Add a new IptablesManager that takes care of all uses of iptables.
Port all uses of iptables (in linux_net and libvirt_conn) over to use this new manager. It wraps all uses of iptables so that each component can maintain its own set of rules without interfering with other components and/or existing system rules. iptables-restore is an atomic interface to netfilter in the kernel. This means we can make a bunch of changes at a time, minimising the number of calls to iptables.
This commit is contained in:
Soren Hansen
@@ -29,11 +29,153 @@ from nova import log as logging
|
|||||||
from nova import test
|
from nova import test
|
||||||
from nova import utils
|
from nova import utils
|
||||||
from nova.auth import manager
|
from nova.auth import manager
|
||||||
|
from nova.network import linux_net
|
||||||
|
|
||||||
FLAGS = flags.FLAGS
|
FLAGS = flags.FLAGS
|
||||||
LOG = logging.getLogger('nova.tests.network')
|
LOG = logging.getLogger('nova.tests.network')
|
||||||
|
|
||||||
|
|
||||||
|
class IptablesManagerTestCase(test.TestCase):
|
||||||
|
sample_filter = ['#Generated by iptables-save on Fri Feb 18 15:17:05 2011',
|
||||||
|
'*filter',
|
||||||
|
':INPUT ACCEPT [2223527:305688874]',
|
||||||
|
':FORWARD ACCEPT [0:0]',
|
||||||
|
':OUTPUT ACCEPT [2172501:140856656]',
|
||||||
|
':nova-compute-FORWARD - [0:0]',
|
||||||
|
':nova-compute-INPUT - [0:0]',
|
||||||
|
':nova-compute-local - [0:0]',
|
||||||
|
':nova-compute-OUTPUT - [0:0]',
|
||||||
|
':nova-filter-top - [0:0]',
|
||||||
|
'-A FORWARD -j nova-filter-top ',
|
||||||
|
'-A OUTPUT -j nova-filter-top ',
|
||||||
|
'-A nova-filter-top -j nova-compute-local ',
|
||||||
|
'-A INPUT -j nova-compute-INPUT ',
|
||||||
|
'-A OUTPUT -j nova-compute-OUTPUT ',
|
||||||
|
'-A FORWARD -j nova-compute-FORWARD ',
|
||||||
|
'-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT ',
|
||||||
|
'-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT ',
|
||||||
|
'-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT ',
|
||||||
|
'-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ',
|
||||||
|
'-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT ',
|
||||||
|
'-A FORWARD -i virbr0 -o virbr0 -j ACCEPT ',
|
||||||
|
'-A FORWARD -o virbr0 -j REJECT --reject-with '
|
||||||
|
'icmp-port-unreachable ',
|
||||||
|
'-A FORWARD -i virbr0 -j REJECT --reject-with '
|
||||||
|
'icmp-port-unreachable ',
|
||||||
|
'COMMIT',
|
||||||
|
'# Completed on Fri Feb 18 15:17:05 2011']
|
||||||
|
|
||||||
|
sample_nat = ['# Generated by iptables-save on Fri Feb 18 15:17:05 2011',
|
||||||
|
'*nat',
|
||||||
|
':PREROUTING ACCEPT [3936:762355]',
|
||||||
|
':INPUT ACCEPT [2447:225266]',
|
||||||
|
':OUTPUT ACCEPT [63491:4191863]',
|
||||||
|
':POSTROUTING ACCEPT [63112:4108641]',
|
||||||
|
':nova-compute-OUTPUT - [0:0]',
|
||||||
|
':nova-compute-floating-ip-snat - [0:0]',
|
||||||
|
':nova-compute-SNATTING - [0:0]',
|
||||||
|
':nova-compute-PREROUTING - [0:0]',
|
||||||
|
':nova-compute-POSTROUTING - [0:0]',
|
||||||
|
':nova-postrouting-bottom - [0:0]',
|
||||||
|
'-A PREROUTING -j nova-compute-PREROUTING ',
|
||||||
|
'-A OUTPUT -j nova-compute-OUTPUT ',
|
||||||
|
'-A POSTROUTING -j nova-compute-POSTROUTING ',
|
||||||
|
'-A POSTROUTING -j nova-postrouting-bottom ',
|
||||||
|
'-A nova-postrouting-bottom -j nova-compute-SNATTING ',
|
||||||
|
'-A nova-compute-SNATTING -j nova-compute-floating-ip-snat ',
|
||||||
|
'COMMIT',
|
||||||
|
'# Completed on Fri Feb 18 15:17:05 2011']
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(IptablesManagerTestCase, self).setUp()
|
||||||
|
self.manager = linux_net.IptablesManager()
|
||||||
|
|
||||||
|
def test_filter_rules_are_wrapped(self):
|
||||||
|
current_lines = self.sample_filter
|
||||||
|
|
||||||
|
table = self.manager.ipv4['filter']
|
||||||
|
table.add_rule('FORWARD', '-s 1.2.3.4/5 -j DROP')
|
||||||
|
new_lines = self.manager._modify_rules(current_lines, table)
|
||||||
|
self.assertTrue('-A run_tests.py-FORWARD '
|
||||||
|
'-s 1.2.3.4/5 -j DROP' in new_lines)
|
||||||
|
|
||||||
|
table.remove_rule('FORWARD', '-s 1.2.3.4/5 -j DROP')
|
||||||
|
new_lines = self.manager._modify_rules(current_lines, table)
|
||||||
|
self.assertTrue('-A run_tests.py-FORWARD '
|
||||||
|
'-s 1.2.3.4/5 -j DROP' not in new_lines)
|
||||||
|
|
||||||
|
def test_nat_rules(self):
|
||||||
|
current_lines = self.sample_nat
|
||||||
|
new_lines = self.manager._modify_rules(current_lines,
|
||||||
|
self.manager.ipv4['nat'])
|
||||||
|
|
||||||
|
for line in [':nova-compute-OUTPUT - [0:0]',
|
||||||
|
':nova-compute-floating-ip-snat - [0:0]',
|
||||||
|
':nova-compute-SNATTING - [0:0]',
|
||||||
|
':nova-compute-PREROUTING - [0:0]',
|
||||||
|
':nova-compute-POSTROUTING - [0:0]']:
|
||||||
|
self.assertTrue(line in new_lines, "One of nova-compute's chains "
|
||||||
|
"went missing.")
|
||||||
|
|
||||||
|
seen_lines = set()
|
||||||
|
for line in new_lines:
|
||||||
|
line = line.strip()
|
||||||
|
self.assertTrue(line not in seen_lines,
|
||||||
|
"Duplicate line: %s" % line)
|
||||||
|
seen_lines.add(line)
|
||||||
|
|
||||||
|
last_postrouting_line = ''
|
||||||
|
|
||||||
|
for line in new_lines:
|
||||||
|
if line.startswith('-A POSTROUTING'):
|
||||||
|
last_postrouting_line = line
|
||||||
|
|
||||||
|
self.assertTrue('-j nova-postrouting-bottom' in last_postrouting_line,
|
||||||
|
"Last POSTROUTING rule does not jump to "
|
||||||
|
"nova-postouting-bottom: %s" % last_postrouting_line)
|
||||||
|
|
||||||
|
for chain in ['POSTROUTING', 'PREROUTING', 'OUTPUT']:
|
||||||
|
self.assertTrue('-A %s -j run_tests.py-%s' \
|
||||||
|
% (chain, chain) in new_lines,
|
||||||
|
"Built-in chain %s not wrapped" % (chain,))
|
||||||
|
|
||||||
|
def test_filter_rules(self):
|
||||||
|
current_lines = self.sample_filter
|
||||||
|
new_lines = self.manager._modify_rules(current_lines,
|
||||||
|
self.manager.ipv4['filter'])
|
||||||
|
|
||||||
|
for line in [':nova-compute-FORWARD - [0:0]',
|
||||||
|
':nova-compute-INPUT - [0:0]',
|
||||||
|
':nova-compute-local - [0:0]',
|
||||||
|
':nova-compute-OUTPUT - [0:0]']:
|
||||||
|
self.assertTrue(line in new_lines, "One of nova-compute's chains"
|
||||||
|
" went missing.")
|
||||||
|
|
||||||
|
seen_lines = set()
|
||||||
|
for line in new_lines:
|
||||||
|
line = line.strip()
|
||||||
|
self.assertTrue(line not in seen_lines,
|
||||||
|
"Duplicate line: %s" % line)
|
||||||
|
seen_lines.add(line)
|
||||||
|
|
||||||
|
for chain in ['FORWARD', 'OUTPUT']:
|
||||||
|
for line in new_lines:
|
||||||
|
if line.startswith('-A %s' % chain):
|
||||||
|
self.assertTrue('-j nova-filter-top' in line,
|
||||||
|
"First %s rule does not "
|
||||||
|
"jump to nova-filter-top" % chain)
|
||||||
|
break
|
||||||
|
|
||||||
|
self.assertTrue('-A nova-filter-top '
|
||||||
|
'-j run_tests.py-local' in new_lines,
|
||||||
|
"nova-filter-top does not jump to wrapped local chain")
|
||||||
|
|
||||||
|
for chain in ['INPUT', 'OUTPUT', 'FORWARD']:
|
||||||
|
self.assertTrue('-A %s -j run_tests.py-%s' \
|
||||||
|
% (chain, chain) in new_lines,
|
||||||
|
"Built-in chain %s not wrapped" % (chain,))
|
||||||
|
|
||||||
|
|
||||||
class NetworkTestCase(test.TestCase):
|
class NetworkTestCase(test.TestCase):
|
||||||
"""Test cases for network code"""
|
"""Test cases for network code"""
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
|||||||
@@ -14,6 +14,7 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
import re
|
||||||
import os
|
import os
|
||||||
|
|
||||||
import eventlet
|
import eventlet
|
||||||
@@ -301,16 +302,22 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
self.manager.delete_user(self.user)
|
self.manager.delete_user(self.user)
|
||||||
super(IptablesFirewallTestCase, self).tearDown()
|
super(IptablesFirewallTestCase, self).tearDown()
|
||||||
|
|
||||||
in_rules = [
|
in_nat_rules = [
|
||||||
|
'# Generated by iptables-save v1.4.10 on Sat Feb 19 00:03:19 2011',
|
||||||
|
'*nat',
|
||||||
|
':PREROUTING ACCEPT [1170:189210]',
|
||||||
|
':INPUT ACCEPT [844:71028]',
|
||||||
|
':OUTPUT ACCEPT [5149:405186]',
|
||||||
|
':POSTROUTING ACCEPT [5063:386098]'
|
||||||
|
]
|
||||||
|
|
||||||
|
in_filter_rules = [
|
||||||
'# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010',
|
'# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010',
|
||||||
'*filter',
|
'*filter',
|
||||||
':INPUT ACCEPT [969615:281627771]',
|
':INPUT ACCEPT [969615:281627771]',
|
||||||
':FORWARD ACCEPT [0:0]',
|
':FORWARD ACCEPT [0:0]',
|
||||||
':OUTPUT ACCEPT [915599:63811649]',
|
':OUTPUT ACCEPT [915599:63811649]',
|
||||||
':nova-block-ipv4 - [0:0]',
|
':nova-block-ipv4 - [0:0]',
|
||||||
'-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT ',
|
|
||||||
'-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT ',
|
|
||||||
'-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT ',
|
|
||||||
'-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ',
|
'-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT ',
|
||||||
'-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED'
|
'-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED'
|
||||||
',ESTABLISHED -j ACCEPT ',
|
',ESTABLISHED -j ACCEPT ',
|
||||||
@@ -322,7 +329,7 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
'# Completed on Mon Dec 6 11:54:13 2010',
|
'# Completed on Mon Dec 6 11:54:13 2010',
|
||||||
]
|
]
|
||||||
|
|
||||||
in6_rules = [
|
in6_filter_rules = [
|
||||||
'# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
|
'# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
|
||||||
'*filter',
|
'*filter',
|
||||||
':INPUT ACCEPT [349155:75810423]',
|
':INPUT ACCEPT [349155:75810423]',
|
||||||
@@ -385,21 +392,31 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
def fake_iptables_execute(*cmd, **kwargs):
|
def fake_iptables_execute(*cmd, **kwargs):
|
||||||
process_input = kwargs.get('process_input', None)
|
process_input = kwargs.get('process_input', None)
|
||||||
if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'):
|
if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'):
|
||||||
return '\n'.join(self.in6_rules), None
|
return '\n'.join(self.in6_filter_rules), None
|
||||||
if cmd == ('sudo', 'iptables-save', '-t', 'filter'):
|
if cmd == ('sudo', 'iptables-save', '-t', 'filter'):
|
||||||
return '\n'.join(self.in_rules), None
|
return '\n'.join(self.in_filter_rules), None
|
||||||
|
if cmd == ('sudo', 'iptables-save', '-t', 'nat'):
|
||||||
|
return '\n'.join(self.in_nat_rules), None
|
||||||
if cmd == ('sudo', 'iptables-restore'):
|
if cmd == ('sudo', 'iptables-restore'):
|
||||||
self.out_rules = process_input.split('\n')
|
lines = process_input.split('\n')
|
||||||
|
if '*filter' in lines:
|
||||||
|
self.out_rules = lines
|
||||||
return '', ''
|
return '', ''
|
||||||
if cmd == ('sudo', 'ip6tables-restore'):
|
if cmd == ('sudo', 'ip6tables-restore'):
|
||||||
self.out6_rules = process_input.split('\n')
|
lines = process_input.split('\n')
|
||||||
|
if '*filter' in lines:
|
||||||
|
self.out6_rules = lines
|
||||||
return '', ''
|
return '', ''
|
||||||
self.fw.execute = fake_iptables_execute
|
print cmd, kwargs
|
||||||
|
|
||||||
|
from nova.network import linux_net
|
||||||
|
linux_net.iptables_manager.execute = fake_iptables_execute
|
||||||
|
|
||||||
self.fw.prepare_instance_filter(instance_ref)
|
self.fw.prepare_instance_filter(instance_ref)
|
||||||
self.fw.apply_instance_filter(instance_ref)
|
self.fw.apply_instance_filter(instance_ref)
|
||||||
|
|
||||||
in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
|
in_rules = filter(lambda l: not l.startswith('#'),
|
||||||
|
self.in_filter_rules)
|
||||||
for rule in in_rules:
|
for rule in in_rules:
|
||||||
if not 'nova' in rule:
|
if not 'nova' in rule:
|
||||||
self.assertTrue(rule in self.out_rules,
|
self.assertTrue(rule in self.out_rules,
|
||||||
@@ -422,17 +439,18 @@ class IptablesFirewallTestCase(test.TestCase):
|
|||||||
self.assertTrue(security_group_chain,
|
self.assertTrue(security_group_chain,
|
||||||
"The security group chain wasn't added")
|
"The security group chain wasn't added")
|
||||||
|
|
||||||
self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
|
regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT')
|
||||||
security_group_chain in self.out_rules,
|
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
||||||
"ICMP acceptance rule wasn't added")
|
"ICMP acceptance rule wasn't added")
|
||||||
|
|
||||||
self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
|
regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp '
|
||||||
'8 -j ACCEPT' % security_group_chain in self.out_rules,
|
'--icmp-type 8 -j ACCEPT')
|
||||||
|
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
||||||
"ICMP Echo Request acceptance rule wasn't added")
|
"ICMP Echo Request acceptance rule wasn't added")
|
||||||
|
|
||||||
self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
|
regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport '
|
||||||
'--dports 80:81 -j ACCEPT' % security_group_chain \
|
'--dports 80:81 -j ACCEPT')
|
||||||
in self.out_rules,
|
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
|
||||||
"TCP port 80/81 acceptance rule wasn't added")
|
"TCP port 80/81 acceptance rule wasn't added")
|
||||||
db.instance_destroy(admin_ctxt, instance_ref['id'])
|
db.instance_destroy(admin_ctxt, instance_ref['id'])
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user