x/python-ganttclient
Code Issues Proposed changes

Add an apply_instance_filter method to NWFilter driver.

Browse Source 
Adjust unit tests for both firewall drivers to actually exercise these
code paths.
This commit is contained in:
Soren Hansen
2011-01-19 09:39:22 +00:00
committed by Tarmac
parent 554a296ddd eefc71aadf
commit 38387cc231
1 changed files with 35 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
nova/tests/test_virt.py
View File

@@ -228,12 +228,6 @@ class IptablesFirewallTestCase(test.TestCase):
self.manager.delete_user(self.user) self.manager.delete_user(self.user)
super(IptablesFirewallTestCase, self).tearDown() super(IptablesFirewallTestCase, self).tearDown()
def _p(self, *args, **kwargs):
if 'iptables-restore' in args:
print ' '.join(args), kwargs['stdin']
if 'iptables-save' in args:
return
in_rules = [ in_rules = [
'# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010', '# Generated by iptables-save v1.4.4 on Mon Dec 6 11:54:13 2010',
'*filter', '*filter',
@@ -255,11 +249,21 @@ class IptablesFirewallTestCase(test.TestCase):
'# Completed on Mon Dec 6 11:54:13 2010', '# Completed on Mon Dec 6 11:54:13 2010',
] ]
in6_rules = [
'# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
'*filter',
':INPUT ACCEPT [349155:75810423]',
':FORWARD ACCEPT [0:0]',
':OUTPUT ACCEPT [349256:75777230]',
'COMMIT',
'# Completed on Tue Jan 18 23:47:56 2011'
]
def test_static_filters(self): def test_static_filters(self):
self.fw.execute = self._p
instance_ref = db.instance_create(self.context, instance_ref = db.instance_create(self.context,
{'user_id': 'fake', {'user_id': 'fake',
'project_id': 'fake'}) 'project_id': 'fake',
'mac_address': '56:12:12:12:12:12'})
ip = '10.11.12.13' ip = '10.11.12.13'
network_ref = db.project_get_network(self.context, network_ref = db.project_get_network(self.context,
@@ -304,18 +308,31 @@ class IptablesFirewallTestCase(test.TestCase):
secgroup['id']) secgroup['id'])
instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])
self.fw.add_instance(instance_ref) # self.fw.add_instance(instance_ref)
def fake_iptables_execute(cmd, process_input=None):
if cmd == 'sudo ip6tables-save -t filter':
return '\n'.join(self.in6_rules), None
if cmd == 'sudo iptables-save -t filter':
return '\n'.join(self.in_rules), None
if cmd == 'sudo iptables-restore':
self.out_rules = process_input.split('\n')
return '', ''
if cmd == 'sudo ip6tables-restore':
self.out6_rules = process_input.split('\n')
return '', ''
self.fw.execute = fake_iptables_execute
out_rules = self.fw.modify_rules(self.in_rules) self.fw.prepare_instance_filter(instance_ref)
self.fw.apply_instance_filter(instance_ref)
in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
for rule in in_rules: for rule in in_rules:
if not 'nova' in rule: if not 'nova' in rule:
self.assertTrue(rule in out_rules, self.assertTrue(rule in self.out_rules,
'Rule went missing: %s' % rule) 'Rule went missing: %s' % rule)
instance_chain = None instance_chain = None
for rule in out_rules: for rule in self.out_rules:
# This is pretty crude, but it'll do for now # This is pretty crude, but it'll do for now
if '-d 10.11.12.13 -j' in rule: if '-d 10.11.12.13 -j' in rule:
instance_chain = rule.split(' ')[-1] instance_chain = rule.split(' ')[-1]
@@ -323,7 +340,7 @@ class IptablesFirewallTestCase(test.TestCase):
self.assertTrue(instance_chain, "The instance chain wasn't added") self.assertTrue(instance_chain, "The instance chain wasn't added")
security_group_chain = None security_group_chain = None
for rule in out_rules: for rule in self.out_rules:
# This is pretty crude, but it'll do for now # This is pretty crude, but it'll do for now
if '-A %s -j' % instance_chain in rule: if '-A %s -j' % instance_chain in rule:
security_group_chain = rule.split(' ')[-1] security_group_chain = rule.split(' ')[-1]
@@ -332,16 +349,16 @@ class IptablesFirewallTestCase(test.TestCase):
"The security group chain wasn't added") "The security group chain wasn't added")
self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \ self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
security_group_chain in out_rules, security_group_chain in self.out_rules,
"ICMP acceptance rule wasn't added") "ICMP acceptance rule wasn't added")
self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type' self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
' 8 -j ACCEPT' % security_group_chain in out_rules, '8 -j ACCEPT' % security_group_chain in self.out_rules,
"ICMP Echo Request acceptance rule wasn't added") "ICMP Echo Request acceptance rule wasn't added")
self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport ' self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
'--dports 80:81 -j ACCEPT' % security_group_chain \ '--dports 80:81 -j ACCEPT' % security_group_chain \
in out_rules, in self.out_rules,
"TCP port 80/81 acceptance rule wasn't added") "TCP port 80/81 acceptance rule wasn't added")
@@ -476,5 +493,6 @@ class NWFilterTestCase(test.TestCase):
self.fw.setup_basic_filtering(instance) self.fw.setup_basic_filtering(instance)
self.fw.prepare_instance_filter(instance) self.fw.prepare_instance_filter(instance)
self.fw.apply_instance_filter(instance)
_ensure_all_called() _ensure_all_called()
self.teardown_security_group() self.teardown_security_group()