openstack
/
neutron
Code Issues Proposed changes

ovsfw: fix allowed_address_pairs MAC issue 

Current ovsfw implementation does not take care of the different
MACs in allowed_address_pairs with the VM's MAC.
This patch use the following method to fix this issue:
1. Do not check dl_src in table=72 because table=71 has checked
dl_src for Egress.
2. Add all allowed MACs in table=0 and table=73 for Ingress.
3. Do not check dl_dst in table=82 because this check has done
in table=0 and table=73.
4. Delete allowed MACs in table=0 and table=73 when needed.

Conflicts:
	doc/source/devref/openvswitch_firewall.rst
	neutron/agent/linux/openvswitch_firewall/firewall.py
	neutron/agent/linux/openvswitch_firewall/rules.py
	neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
	neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py

Change-Id: Iad59096f0c9855ebfd4a0d5b447e73b443d66c1d
Closes-Bug: #1697593
(cherry picked from commit b7892b16b2)
This commit is contained in:
jufeng 2017-06-13 15:13:53 +08:00 committed by Jakub Libosvar
parent d5cde63cb4
commit dd153c3bbf
6 changed files with 111 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
doc/source/devref/openvswitch_firewall.rst
View File

@ -101,12 +101,14 @@ the second security group. Ports have following attributes:
- ip address: 192.168.0.1
- mac address: fa:16:3e:a4:22:10
- security group 1: can send icmp packets out
- allowed address pair: 10.0.0.1/32, fa:16:3e:8c:84:13
Port 2
- plugged to the port 2 in OVS bridge
- ip address: 192.168.0.2
- mac address: fa:16:3e:24:57:c7
- security group 2: can receive icmp packets from security group 1
- allowed address pair: 10.1.0.0/24, fa:16:3e:8c:84:14
The first ``table 0`` distinguishes the traffic to ingress or egress and loads
to ``register 5`` value identifying port traffic.
@ -115,11 +117,13 @@ by destination mac address. ``register 6`` contains
::
table=0, priority=100,in_port=1 actions=load:0x1->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,71)
table=0, priority=100,in_port=2 actions=load:0x2->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,71)
table=0, priority=90,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=0, priority=90,dl_dst=fa:16:3e:24:57:c7 actions=load:0x2->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=0, priority=0 actions=NORMAL
table=60, priority=100,in_port=1 actions=load:0x1->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,71)
table=60, priority=100,in_port=2 actions=load:0x2->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,71)
table=60, priority=90,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=60, priority=90,dl_dst=fa:16:3e:8c:84:13 actions=load:0x1->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=60, priority=90,dl_dst=fa:16:3e:24:57:c7 actions=load:0x2->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=60, priority=90,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],load:0x284->NXM_NX_REG6[],resubmit(,81)
table=60, priority=0 actions=NORMAL
Following ``table 71`` implements arp spoofing protection, ip spoofing
protection, allows traffic for obtaining ip addresses (dhcp, dhcpv6, slaac,
@ -151,7 +155,9 @@ Following rules implement arp spoofing protection
::
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,arp_spa=192.168.0.1 actions=NORMAL
table=71, priority=95,arp,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,arp_spa=10.0.0.1 actions=NORMAL
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,arp_spa=192.168.0.2 actions=NORMAL
table=71, priority=95,arp,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,arp_spa=10.1.0.0/24 actions=NORMAL
DHCP and DHCPv6 traffic is allowed to instance but DHCP servers are blocked on
instances.
@ -173,7 +179,9 @@ combinations. All other packets are dropped.
::
table=71, priority=65,ct_state=-trk,ip,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,nw_src=192.168.0.1 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=65,ct_state=-trk,ip,reg5=0x1,in_port=1,dl_src=fa:16:3e:8c:84:13,nw_src=10.0.0.1 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=65,ct_state=-trk,ip,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,nw_src=192.168.0.2 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=65,ct_state=-trk,ip,reg5=0x2,in_port=2,dl_src=fa:16:3e:8c:84:14,nw_src=10.1.0.0/24 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=65,ct_state=-trk,ipv6,reg5=0x1,in_port=1,dl_src=fa:16:3e:a4:22:10,ipv6_src=fe80::f816:3eff:fea4:2210 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=65,ct_state=-trk,ipv6,reg5=0x2,in_port=2,dl_src=fa:16:3e:24:57:c7,ipv6_src=fe80::f816:3eff:fe24:57c7 actions=ct(table=72,zone=NXM_NX_REG6[0..15])
table=71, priority=10,ct_state=-trk,reg5=0x1,in_port=1 actions=drop
@ -192,8 +200,8 @@ In case below we allow all icmp egress traffic.
::
table=72, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
table=72, priority=70,ct_state=+new-est,icmp,reg5=0x1,dl_src=fa:16:3e:a4:22:10 actions=resubmit(,73)
table=72, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x1, actions=resubmit(,73)
table=72, priority=70,ct_state=+new-est,icmp,reg5=0x1, actions=resubmit(,73)
table=72, priority=50,ct_state=+inv+trk actions=drop
@ -236,7 +244,9 @@ remaining egress connections are sent to normal switching.
::
table=73, priority=100,dl_dst=fa:16:3e:a4:22:10 actions=load:0x1->NXM_NX_REG5[],resubmit(,81)
table=73, priority=100,dl_dst=fa:16:3e:8c:84:13 actions=load:0x1->NXM_NX_REG5[],resubmit(,81)
table=73, priority=100,dl_dst=fa:16:3e:24:57:c7 actions=load:0x2->NXM_NX_REG5[],resubmit(,81)
table=73, priority=100,dl_dst=fa:16:3e:8c:84:14 actions=load:0x2->NXM_NX_REG5[],resubmit(,81)
table=73, priority=90,ct_state=+new-est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),NORMAL
table=73, priority=90,ct_state=+new-est,reg5=0x2 actions=ct(commit,zone=NXM_NX_REG6[0..15]),NORMAL
table=73, priority=80,reg5=0x1 actions=NORMAL
@ -250,18 +260,18 @@ port. Not tracked packets are sent to obtain conntrack information.
::
table=81, priority=100,arp,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=81, priority=100,arp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=130 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=131 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=132 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=135 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,dl_dst=fa:16:3e:a4:22:10,icmp_type=136 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=130 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=131 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=132 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=135 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,icmp_type=136 actions=strip_vlan,output:2
table=81, priority=100,arp,reg5=0x1 actions=strip_vlan,output:1
table=81, priority=100,arp,reg5=0x2 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x1,icmp_type=130 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=131 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=132 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=135 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x1,icmp_type=136 actions=strip_vlan,output:1
table=81, priority=100,icmp6,reg5=0x2,icmp_type=130 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=131 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=132 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=135 actions=strip_vlan,output:2
table=81, priority=100,icmp6,reg5=0x2,icmp_type=136 actions=strip_vlan,output:2
table=81, priority=95,udp,reg5=0x1,tp_src=67,tp_dst=68 actions=strip_vlan,output:1
table=81, priority=95,udp6,reg5=0x1,tp_src=547,tp_dst=546 actions=strip_vlan,output:1
table=81, priority=95,udp,reg5=0x2,tp_src=67,tp_dst=68 actions=strip_vlan,output:2
@ -270,8 +280,8 @@ port. Not tracked packets are sent to obtain conntrack information.
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x1 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ip,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=90,ct_state=-trk,ipv6,reg5=0x2 actions=ct(table=82,zone=NXM_NX_REG6[0..15])
table=81, priority=80,ct_state=+trk,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=resubmit(,82)
table=81, priority=80,ct_state=+trk,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=resubmit(,82)
table=81, priority=80,ct_state=+trk,reg5=0x1 actions=resubmit(,82)
table=81, priority=80,ct_state=+trk,reg5=0x2 actions=resubmit(,82)
table=81, priority=0 actions=drop
Similarly to ``table 72``, ``table 82`` accepts established and related
@ -281,8 +291,8 @@ connections. In this case we allow all icmp traffic coming from
::
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=strip_vlan,output:2
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,dl_dst=fa:16:3e:24:57:c7,nw_src=192.168.0.1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2
table=82, priority=70,ct_state=+est-rel-rpl,icmp,reg5=0x2,nw_src=192.168.0.1 actions=strip_vlan,output:2
table=82, priority=70,ct_state=+new-est,icmp,reg5=0x2,nw_src=192.168.0.1 actions=ct(commit,zone=NXM_NX_REG6[0..15]),strip_vlan,output:2
table=82, priority=50,ct_state=+inv+trk actions=drop
The mechanism for dropping connections that are not allowed anymore is the
@ -292,10 +302,10 @@ same as in ``table 72``.
table=82, priority=50,ct_mark=0x1,reg5=0x1 actions=drop
table=82, priority=50,ct_mark=0x1,reg5=0x2 actions=drop
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1,dl_dst=fa:16:3e:a4:22:10 actions=strip_vlan,output:1
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2,dl_dst=fa:16:3e:24:57:c7 actions=strip_vlan,output:2
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
table=82, priority=50,ct_state=+est-rel+rpl,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x1 actions=strip_vlan,output:1
table=82, priority=50,ct_state=-new-est+rel-inv,ct_zone=644,ct_mark=0,reg5=0x2 actions=strip_vlan,output:2
table=82, priority=40,ct_state=-est,reg5=0x1 actions=drop
table=82, priority=40,ct_state=+est,reg5=0x1 actions=ct(commit,zone=NXM_NX_REG6[0..15],exec(load:0x1->NXM_NX_CT_MARK[]))
table=82, priority=40,ct_state=-est,reg5=0x2 actions=drop

72
neutron/agent/linux/openvswitch_firewall/firewall.py
View File

@ -114,6 +114,13 @@ class OFPort(object):
return {(aap['mac_address'], aap['ip_address']) for aap in aap_dict
if netaddr.IPNetwork(aap['ip_address']).version == version}
@property
def all_allowed_macs(self):
macs = {item[0] for item in self.allowed_pairs_v4.union(
self.allowed_pairs_v6)}
macs.add(self.mac)
return macs
@property
def ipv4_addresses(self):
return [ip_addr for ip_addr in self.fixed_ips
@ -279,12 +286,15 @@ class OVSFirewallDriver(firewall.FirewallDriver):
if not firewall.port_sec_enabled(port):
return
old_of_port = self.get_ofport(port)
of_port = self.get_or_create_ofport(port)
# Make sure delete old allow_address_pair MACs because
# allow_address_pair MACs will be updated in
# self.get_or_create_ofport(port)
if old_of_port:
LOG.error(_LE("Initializing port %s that was already "
"initialized."),
port['device'])
self.delete_all_port_flows(old_of_port)
of_port = self.get_or_create_ofport(port)
self.initialize_port_flows(of_port)
self.add_flows_from_rules(of_port)
@ -360,20 +370,21 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ovs_consts.BASE_EGRESS_TABLE)
)
# Identify ingress flows after egress filtering
self._add_flow(
table=ovs_consts.LOCAL_SWITCHING,
priority=90,
dl_dst=port.mac,
actions='set_field:{:d}->reg{:d},'
'set_field:{:d}->reg{:d},'
'resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE),
)
# Identify ingress flows
for mac_addr in port.all_allowed_macs:
self._add_flow(
table=ovs_consts.LOCAL_SWITCHING,
priority=90,
dl_dst=mac_addr,
actions='set_field:{:d}->reg{:d},'
'set_field:{:d}->reg{:d},'
'resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
port.vlan_tag,
ovsfw_consts.REG_NET,
ovs_consts.BASE_INGRESS_TABLE),
)
self._initialize_egress(port)
self._initialize_ingress(port)
@ -497,15 +508,16 @@ class OVSFirewallDriver(firewall.FirewallDriver):
# Fill in accept_or_ingress table by checking that traffic is ingress
# and if not, accept it
self._add_flow(
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
priority=100,
dl_dst=port.mac,
actions='set_field:{:d}->reg{:d},resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
ovs_consts.BASE_INGRESS_TABLE),
)
for mac_addr in port.all_allowed_macs:
self._add_flow(
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
priority=100,
dl_dst=mac_addr,
actions='set_field:{:d}->reg{:d},resubmit(,{:d})'.format(
port.ofport,
ovsfw_consts.REG_PORT,
ovs_consts.BASE_INGRESS_TABLE),
)
for ethertype in [constants.ETHERTYPE_IP, constants.ETHERTYPE_IPV6]:
self._add_flow(
table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
@ -579,7 +591,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
table=ovs_consts.BASE_INGRESS_TABLE,
priority=100,
reg_port=port.ofport,
dl_dst=port.mac,
dl_type=constants.ETHERTYPE_IPV6,
nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
icmp_type=icmp_type,
@ -593,7 +604,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
priority=100,
dl_type=constants.ETHERTYPE_ARP,
reg_port=port.ofport,
dl_dst=port.mac,
actions='strip_vlan,output:{:d}'.format(port.ofport),
)
self._initialize_ingress_ipv6_icmp(port)
@ -630,7 +640,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
ct_state=ovsfw_consts.OF_STATE_TRACKED,
priority=80,
reg_port=port.ofport,
dl_dst=port.mac,
actions='resubmit(,{:d})'.format(ovs_consts.RULES_INGRESS_TABLE)
)
@ -657,7 +666,6 @@ class OVSFirewallDriver(firewall.FirewallDriver):
self._add_flow(
table=ovs_consts.RULES_INGRESS_TABLE,
priority=50,
dl_dst=port.mac,
reg_port=port.ofport,
ct_state=state,
ct_mark=ovsfw_consts.CT_MARK_NORMAL,
@ -710,9 +718,11 @@ class OVSFirewallDriver(firewall.FirewallDriver):
def delete_all_port_flows(self, port):
"""Delete all flows for given port"""
self._delete_flows(table=ovs_consts.LOCAL_SWITCHING, dl_dst=port.mac)
for mac_addr in port.all_allowed_macs:
self._delete_flows(table=ovs_consts.LOCAL_SWITCHING,
dl_dst=mac_addr)
self._delete_flows(table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
dl_dst=mac_addr)
self._delete_flows(table=ovs_consts.LOCAL_SWITCHING,
in_port=port.ofport)
self._delete_flows(reg_port=port.ofport)
self._delete_flows(table=ovs_consts.ACCEPT_OR_INGRESS_TABLE,
dl_dst=port.mac)

2
neutron/agent/linux/openvswitch_firewall/rules.py
View File

@ -68,11 +68,9 @@ def create_protocol_flows(direction, flow_template, port, rule):
flow_template = flow_template.copy()
if direction == firewall.INGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_INGRESS_TABLE
flow_template['dl_dst'] = port.mac
flow_template['actions'] = "strip_vlan,output:{:d}".format(port.ofport)
elif direction == firewall.EGRESS_DIRECTION:
flow_template['table'] = ovs_consts.RULES_EGRESS_TABLE
flow_template['dl_src'] = port.mac
# Traffic can be both ingress and egress, check that no ingress rules
# should be applied
flow_template['actions'] = 'resubmit(,{:d})'.format(

31
neutron/tests/functional/agent/test_firewall.py
View File

@ -396,20 +396,51 @@ class FirewallTestCase(BaseFirewallTestCase):
port_mac = self.tester.vm_mac_address
allowed_ip = netaddr.IPAddress(self.tester.vm_ip_address) + 1
not_allowed_ip = "%s/24" % (allowed_ip + 1)
allowed_mac = 'fa:16:3e:8c:84:13'
not_allowed_mac = 'fa:16:3e:8c:84:14'
self.src_port_desc['allowed_address_pairs'] = [
{'mac_address': port_mac,
'ip_address': "%s/32" % allowed_ip},
{'mac_address': allowed_mac,
'ip_address': "%s/32" % allowed_ip}]
allowed_ip = "%s/24" % allowed_ip
self.firewall.update_port_filter(self.src_port_desc)
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
self.tester.vm_ip_cidr = allowed_ip
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
self.tester.vm_ip_cidr = not_allowed_ip
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
self.tester.vm_mac_address = allowed_mac
self.tester.vm_ip_cidr = allowed_ip
self.tester.flush_arp_tables()
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
self.tester.vm_mac_address = allowed_mac
self.tester.vm_ip_cidr = not_allowed_ip
self.tester.flush_arp_tables()
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
self.tester.vm_mac_address = not_allowed_mac
self.tester.vm_ip_cidr = allowed_ip
self.tester.flush_arp_tables()
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.INGRESS)
self.tester.assert_no_connection(protocol=self.tester.ICMP,
direction=self.tester.EGRESS)
def test_arp_is_allowed(self):
self.tester.assert_connection(protocol=self.tester.ARP,

5
neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
View File

@ -371,7 +371,8 @@ class TestOVSFirewallDriver(base.BaseTestCase):
def test_prepare_port_filter(self):
port_dict = {'device': 'port-id',
'security_groups': [1]}
'security_groups': [1],
'fixed_ips': ["10.0.0.1"]}
self._prepare_security_group()
self.firewall.prepare_port_filter(port_dict)
exp_egress_classifier = mock.call(
@ -393,7 +394,6 @@ class TestOVSFirewallDriver(base.BaseTestCase):
filter_rule = mock.call(
actions='ct(commit,zone=NXM_NX_REG6[0..15]),'
'strip_vlan,output:{:d}'.format(self.port_ofport),
dl_dst=self.port_mac,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_TCP,
priority=70,
@ -436,7 +436,6 @@ class TestOVSFirewallDriver(base.BaseTestCase):
filter_rule = mock.call(
actions='resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
dl_src=self.port_mac,
dl_type="0x{:04x}".format(n_const.ETHERTYPE_IP),
nw_proto=constants.PROTO_NUM_UDP,
priority=70,

5
neutron/tests/unit/agent/linux/openvswitch_firewall/test_rules.py
View File

@ -185,7 +185,6 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {'protocol': constants.PROTO_NAME_TCP}
expected_flows = [{
'table': ovs_consts.RULES_INGRESS_TABLE,
'dl_dst': self.port.mac,
'actions': 'strip_vlan,output:1',
'nw_proto': constants.PROTO_NUM_TCP,
}]
@ -196,7 +195,6 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {'protocol': constants.PROTO_NAME_TCP}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'dl_src': self.port.mac,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_TCP,
@ -208,7 +206,6 @@ class TestCreateProtocolFlows(base.BaseTestCase):
rule = {}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'dl_src': self.port.mac,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
}]
@ -220,7 +217,6 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'protocol': constants.PROTO_NAME_ICMP}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'dl_src': self.port.mac,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_IPV6_ICMP,
@ -235,7 +231,6 @@ class TestCreateProtocolFlows(base.BaseTestCase):
'port_range_max': 23}
expected_flows = [{
'table': ovs_consts.RULES_EGRESS_TABLE,
'dl_src': self.port.mac,
'actions': 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE),
'nw_proto': constants.PROTO_NUM_TCP,