Blueprint xenapi-provider-firewall and Bug #915403.

1. Provides dom0 IPtables driver to implement the Provider firewall rules.
  2. Existing libvirt code has been refactored to reduce the amount of duplicated code to a minimum
  3. The three provider apis in ec2/admin.py file are now fixed the following way:
    a.    remove_external_address_block returned 'OK' on removing blocks which didn't exist. This is now fixed.
    b.    block_external_addresses raised exception earlier on duplicate network blocks. Now the exception is logged and failed status message is returned.
    c.  all the three provider apis now logs for invalid and improper inputs and return uniform (a dictionary ) and proper status messages for all cases.
  4. appropriate unit tests added to cover the same

Change-Id: I27d83186f850423a6268947aed0c9a349d8f8d65

Authors

@@ -41,6 +41,7 @@ Dave Walker <DaveWalker@ubuntu.com>
 David Pravec <David.Pravec@danix.org>
 David Subiros <david.perez5@hp.com>
 Dean Troyer <dtroyer@gmail.com>
+Deepak Garg <deepak.garg@citrix.com>
 Derek Higgins <higginsd@gmail.com>
 Devendra Modium <dmodium@isi.edu>
 Devin Carlen <devin.carlen@gmail.com>

nova/tests/test_xenapi.py

@@ -1334,6 +1334,9 @@ class XenAPIBWUsageTestCase(test.TestCase):
         self.assertEqual(result, [])
 
 
+# TODO(salvatore-orlando): this class and
+# nova.tests.test_libvirt.IPTablesFirewallDriverTestCase share a lot of code.
+# Consider abstracting common code in a base class for firewall driver testing.
 class XenAPIDom0IptablesFirewallTestCase(test.TestCase):
 
     _in_nat_rules = [
@@ -1581,3 +1584,60 @@ class XenAPIDom0IptablesFirewallTestCase(test.TestCase):
         self.assertTrue(len(filter(regex.match, self._out_rules)) > 0,
                         "Rules were not updated properly."
                         "The rule for UDP acceptance is missing")
+
+    def test_provider_firewall_rules(self):
+        # setup basic instance data
+        instance_ref = self._create_instance_ref()
+        # FRAGILE: as in libvirt tests
+        # peeks at how the firewall names chains
+        chain_name = 'inst-%s' % instance_ref['id']
+
+        network_info = fake_network.fake_get_instance_nw_info(self.stubs, 1, 1)
+        self.fw.prepare_instance_filter(instance_ref, network_info)
+        self.assertTrue('provider' in self.fw.iptables.ipv4['filter'].chains)
+        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
+                      if rule.chain == 'provider']
+        self.assertEqual(0, len(rules))
+
+        admin_ctxt = context.get_admin_context()
+        # add a rule and send the update message, check for 1 rule
+        provider_fw0 = db.provider_fw_rule_create(admin_ctxt,
+                                                  {'protocol': 'tcp',
+                                                   'cidr': '10.99.99.99/32',
+                                                   'from_port': 1,
+                                                   'to_port': 65535})
+        self.fw.refresh_provider_fw_rules()
+        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
+                      if rule.chain == 'provider']
+        self.assertEqual(1, len(rules))
+
+        # Add another, refresh, and make sure number of rules goes to two
+        provider_fw1 = db.provider_fw_rule_create(admin_ctxt,
+                                                  {'protocol': 'udp',
+                                                   'cidr': '10.99.99.99/32',
+                                                   'from_port': 1,
+                                                   'to_port': 65535})
+        self.fw.refresh_provider_fw_rules()
+        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
+                      if rule.chain == 'provider']
+        self.assertEqual(2, len(rules))
+
+        # create the instance filter and make sure it has a jump rule
+        self.fw.prepare_instance_filter(instance_ref, network_info)
+        self.fw.apply_instance_filter(instance_ref, network_info)
+        inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
+                           if rule.chain == chain_name]
+        jump_rules = [rule for rule in inst_rules if '-j' in rule.rule]
+        provjump_rules = []
+        # IptablesTable doesn't make rules unique internally
+        for rule in jump_rules:
+            if 'provider' in rule.rule and rule not in provjump_rules:
+                provjump_rules.append(rule)
+        self.assertEqual(1, len(provjump_rules))
+
+        # remove a rule from the db, cast to compute to refresh rule
+        db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id'])
+        self.fw.refresh_provider_fw_rules()
+        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
+                      if rule.chain == 'provider']
+        self.assertEqual(1, len(rules))

nova/tests/xenapi/stubs.py

@@ -32,7 +32,6 @@ def stubout_firewall_driver(stubs, conn):
         return
 
     vmops = conn._vmops
-    stubs.Set(vmops.firewall_driver, 'setup_basic_filtering', fake_none)
     stubs.Set(vmops.firewall_driver, 'prepare_instance_filter', fake_none)
     stubs.Set(vmops.firewall_driver, 'instance_filter_exists', fake_none)
 

nova/utils.py

@@ -1075,12 +1075,12 @@ def monkey_patch():
             if isinstance(module_data[key], pyclbr.Class):
                 clz = import_class("%s.%s" % (module, key))
                 for method, func in inspect.getmembers(clz, inspect.ismethod):
-                    setattr(clz, method,\
+                    setattr(clz, method,
                         decorator("%s.%s.%s" % (module, key, method), func))
             # set the decorator for the function
             if isinstance(module_data[key], pyclbr.Function):
                 func = import_class("%s.%s" % (module, key))
-                setattr(sys.modules[module], key,\
+                setattr(sys.modules[module], key,
                     decorator("%s.%s" % (module, key), func))