Merge trunk, resolve conflicts, and rename 010_ migrate file to 011_ since another migrate file got into trunk ahead of this...

2011-03-14 13:59:41 -04:00
parent 0ea1a8b44c 835e0a620f
commit c4d7b76718
12 changed files with 709 additions and 61 deletions
--- a/nova/tests/test_virt.py
+++ b/nova/tests/test_virt.py
@@ -17,6 +17,7 @@
 import eventlet
 import mox
 import os
+import re
 import sys

 from xml.etree.ElementTree import fromstring as xml_to_tree
@@ -521,16 +522,22 @@ class IptablesFirewallTestCase(test.TestCase):
        self.manager.delete_user(self.user)
        super(IptablesFirewallTestCase, self).tearDown()

-    in_rules = [
+    in_nat_rules = [
+      '# Generated by iptables-save v1.4.10 on Sat Feb 19 00:03:19 2011',
+      '*nat',
+      ':PREROUTING ACCEPT [1170:189210]',
+      ':INPUT ACCEPT [844:71028]',
+      ':OUTPUT ACCEPT [5149:405186]',
+      ':POSTROUTING ACCEPT [5063:386098]',
+    ]
+
+    in_filter_rules = [
      '# Generated by iptables-save v1.4.4 on Mon Dec  6 11:54:13 2010',
      '*filter',
      ':INPUT ACCEPT [969615:281627771]',
      ':FORWARD ACCEPT [0:0]',
      ':OUTPUT ACCEPT [915599:63811649]',
      ':nova-block-ipv4 - [0:0]',
-      '-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT ',
-      '-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT ',
-      '-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT ',
      '-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ',
      '-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED'
      ',ESTABLISHED -j ACCEPT ',
@@ -542,7 +549,7 @@ class IptablesFirewallTestCase(test.TestCase):
      '# Completed on Mon Dec  6 11:54:13 2010',
    ]

-    in6_rules = [
+    in6_filter_rules = [
      '# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
      '*filter',
      ':INPUT ACCEPT [349155:75810423]',
@@ -605,21 +612,31 @@ class IptablesFirewallTestCase(test.TestCase):
        def fake_iptables_execute(*cmd, **kwargs):
            process_input = kwargs.get('process_input', None)
            if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'):
-                return '\n'.join(self.in6_rules), None
+                return '\n'.join(self.in6_filter_rules), None
            if cmd == ('sudo', 'iptables-save', '-t', 'filter'):
-                return '\n'.join(self.in_rules), None
+                return '\n'.join(self.in_filter_rules), None
+            if cmd == ('sudo', 'iptables-save', '-t', 'nat'):
+                return '\n'.join(self.in_nat_rules), None
            if cmd == ('sudo', 'iptables-restore'):
-                self.out_rules = process_input.split('\n')
+                lines = process_input.split('\n')
+                if '*filter' in lines:
+                    self.out_rules = lines
                return '', ''
            if cmd == ('sudo', 'ip6tables-restore'):
-                self.out6_rules = process_input.split('\n')
+                lines = process_input.split('\n')
+                if '*filter' in lines:
+                    self.out6_rules = lines
                return '', ''
-        self.fw.execute = fake_iptables_execute
+            print cmd, kwargs
+
+        from nova.network import linux_net
+        linux_net.iptables_manager.execute = fake_iptables_execute

        self.fw.prepare_instance_filter(instance_ref)
        self.fw.apply_instance_filter(instance_ref)

-        in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
+        in_rules = filter(lambda l: not l.startswith('#'),
+                          self.in_filter_rules)
        for rule in in_rules:
            if not 'nova' in rule:
                self.assertTrue(rule in self.out_rules,
@@ -642,17 +659,18 @@ class IptablesFirewallTestCase(test.TestCase):
        self.assertTrue(security_group_chain,
                        "The security group chain wasn't added")

-        self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
-                               security_group_chain in self.out_rules,
+        regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT')
+        self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                        "ICMP acceptance rule wasn't added")

-        self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
-                        '8 -j ACCEPT' % security_group_chain in self.out_rules,
+        regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp '
+                           '--icmp-type 8 -j ACCEPT')
+        self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                        "ICMP Echo Request acceptance rule wasn't added")

-        self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
-                        '--dports 80:81 -j ACCEPT' % security_group_chain \
-                            in self.out_rules,
+        regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport '
+                           '--dports 80:81 -j ACCEPT')
+        self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
                        "TCP port 80/81 acceptance rule wasn't added")
        db.instance_destroy(admin_ctxt, instance_ref['id'])