_PREFIX = {INGRESS_DIRECTION: 'source_ip_prefix',
|
|
||||||
EGRESS_DIRECTION: 'dest_ip_prefix'}
|
|
||||||
|
|
||||||
# List of ICMPv6 types that should be permitted (ingress) by default. This list
|
# List of ICMPv6 types that should be permitted (ingress) by default. This list
|
||||||
# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
|
# depends on iptables conntrack behavior of recognizing ICMP errors (types 1-4)
|
||||||
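Review bot: The rows that drop the module-level `INGRESS_DIRECTION = n_const.INGRESS_DIRECTION` and `EGRESS_DIRECTION = n_const.EGRESS_DIRECTION` definitions remove public names from the firewall base module, and any out-of-tree driver that subclasses `FirewallDriver` and reads `firewall.INGRESS_DIRECTION` would presumably break at import time; the commit message flags NeutronLibImpact but the hunk provides no transition. Unless every consumer is known to be in-tree, keep thin aliases for a cycle, `INGRESS_DIRECTION = n_const.INGRESS_DIRECTION  # deprecated: use neutron_lib.constants` and the same for egress, or add a release note announcing the removal. The file path is not shown on this page, so the module identity is inferred from the hunk content and the `DIRECTION_IP_PREFIX` rows that now key on `n_const`.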
|
@ -34,11 +34,11 @@ from neutron.common import utils as c_utils
|
|||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
SG_CHAIN = 'sg-chain'
|
SG_CHAIN = 'sg-chain'
|
||||||
SPOOF_FILTER = 'spoof-filter'
|
SPOOF_FILTER = 'spoof-filter'
|
||||||
CHAIN_NAME_PREFIX = {firewall.INGRESS_DIRECTION: 'i',
|
CHAIN_NAME_PREFIX = {constants.INGRESS_DIRECTION: 'i',
|
||||||
firewall.EGRESS_DIRECTION: 'o',
|
constants.EGRESS_DIRECTION: 'o',
|
||||||
SPOOF_FILTER: 's'}
|
SPOOF_FILTER: 's'}
|
||||||
IPSET_DIRECTION = {firewall.INGRESS_DIRECTION: 'src',
|
IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src',
|
||||||
firewall.EGRESS_DIRECTION: 'dst'}
|
constants.EGRESS_DIRECTION: 'dst'}
|
||||||
comment_rule = iptables_manager.comment_rule
|
comment_rule = iptables_manager.comment_rule
|
||||||
|
|
||||||
|
|
||||||
@ -53,8 +53,8 @@ class mac_iptables(netaddr.mac_eui48):
|
|||||||
|
|
||||||
class IptablesFirewallDriver(firewall.FirewallDriver):
|
class IptablesFirewallDriver(firewall.FirewallDriver):
|
||||||
"""Driver which enforces security groups through iptables rules."""
|
"""Driver which enforces security groups through iptables rules."""
|
||||||
IPTABLES_DIRECTION = {firewall.INGRESS_DIRECTION: 'physdev-out',
|
IPTABLES_DIRECTION = {constants.INGRESS_DIRECTION: 'physdev-out',
|
||||||
firewall.EGRESS_DIRECTION: 'physdev-in'}
|
constants.EGRESS_DIRECTION: 'physdev-in'}
|
||||||
CONNTRACK_ZONE_PER_PORT = False
|
CONNTRACK_ZONE_PER_PORT = False
|
||||||
|
|
||||||
def __init__(self, namespace=None):
|
def __init__(self, namespace=None):
|
||||||
@ -205,14 +205,14 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
for pname in sorted(ports):
|
for pname in sorted(ports):
|
||||||
port = ports[pname]
|
port = ports[pname]
|
||||||
self._add_conntrack_jump(port)
|
self._add_conntrack_jump(port)
|
||||||
self._setup_chain(port, firewall.INGRESS_DIRECTION)
|
self._setup_chain(port, constants.INGRESS_DIRECTION)
|
||||||
self._setup_chain(port, firewall.EGRESS_DIRECTION)
|
self._setup_chain(port, constants.EGRESS_DIRECTION)
|
||||||
self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
self.iptables.ipv4['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
||||||
self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
self.iptables.ipv6['filter'].add_rule(SG_CHAIN, '-j ACCEPT')
|
||||||
|
|
||||||
for port in unfiltered_ports.values():
|
for port in unfiltered_ports.values():
|
||||||
self._add_accept_rule_port_sec(port, firewall.INGRESS_DIRECTION)
|
self._add_accept_rule_port_sec(port, constants.INGRESS_DIRECTION)
|
||||||
self._add_accept_rule_port_sec(port, firewall.EGRESS_DIRECTION)
|
self._add_accept_rule_port_sec(port, constants.EGRESS_DIRECTION)
|
||||||
|
|
||||||
def _remove_chains(self):
|
def _remove_chains(self):
|
||||||
"""Remove ingress and egress chain for a port."""
|
"""Remove ingress and egress chain for a port."""
|
||||||
@ -222,13 +222,13 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
|
|
||||||
def _remove_chains_apply(self, ports, unfiltered_ports):
|
def _remove_chains_apply(self, ports, unfiltered_ports):
|
||||||
for port in ports.values():
|
for port in ports.values():
|
||||||
self._remove_chain(port, firewall.INGRESS_DIRECTION)
|
self._remove_chain(port, constants.INGRESS_DIRECTION)
|
||||||
self._remove_chain(port, firewall.EGRESS_DIRECTION)
|
self._remove_chain(port, constants.EGRESS_DIRECTION)
|
||||||
self._remove_chain(port, SPOOF_FILTER)
|
self._remove_chain(port, SPOOF_FILTER)
|
||||||
self._remove_conntrack_jump(port)
|
self._remove_conntrack_jump(port)
|
||||||
for port in unfiltered_ports.values():
|
for port in unfiltered_ports.values():
|
||||||
self._remove_rule_port_sec(port, firewall.INGRESS_DIRECTION)
|
self._remove_rule_port_sec(port, constants.INGRESS_DIRECTION)
|
||||||
self._remove_rule_port_sec(port, firewall.EGRESS_DIRECTION)
|
self._remove_rule_port_sec(port, constants.EGRESS_DIRECTION)
|
||||||
self._remove_chain_by_name_v4v6(SG_CHAIN)
|
self._remove_chain_by_name_v4v6(SG_CHAIN)
|
||||||
|
|
||||||
def _setup_chain(self, port, DIRECTION):
|
def _setup_chain(self, port, DIRECTION):
|
||||||
@ -281,7 +281,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
else:
|
else:
|
||||||
self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
|
self._remove_rule_from_chain_v4v6('FORWARD', jump_rule, jump_rule)
|
||||||
|
|
||||||
if direction == firewall.EGRESS_DIRECTION:
|
if direction == constants.EGRESS_DIRECTION:
|
||||||
if add:
|
if add:
|
||||||
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
||||||
comment=ic.PORT_SEC_ACCEPT)
|
comment=ic.PORT_SEC_ACCEPT)
|
||||||
@ -315,7 +315,7 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
self._add_rules_to_chain_v4v6(SG_CHAIN, jump_rule, jump_rule,
|
self._add_rules_to_chain_v4v6(SG_CHAIN, jump_rule, jump_rule,
|
||||||
comment=ic.SG_TO_VM_SG)
|
comment=ic.SG_TO_VM_SG)
|
||||||
|
|
||||||
if direction == firewall.EGRESS_DIRECTION:
|
if direction == constants.EGRESS_DIRECTION:
|
||||||
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
self._add_rules_to_chain_v4v6('INPUT', jump_rule, jump_rule,
|
||||||
comment=ic.INPUT_TO_SG)
|
comment=ic.INPUT_TO_SG)
|
||||||
|
|
||||||
@ -532,11 +532,11 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
|
|||||||
ipv4_iptables_rules = []
|
ipv4_iptables_rules = []
|
||||||
ipv6_iptables_rules = []
|
ipv6_iptables_rules = []
|
||||||
# include fixed egress/ingress rules
|
# include fixed egress/ingress rules
|
||||||
if direction == firewall.EGRESS_DIRECTION:
|
if direction == constants.EGRESS_DIRECTION:
|
||||||
self._add_fixed_egress_rules(port,
|
self._add_fixed_egress_rules(port,
|
||||||
ipv4_iptables_rules,
|
ipv4_iptables_rules,
|
||||||
ipv6_iptables_rules)
|
ipv6_iptables_rules)
|
||||||
elif direction == firewall.INGRESS_DIRECTION:
|
elif direction == constants.INGRESS_DIRECTION:
|
||||||
ipv6_iptables_rules += self._accept_inbound_icmpv6()
|
ipv6_iptables_rules += self._accept_inbound_icmpv6()
|
||||||
# include IPv4 and IPv6 iptable rules from security group
|
# include IPv4 and IPv6 iptable rules from security group
|
||||||
ipv4_iptables_rules += self._convert_sgr_to_iptables_rules(
|
ipv4_iptables_rules += self._convert_sgr_to_iptables_rules(
|
||||||
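Review bot: The rows switching `CHAIN_NAME_PREFIX`, `IPSET_DIRECTION` and `IPTABLES_DIRECTION` to `constants.INGRESS_DIRECTION` / `constants.EGRESS_DIRECTION` rely on the name `constants` already being bound to `neutron_lib.constants` in this module, but unlike the other files in this commit no import hunk is shown for it, so that binding cannot be confirmed from the page. Elsewhere in the same commit (the connection-tester section) `neutron.common.constants` is imported under the separate alias `n_consts` precisely because both constant modules are in play, so the import line here is worth checking; if `constants` resolves to the wrong module the dict literals would presumably fail at import time rather than silently, which is at least fail-fast. The `firewall` import is still needed for the `firewall.FirewallDriver` base class, so keeping it while moving the direction lookups is otherwise consistent. The enclosing class continues outside every hunk shown.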
|
@ -236,8 +236,8 @@ class ConjIdMap(object):
|
|||||||
as there are 4 priority levels (see rules.flow_priority_offset)
|
as there are 4 priority levels (see rules.flow_priority_offset)
|
||||||
and 2 conjunction IDs are needed per priority.
|
and 2 conjunction IDs are needed per priority.
|
||||||
"""
|
"""
|
||||||
if direction not in [firewall.EGRESS_DIRECTION,
|
if direction not in [lib_const.EGRESS_DIRECTION,
|
||||||
firewall.INGRESS_DIRECTION]:
|
lib_const.INGRESS_DIRECTION]:
|
||||||
raise ValueError("Invalid direction '%s'" % direction)
|
raise ValueError("Invalid direction '%s'" % direction)
|
||||||
if ethertype not in [lib_const.IPv4, lib_const.IPv6]:
|
if ethertype not in [lib_const.IPv4, lib_const.IPv6]:
|
||||||
raise ValueError("Invalid ethertype '%s'" % ethertype)
|
raise ValueError("Invalid ethertype '%s'" % ethertype)
|
||||||
|
@ -18,7 +18,6 @@ import collections
|
|||||||
import netaddr
|
import netaddr
|
||||||
from neutron_lib import constants as n_consts
|
from neutron_lib import constants as n_consts
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||||
from neutron.common import utils
|
from neutron.common import utils
|
||||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
from neutron.plugins.ml2.drivers.openvswitch.agent.common import constants \
|
||||||
@ -29,10 +28,10 @@ CT_STATES = [
|
|||||||
ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED]
|
ovsfw_consts.OF_STATE_NEW_NOT_ESTABLISHED]
|
||||||
|
|
||||||
FLOW_FIELD_FOR_IPVER_AND_DIRECTION = {
|
FLOW_FIELD_FOR_IPVER_AND_DIRECTION = {
|
||||||
(n_consts.IP_VERSION_4, firewall.EGRESS_DIRECTION): 'nw_dst',
|
(n_consts.IP_VERSION_4, n_consts.EGRESS_DIRECTION): 'nw_dst',
|
||||||
(n_consts.IP_VERSION_6, firewall.EGRESS_DIRECTION): 'ipv6_dst',
|
(n_consts.IP_VERSION_6, n_consts.EGRESS_DIRECTION): 'ipv6_dst',
|
||||||
(n_consts.IP_VERSION_4, firewall.INGRESS_DIRECTION): 'nw_src',
|
(n_consts.IP_VERSION_4, n_consts.INGRESS_DIRECTION): 'nw_src',
|
||||||
(n_consts.IP_VERSION_6, firewall.INGRESS_DIRECTION): 'ipv6_src',
|
(n_consts.IP_VERSION_6, n_consts.INGRESS_DIRECTION): 'ipv6_src',
|
||||||
}
|
}
|
||||||
|
|
||||||
FORBIDDEN_PREFIXES = (n_consts.IPv4_ANY, n_consts.IPv6_ANY)
|
FORBIDDEN_PREFIXES = (n_consts.IPv4_ANY, n_consts.IPv6_ANY)
|
||||||
@ -185,12 +184,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
|
|||||||
|
|
||||||
if is_valid_prefix(dst_ip_prefix):
|
if is_valid_prefix(dst_ip_prefix):
|
||||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||||
utils.get_ip_version(dst_ip_prefix), firewall.EGRESS_DIRECTION)]
|
utils.get_ip_version(dst_ip_prefix), n_consts.EGRESS_DIRECTION)]
|
||||||
] = dst_ip_prefix
|
] = dst_ip_prefix
|
||||||
|
|
||||||
if is_valid_prefix(src_ip_prefix):
|
if is_valid_prefix(src_ip_prefix):
|
||||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||||
utils.get_ip_version(src_ip_prefix), firewall.INGRESS_DIRECTION)]
|
utils.get_ip_version(src_ip_prefix), n_consts.INGRESS_DIRECTION)]
|
||||||
] = src_ip_prefix
|
] = src_ip_prefix
|
||||||
|
|
||||||
flows = create_protocol_flows(direction, flow_template, port, rule)
|
flows = create_protocol_flows(direction, flow_template, port, rule)
|
||||||
@ -200,12 +199,12 @@ def create_flows_from_rule_and_port(rule, port, conjunction=False):
|
|||||||
|
|
||||||
def populate_flow_common(direction, flow_template, port):
|
def populate_flow_common(direction, flow_template, port):
|
||||||
"""Initialize common flow fields."""
|
"""Initialize common flow fields."""
|
||||||
if direction == firewall.INGRESS_DIRECTION:
|
if direction == n_consts.INGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||||
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
flow_template['actions'] = "output:{:d},resubmit(,{:d})".format(
|
||||||
port.ofport,
|
port.ofport,
|
||||||
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
ovs_consts.ACCEPTED_INGRESS_TRAFFIC_TABLE)
|
||||||
elif direction == firewall.EGRESS_DIRECTION:
|
elif direction == n_consts.EGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||||
# Traffic can be both ingress and egress, check that no ingress rules
|
# Traffic can be both ingress and egress, check that no ingress rules
|
||||||
# should be applied
|
# should be applied
|
||||||
@ -309,9 +308,9 @@ def create_flows_for_ip_address(ip_address, direction, ethertype,
|
|||||||
|
|
||||||
ip_ver = utils.get_ip_version(ip_prefix)
|
ip_ver = utils.get_ip_version(ip_prefix)
|
||||||
|
|
||||||
if direction == firewall.EGRESS_DIRECTION:
|
if direction == n_consts.EGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||||
elif direction == firewall.INGRESS_DIRECTION:
|
elif direction == n_consts.INGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||||
|
|
||||||
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
flow_template[FLOW_FIELD_FOR_IPVER_AND_DIRECTION[(
|
||||||
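Review bot: In `populate_flow_common` the new `if direction == n_consts.INGRESS_DIRECTION:` / `elif direction == n_consts.EGRESS_DIRECTION:` rows still have no `else`, so an unexpected direction value leaves `flow_template['table']` unset and the flow is built anyway; for a driver that encodes direction into the OpenFlow table this is a silent mis-install rather than an error, though how an absent `table` key is treated downstream is not visible here. `ConjIdMap.get_conj_id` in this same commit rejects unknown directions with `raise ValueError("Invalid direction '%s'" % direction)`, so the same guard as an `else:` branch here, and in the identical `if`/`elif` pair in `create_flows_for_ip_address` below and in the logging driver's flow builder in the next section, would make the modules consistent and fail closed. Both functions continue outside their hunks.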
|
@ -22,7 +22,6 @@ from oslo_log import log as logging
|
|||||||
from ryu.base import app_manager
|
from ryu.base import app_manager
|
||||||
from ryu.lib.packet import packet
|
from ryu.lib.packet import packet
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||||
from neutron.agent.linux.openvswitch_firewall import rules
|
from neutron.agent.linux.openvswitch_firewall import rules
|
||||||
@ -381,9 +380,9 @@ class OVSFirewallLoggingDriver(log_ext.LoggingDriver):
|
|||||||
'reg_remote_group': self.conj_id_map.get_conj_id(
|
'reg_remote_group': self.conj_id_map.get_conj_id(
|
||||||
secgroup_id, remote_sg_id, direction, ethertype) + 1,
|
secgroup_id, remote_sg_id, direction, ethertype) + 1,
|
||||||
}
|
}
|
||||||
if direction == firewall.INGRESS_DIRECTION:
|
if direction == lib_const.INGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
|
||||||
elif direction == firewall.EGRESS_DIRECTION:
|
elif direction == lib_const.EGRESS_DIRECTION:
|
||||||
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
|
||||||
return [flow_template]
|
return [flow_template]
|
||||||
|
|
||||||
|
@ -19,7 +19,6 @@ import netaddr
|
|||||||
from neutron_lib import constants
|
from neutron_lib import constants
|
||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.common import constants as n_consts
|
from neutron.common import constants as n_consts
|
||||||
from neutron.common import utils as common_utils
|
from neutron.common import utils as common_utils
|
||||||
from neutron.plugins.ml2.drivers.openvswitch.agent.common import (
|
from neutron.plugins.ml2.drivers.openvswitch.agent.common import (
|
||||||
@ -46,8 +45,8 @@ class ConnectionTesterException(Exception):
|
|||||||
def _validate_direction(f):
|
def _validate_direction(f):
|
||||||
@functools.wraps(f)
|
@functools.wraps(f)
|
||||||
def wrap(self, direction, *args, **kwargs):
|
def wrap(self, direction, *args, **kwargs):
|
||||||
if direction not in (firewall.INGRESS_DIRECTION,
|
if direction not in (constants.INGRESS_DIRECTION,
|
||||||
firewall.EGRESS_DIRECTION):
|
constants.EGRESS_DIRECTION):
|
||||||
raise ConnectionTesterException('Unknown direction %s' % direction)
|
raise ConnectionTesterException('Unknown direction %s' % direction)
|
||||||
return f(self, direction, *args, **kwargs)
|
return f(self, direction, *args, **kwargs)
|
||||||
return wrap
|
return wrap
|
||||||
@ -84,8 +83,8 @@ class ConnectionTester(fixtures.Fixture):
|
|||||||
TCP = net_helpers.NetcatTester.TCP
|
TCP = net_helpers.NetcatTester.TCP
|
||||||
ICMP = constants.PROTO_NAME_ICMP
|
ICMP = constants.PROTO_NAME_ICMP
|
||||||
ARP = n_consts.ETHERTYPE_NAME_ARP
|
ARP = n_consts.ETHERTYPE_NAME_ARP
|
||||||
INGRESS = firewall.INGRESS_DIRECTION
|
INGRESS = constants.INGRESS_DIRECTION
|
||||||
EGRESS = firewall.EGRESS_DIRECTION
|
EGRESS = constants.EGRESS_DIRECTION
|
||||||
|
|
||||||
def __init__(self, ip_cidr):
|
def __init__(self, ip_cidr):
|
||||||
self.ip_cidr = ip_cidr
|
self.ip_cidr = ip_cidr
|
||||||
|
@ -16,7 +16,6 @@
|
|||||||
from neutron_lib import constants
|
from neutron_lib import constants
|
||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux import iptables_firewall
|
from neutron.agent.linux import iptables_firewall
|
||||||
import neutron.agent.linux.openvswitch_firewall.firewall as ovs_fw_mod
|
import neutron.agent.linux.openvswitch_firewall.firewall as ovs_fw_mod
|
||||||
import neutron.agent.linux.openvswitch_firewall.iptables as iptables_helper
|
import neutron.agent.linux.openvswitch_firewall.iptables as iptables_helper
|
||||||
@ -85,10 +84,10 @@ class TestHelper(base.BaseSudoTestCase):
|
|||||||
|
|
||||||
def test_migration(self):
|
def test_migration(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP},
|
'protocol': constants.PROTO_NAME_ICMP},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION}]
|
'direction': constants.EGRESS_DIRECTION}]
|
||||||
port, desc = self._prepare_port_and_description(sg_rules)
|
port, desc = self._prepare_port_and_description(sg_rules)
|
||||||
ovs_firewall = ovs_fw_mod.OVSFirewallDriver(self.bridge)
|
ovs_firewall = ovs_fw_mod.OVSFirewallDriver(self.bridge)
|
||||||
# Check that iptables driver was set and replace it with the one that
|
# Check that iptables driver was set and replace it with the one that
|
||||||
|
@ -27,7 +27,6 @@ from oslo_log import log as logging
|
|||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
import testscenarios
|
import testscenarios
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux import iptables_firewall
|
from neutron.agent.linux import iptables_firewall
|
||||||
from neutron.agent.linux import openvswitch_firewall
|
from neutron.agent.linux import openvswitch_firewall
|
||||||
from neutron.cmd.sanity import checks
|
from neutron.cmd.sanity import checks
|
||||||
@ -284,10 +283,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
def test_ingress_icmp_secgroup(self):
|
def test_ingress_icmp_secgroup(self):
|
||||||
# update the sg_group to make ping pass
|
# update the sg_group to make ping pass
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP},
|
'protocol': constants.PROTO_NAME_ICMP},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION}]
|
'direction': constants.EGRESS_DIRECTION}]
|
||||||
|
|
||||||
self.tester.assert_no_connection(protocol=self.tester.ICMP,
|
self.tester.assert_no_connection(protocol=self.tester.ICMP,
|
||||||
direction=self.tester.INGRESS)
|
direction=self.tester.INGRESS)
|
||||||
@ -297,10 +296,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_mac_spoofing(self):
|
def test_mac_spoofing(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP},
|
'protocol': constants.PROTO_NAME_ICMP},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION}]
|
'direction': constants.EGRESS_DIRECTION}]
|
||||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||||
|
|
||||||
self.tester.assert_connection(protocol=self.tester.ICMP,
|
self.tester.assert_connection(protocol=self.tester.ICMP,
|
||||||
@ -350,7 +349,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_ip_spoofing(self):
|
def test_ip_spoofing(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP}]
|
'protocol': constants.PROTO_NAME_ICMP}]
|
||||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||||
not_allowed_ip = "%s/24" % (
|
not_allowed_ip = "%s/24" % (
|
||||||
@ -373,7 +372,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
self.firewall.update_port_filter(self.src_port_desc)
|
self.firewall.update_port_filter(self.src_port_desc)
|
||||||
|
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP}]
|
'protocol': constants.PROTO_NAME_ICMP}]
|
||||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||||
not_allowed_ip = "%s/24" % (
|
not_allowed_ip = "%s/24" % (
|
||||||
@ -389,10 +388,10 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_allowed_address_pairs(self):
|
def test_allowed_address_pairs(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP},
|
'protocol': constants.PROTO_NAME_ICMP},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION}]
|
'direction': constants.EGRESS_DIRECTION}]
|
||||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||||
|
|
||||||
port_mac = self.tester.vm_mac_address
|
port_mac = self.tester.vm_mac_address
|
||||||
@ -500,7 +499,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
port_min = 12345
|
port_min = 12345
|
||||||
port_max = 12346
|
port_max = 12346
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'port_range_min': port_min,
|
'port_range_min': port_min,
|
||||||
'port_range_max': port_max}]
|
'port_range_max': port_max}]
|
||||||
@ -523,7 +522,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
source_port_min = 12345
|
source_port_min = 12345
|
||||||
source_port_max = 12346
|
source_port_max = 12346
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'source_port_range_min': source_port_min,
|
'source_port_range_min': source_port_min,
|
||||||
'source_port_range_max': source_port_max}]
|
'source_port_range_max': source_port_max}]
|
||||||
@ -546,7 +545,7 @@ class FirewallTestCase(BaseFirewallTestCase):
|
|||||||
def test_established_connection_is_cut(self):
|
def test_established_connection_is_cut(self):
|
||||||
port = 12345
|
port = 12345
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'port_range_min': port,
|
'port_range_min': port,
|
||||||
'port_range_max': port}]
|
'port_range_max': port}]
|
||||||
@ -636,7 +635,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_icmp_from_specific_address(self):
|
def test_icmp_from_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP,
|
'protocol': constants.PROTO_NAME_ICMP,
|
||||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -648,7 +647,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_icmp_to_specific_address(self):
|
def test_icmp_to_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP,
|
'protocol': constants.PROTO_NAME_ICMP,
|
||||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -660,7 +659,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_tcp_from_specific_address(self):
|
def test_tcp_from_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -676,7 +675,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_tcp_to_specific_address(self):
|
def test_tcp_to_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -692,7 +691,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_udp_from_specific_address(self):
|
def test_udp_from_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_UDP,
|
'protocol': constants.PROTO_NAME_UDP,
|
||||||
'source_ip_prefix': self.tester.peer_ip_address}]
|
'source_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -708,7 +707,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
|
|
||||||
def test_udp_to_specific_address(self):
|
def test_udp_to_specific_address(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_UDP,
|
'protocol': constants.PROTO_NAME_UDP,
|
||||||
'destination_ip_prefix': self.tester.peer_ip_address}]
|
'destination_ip_prefix': self.tester.peer_ip_address}]
|
||||||
|
|
||||||
@ -725,7 +724,7 @@ class FirewallTestCaseIPv6(BaseFirewallTestCase):
|
|||||||
@skip_if_firewall('openvswitch')
|
@skip_if_firewall('openvswitch')
|
||||||
def test_ip_spoofing(self):
|
def test_ip_spoofing(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv6,
|
sg_rules = [{'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP}]
|
'protocol': constants.PROTO_NAME_ICMP}]
|
||||||
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
self._apply_security_group_rules(self.FAKE_SECURITY_GROUP_ID, sg_rules)
|
||||||
not_allowed_ip = "%s/64" % (
|
not_allowed_ip = "%s/64" % (
|
||||||
|
@ -22,7 +22,6 @@ from oslo_config import cfg
|
|||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
import testscenarios
|
import testscenarios
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.objects.logapi import logging_resource as log_object
|
from neutron.objects.logapi import logging_resource as log_object
|
||||||
from neutron.plugins.ml2.drivers.openvswitch.agent import (
|
from neutron.plugins.ml2.drivers.openvswitch.agent import (
|
||||||
ovs_agent_extension_api as ovs_ext_api)
|
ovs_agent_extension_api as ovs_ext_api)
|
||||||
@ -128,18 +127,18 @@ class TestLoggingExtension(LoggingExtensionTestFramework):
|
|||||||
|
|
||||||
def test_log_lifecycle(self):
|
def test_log_lifecycle(self):
|
||||||
sg_rules = [{'ethertype': constants.IPv4,
|
sg_rules = [{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP,
|
'protocol': constants.PROTO_NAME_ICMP,
|
||||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||||
{'ethertype': constants.IPv6,
|
{'ethertype': constants.IPv6,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'port_range_min': 22,
|
'port_range_min': 22,
|
||||||
'port_range_max': 22,
|
'port_range_max': 22,
|
||||||
'remote_group_id': 2,
|
'remote_group_id': 2,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
'security_group_id': self.FAKE_SECURITY_GROUP_ID},
|
||||||
]
|
]
|
||||||
self.firewall.update_security_group_rules(
|
self.firewall.update_security_group_rules(
|
||||||
|
@ -17,7 +17,6 @@ from neutron_lib import constants
|
|||||||
import testtools
|
import testtools
|
||||||
|
|
||||||
from neutron.agent.common import ovs_lib
|
from neutron.agent.common import ovs_lib
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||||
from neutron.agent.linux.openvswitch_firewall import exceptions
|
from neutron.agent.linux.openvswitch_firewall import exceptions
|
||||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||||
@ -253,15 +252,15 @@ class TestConjIdMap(base.BaseTestCase):
|
|||||||
|
|
||||||
def test_get_conj_id(self):
|
def test_get_conj_id(self):
|
||||||
allocated = []
|
allocated = []
|
||||||
for direction in [firewall.EGRESS_DIRECTION,
|
for direction in [constants.EGRESS_DIRECTION,
|
||||||
firewall.INGRESS_DIRECTION]:
|
constants.INGRESS_DIRECTION]:
|
||||||
id_ = self.conj_id_map.get_conj_id(
|
id_ = self.conj_id_map.get_conj_id(
|
||||||
'sg', 'remote', direction, constants.IPv4)
|
'sg', 'remote', direction, constants.IPv4)
|
||||||
allocated.append(id_)
|
allocated.append(id_)
|
||||||
self.assertEqual(len(set(allocated)), 2)
|
self.assertEqual(len(set(allocated)), 2)
|
||||||
self.assertEqual(len(self.conj_id_map.id_map), 2)
|
self.assertEqual(len(self.conj_id_map.id_map), 2)
|
||||||
self.assertEqual(self.conj_id_map.get_conj_id(
|
self.assertEqual(self.conj_id_map.get_conj_id(
|
||||||
'sg', 'remote', firewall.EGRESS_DIRECTION, constants.IPv4),
|
'sg', 'remote', constants.EGRESS_DIRECTION, constants.IPv4),
|
||||||
allocated[0])
|
allocated[0])
|
||||||
|
|
||||||
def test_get_conj_id_invalid(self):
|
def test_get_conj_id_invalid(self):
|
||||||
@ -276,7 +275,7 @@ class TestConjIdMap(base.BaseTestCase):
|
|||||||
for sg_id, remote_sg_id in test_data:
|
for sg_id, remote_sg_id in test_data:
|
||||||
ids.append(self.conj_id_map.get_conj_id(
|
ids.append(self.conj_id_map.get_conj_id(
|
||||||
sg_id, remote_sg_id,
|
sg_id, remote_sg_id,
|
||||||
firewall.INGRESS_DIRECTION, constants.IPv6))
|
constants.INGRESS_DIRECTION, constants.IPv6))
|
||||||
|
|
||||||
result = self.conj_id_map.delete_sg('sg1')
|
result = self.conj_id_map.delete_sg('sg1')
|
||||||
self.assertIn(('sg1', ids[0]), result)
|
self.assertIn(('sg1', ids[0]), result)
|
||||||
@ -284,7 +283,7 @@ class TestConjIdMap(base.BaseTestCase):
|
|||||||
self.assertFalse(self.conj_id_map.id_map)
|
self.assertFalse(self.conj_id_map.id_map)
|
||||||
|
|
||||||
reallocated = self.conj_id_map.get_conj_id(
|
reallocated = self.conj_id_map.get_conj_id(
|
||||||
'sg-foo', 'sg-foo', firewall.INGRESS_DIRECTION,
|
'sg-foo', 'sg-foo', constants.INGRESS_DIRECTION,
|
||||||
constants.IPv6)
|
constants.IPv6)
|
||||||
self.assertIn(reallocated, ids)
|
self.assertIn(reallocated, ids)
|
||||||
|
|
||||||
@ -305,9 +304,9 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
|||||||
'get_conj_id') as get_conj_id_mock:
|
'get_conj_id') as get_conj_id_mock:
|
||||||
get_conj_id_mock.return_value = self.conj_id
|
get_conj_id_mock.return_value = self.conj_id
|
||||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||||
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
|
constants.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||||
firewall.INGRESS_DIRECTION, constants.IPv4, 3)
|
constants.INGRESS_DIRECTION, constants.IPv4, 3)
|
||||||
self.manager.update_flows_for_vlan(self.vlan_tag)
|
self.manager.update_flows_for_vlan(self.vlan_tag)
|
||||||
self.assertEqual(self.driver._add_flow.call_args_list,
|
self.assertEqual(self.driver._add_flow.call_args_list,
|
||||||
[mock.call(actions='conjunction(16,1/2)', ct_state='+est-rel-rpl',
|
[mock.call(actions='conjunction(16,1/2)', ct_state='+est-rel-rpl',
|
||||||
@ -331,15 +330,15 @@ class TestConjIPFlowManager(base.BaseTestCase):
|
|||||||
get_id_mock.return_value = self.conj_id
|
get_id_mock.return_value = self.conj_id
|
||||||
delete_sg_mock.return_value = [('remote_id', self.conj_id)]
|
delete_sg_mock.return_value = [('remote_id', self.conj_id)]
|
||||||
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
self.manager.add(self.vlan_tag, 'sg', 'remote_id',
|
||||||
firewall.INGRESS_DIRECTION, constants.IPv4, 0)
|
constants.INGRESS_DIRECTION, constants.IPv4, 0)
|
||||||
self.manager.flow_state[self.vlan_tag][(
|
self.manager.flow_state[self.vlan_tag][(
|
||||||
firewall.INGRESS_DIRECTION, constants.IPv4)] = {
|
constants.INGRESS_DIRECTION, constants.IPv4)] = {
|
||||||
'10.22.3.4': [self.conj_id]}
|
'10.22.3.4': [self.conj_id]}
|
||||||
|
|
||||||
self.manager.sg_removed('sg')
|
self.manager.sg_removed('sg')
|
||||||
self.driver._add_flow.assert_not_called()
|
self.driver._add_flow.assert_not_called()
|
||||||
self.driver.delete_flows_for_ip_addresses.assert_called_once_with(
|
self.driver.delete_flows_for_ip_addresses.assert_called_once_with(
|
||||||
{'10.22.3.4'}, firewall.INGRESS_DIRECTION, constants.IPv4,
|
{'10.22.3.4'}, constants.INGRESS_DIRECTION, constants.IPv4,
|
||||||
self.vlan_tag)
|
self.vlan_tag)
|
||||||
|
|
||||||
|
|
||||||
@ -366,18 +365,18 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||||||
security_group_rules = [
|
security_group_rules = [
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'port_range_min': 123,
|
'port_range_min': 123,
|
||||||
'port_range_max': 123}]
|
'port_range_max': 123}]
|
||||||
self.firewall.update_security_group_rules(1, security_group_rules)
|
self.firewall.update_security_group_rules(1, security_group_rules)
|
||||||
security_group_rules = [
|
security_group_rules = [
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'protocol': constants.PROTO_NAME_UDP,
|
'protocol': constants.PROTO_NAME_UDP,
|
||||||
'direction': firewall.EGRESS_DIRECTION},
|
'direction': constants.EGRESS_DIRECTION},
|
||||||
{'ethertype': constants.IPv6,
|
{'ethertype': constants.IPv6,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'remote_group_id': 2,
|
'remote_group_id': 2,
|
||||||
'direction': firewall.EGRESS_DIRECTION}]
|
'direction': constants.EGRESS_DIRECTION}]
|
||||||
self.firewall.update_security_group_rules(2, security_group_rules)
|
self.firewall.update_security_group_rules(2, security_group_rules)
|
||||||
|
|
||||||
@property
|
@property
|
||||||
@ -559,7 +558,7 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||||||
self.firewall.update_port_filter(port_dict)
|
self.firewall.update_port_filter(port_dict)
|
||||||
self.assertTrue(self.mock_bridge.br.delete_flows.called)
|
self.assertTrue(self.mock_bridge.br.delete_flows.called)
|
||||||
conj_id = self.firewall.conj_ip_manager.conj_id_map.get_conj_id(
|
conj_id = self.firewall.conj_ip_manager.conj_id_map.get_conj_id(
|
||||||
2, 2, firewall.EGRESS_DIRECTION, constants.IPv6)
|
2, 2, constants.EGRESS_DIRECTION, constants.IPv6)
|
||||||
filter_rules = [mock.call(
|
filter_rules = [mock.call(
|
||||||
actions='resubmit(,{:d})'.format(
|
actions='resubmit(,{:d})'.format(
|
||||||
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
||||||
@ -626,10 +625,10 @@ class TestOVSFirewallDriver(base.BaseTestCase):
|
|||||||
"""Just make sure it doesn't crash"""
|
"""Just make sure it doesn't crash"""
|
||||||
new_rules = [
|
new_rules = [
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'protocol': constants.PROTO_NAME_ICMP},
|
'protocol': constants.PROTO_NAME_ICMP},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'remote_group_id': 2}]
|
'remote_group_id': 2}]
|
||||||
self.firewall.update_security_group_rules(1, new_rules)
|
self.firewall.update_security_group_rules(1, new_rules)
|
||||||
|
|
||||||
|
@ -15,7 +15,6 @@
|
|||||||
import mock
|
import mock
|
||||||
from neutron_lib import constants
|
from neutron_lib import constants
|
||||||
|
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||||
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
from neutron.agent.linux.openvswitch_firewall import firewall as ovsfw
|
||||||
from neutron.agent.linux.openvswitch_firewall import rules
|
from neutron.agent.linux.openvswitch_firewall import rules
|
||||||
@ -74,7 +73,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_no_ip_ipv4(self):
|
def test_create_flows_from_rule_and_port_no_ip_ipv4(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv4,
|
'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
}
|
}
|
||||||
expected_template = {
|
expected_template = {
|
||||||
'priority': 74,
|
'priority': 74,
|
||||||
@ -87,7 +86,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_src_and_dst_ipv4(self):
|
def test_create_flows_from_rule_and_port_src_and_dst_ipv4(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv4,
|
'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'source_ip_prefix': '192.168.0.0/24',
|
'source_ip_prefix': '192.168.0.0/24',
|
||||||
'dest_ip_prefix': '10.0.0.1/32',
|
'dest_ip_prefix': '10.0.0.1/32',
|
||||||
}
|
}
|
||||||
@ -104,7 +103,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv4(self):
|
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv4(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv4,
|
'ethertype': constants.IPv4,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'source_ip_prefix': '192.168.0.0/24',
|
'source_ip_prefix': '192.168.0.0/24',
|
||||||
'dest_ip_prefix': '0.0.0.0/0',
|
'dest_ip_prefix': '0.0.0.0/0',
|
||||||
}
|
}
|
||||||
@ -120,7 +119,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_no_ip_ipv6(self):
|
def test_create_flows_from_rule_and_port_no_ip_ipv6(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv6,
|
'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
}
|
}
|
||||||
expected_template = {
|
expected_template = {
|
||||||
'priority': 74,
|
'priority': 74,
|
||||||
@ -133,7 +132,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_src_and_dst_ipv6(self):
|
def test_create_flows_from_rule_and_port_src_and_dst_ipv6(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv6,
|
'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
||||||
'dest_ip_prefix': '2001:db8:aaaa::1/64',
|
'dest_ip_prefix': '2001:db8:aaaa::1/64',
|
||||||
}
|
}
|
||||||
@ -150,7 +149,7 @@ class TestCreateFlowsFromRuleAndPort(base.BaseTestCase):
|
|||||||
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv6(self):
|
def test_create_flows_from_rule_and_port_src_and_dst_with_zero_ipv6(self):
|
||||||
rule = {
|
rule = {
|
||||||
'ethertype': constants.IPv6,
|
'ethertype': constants.IPv6,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
'source_ip_prefix': '2001:db8:bbbb::1/64',
|
||||||
'dest_ip_prefix': '::/0',
|
'dest_ip_prefix': '::/0',
|
||||||
}
|
}
|
||||||
@ -191,7 +190,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'nw_proto': constants.PROTO_NUM_TCP,
|
'nw_proto': constants.PROTO_NUM_TCP,
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.INGRESS_DIRECTION, rule, expected_flows)
|
constants.INGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_egress(self):
|
def test_create_protocol_flows_egress(self):
|
||||||
rule = {'protocol': constants.PROTO_NUM_TCP}
|
rule = {'protocol': constants.PROTO_NUM_TCP}
|
||||||
@ -202,7 +201,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'nw_proto': constants.PROTO_NUM_TCP,
|
'nw_proto': constants.PROTO_NUM_TCP,
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_no_protocol(self):
|
def test_create_protocol_flows_no_protocol(self):
|
||||||
rule = {}
|
rule = {}
|
||||||
@ -212,7 +211,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_icmp6(self):
|
def test_create_protocol_flows_icmp6(self):
|
||||||
rule = {'ethertype': constants.IPv6,
|
rule = {'ethertype': constants.IPv6,
|
||||||
@ -224,7 +223,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
|
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_port_range(self):
|
def test_create_protocol_flows_port_range(self):
|
||||||
rule = {'ethertype': constants.IPv4,
|
rule = {'ethertype': constants.IPv4,
|
||||||
@ -239,7 +238,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'tcp_dst': '0x0016/0xfffe'
|
'tcp_dst': '0x0016/0xfffe'
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_icmp(self):
|
def test_create_protocol_flows_icmp(self):
|
||||||
rule = {'ethertype': constants.IPv4,
|
rule = {'ethertype': constants.IPv4,
|
||||||
@ -253,7 +252,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'icmp_type': 0
|
'icmp_type': 0
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
def test_create_protocol_flows_ipv6_icmp(self):
|
def test_create_protocol_flows_ipv6_icmp(self):
|
||||||
rule = {'ethertype': constants.IPv6,
|
rule = {'ethertype': constants.IPv6,
|
||||||
@ -269,7 +268,7 @@ class TestCreateProtocolFlows(base.BaseTestCase):
|
|||||||
'icmp_code': 0,
|
'icmp_code': 0,
|
||||||
}]
|
}]
|
||||||
self._test_create_protocol_flows_helper(
|
self._test_create_protocol_flows_helper(
|
||||||
firewall.EGRESS_DIRECTION, rule, expected_flows)
|
constants.EGRESS_DIRECTION, rule, expected_flows)
|
||||||
|
|
||||||
|
|
||||||
class TestCreatePortRangeFlows(base.BaseTestCase):
|
class TestCreatePortRangeFlows(base.BaseTestCase):
|
||||||
@ -352,7 +351,7 @@ class TestCreateFlowsForIpAddress(base.BaseTestCase):
|
|||||||
|
|
||||||
conj_ids = [12, 20]
|
conj_ids = [12, 20]
|
||||||
flows = rules.create_flows_for_ip_address(
|
flows = rules.create_flows_for_ip_address(
|
||||||
'192.168.0.1', firewall.EGRESS_DIRECTION, constants.IPv4,
|
'192.168.0.1', constants.EGRESS_DIRECTION, constants.IPv4,
|
||||||
0x123, conj_ids)
|
0x123, conj_ids)
|
||||||
|
|
||||||
self.assertEqual(2, len(flows))
|
self.assertEqual(2, len(flows))
|
||||||
@ -386,7 +385,7 @@ class TestCreateConjFlows(base.BaseTestCase):
|
|||||||
}
|
}
|
||||||
|
|
||||||
flows = rules.create_conj_flows(port, conj_id,
|
flows = rules.create_conj_flows(port, conj_id,
|
||||||
firewall.INGRESS_DIRECTION,
|
constants.INGRESS_DIRECTION,
|
||||||
constants.IPv6)
|
constants.IPv6)
|
||||||
|
|
||||||
self.assertEqual(ovsfw_consts.OF_STATE_ESTABLISHED_NOT_REPLY,
|
self.assertEqual(ovsfw_consts.OF_STATE_ESTABLISHED_NOT_REPLY,
|
||||||
|
@ -19,7 +19,6 @@ from oslo_config import cfg
|
|||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
|
|
||||||
from neutron.agent.common import ovs_lib
|
from neutron.agent.common import ovs_lib
|
||||||
from neutron.agent import firewall
|
|
||||||
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
from neutron.agent.linux.openvswitch_firewall import constants as ovsfw_consts
|
||||||
from neutron.common import constants as n_const
|
from neutron.common import constants as n_const
|
||||||
from neutron.objects.logapi import logging_resource as log_object
|
from neutron.objects.logapi import logging_resource as log_object
|
||||||
@ -47,18 +46,18 @@ FakeSGLogInfo = [
|
|||||||
'security_group_rules': [
|
'security_group_rules': [
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'direction': firewall.INGRESS_DIRECTION,
|
'direction': constants.INGRESS_DIRECTION,
|
||||||
'port_range_min': 123,
|
'port_range_min': 123,
|
||||||
'port_range_max': 123,
|
'port_range_max': 123,
|
||||||
'security_group_id': SG_ID},
|
'security_group_id': SG_ID},
|
||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'protocol': constants.PROTO_NAME_UDP,
|
'protocol': constants.PROTO_NAME_UDP,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'security_group_id': SG_ID},
|
'security_group_id': SG_ID},
|
||||||
{'ethertype': constants.IPv6,
|
{'ethertype': constants.IPv6,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'remote_group_id': REMOTE_SG_ID,
|
'remote_group_id': REMOTE_SG_ID,
|
||||||
'direction': firewall.EGRESS_DIRECTION,
|
'direction': constants.EGRESS_DIRECTION,
|
||||||
'security_group_id': SG_ID}
|
'security_group_id': SG_ID}
|
||||||
]}],
|
]}],
|
||||||
'event': 'ALL',
|
'event': 'ALL',
|
||||||
@ -172,7 +171,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||||||
accept_cookie = self.log_driver._get_cookie(PORT_ID, 'ACCEPT')
|
accept_cookie = self.log_driver._get_cookie(PORT_ID, 'ACCEPT')
|
||||||
drop_cookie = self.log_driver._get_cookie(PORT_ID, 'DROP')
|
drop_cookie = self.log_driver._get_cookie(PORT_ID, 'DROP')
|
||||||
conj_id = self.log_driver.conj_id_map.get_conj_id(
|
conj_id = self.log_driver.conj_id_map.get_conj_id(
|
||||||
SG_ID, REMOTE_SG_ID, firewall.EGRESS_DIRECTION, constants.IPv6)
|
SG_ID, REMOTE_SG_ID, constants.EGRESS_DIRECTION, constants.IPv6)
|
||||||
add_rules = [
|
add_rules = [
|
||||||
# log ingress tcp port=123
|
# log ingress tcp port=123
|
||||||
mock.call(
|
mock.call(
|
||||||
@ -262,7 +261,7 @@ class TestOVSFirewallLoggingDriver(base.BaseTestCase):
|
|||||||
{'ethertype': constants.IPv4,
|
{'ethertype': constants.IPv4,
|
||||||
'protocol': constants.PROTO_NAME_TCP,
|
'protocol': constants.PROTO_NAME_TCP,
|
||||||
'direction':
|
'direction':
|
||||||
firewall.INGRESS_DIRECTION,
|
constants.INGRESS_DIRECTION,
|
||||||
'port_range_min': 123,
|
'port_range_min': 123,
|
||||||
'port_range_max': 123,
|
'port_range_max': 123,
|
||||||
'security_group_id': 456}]}],
|
'security_group_id': 456}]}],
|
||||||
|