Merge "Move iptables rule fetching and setting to privsep."
commit
ee735b8499
@ -261,11 +261,14 @@ class IptablesManager(object):
|
|||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
def __init__(self, execute=None):
|
def __init__(self, redirect_privsep_calls_to=None):
|
||||||
if not execute:
|
# NOTE(mikal): This is only used by the xenapi hypervisor driver,
|
||||||
self.execute = _execute
|
# which wants to intercept our calls to iptables and redirect them
|
||||||
else:
|
# to an agent running in dom0.
|
||||||
self.execute = execute
|
# TODO(mikal): We really should make the dom0 agent feel more like
|
||||||
|
# privsep. They really are the same thing, just one is from a simpler
|
||||||
|
# time in our past.
|
||||||
|
self.redirect_privsep = redirect_privsep_calls_to
|
||||||
|
|
||||||
self.ipv4 = {'filter': IptablesTable(),
|
self.ipv4 = {'filter': IptablesTable(),
|
||||||
'nat': IptablesTable(),
|
'nat': IptablesTable(),
|
||||||
@ -358,23 +361,42 @@ class IptablesManager(object):
|
|||||||
rules. This happens atomically, thanks to iptables-restore.
|
rules. This happens atomically, thanks to iptables-restore.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
s = [('iptables', self.ipv4)]
|
s = [(True, self.ipv4)]
|
||||||
if CONF.use_ipv6:
|
if CONF.use_ipv6:
|
||||||
s += [('ip6tables', self.ipv6)]
|
s += [(False, self.ipv6)]
|
||||||
|
|
||||||
|
for is_ipv4, tables in s:
|
||||||
|
if not self.redirect_privsep:
|
||||||
|
all_tables, _err = nova.privsep.linux_net.iptables_get_rules(
|
||||||
|
ipv4=is_ipv4)
|
||||||
|
else:
|
||||||
|
if is_ipv4:
|
||||||
|
cmd = 'iptables-save'
|
||||||
|
else:
|
||||||
|
cmd = 'ip6tables-save'
|
||||||
|
all_tables, _err = self.redirect_privsep(
|
||||||
|
cmd, '-c', run_as_root=True, attempts=5)
|
||||||
|
|
||||||
for cmd, tables in s:
|
|
||||||
all_tables, _err = self.execute('%s-save' % (cmd,), '-c',
|
|
||||||
run_as_root=True,
|
|
||||||
attempts=5)
|
|
||||||
all_lines = all_tables.split('\n')
|
all_lines = all_tables.split('\n')
|
||||||
for table_name, table in tables.items():
|
for table_name, table in tables.items():
|
||||||
start, end = self._find_table(all_lines, table_name)
|
start, end = self._find_table(all_lines, table_name)
|
||||||
all_lines[start:end] = self._modify_rules(
|
all_lines[start:end] = self._modify_rules(
|
||||||
all_lines[start:end], table, table_name)
|
all_lines[start:end], table, table_name)
|
||||||
table.dirty = False
|
table.dirty = False
|
||||||
self.execute('%s-restore' % (cmd,), '-c', run_as_root=True,
|
|
||||||
process_input=six.b('\n'.join(all_lines)),
|
if not self.redirect_privsep:
|
||||||
attempts=5)
|
nova.privsep.linux_net.iptables_set_rules(all_lines,
|
||||||
|
ipv4=is_ipv4)
|
||||||
|
else:
|
||||||
|
if is_ipv4:
|
||||||
|
cmd = 'iptables-restore'
|
||||||
|
else:
|
||||||
|
cmd = 'ip6tables-restore'
|
||||||
|
self.redirect_privsep(
|
||||||
|
cmd, '-c', run_as_root=True,
|
||||||
|
process_input=six.b('\n'.join(all_lines)),
|
||||||
|
attempts=5)
|
||||||
|
|
||||||
LOG.debug("IPTablesManager.apply completed with success")
|
LOG.debug("IPTablesManager.apply completed with success")
|
||||||
|
|
||||||
def _find_table(self, lines, table_name):
|
def _find_table(self, lines, table_name):
|
||||||
|
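Review bot: In `_apply` the `is_ipv4` → binary selection is spelled out twice, once as an `if is_ipv4:` ladder before the redirected `-save` call and again before the redirected `-restore` call, with `cmd` rebound in between; deriving the binary once per loop iteration and building `'%s-save'`/`'%s-restore'` from it removes both ladders and keeps the two redirect calls visibly parallel to the two privsep calls. `_apply` starts above this hunk, so its docstring is only partly visible, but it would be worth stating there that `redirect_privsep_calls_to` is invoked exactly like `nova.utils.execute` (positional argv, `run_as_root=True`, `attempts=5`, and `process_input` bytes for the restore) and must return a `(stdout, stderr)` pair, since that contract is now the only thing the dom0 path is checked against. Stderr is bound to `_err` and discarded on both paths, which matches the behaviour of the code being replaced.
```python
        for is_ipv4, tables in s:
            binary = 'iptables' if is_ipv4 else 'ip6tables'
            if not self.redirect_privsep:
                all_tables, _err = nova.privsep.linux_net.iptables_get_rules(
                    ipv4=is_ipv4)
            else:
                all_tables, _err = self.redirect_privsep(
                    '%s-save' % binary, '-c', run_as_root=True, attempts=5)

            # … unchanged: split lines, splice each table, clear dirty flags …

            if not self.redirect_privsep:
                nova.privsep.linux_net.iptables_set_rules(all_lines,
                                                          ipv4=is_ipv4)
            else:
                self.redirect_privsep(
                    '%s-restore' % binary, '-c', run_as_root=True,
                    process_input=six.b('\n'.join(all_lines)),
                    attempts=5)
```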
@ -19,6 +19,7 @@ Linux network specific helpers.
|
|||||||
|
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
import six
|
||||||
|
|
||||||
from oslo_concurrency import processutils
|
from oslo_concurrency import processutils
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
@ -266,3 +267,25 @@ def add_vlan(bridge_interface, interface, vlan_num):
|
|||||||
processutils.execute('ip', 'link', 'add', 'link', bridge_interface,
|
processutils.execute('ip', 'link', 'add', 'link', bridge_interface,
|
||||||
'name', interface, 'type', 'vlan',
|
'name', interface, 'type', 'vlan',
|
||||||
'id', vlan_num, check_exit_code=[0, 2, 254])
|
'id', vlan_num, check_exit_code=[0, 2, 254])
|
||||||
|
|
||||||
|
|
||||||
|
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||||
|
def iptables_get_rules(ipv4=True):
|
||||||
|
if ipv4:
|
||||||
|
cmd = 'iptables'
|
||||||
|
else:
|
||||||
|
cmd = 'ip6tables'
|
||||||
|
|
||||||
|
return processutils.execute('%s-save' % cmd, '-c', attempts=5)
|
||||||
|
|
||||||
|
|
||||||
|
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||||
|
def iptables_set_rules(rules, ipv4=True):
|
||||||
|
if ipv4:
|
||||||
|
cmd = 'iptables'
|
||||||
|
else:
|
||||||
|
cmd = 'ip6tables'
|
||||||
|
|
||||||
|
processutils.execute('%s-restore' % cmd, '-c',
|
||||||
|
process_input=six.b('\n'.join(rules)),
|
||||||
|
attempts=5)
|
||||||
|
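Review bot: Both new entrypoints lack docstrings, and `iptables_set_rules` is the wider of the two: it runs `iptables-restore` under `sys_admin_pctxt` on whatever line list the unprivileged side hands it, so its docstring should say that `rules` must be the complete `iptables-save -c` dump for the selected address family (as returned by `iptables_get_rules` and spliced by `IptablesManager._apply`), not a fragment, and that a `str` passed by mistake would be joined character by character by `'\n'.join(rules)`. A docstring on `iptables_get_rules` should also state that the raw `(stdout, stderr)` tuple from `processutils.execute` is returned unchanged, since `_apply` unpacks exactly that. The `ipv4` → `'iptables'`/`'ip6tables'` choice is repeated in both functions and again twice in `_apply`; a module-level helper such as `_iptables_binary(ipv4)` would keep the four copies from drifting.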
@ -95,6 +95,13 @@ class ServiceFixture(fixtures.Fixture):
|
|||||||
self.ctxt = context.get_admin_context()
|
self.ctxt = context.get_admin_context()
|
||||||
if self.cell:
|
if self.cell:
|
||||||
context.set_target_cell(self.ctxt, self.cell)
|
context.set_target_cell(self.ctxt, self.cell)
|
||||||
|
|
||||||
|
# NOTE(mikal): we don't have root to manipulate iptables, so just
|
||||||
|
# zero that bit out.
|
||||||
|
self.useFixture(fixtures.MonkeyPatch(
|
||||||
|
'nova.network.linux_net.IptablesManager._apply',
|
||||||
|
lambda _: None))
|
||||||
|
|
||||||
with mock.patch('nova.context.get_admin_context',
|
with mock.patch('nova.context.get_admin_context',
|
||||||
return_value=self.ctxt):
|
return_value=self.ctxt):
|
||||||
self.service = service.Service.create(**self.kwargs)
|
self.service = service.Service.create(**self.kwargs)
|
||||||
|
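Review bot: `fixtures.MonkeyPatch` on the dotted name `'nova.network.linux_net.IptablesManager._apply'` will, as far as I recall, create the attribute when it does not exist rather than fail, so a later rename of `_apply` would silently turn this patch into a no-op and let functional tests reach the real privsep entrypoints; `self.useFixture(fixtures.MockPatch('nova.network.linux_net.IptablesManager._apply', lambda _: None))` raises AttributeError on a missing target and pins the private name explicitly. The NOTE could also say what is being bypassed rather than "zero that bit out", e.g. `# _apply is where iptables-save/-restore run via privsep; skipping it leaves the in-memory tables dirty but never touches the host.`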
@ -373,7 +373,13 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
get_associated)
|
get_associated)
|
||||||
|
|
||||||
@mock.patch.object(linux_net.iptables_manager.ipv4['nat'], 'add_rule')
|
@mock.patch.object(linux_net.iptables_manager.ipv4['nat'], 'add_rule')
|
||||||
def _test_add_snat_rule(self, expected, is_external, mock_add_rule):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def _test_add_snat_rule(self, expected, is_external,
|
||||||
|
mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_add_rule):
|
||||||
|
|
||||||
def verify_add_rule(chain, rule):
|
def verify_add_rule(chain, rule):
|
||||||
self.assertEqual('snat', chain)
|
self.assertEqual('snat', chain)
|
||||||
@ -415,7 +421,13 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
|
|
||||||
@mock.patch.object(fileutils, 'ensure_tree')
|
@mock.patch.object(fileutils, 'ensure_tree')
|
||||||
@mock.patch.object(os, 'chmod')
|
@mock.patch.object(os, 'chmod')
|
||||||
def test_update_dhcp_for_nw00(self, mock_chmod, mock_ensure_tree):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_update_dhcp_for_nw00(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_chmod,
|
||||||
|
mock_ensure_tree):
|
||||||
with mock.patch.object(self.driver, 'write_to_file') \
|
with mock.patch.object(self.driver, 'write_to_file') \
|
||||||
as mock_write_to_file:
|
as mock_write_to_file:
|
||||||
self.flags(use_single_default_gateway=True)
|
self.flags(use_single_default_gateway=True)
|
||||||
@ -428,7 +440,13 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
|
|
||||||
@mock.patch.object(fileutils, 'ensure_tree')
|
@mock.patch.object(fileutils, 'ensure_tree')
|
||||||
@mock.patch.object(os, 'chmod')
|
@mock.patch.object(os, 'chmod')
|
||||||
def test_update_dhcp_for_nw01(self, mock_chmod, mock_ensure_tree):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_update_dhcp_for_nw01(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_chmod,
|
||||||
|
mock_ensure_tree):
|
||||||
with mock.patch.object(self.driver, 'write_to_file') \
|
with mock.patch.object(self.driver, 'write_to_file') \
|
||||||
as mock_write_to_file:
|
as mock_write_to_file:
|
||||||
self.flags(use_single_default_gateway=True)
|
self.flags(use_single_default_gateway=True)
|
||||||
@ -594,9 +612,14 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.routes_show',
|
@mock.patch('nova.privsep.linux_net.routes_show',
|
||||||
return_value=('fake', 0))
|
return_value=('fake', 0))
|
||||||
@mock.patch('nova.privsep.linux_net.lookup_ip', return_value=('', ''))
|
@mock.patch('nova.privsep.linux_net.lookup_ip', return_value=('', ''))
|
||||||
def test_linux_bridge_driver_plug(self, mock_lookup_ip, mock_routes_show,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_enabled, mock_add_bridge,
|
return_value=('', ''))
|
||||||
mock_add_rule):
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_linux_bridge_driver_plug(
|
||||||
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_lookup_ip, mock_routes_show, mock_enabled, mock_add_bridge,
|
||||||
|
mock_add_rule):
|
||||||
"""Makes sure plug doesn't drop FORWARD by default.
|
"""Makes sure plug doesn't drop FORWARD by default.
|
||||||
|
|
||||||
Ensures bug 890195 doesn't reappear.
|
Ensures bug 890195 doesn't reappear.
|
||||||
@ -644,7 +667,12 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
|
|
||||||
@mock.patch.object(linux_net.LinuxBridgeInterfaceDriver,
|
@mock.patch.object(linux_net.LinuxBridgeInterfaceDriver,
|
||||||
'ensure_vlan_bridge')
|
'ensure_vlan_bridge')
|
||||||
def test_vlan_override(self, mock_ensure_vlan_bridge):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_vlan_override(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_ensure_vlan_bridge):
|
||||||
"""Makes sure vlan_interface flag overrides network bridge_interface.
|
"""Makes sure vlan_interface flag overrides network bridge_interface.
|
||||||
|
|
||||||
Allows heterogeneous networks a la bug 833426
|
Allows heterogeneous networks a la bug 833426
|
||||||
@ -675,7 +703,12 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
self.assertEqual(3, mock_ensure_vlan_bridge.call_count)
|
self.assertEqual(3, mock_ensure_vlan_bridge.call_count)
|
||||||
|
|
||||||
@mock.patch.object(linux_net.LinuxBridgeInterfaceDriver, 'ensure_bridge')
|
@mock.patch.object(linux_net.LinuxBridgeInterfaceDriver, 'ensure_bridge')
|
||||||
def test_flat_override(self, mock_ensure_bridge):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_flat_override(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_ensure_bridge):
|
||||||
"""Makes sure flat_interface flag overrides network bridge_interface.
|
"""Makes sure flat_interface flag overrides network bridge_interface.
|
||||||
|
|
||||||
Allows heterogeneous networks a la bug 833426
|
Allows heterogeneous networks a la bug 833426
|
||||||
@ -707,7 +740,13 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
@mock.patch('os.chmod')
|
@mock.patch('os.chmod')
|
||||||
@mock.patch.object(linux_net, '_add_dhcp_mangle_rule')
|
@mock.patch.object(linux_net, '_add_dhcp_mangle_rule')
|
||||||
@mock.patch.object(linux_net, '_execute')
|
@mock.patch.object(linux_net, '_execute')
|
||||||
def _test_dnsmasq_execute(self, mock_execute, mock_add_dhcp_mangle_rule,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def _test_dnsmasq_execute(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_execute,
|
||||||
|
mock_add_dhcp_mangle_rule,
|
||||||
mock_chmod, mock_write_to_file,
|
mock_chmod, mock_write_to_file,
|
||||||
mock_dnsmasq_pid_for, extra_expected=None):
|
mock_dnsmasq_pid_for, extra_expected=None):
|
||||||
network_ref = {'id': 'fake',
|
network_ref = {'id': 'fake',
|
||||||
@ -775,7 +814,12 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
def test_dnsmasq_execute(self):
|
def test_dnsmasq_execute(self):
|
||||||
self._test_dnsmasq_execute()
|
self._test_dnsmasq_execute()
|
||||||
|
|
||||||
def test_dnsmasq_execute_dns_servers(self):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_dnsmasq_execute_dns_servers(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules):
|
||||||
self.flags(dns_server=['1.1.1.1', '2.2.2.2'])
|
self.flags(dns_server=['1.1.1.1', '2.2.2.2'])
|
||||||
expected = [
|
expected = [
|
||||||
'--no-resolv',
|
'--no-resolv',
|
||||||
@ -793,15 +837,14 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
self._test_dnsmasq_execute(extra_expected=expected)
|
self._test_dnsmasq_execute(extra_expected=expected)
|
||||||
|
|
||||||
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
||||||
def test_isolated_host(self, mock_modify_ebtables):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_isolated_host(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_modify_ebtables):
|
||||||
self.flags(fake_network=False,
|
self.flags(fake_network=False,
|
||||||
share_dhcp_address=True)
|
share_dhcp_address=True)
|
||||||
executes = []
|
|
||||||
|
|
||||||
def fake_execute(*args, **kwargs):
|
|
||||||
executes.append(args)
|
|
||||||
return "", ""
|
|
||||||
|
|
||||||
driver = linux_net.LinuxBridgeInterfaceDriver()
|
driver = linux_net.LinuxBridgeInterfaceDriver()
|
||||||
|
|
||||||
def fake_ensure(bridge, interface, network, gateway):
|
def fake_ensure(bridge, interface, network, gateway):
|
||||||
@ -810,7 +853,6 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
self.stub_out('nova.network.linux_net.iptables_manager',
|
self.stub_out('nova.network.linux_net.iptables_manager',
|
||||||
linux_net.IptablesManager())
|
linux_net.IptablesManager())
|
||||||
self.stub_out('nova.network.linux_net.binary_name', 'test')
|
self.stub_out('nova.network.linux_net.binary_name', 'test')
|
||||||
self.stub_out('nova.utils.execute', fake_execute)
|
|
||||||
self.stub_out(
|
self.stub_out(
|
||||||
'nova.network.linux_net.LinuxBridgeInterfaceDriver.ensure_bridge',
|
'nova.network.linux_net.LinuxBridgeInterfaceDriver.ensure_bridge',
|
||||||
fake_ensure)
|
fake_ensure)
|
||||||
@ -823,13 +865,12 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
'bridge_interface': iface}
|
'bridge_interface': iface}
|
||||||
driver.plug(network, 'fakemac')
|
driver.plug(network, 'fakemac')
|
||||||
|
|
||||||
expected = [
|
mock_iptables_get_rules.assert_has_calls([
|
||||||
('iptables-save', '-c'),
|
mock.call(ipv4=True),
|
||||||
('iptables-restore', '-c'),
|
mock.call(ipv4=False)])
|
||||||
('ip6tables-save', '-c'),
|
mock_iptables_set_rules.assert_has_calls([
|
||||||
('ip6tables-restore', '-c'),
|
mock.call(mock.ANY, ipv4=True),
|
||||||
]
|
mock.call(mock.ANY, ipv4=False)])
|
||||||
self.assertEqual(expected, executes)
|
|
||||||
mock_modify_ebtables.assert_has_calls([
|
mock_modify_ebtables.assert_has_calls([
|
||||||
mock.call('filter',
|
mock.call('filter',
|
||||||
['INPUT', '-p', 'ARP', '-i', iface, '--arp-ip-dst',
|
['INPUT', '-p', 'ARP', '-i', iface, '--arp-ip-dst',
|
||||||
@ -1084,7 +1125,12 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
self.assertFalse(manager.iptables_apply_deferred)
|
self.assertFalse(manager.iptables_apply_deferred)
|
||||||
|
|
||||||
@mock.patch.object(linux_net.iptables_manager.ipv4['filter'], 'add_rule')
|
@mock.patch.object(linux_net.iptables_manager.ipv4['filter'], 'add_rule')
|
||||||
def _test_add_metadata_accept_rule(self, expected, mock_add_rule):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def _test_add_metadata_accept_rule(self, expected, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_add_rule):
|
||||||
def verify_add_rule(chain, rule):
|
def verify_add_rule(chain, rule):
|
||||||
self.assertEqual('INPUT', chain)
|
self.assertEqual('INPUT', chain)
|
||||||
self.assertEqual(expected, rule)
|
self.assertEqual(expected, rule)
|
||||||
@ -1094,7 +1140,14 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
mock_add_rule.assert_called_once()
|
mock_add_rule.assert_called_once()
|
||||||
|
|
||||||
@mock.patch.object(linux_net.iptables_manager.ipv6['filter'], 'add_rule')
|
@mock.patch.object(linux_net.iptables_manager.ipv6['filter'], 'add_rule')
|
||||||
def _test_add_metadata_accept_ipv6_rule(self, expected, mock_add_rule):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def _test_add_metadata_accept_ipv6_rule(self, expected,
|
||||||
|
mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules,
|
||||||
|
mock_add_rule):
|
||||||
def verify_add_rule(chain, rule):
|
def verify_add_rule(chain, rule):
|
||||||
self.assertEqual('INPUT', chain)
|
self.assertEqual('INPUT', chain)
|
||||||
self.assertEqual(expected, rule)
|
self.assertEqual(expected, rule)
|
||||||
@ -1132,7 +1185,14 @@ class LinuxNetworkTestCase(test.NoDBTestCase):
|
|||||||
self._test_add_metadata_accept_ipv6_rule(expected)
|
self._test_add_metadata_accept_ipv6_rule(expected)
|
||||||
|
|
||||||
@mock.patch.object(linux_net.iptables_manager.ipv4['nat'], 'add_rule')
|
@mock.patch.object(linux_net.iptables_manager.ipv4['nat'], 'add_rule')
|
||||||
def _test_add_metadata_forward_rule(self, expected, mock_add_rule):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def _test_add_metadata_forward_rule(self, expected,
|
||||||
|
mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules,
|
||||||
|
mock_add_rule):
|
||||||
def verify_add_rule(chain, rule):
|
def verify_add_rule(chain, rule):
|
||||||
self.assertEqual('PREROUTING', chain)
|
self.assertEqual('PREROUTING', chain)
|
||||||
self.assertEqual(expected, rule)
|
self.assertEqual(expected, rule)
|
||||||
|
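Review bot: In `test_isolated_host` the new `assert_has_calls` checks only that the listed calls appear as a contiguous subsequence, whereas the `self.assertEqual(expected, executes)` it replaces asserted the exact and complete command sequence, including that each `-save` was followed by its `-restore` before the next family; the new assertions would still pass if an extra `iptables_set_rules` call slipped in or if the IPv6 rules were written before the IPv4 dump was read. Comparing `call_args_list` keeps the exact-count guarantee: `self.assertEqual([mock.call(ipv4=True), mock.call(ipv4=False)], mock_iptables_get_rules.call_args_list)` and likewise `self.assertEqual([mock.call(mock.ANY, ipv4=True), mock.call(mock.ANY, ipv4=False)], mock_iptables_set_rules.call_args_list)`; cross-mock ordering could be pinned with `attach_mock` on a shared parent mock if that matters here. Separately, every test in this file that touches the manager (and the same pattern in the `VlanNetworkTestCase`, `AllocateTestCase`, `FloatingIPTestCase`, `QuotaIntegrationTestCase` and `IptablesFirewallTestCase` sections below) now carries the identical `@mock.patch('nova.privsep.linux_net.iptables_get_rules', return_value=('', ''))` / `iptables_set_rules` pair and two leading mock parameters it never reads; starting the two patches once in `setUp` with `p = mock.patch(...); p.start(); self.addCleanup(p.stop)` would remove most of the signature reshuffling this commit makes.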
@ -947,12 +947,15 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
||||||
return_value=False)
|
return_value=False)
|
||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
def test_vpn_allocate_fixed_ip(self, mock_forwarding_enable,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_forwarding_check,
|
return_value=('', ''))
|
||||||
mock_address_command,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_change_ip, mock_lookup_ip,
|
return_value=('', ''))
|
||||||
mock_routes_show, mock_enabled,
|
def test_vpn_allocate_fixed_ip(
|
||||||
mock_add_bridge):
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_forwarding_enable, mock_forwarding_check,
|
||||||
|
mock_address_command, mock_change_ip, mock_lookup_ip,
|
||||||
|
mock_routes_show, mock_enabled, mock_add_bridge):
|
||||||
self.mox.StubOutWithMock(db, 'fixed_ip_associate')
|
self.mox.StubOutWithMock(db, 'fixed_ip_associate')
|
||||||
self.mox.StubOutWithMock(db, 'fixed_ip_update')
|
self.mox.StubOutWithMock(db, 'fixed_ip_update')
|
||||||
self.mox.StubOutWithMock(db,
|
self.mox.StubOutWithMock(db,
|
||||||
@ -994,11 +997,15 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
||||||
return_value=False)
|
return_value=False)
|
||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
def test_allocate_fixed_ip(self, mock_forwarding_enable,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_forwarding_check, mock_address_command,
|
return_value=('', ''))
|
||||||
mock_change_ip, mock_lookup_ip,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_routes_show, mock_enabled,
|
return_value=('', ''))
|
||||||
mock_add_bridge):
|
def test_allocate_fixed_ip(
|
||||||
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_forwarding_enable, mock_forwarding_check,
|
||||||
|
mock_address_command, mock_change_ip, mock_lookup_ip,
|
||||||
|
mock_routes_show, mock_enabled, mock_add_bridge):
|
||||||
self.stubs.Set(self.network,
|
self.stubs.Set(self.network,
|
||||||
'_do_trigger_security_group_members_refresh_for_instance',
|
'_do_trigger_security_group_members_refresh_for_instance',
|
||||||
lambda *a, **kw: None)
|
lambda *a, **kw: None)
|
||||||
@ -1725,8 +1732,13 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
@mock.patch('nova.privsep.linux_net.ipv4_forwarding_check',
|
||||||
return_value=False)
|
return_value=False)
|
||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
def test_add_fixed_ip_instance_without_vpn_requested_networks(
|
def test_add_fixed_ip_instance_without_vpn_requested_networks(
|
||||||
self, mock_forwarding_enable, mock_forwarding_check,
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_forwarding_enable, mock_forwarding_check,
|
||||||
mock_address_command, mock_change_ip, mock_lookup_ip,
|
mock_address_command, mock_change_ip, mock_lookup_ip,
|
||||||
mock_routes_show, mock_enabled, mock_add_bridge):
|
mock_routes_show, mock_enabled, mock_add_bridge):
|
||||||
self.stubs.Set(self.network,
|
self.stubs.Set(self.network,
|
||||||
@ -1773,8 +1785,13 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
||||||
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
||||||
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
def test_ip_association_and_allocation_of_other_project(
|
def test_ip_association_and_allocation_of_other_project(
|
||||||
self, modify_ebtables, clean_conntrack, unbind_ip, bind_ip,
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
modify_ebtables, clean_conntrack, unbind_ip, bind_ip,
|
||||||
net_get, fixed_get):
|
net_get, fixed_get):
|
||||||
"""Makes sure that we cannot deallocaate or disassociate
|
"""Makes sure that we cannot deallocaate or disassociate
|
||||||
a public IP of other project.
|
a public IP of other project.
|
||||||
@ -2895,16 +2912,17 @@ class AllocateTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
||||||
@mock.patch('nova.privsep.linux_net.add_vlan')
|
@mock.patch('nova.privsep.linux_net.add_vlan')
|
||||||
def test_allocate_for_instance(self, mock_add_vlan,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_modify_ebtables,
|
return_value=('', ''))
|
||||||
mock_forwarding_enable,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_forwarding_check,
|
return_value=('', ''))
|
||||||
mock_clean_conntrack,
|
def test_allocate_for_instance(
|
||||||
mock_address_command,
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
mock_change_ip, mock_lookup_ip,
|
mock_add_vlan, mock_modify_ebtables, mock_forwarding_enable,
|
||||||
mock_routes_show, mock_unbind, mock_bind,
|
mock_forwarding_check, mock_clean_conntrack, mock_address_command,
|
||||||
mock_set_macaddr, mock_set_enabled,
|
mock_change_ip, mock_lookup_ip, mock_routes_show, mock_unbind,
|
||||||
mock_set_mtu, mock_add_bridge):
|
mock_bind, mock_set_macaddr, mock_set_enabled, mock_set_mtu,
|
||||||
|
mock_add_bridge):
|
||||||
address = "10.10.10.10"
|
address = "10.10.10.10"
|
||||||
self.flags(auto_assign_floating_ip=True)
|
self.flags(auto_assign_floating_ip=True)
|
||||||
|
|
||||||
@ -2980,15 +2998,16 @@ class AllocateTestCase(test.TestCase):
|
|||||||
return_value=False)
|
return_value=False)
|
||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
@mock.patch('nova.privsep.linux_net.add_vlan')
|
@mock.patch('nova.privsep.linux_net.add_vlan')
|
||||||
def test_allocate_for_instance_with_mac(self, mock_add_vlan,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_forwarding_enable,
|
return_value=('', ''))
|
||||||
mock_forwarding_check,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_address_command,
|
return_value=('', ''))
|
||||||
mock_change_ip,
|
def test_allocate_for_instance_with_mac(
|
||||||
mock_lookup_ip,
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
mock_routes_show,
|
mock_add_vlan, mock_forwarding_enable,
|
||||||
mock_set_addr, mock_enabled,
|
mock_forwarding_check, mock_address_command,
|
||||||
mock_set_mtu, mock_add_bridge):
|
mock_change_ip, mock_lookup_ip, mock_routes_show,
|
||||||
|
mock_set_addr, mock_enabled, mock_set_mtu, mock_add_bridge):
|
||||||
available_macs = set(['ca:fe:de:ad:be:ef'])
|
available_macs = set(['ca:fe:de:ad:be:ef'])
|
||||||
inst = db.instance_create(self.context, {'host': HOST,
|
inst = db.instance_create(self.context, {'host': HOST,
|
||||||
'display_name': HOST,
|
'display_name': HOST,
|
||||||
@ -3146,10 +3165,13 @@ class FloatingIPTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
||||||
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
||||||
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
||||||
def test_deallocation_deleted_instance(self,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_modify_ebtables,
|
return_value=('', ''))
|
||||||
mock_clean_conntrack,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_unbind_ip):
|
return_value=('', ''))
|
||||||
|
def test_deallocation_deleted_instance(
|
||||||
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_modify_ebtables, mock_clean_conntrack, mock_unbind_ip):
|
||||||
self.stubs.Set(self.network, '_teardown_network_on_host',
|
self.stubs.Set(self.network, '_teardown_network_on_host',
|
||||||
lambda *args, **kwargs: None)
|
lambda *args, **kwargs: None)
|
||||||
instance = objects.Instance(context=self.context)
|
instance = objects.Instance(context=self.context)
|
||||||
@ -3172,10 +3194,13 @@ class FloatingIPTestCase(test.TestCase):
|
|||||||
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
@mock.patch('nova.privsep.linux_net.unbind_ip')
|
||||||
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
@mock.patch('nova.privsep.linux_net.clean_conntrack')
|
||||||
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
@mock.patch('nova.privsep.linux_net.modify_ebtables')
|
||||||
def test_deallocation_duplicate_floating_ip(self,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_modify_ebtables,
|
return_value=('', ''))
|
||||||
mock_clean_conntrack,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_unbind_ip):
|
return_value=('', ''))
|
||||||
|
def test_deallocation_duplicate_floating_ip(
|
||||||
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_modify_ebtables, mock_clean_conntrack, mock_unbind_ip):
|
||||||
self.stubs.Set(self.network, '_teardown_network_on_host',
|
self.stubs.Set(self.network, '_teardown_network_on_host',
|
||||||
lambda *args, **kwargs: None)
|
lambda *args, **kwargs: None)
|
||||||
instance = objects.Instance(context=self.context)
|
instance = objects.Instance(context=self.context)
|
||||||
|
@ -153,7 +153,12 @@ class QuotaIntegrationTestCase(test.TestCase):
|
|||||||
self._create_instance(flavor_name='m1.xlarge')
|
self._create_instance(flavor_name='m1.xlarge')
|
||||||
|
|
||||||
@mock.patch('nova.privsep.linux_net.bind_ip')
|
@mock.patch('nova.privsep.linux_net.bind_ip')
|
||||||
def test_too_many_addresses(self, mock_bind_ip):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_too_many_addresses(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_bind_ip):
|
||||||
# This test is specifically relying on nova-network.
|
# This test is specifically relying on nova-network.
|
||||||
self.flags(use_neutron=False,
|
self.flags(use_neutron=False,
|
||||||
network_manager='nova.network.manager.FlatDHCPManager')
|
network_manager='nova.network.manager.FlatDHCPManager')
|
||||||
@ -173,7 +178,12 @@ class QuotaIntegrationTestCase(test.TestCase):
|
|||||||
db.floating_ip_destroy(context.get_admin_context(), address)
|
db.floating_ip_destroy(context.get_admin_context(), address)
|
||||||
|
|
||||||
@mock.patch('nova.privsep.linux_net.bind_ip')
|
@mock.patch('nova.privsep.linux_net.bind_ip')
|
||||||
def test_auto_assigned(self, mock_bind_ip):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_auto_assigned(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_bind_ip):
|
||||||
# This test is specifically relying on nova-network.
|
# This test is specifically relying on nova-network.
|
||||||
self.flags(use_neutron=False,
|
self.flags(use_neutron=False,
|
||||||
network_manager='nova.network.manager.FlatDHCPManager')
|
network_manager='nova.network.manager.FlatDHCPManager')
|
||||||
|
@ -149,10 +149,15 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
inst.info_cache.deleted = False
|
inst.info_cache.deleted = False
|
||||||
return inst
|
return inst
|
||||||
|
|
||||||
@mock.patch.object(linux_net.iptables_manager, "execute")
|
|
||||||
@mock.patch.object(objects.InstanceList, "get_by_security_group_id")
|
@mock.patch.object(objects.InstanceList, "get_by_security_group_id")
|
||||||
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
||||||
def test_static_filters(self, mock_secrule, mock_instlist, fake_execute):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_static_filters(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_secrule,
|
||||||
|
mock_instlist):
|
||||||
UUID = "2674993b-6adb-4733-abd9-a7c10cc1f146"
|
UUID = "2674993b-6adb-4733-abd9-a7c10cc1f146"
|
||||||
SRC_UUID = "0e0a76b2-7c52-4bc0-9a60-d83017e42c1a"
|
SRC_UUID = "0e0a76b2-7c52-4bc0-9a60-d83017e42c1a"
|
||||||
instance_ref = self._create_instance_ref(UUID)
|
instance_ref = self._create_instance_ref(UUID)
|
||||||
@ -215,7 +220,7 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
mock_secrule.return_value = objects.SecurityGroupRuleList(
|
mock_secrule.return_value = objects.SecurityGroupRuleList(
|
||||||
objects=[r1, r2, r3, r4, r5])
|
objects=[r1, r2, r3, r4, r5])
|
||||||
|
|
||||||
def _fake_instlist(ctxt, id):
|
def fake_instlist(ctxt, id):
|
||||||
if id == src_secgroup.id:
|
if id == src_secgroup.id:
|
||||||
insts = objects.InstanceList()
|
insts = objects.InstanceList()
|
||||||
insts.objects.append(src_instance_ref)
|
insts.objects.append(src_instance_ref)
|
||||||
@ -224,32 +229,26 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
insts = objects.InstanceList()
|
insts = objects.InstanceList()
|
||||||
insts.objects.append(instance_ref)
|
insts.objects.append(instance_ref)
|
||||||
return insts
|
return insts
|
||||||
|
mock_instlist.side_effect = fake_instlist
|
||||||
|
|
||||||
mock_instlist.side_effect = _fake_instlist
|
def fake_iptables_get(ipv4=True):
|
||||||
|
if ipv4:
|
||||||
def fake_iptables_execute(*cmd, **kwargs):
|
|
||||||
process_input = kwargs.get('process_input')
|
|
||||||
if process_input is not None and isinstance(process_input, bytes):
|
|
||||||
process_input = process_input.decode('utf-8')
|
|
||||||
if cmd == ('ip6tables-save', '-c'):
|
|
||||||
return '\n'.join(self.in6_filter_rules), None
|
|
||||||
if cmd == ('iptables-save', '-c'):
|
|
||||||
return '\n'.join(self.in_rules), None
|
return '\n'.join(self.in_rules), None
|
||||||
if cmd == ('iptables-restore', '-c'):
|
else:
|
||||||
lines = process_input.split('\n')
|
return '\n'.join(self.in6_filter_rules), None
|
||||||
if '*filter' in lines:
|
mock_iptables_get_rules.side_effect = fake_iptables_get
|
||||||
self.out_rules = lines
|
|
||||||
return '', ''
|
def fake_iptables_set(rules, ipv4=True):
|
||||||
if cmd == ('ip6tables-restore', '-c',):
|
if '*filter' in rules:
|
||||||
lines = process_input.split('\n')
|
if ipv4:
|
||||||
if '*filter' in lines:
|
self.out_rules = rules
|
||||||
self.out6_rules = lines
|
else:
|
||||||
return '', ''
|
self.out6_rules = rules
|
||||||
|
return '', ''
|
||||||
|
mock_iptables_set_rules.side_effect = fake_iptables_set
|
||||||
|
|
||||||
network_model = _fake_network_info(self, 1)
|
network_model = _fake_network_info(self, 1)
|
||||||
|
|
||||||
fake_execute.side_effect = fake_iptables_execute
|
|
||||||
|
|
||||||
self.stub_out('nova.objects.Instance.get_network_info',
|
self.stub_out('nova.objects.Instance.get_network_info',
|
||||||
lambda instance: network_model)
|
lambda instance: network_model)
|
||||||
|
|
||||||
@ -322,7 +321,12 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
self.assertEqual(len(rulesv6), 1)
|
self.assertEqual(len(rulesv6), 1)
|
||||||
|
|
||||||
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
||||||
def test_multinic_iptables(self, mock_secrule):
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_multinic_iptables(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_secrule):
|
||||||
mock_secrule.return_value = objects.SecurityGroupRuleList()
|
mock_secrule.return_value = objects.SecurityGroupRuleList()
|
||||||
|
|
||||||
ipv4_rules_per_addr = 1
|
ipv4_rules_per_addr = 1
|
||||||
@ -356,8 +360,14 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
@mock.patch.object(firewall.IptablesFirewallDriver,
|
@mock.patch.object(firewall.IptablesFirewallDriver,
|
||||||
'add_filters_for_instance')
|
'add_filters_for_instance')
|
||||||
@mock.patch.object(linux_net.IptablesTable, 'has_chain')
|
@mock.patch.object(linux_net.IptablesTable, 'has_chain')
|
||||||
def test_do_refresh_security_group_rules(self, mock_has_chain,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_add_filters, mock_instance_rules):
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_do_refresh_security_group_rules(
|
||||||
|
self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules, mock_has_chain,
|
||||||
|
mock_add_filters, mock_instance_rules):
|
||||||
instance_ref = self._create_instance_ref()
|
instance_ref = self._create_instance_ref()
|
||||||
|
|
||||||
mock_instance_rules.return_value = (None, None)
|
mock_instance_rules.return_value = (None, None)
|
||||||
@ -402,11 +412,13 @@ class IptablesFirewallTestCase(test.NoDBTestCase):
|
|||||||
@mock.patch.object(fakelibvirt.virConnect, "nwfilterDefineXML")
|
@mock.patch.object(fakelibvirt.virConnect, "nwfilterDefineXML")
|
||||||
@mock.patch.object(objects.InstanceList, "get_by_security_group_id")
|
@mock.patch.object(objects.InstanceList, "get_by_security_group_id")
|
||||||
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
@mock.patch.object(objects.SecurityGroupRuleList, "get_by_instance")
|
||||||
def test_unfilter_instance_undefines_nwfilter(self,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
mock_secrule,
|
return_value=('', ''))
|
||||||
mock_instlist,
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
mock_define,
|
return_value=('', ''))
|
||||||
mock_lookup):
|
def test_unfilter_instance_undefines_nwfilter(
|
||||||
|
self, mock_iptables_set_rules, mock_iptables_get_rules,
|
||||||
|
mock_secrule, mock_instlist, mock_define, mock_lookup):
|
||||||
fakefilter = NWFilterFakes()
|
fakefilter = NWFilterFakes()
|
||||||
mock_lookup.side_effect = fakefilter.nwfilterLookupByName
|
mock_lookup.side_effect = fakefilter.nwfilterLookupByName
|
||||||
mock_define.side_effect = fakefilter.filterDefineXMLMock
|
mock_define.side_effect = fakefilter.filterDefineXMLMock
|
||||||
|
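Review bot: `fake_iptables_set(rules, ipv4=True)` in the test_static_filters hunk tests `'*filter' in rules` and stores `rules` straight into `self.out_rules`, which only behaves like the old fake if the privsep helper receives the rule set as a list of lines; if it were ever handed the joined string instead, the membership test would silently become a substring match and the later assertions over `out_rules` (outside this hunk) would be looking at a str. Making that contract explicit in the fake, `self.assertIsInstance(rules, list)` as its first line, turns a hidden assumption into a checked one. The `return_value=('', '')` on the two decorators of this test is dead, since `side_effect` is set on both mocks and overrides it. As a point of style, the same pair of privsep patch decorators is repeated on every test in this section (test_multinic_iptables, test_do_refresh_security_group_rules, test_unfilter_instance_undefines_nwfilter); starting the two patches once in setUp with an `addCleanup` to stop them would keep the test signatures readable.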
@ -1145,7 +1145,13 @@ class XenAPIVMTestCase(stubs.XenAPITestBase,
|
|||||||
return_value=False)
|
return_value=False)
|
||||||
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
@mock.patch('nova.privsep.linux_net._enable_ipv4_forwarding_inner')
|
||||||
@mock.patch('nova.privsep.linux_net.add_vlan')
|
@mock.patch('nova.privsep.linux_net.add_vlan')
|
||||||
def test_spawn_vlanmanager(self, mock_add_vlan, mock_forwarding_enable,
|
@mock.patch('nova.privsep.linux_net.iptables_get_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
@mock.patch('nova.privsep.linux_net.iptables_set_rules',
|
||||||
|
return_value=('', ''))
|
||||||
|
def test_spawn_vlanmanager(self, mock_iptables_set_rules,
|
||||||
|
mock_iptables_get_rules,
|
||||||
|
mock_add_vlan, mock_forwarding_enable,
|
||||||
mock_forwarding_check,
|
mock_forwarding_check,
|
||||||
mock_address_command_horrid,
|
mock_address_command_horrid,
|
||||||
mock_change_ip, mock_set_macaddr,
|
mock_change_ip, mock_set_macaddr,
|
||||||
|
@ -44,7 +44,8 @@ class Dom0IptablesFirewallDriver(firewall.IptablesFirewallDriver):
|
|||||||
super(Dom0IptablesFirewallDriver, self).__init__(**kwargs)
|
super(Dom0IptablesFirewallDriver, self).__init__(**kwargs)
|
||||||
self._session = xenapi_session
|
self._session = xenapi_session
|
||||||
# Create IpTablesManager with executor through plugin
|
# Create IpTablesManager with executor through plugin
|
||||||
self.iptables = linux_net.IptablesManager(self._plugin_execute)
|
self.iptables = linux_net.IptablesManager(
|
||||||
|
redirect_privsep_calls_to=self._plugin_execute)
|
||||||
self.iptables.ipv4['filter'].add_chain('sg-fallback')
|
self.iptables.ipv4['filter'].add_chain('sg-fallback')
|
||||||
self.iptables.ipv4['filter'].add_rule('sg-fallback', '-j DROP')
|
self.iptables.ipv4['filter'].add_rule('sg-fallback', '-j DROP')
|
||||||
self.iptables.ipv6['filter'].add_chain('sg-fallback')
|
self.iptables.ipv6['filter'].add_chain('sg-fallback')
|
||||||
|
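Review bot: The comment `# Create IpTablesManager with executor through plugin` above the changed lines is now out of date, since the manager no longer takes an executor and the keyword being passed is `redirect_privsep_calls_to`. Rewording it to `# Route the manager's iptables calls through the dom0 plugin instead of host privsep` would match the new call. It would also help to state here, or on `_plugin_execute` itself, that the callable is invoked with the command and arguments the manager would otherwise hand to privsep, so anyone changing `_plugin_execute`'s signature knows both sides must agree; that contract is defined in the manager's constructor outside this hunk. The enclosing `__init__` starts above the hunk.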