x/python-ganttclient
Code Issues Proposed changes

Add source-group filtering.

Browse Source 
Move refresh to be triggered by allocation and deallocation of IP's rather than creation/destruction of instances.

There really needs a way to use ipsets for this, but it's not widely supported yet (went into mainline linux at 2.6.39), so this implementation just uses regular iptables.
This commit is contained in:
Soren Hansen
2011-08-14 04:17:48 +00:00
committed by Tarmac
parent 4e841d1add 1a32a3ea62
commit ed79192a33
2 changed files with 37 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
nova/tests/test_libvirt.py
View File

@@ -71,12 +71,12 @@ def _create_network_info(count=1, ipv6=None):
return [(network, mapping) for x in xrange(0, count)] return [(network, mapping) for x in xrange(0, count)]
def _setup_networking(instance_id, ip='1.2.3.4'): def _setup_networking(instance_id, ip='1.2.3.4', mac='56:12:12:12:12:12'):
ctxt = context.get_admin_context() ctxt = context.get_admin_context()
network_ref = db.project_get_networks(ctxt, network_ref = db.project_get_networks(ctxt,
'fake', 'fake',
associate=True)[0] associate=True)[0]
vif = {'address': '56:12:12:12:12:12', vif = {'address': mac,
'network_id': network_ref['id'], 'network_id': network_ref['id'],
'instance_id': instance_id} 'instance_id': instance_id}
vif_ref = db.virtual_interface_create(ctxt, vif) vif_ref = db.virtual_interface_create(ctxt, vif)
@@ -884,7 +884,11 @@ class IptablesFirewallTestCase(test.TestCase):
def test_static_filters(self): def test_static_filters(self):
instance_ref = self._create_instance_ref() instance_ref = self._create_instance_ref()
_setup_networking(instance_ref['id'], self.test_ip) src_instance_ref = self._create_instance_ref()
src_ip = '10.11.12.14'
src_mac = '56:12:12:12:12:13'
_setup_networking(instance_ref['id'], self.test_ip, src_mac)
_setup_networking(src_instance_ref['id'], src_ip)
admin_ctxt = context.get_admin_context() admin_ctxt = context.get_admin_context()
secgroup = db.security_group_create(admin_ctxt, secgroup = db.security_group_create(admin_ctxt,
@@ -893,6 +897,12 @@ class IptablesFirewallTestCase(test.TestCase):
'name': 'testgroup', 'name': 'testgroup',
'description': 'test group'}) 'description': 'test group'})
src_secgroup = db.security_group_create(admin_ctxt,
{'user_id': 'fake',
'project_id': 'fake',
'name': 'testsourcegroup',
'description': 'src group'})
db.security_group_rule_create(admin_ctxt, db.security_group_rule_create(admin_ctxt,
{'parent_group_id': secgroup['id'], {'parent_group_id': secgroup['id'],
'protocol': 'icmp', 'protocol': 'icmp',
@@ -914,9 +924,19 @@ class IptablesFirewallTestCase(test.TestCase):
'to_port': 81, 'to_port': 81,
'cidr': '192.168.10.0/24'}) 'cidr': '192.168.10.0/24'})
db.security_group_rule_create(admin_ctxt,
{'parent_group_id': secgroup['id'],
'protocol': 'tcp',
'from_port': 80,
'to_port': 81,
'group_id': src_secgroup['id']})
db.instance_add_security_group(admin_ctxt, instance_ref['id'], db.instance_add_security_group(admin_ctxt, instance_ref['id'],
secgroup['id']) secgroup['id'])
db.instance_add_security_group(admin_ctxt, src_instance_ref['id'],
src_secgroup['id'])
instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])
src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id'])
# self.fw.add_instance(instance_ref) # self.fw.add_instance(instance_ref)
def fake_iptables_execute(*cmd, **kwargs): def fake_iptables_execute(*cmd, **kwargs):
@@ -969,17 +989,22 @@ class IptablesFirewallTestCase(test.TestCase):
self.assertTrue(security_group_chain, self.assertTrue(security_group_chain,
"The security group chain wasn't added") "The security group chain wasn't added")
regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT') regex = re.compile('-A .* -j ACCEPT -p icmp -s 192.168.11.0/24')
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
"ICMP acceptance rule wasn't added") "ICMP acceptance rule wasn't added")
regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp ' regex = re.compile('-A .* -j ACCEPT -p icmp -m icmp --icmp-type 8'
'--icmp-type 8 -j ACCEPT') ' -s 192.168.11.0/24')
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
"ICMP Echo Request acceptance rule wasn't added") "ICMP Echo Request acceptance rule wasn't added")
regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport ' regex = re.compile('-A .* -j ACCEPT -p tcp -m multiport '
'--dports 80:81 -j ACCEPT') '--dports 80:81 -s %s' % (src_ip,))
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
"TCP port 80/81 acceptance rule wasn't added")
regex = re.compile('-A .* -j ACCEPT -p tcp '
'-m multiport --dports 80:81 -s 192.168.10.0/24')
self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, self.assertTrue(len(filter(regex.match, self.out_rules)) > 0,
"TCP port 80/81 acceptance rule wasn't added") "TCP port 80/81 acceptance rule wasn't added")
db.instance_destroy(admin_ctxt, instance_ref['id']) db.instance_destroy(admin_ctxt, instance_ref['id'])

4
nova/tests/test_network.py
View File

@@ -210,7 +210,11 @@ class VlanNetworkTestCase(test.TestCase):
self.mox.StubOutWithMock(db, 'fixed_ip_update') self.mox.StubOutWithMock(db, 'fixed_ip_update')
self.mox.StubOutWithMock(db, self.mox.StubOutWithMock(db,
'virtual_interface_get_by_instance_and_network') 'virtual_interface_get_by_instance_and_network')
self.mox.StubOutWithMock(db, 'instance_get')
db.instance_get(mox.IgnoreArg(),
mox.IgnoreArg()).AndReturn({'security_groups':
[{'id': 0}]})
db.fixed_ip_associate_pool(mox.IgnoreArg(), db.fixed_ip_associate_pool(mox.IgnoreArg(),
mox.IgnoreArg(), mox.IgnoreArg(),
mox.IgnoreArg()).AndReturn('192.168.0.1') mox.IgnoreArg()).AndReturn('192.168.0.1')