    def setUp(self):
        """Build the port-security topology and queue four pings from port1.

        Each ping comes from a different builder (fake IP, fake MAC, the
        VM's own IP/MAC, an allowed address pair); the port policies from
        self._create_port_policies() decide which of them may get through.
        On any failure the topology is closed before the exception is
        re-raised.
        """
        super(TestPortSecApp, self).setUp()
        self.topology = None
        self.policy = None
        self._ping = None
        # Seed for ICMP identifiers (presumably); masked to 16 bits.
        self.icmp_id_cursor = int(time.mktime(time.gmtime())) & 0xffff
        try:
            self._init_topology()

            time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)

            port_policies = self._create_port_policies()
            ping_builders = (
                self._create_ping_using_fake_ip,
                self._create_ping_using_fake_mac,
                self._create_ping_using_vm_ip_mac,
                self._create_ping_using_allowed_address_pair,
            )
            initial_actions = [
                app_testing_objects.SendAction(
                    self.subnet.subnet_id, self.port1.port_id, build_ping)
                for build_ping in ping_builders
            ]
            self.policy = self.store(
                app_testing_objects.Policy(
                    initial_actions=initial_actions,
                    port_policies=port_policies,
                    unknown_port_action=app_testing_objects.IgnoreAction()))
        except Exception:
            # self.topology is only set once _init_topology() got that far.
            if self.topology:
                self.topology.close()
            raise
    def _create_port_policies(self, disable_rule=True):
        """Return per-port policies for the DHCP exchange driven by port1.

        port1 plays the DHCP client: an Offer triggers a Request, an Ack
        triggers (after a 5 s wait) a renewal Request, and a further Ack
        stops the simulation.  port2 must never see DHCP traffic, so any
        DHCP packet there raises.  IPv6 noise is ignored on both ports and
        anything else raises "Unexpected packet".

        :param disable_rule: when True the Offer rule disables itself after
            firing, so only the first Offer is answered with a Request.
        """
        ignore_action = app_testing_objects.IgnoreAction()

        def ignore_ipv6_rule():
            # A fresh rule object per policy, as in the hand-written lists.
            return app_testing_objects.PortPolicyRule(
                # Ignore IPv6 packets
                app_testing_objects.RyuIPv6Filter(),
                actions=[ignore_action])

        client_key = (self.subnet1.subnet_id, self.port1.port_id)
        on_offer = [
            app_testing_objects.SendAction(self.subnet1.subnet_id,
                                           self.port1.port_id,
                                           self._create_dhcp_request)
        ]
        if disable_rule:
            on_offer.append(app_testing_objects.DisableRuleAction())

        client_rules = [
            app_testing_objects.PortPolicyRule(
                # Detect dhcp offer, answer with a request
                app_testing_objects.RyuDHCPOfferFilter(),
                on_offer),
            app_testing_objects.PortPolicyRule(
                # Detect dhcp acknowledge, then send a renewal request
                app_testing_objects.RyuDHCPAckFilter(),
                actions=[
                    app_testing_objects.DisableRuleAction(),
                    app_testing_objects.WaitAction(5),
                    app_testing_objects.SendAction(
                        self.subnet1.subnet_id, self.port1.port_id,
                        self._create_dhcp_renewal_request),
                ]),
            app_testing_objects.PortPolicyRule(
                # Detect dhcp acknowledge (presumably of the renewal), stop
                app_testing_objects.RyuDHCPAckFilter(),
                actions=[
                    app_testing_objects.StopSimulationAction(),
                    app_testing_objects.DisableRuleAction()
                ]),
            ignore_ipv6_rule(),
        ]
        bystander_key = (self.subnet1.subnet_id, self.port2.port_id)
        bystander_rules = [
            app_testing_objects.PortPolicyRule(
                # Detect any DHCP packet leaking to port2
                app_testing_objects.RyuDHCPFilter(),
                actions=[
                    app_testing_objects.RaiseAction("Received DHCP packet")
                ]),
            ignore_ipv6_rule(),
        ]
        raise_action = app_testing_objects.RaiseAction("Unexpected packet")
        return {
            client_key: app_testing_objects.PortPolicy(
                rules=client_rules, default_action=raise_action),
            bystander_key: app_testing_objects.PortPolicy(
                rules=bystander_rules, default_action=raise_action),
        }
    def _update_policy(self):
        """Rebuild self.policy so that port1 and port2 each ping port3.

        The generated ICMP requests are kept on self.icmp_request1 and
        self.icmp_request2 (presumably so the port policies can recognise
        the replies -- confirm in _create_port_policies).
        """
        packet1, self.icmp_request1 = self._create_ping_packet(self.port1,
                                                               self.port3)
        packet2, self.icmp_request2 = self._create_ping_packet(self.port2,
                                                               self.port3)

        port_policies = self._create_port_policies()

        send_actions = [
            app_testing_objects.SendAction(self.subnet.subnet_id,
                                           source.port_id,
                                           packet.data)
            for source, packet in ((self.port1, packet1),
                                   (self.port2, packet2))
        ]
        self.policy = self.store(
            app_testing_objects.Policy(
                initial_actions=send_actions,
                port_policies=port_policies,
                unknown_port_action=app_testing_objects.IgnoreAction()))
 def setUp(self):
     """Create one subnet with two ports and queue a DHCP Discover on port1.

     The topology is registered with self.store() as soon as it exists;
     if a later step fails it is still closed explicitly here before the
     error propagates.
     """
     super(TestDHCPApp, self).setUp()
     self.topology = None
     self.policy = None
     try:
         self.topology = self.store(
             app_testing_objects.Topology(self.neutron, self.nb_api))
         self.subnet1 = self.topology.create_subnet(cidr='192.168.11.0/24')
         self.port1 = self.subnet1.create_port()
         self.port2 = self.subnet1.create_port()
         time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)
         # Create policy.  NOTE(review): the Discover is passed through
         # str(); whether that yields the wire bytes depends on what
         # _create_dhcp_discover returns -- confirm.
         discover = self._create_dhcp_discover()
         initial_actions = [
             app_testing_objects.SendAction(self.subnet1.subnet_id,
                                            self.port1.port_id,
                                            str(discover)),
         ]
         self.policy = self.store(
             app_testing_objects.Policy(
                 initial_actions=initial_actions,
                 port_policies=self._create_port_policies(),
                 unknown_port_action=app_testing_objects.IgnoreAction()))
     except Exception:
         if self.topology:
             self.topology.close()
         raise
 def test_icmp_ttl_packet_with_rate_limit(self):
     """Check that ICMP Time Exceeded replies from the router are rate limited.

     Four TTL=1 packets are sent back to back.  The rate-limit port policy
     built from router_ttl_invalid_max_rate bounds how many Time Exceeded
     replies are accepted, so waiting for the fourth must time out.  Any
     exception the policy recorded while running is re-raised so a wrong
     reply is not hidden behind the expected timeout.
     """
     rate_limit_policy = self._create_rate_limit_port_policies(
         cfg.CONF.df_l3_app.router_ttl_invalid_max_rate,
         app_testing_objects.RyuICMPTimeExceedFilter)
     # TTL of 1 expires at the first router hop.
     expiring_packet = self._create_packet(
         self.port2.port.get_logical_port().ip,
         ryu.lib.packet.ipv4.inet.IPPROTO_ICMP,
         ttl=1)
     send_expiring = app_testing_objects.SendAction(
         self.subnet1.subnet_id, self.port1.port_id, expiring_packet)
     policy = self.store(
         app_testing_objects.Policy(
             initial_actions=[send_expiring] * 4,
             port_policies=rate_limit_policy,
             unknown_port_action=app_testing_objects.IgnoreAction()))
     policy.start(self.topology)
     # Since the rate limit, we expect timeout to wait for 4th packet hit
     # the policy.
     self.assertRaises(app_testing_objects.TimeoutException, policy.wait,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
     if policy.exceptions:
         raise policy.exceptions[0]
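    def _create_port_policies(self, pc):
        """Return a forwarding policy for the ingress port of every port pair.

        Each port pair's ingress port gets one rule matching the chain's
        traffic (MPLS when self.corr is CORR_MPLS, otherwise UDP to
        DST_PORT) whose action sends on the pair's egress port using
        self._sf_callback; other traffic on the port is ignored.

        :param pc: port chain whose port_pair_groups are walked.
        :returns: dict mapping (subnet_id, ingress port_id) -> PortPolicy.
        """
        # One correlation type per chain, so a single filter instance is
        # shared by every rule (as before).
        if self.corr == sfc.CORR_MPLS:
            sf_filter = app_testing_objects.RyuMplsFilter()
        else:
            sf_filter = app_testing_objects.RyuUdpFilter(DST_PORT)

        policies = {}
        # Plain nested iteration; the enumerate() indices were unused.
        for ppg in pc.port_pair_groups:
            for pp in ppg.port_pairs:
                forward = app_testing_objects.SendAction(
                    self.subnet.subnet_id,
                    pp.egress.port_id,
                    self._sf_callback,
                )
                key = (self.subnet.subnet_id, pp.ingress.port_id)
                policies[key] = app_testing_objects.PortPolicy(
                    rules=[
                        app_testing_objects.PortPolicyRule(
                            sf_filter, actions=[forward]),
                    ],
                    default_action=app_testing_objects.IgnoreAction(),
                )
        return policies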
    def _create_policy_to_reply_arp_request(self):
        """Return a port policy answering ARP requests for the address pair.

        When an ARP request for self.allowed_address_pair_ip_address reaches
        self.port, a reply built by self._create_arp_response is sent; after
        a 5 s wait the rule disables itself and the simulation stops.  All
        other traffic on the port is ignored.
        """
        on_arp_request = [
            app_testing_objects.SendAction(
                self.subnet.subnet_id,
                self.port.port_id,
                self._create_arp_response
            ),
            app_testing_objects.WaitAction(5),
            app_testing_objects.DisableRuleAction(),
            app_testing_objects.StopSimulationAction()
        ]
        reply_rule = app_testing_objects.PortPolicyRule(
            # Detect arp requests for the allowed address pair
            app_testing_objects.OsKenARPRequestFilter(
                self.allowed_address_pair_ip_address
            ),
            actions=on_arp_request
        )
        port_key = (self.subnet.subnet_id, self.port.port_id)
        return {
            port_key: app_testing_objects.PortPolicy(
                rules=[reply_rule],
                default_action=app_testing_objects.IgnoreAction()
            ),
        }
 def test_nat_embedded_rate_limit(self):
     """Check that ICMP Unreachable errors on the DNAT path are rate limited.

     Four identical UDP packets towards the external gateway are sent back
     to back.  The rate-limit port policy built from
     dnat_icmp_error_max_rate bounds how many Unreachable replies are
     accepted, so waiting for the fourth must time out; any exception the
     policy recorded on the way is re-raised.
     """
     # Security groups are cleared on the port (presumably so the probe is
     # not filtered before it reaches the router -- confirm).
     self.port.port.update({"security_groups": []})
     probe = self._create_packet(
         self.topology.external_network.get_gw_ip(),
         ryu.lib.packet.ipv4.inet.IPPROTO_UDP)
     send_probe = app_testing_objects.SendAction(
         self.subnet.subnet_id, self.port.port_id, probe)
     rate_limit_policy = self._create_rate_limit_port_policies(
         cfg.CONF.df_dnat_app.dnat_icmp_error_max_rate,
         app_testing_objects.RyuICMPUnreachFilter)
     policy = self.store(
         app_testing_objects.Policy(
             initial_actions=[send_probe] * 4,
             port_policies=rate_limit_policy,
             unknown_port_action=app_testing_objects.IgnoreAction()))
     policy.start(self.topology)
     # Since the rate limit, we expect timeout to wait for 4th packet hit
     # the policy.
     self.assertRaises(
         app_testing_objects.TimeoutException,
         policy.wait,
         const.DEFAULT_RESOURCE_READY_TIMEOUT)
     if policy.exceptions:
         raise policy.exceptions[0]
    def test_dhcp_app_dos_block(self):
        """Check that a burst of DHCP Discovers gets the port blocked.

        Four Discovers are injected from port1 with the Offer rule left
        enabled (disable_rule=False).  The test passes once
        self._check_dhcp_block_rule finds the block rule in the integration
        bridge's flow dump, polled until DEFAULT_RESOURCE_READY_TIMEOUT.
        """
        def block_rule_installed():
            flows = test_utils.OvsFlowsParser().dump(self.integration_bridge)
            return self._check_dhcp_block_rule(flows)

        self._create_topology()
        send_discover = app_testing_objects.SendAction(
            self.subnet1.subnet_id,
            self.port1.port_id,
            self._create_dhcp_discover(),
        )
        policy = app_testing_objects.Policy(
            initial_actions=[send_discover] * 4,
            port_policies=self._create_port_policies(disable_rule=False),
            unknown_port_action=app_testing_objects.IgnoreAction())
        self.addCleanup(policy.close)

        policy.start(self.topology)
        # Poll (presumably every 1 s) until the predicate holds or the
        # timeout expires.
        test_utils.wait_until_true(block_rule_installed,
                                   const.DEFAULT_RESOURCE_READY_TIMEOUT, 1,
                                   None)
 def test_ttl_packet_rate_limit(self):
     """Check that ICMP Time Exceeded errors on the DNAT path are rate limited.

     Four TTL=1 ICMP packets towards the external gateway are sent back to
     back.  The rate-limit port policy built from dnat_ttl_invalid_max_rate
     bounds how many Time Exceeded replies are accepted, so waiting for the
     fourth must time out; any exception the policy recorded is re-raised.
     """
     # TTL of 1 expires at the first router hop.
     expiring_packet = self._create_packet(
         self.topology.external_network.get_gw_ip(),
         ryu.lib.packet.ipv4.inet.IPPROTO_ICMP,
         ttl=1)
     send_expiring = app_testing_objects.SendAction(
         self.subnet.subnet_id, self.port.port_id, expiring_packet)
     rate_limit_policy = self._create_rate_limit_port_policies(
         cfg.CONF.df_dnat_app.dnat_ttl_invalid_max_rate,
         app_testing_objects.RyuICMPTimeExceedFilter)
     policy = app_testing_objects.Policy(
         initial_actions=[send_expiring] * 4,
         port_policies=rate_limit_policy,
         unknown_port_action=app_testing_objects.IgnoreAction())
     self.addCleanup(policy.close)
     policy.start(self.topology)
     # Since the rate limit, we expect timeout to wait for 4th packet hit
     # the policy.
     self.assertRaises(
         app_testing_objects.TimeoutException,
         policy.wait,
         const.DEFAULT_RESOURCE_READY_TIMEOUT)
     if policy.exceptions:
         raise policy.exceptions[0]
 def setUp(self):
     """Create a two-port subnet and queue an ARP request from port1 to port2.

     port1's policy logs the ARP reply and stops the simulation, ignores
     IPv6 noise and raises on anything else.  Topology and policy are
     handed to self.store() only once both exist; if setup fails before
     that, the topology is closed here.
     """
     super(TestArpResponder, self).setUp()
     self.topology = None
     self.policy = None
     try:
         self.topology = app_testing_objects.Topology(
             self.neutron,
             self.nb_api)
         subnet1 = self.topology.create_subnet(cidr='192.168.10.0/24')
         port1 = subnet1.create_port()
         port2 = subnet1.create_port()
         time.sleep(test_utils.DEFAULT_CMD_TIMEOUT)
         # Create policy.  NOTE(review): the request is passed through
         # str(); whether that yields the wire bytes depends on what
         # _create_arp_request returns -- confirm.
         arp_request = self._create_arp_request(
             src_port=port1.port.get_logical_port(),
             dst_port=port2.port.get_logical_port(),
         )
         initial_actions = [
             app_testing_objects.SendAction(
                 subnet1.subnet_id,
                 port1.port_id,
                 str(arp_request),
             ),
         ]
         ignore_action = app_testing_objects.IgnoreAction()
         rules = [
             app_testing_objects.PortPolicyRule(
                 # Detect arp replies
                 app_testing_objects.RyuARPReplyFilter(),
                 actions=[
                     app_testing_objects.LogAction(),
                     app_testing_objects.StopSimulationAction()
                 ]
             ),
             app_testing_objects.PortPolicyRule(
                 # Ignore IPv6 packets
                 app_testing_objects.RyuIPv6Filter(),
                 actions=[ignore_action]
             ),
         ]
         port_policy = app_testing_objects.PortPolicy(
             rules=rules,
             default_action=app_testing_objects.RaiseAction(
                 "Unexpected packet"
             )
         )
         port_key = (subnet1.subnet_id, port1.port_id)
         self.policy = app_testing_objects.Policy(
             initial_actions=initial_actions,
             port_policies={port_key: port_policy},
             unknown_port_action=ignore_action
         )
     except Exception:
         if self.topology:
             self.topology.close()
         raise
     self.store(self.topology)
     self.store(self.policy)
    def setUp(self):
        """Create two routed subnets, one port each, and queue a ping from port1.

        The router joins subnet1 and subnet2, so a ping from port1 (built by
        self._create_ping_packet) crosses the router to reach port2.  The
        topology is stored as soon as it exists; on a later failure it is
        closed before the exception propagates.
        """
        super(TestL3App, self).setUp()
        self.topology = None
        self.policy = None
        self._ping = None
        try:
            self.topology = self.store(
                app_testing_objects.Topology(self.neutron, self.nb_api))
            self.subnet1 = self.topology.create_subnet(cidr='192.168.12.0/24')
            self.subnet2 = self.topology.create_subnet(cidr='192.168.13.0/24')
            self.port1 = self.subnet1.create_port()
            self.port2 = self.subnet2.create_port()
            self.router = self.topology.create_router([
                self.subnet1.subnet_id,
                self.subnet2.subnet_id,
            ])
            time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)

            port_policies = self._create_port_policies()
            send_ping = app_testing_objects.SendAction(
                self.subnet1.subnet_id, self.port1.port_id,
                self._create_ping_packet)
            self.policy = self.store(
                app_testing_objects.Policy(
                    initial_actions=[send_ping],
                    port_policies=port_policies,
                    unknown_port_action=app_testing_objects.IgnoreAction()))
        except Exception:
            if self.topology:
                self.topology.close()
            raise
    def test_nat_embedded_packet(self):
        """Send one UDP packet to the external gateway and check the ICMP reply.

        The port policy comes from self._create_icmp_test_port_policies
        with an ICMP Unreachable filter; any exception it records while the
        policy runs is re-raised after the wait.
        """
        # Security groups are cleared on the port (presumably so the probe
        # is not filtered before it reaches the router -- confirm).
        self.port.port.update({"security_groups": []})

        probe = self._create_packet(
            self.topology.external_network.get_gw_ip(),
            ryu.lib.packet.ipv4.inet.IPPROTO_UDP)
        send_probe = app_testing_objects.SendAction(
            self.subnet.subnet_id,
            self.port.port_id,
            probe,
        )
        policy = self.store(
            app_testing_objects.Policy(
                initial_actions=[send_probe],
                port_policies=self._create_icmp_test_port_policies(
                    app_testing_objects.RyuICMPUnreachFilter),
                unknown_port_action=app_testing_objects.IgnoreAction()))
        policy.start(self.topology)
        policy.wait(const.DEFAULT_RESOURCE_READY_TIMEOUT)
        if policy.exceptions:
            raise policy.exceptions[0]
 def setUp(self):
     """Create an IPv6 subnet with two ports and queue a Neighbor Solicitation.

     The host's default IPv6 DAD and router-solicitation settings are
     switched off via sysctl (as root) and the previous values are read
     into self.dad_conf / self.router_solicit_conf first.  Nothing in this
     method restores them -- presumably tearDown does, confirm.  Topology
     and policy are both closed through addCleanup.
     """
     super(TestNeighborAdvertiser, self).setUp()
     self.topology = None
     self.policy = None
     # Disable Duplicate Address Detection requests from the interface.
     # NOTE: net.ipv6.conf.default.* is the host-wide default applied to
     # every interface created afterwards, not only the test ports.
     self.dad_conf = utils.execute(
         ['sysctl', '-n', 'net.ipv6.conf.default.accept_dad'])
     utils.execute(['sysctl', '-w', 'net.ipv6.conf.default.accept_dad=0'],
                   run_as_root=True)
     # Disable Router Solicitation requests from the interface
     self.router_solicit_conf = utils.execute(
         ['sysctl', '-n', 'net.ipv6.conf.default.router_solicitations'])
     utils.execute(
         ['sysctl', '-w', 'net.ipv6.conf.default.router_solicitations=0'],
         run_as_root=True)
     self.topology = app_testing_objects.Topology(self.neutron, self.nb_api)
     self.addCleanup(self.topology.close)
     subnet1 = self.topology.create_subnet(cidr='1111:1111:1111::/64')
     port1 = subnet1.create_port()
     port2 = subnet1.create_port()
     time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)
     # Create Neighbor Solicitation packet
     solicitation = self._create_ns_request(
         src_port=port1.port.get_logical_port(),
         dst_port=port2.port.get_logical_port(),
     )
     send_solicitation = app_testing_objects.SendAction(
         subnet1.subnet_id,
         port1.port_id,
         solicitation,
     )
     ignore_action = app_testing_objects.IgnoreAction()
     rules = [
         app_testing_objects.PortPolicyRule(
             # Detect advertisements
             app_testing_objects.RyuNeighborAdvertisementFilter(),
             actions=[
                 app_testing_objects.LogAction(),
                 app_testing_objects.StopSimulationAction()
             ]),
         app_testing_objects.PortPolicyRule(
             # Filter local VM's Multicast requests
             app_testing_objects.RyuIpv6MulticastFilter(),
             actions=[ignore_action])
     ]
     port_policy = app_testing_objects.PortPolicy(
         rules=rules,
         default_action=app_testing_objects.RaiseAction("Unexpected packet"))
     port_key = (subnet1.subnet_id, port1.port_id)
     self.policy = app_testing_objects.Policy(
         initial_actions=[send_solicitation],
         port_policies={port_key: port_policy},
         unknown_port_action=ignore_action)
     self.addCleanup(self.policy.close)
    def _create_port_policies(self):
        """Return port policies for the permitted / non-permitted ping test.

        permit_port's ping must be answered (its pong ends the simulation);
        no_permit_port's ping must not be (a pong there raises).  port3 is
        the responder: it pongs the permitted ping once and raises if the
        non-permitted ping arrives.  The rules from
        self._get_filtering_rules() are appended to all three policies, and
        anything unmatched raises "Unexpected packet".
        """
        raise_action = app_testing_objects.RaiseAction("Unexpected packet")
        permit_key = (self.subnet.subnet_id, self.permit_port.port_id)
        permit_rules = [
            app_testing_objects.PortPolicyRule(
                # Detect pong, end simulation
                app_testing_objects.RyuICMPPongFilter(
                    self.permit_icmp_request, ethertype=self.ethertype),
                actions=[
                    app_testing_objects.DisableRuleAction(),
                    app_testing_objects.StopSimulationAction(),
                ]),
        ]
        no_permit_key = (self.subnet.subnet_id, self.no_permit_port.port_id)
        no_permit_rules = [
            app_testing_objects.PortPolicyRule(
                # Detect pong, raise unexpected packet exception
                app_testing_objects.RyuICMPPongFilter(
                    self.no_permit_icmp_request, self.ethertype),
                actions=[raise_action]),
        ]
        responder_key = (self.subnet.subnet_id, self.port3.port_id)
        responder_rules = [
            app_testing_objects.PortPolicyRule(
                # Detect ping from permit_port, reply with pong
                app_testing_objects.RyuICMPPingFilter(self.permit_icmp_request,
                                                      self.ethertype),
                actions=[
                    app_testing_objects.SendAction(self.subnet.subnet_id,
                                                   self.port3.port_id,
                                                   self._create_pong_packet),
                    app_testing_objects.DisableRuleAction(),
                ]),
            app_testing_objects.PortPolicyRule(
                # Detect ping from no_permit_port, raise unexpected packet
                app_testing_objects.RyuICMPPingFilter(
                    self.no_permit_icmp_request, self.ethertype),
                actions=[raise_action])
        ]
        # Shared filtering rules follow the port-specific ones on each port.
        filtering_rules = self._get_filtering_rules()
        keyed_rules = (
            (permit_key, permit_rules),
            (no_permit_key, no_permit_rules),
            (responder_key, responder_rules),
        )
        return {
            key: app_testing_objects.PortPolicy(
                rules=rules + filtering_rules,
                default_action=raise_action)
            for key, rules in keyed_rules
        }
 def _create_policy(self):
     """Return a cleanup-registered policy that pings 10.0.1.2 from port1."""
     port_policies = self._create_port_policies()
     ping = self._create_packet(
         '10.0.1.2', os_ken.lib.packet.ipv4.inet.IPPROTO_ICMP)
     send_ping = app_testing_objects.SendAction(self.subnet1.subnet_id,
                                                self.port1.port_id,
                                                ping)
     policy = app_testing_objects.Policy(
         initial_actions=[send_ping],
         port_policies=port_policies,
         unknown_port_action=app_testing_objects.IgnoreAction())
     self.addCleanup(policy.close)
     return policy
    def test_udp_virtual_router_interface_with_rate_limit(self):
        """Check ICMP Unreachable rate limiting on a virtual router interface.

        The concrete router-interface port for subnet1 is deleted from the
        northbound DB and the router is re-published from a snapshot that
        still carries the interface.  Four UDP packets to the interface
        address are then sent; the rate-limit port policy built from
        router_port_unreach_max_rate bounds how many Unreachable replies
        are accepted, so waiting for the fourth must time out.
        """
        if 'zmq_pubsub_driver' == cfg.CONF.df.pub_sub_driver:
            # NOTE(nick-ma-z): This test case directly calls nb_api which
            # relies on a publisher running on local process. In ZMQ driver,
            # a socket needs to be binded which causes conflicts with other
            # df-services. But in Redis driver, the publisher is virtual and
            # does not actually run which makes this test case work.
            self.skipTest("ZMQ_PUBSUB does not support this test case")
        # Delete the concrete router interface.
        interface = self.router.router_interfaces[self.subnet1.subnet_id]
        router_port_id = interface['port_id']
        topic = interface['tenant_id']
        self.nb_api.delete(l2.LogicalPort(id=router_port_id, topic=topic))
        lrouter = self.nb_api.get(
            l3.LogicalRouter(id=self.router.router.router_id, topic=topic))
        lrouter.version += 1
        # Snapshot after the version bump but before the port is removed.
        original_lrouter = copy.deepcopy(lrouter)
        lrouter.remove_router_port(router_port_id)
        self.nb_api.update(lrouter)
        # Update router with virtual router interface: re-publish the
        # snapshot with a further version bump (presumably so it is not
        # treated as stale -- confirm against nb_api's version handling).
        original_lrouter.version += 1
        self.nb_api.update(original_lrouter)

        time.sleep(const.DEFAULT_CMD_TIMEOUT)
        # Security groups are cleared on port1 (presumably so the probes are
        # not filtered before they reach the router -- confirm).
        self.port1.port.update({"security_groups": []})
        rate_limit_policy = self._create_rate_limit_port_policies(
            cfg.CONF.df_l3_app.router_port_unreach_max_rate,
            app_testing_objects.RyuICMPUnreachFilter)
        probe = self._create_packet(
            "192.168.12.1", ryu.lib.packet.ipv4.inet.IPPROTO_UDP)
        send_probe = app_testing_objects.SendAction(self.subnet1.subnet_id,
                                                    self.port1.port_id,
                                                    probe)

        policy = self.store(
            app_testing_objects.Policy(
                initial_actions=[send_probe] * 4,
                port_policies=rate_limit_policy,
                unknown_port_action=app_testing_objects.IgnoreAction()))
        policy.start(self.topology)
        # Since the rate limit, we expect timeout to wait for 4th packet hit
        # the policy.
        self.assertRaises(app_testing_objects.TimeoutException, policy.wait,
                          const.DEFAULT_RESOURCE_READY_TIMEOUT)
        if policy.exceptions:
            raise policy.exceptions[0]
 def _create_port_policies(self):
     """Return the port policies for a routed ping from port1 to port2.

     port1 (subnet1) waits for the pong matching self._get_ping and then
     stops the simulation; port2 (subnet2) answers the ping once with
     self._create_pong_packet.  Gratuitous ARP and IPv6 packets are
     ignored on both ports; anything else raises "Unexpected packet".
     """
     ignore_action = app_testing_objects.IgnoreAction()

     def background_noise_rules():
         # Fresh rule objects for each policy, as in the original literals.
         return [
             app_testing_objects.PortPolicyRule(
                 # Ignore gratuitous ARP packets
                 app_testing_objects.RyuARPGratuitousFilter(),
                 actions=[ignore_action]),
             app_testing_objects.PortPolicyRule(
                 # Ignore IPv6 packets
                 app_testing_objects.RyuIPv6Filter(),
                 actions=[ignore_action]),
         ]

     pinger_key = (self.subnet1.subnet_id, self.port1.port_id)
     pinger_rules = [
         app_testing_objects.PortPolicyRule(
             # Detect pong, end simulation
             app_testing_objects.RyuICMPPongFilter(self._get_ping),
             actions=[
                 app_testing_objects.DisableRuleAction(),
                 app_testing_objects.StopSimulationAction(),
             ]),
     ] + background_noise_rules()
     responder_key = (self.subnet2.subnet_id, self.port2.port_id)
     responder_rules = [
         app_testing_objects.PortPolicyRule(
             # Detect ping, reply with pong
             app_testing_objects.RyuICMPPingFilter(),
             actions=[
                 app_testing_objects.SendAction(self.subnet2.subnet_id,
                                                self.port2.port_id,
                                                self._create_pong_packet),
                 app_testing_objects.DisableRuleAction(),
             ]),
     ] + background_noise_rules()
     raise_action = app_testing_objects.RaiseAction("Unexpected packet")
     return {
         pinger_key: app_testing_objects.PortPolicy(
             rules=pinger_rules, default_action=raise_action),
         responder_key: app_testing_objects.PortPolicy(
             rules=responder_rules, default_action=raise_action),
     }
    def _create_allowed_address_pairs_policy(self):
        """Build the policy that pings port3 from port4.

        The generated ICMP request is kept on
        self.allowed_address_pairs_icmp_request (presumably so the port
        policies can recognise the reply -- confirm) and the policy on
        self.allowed_address_pairs_policy, registered for cleanup.
        """
        ping, self.allowed_address_pairs_icmp_request = \
            self._create_ping_packet(self.port4, self.port3)

        port_policies = self._create_allowed_address_pairs_port_policies()

        send_ping = app_testing_objects.SendAction(self.subnet.subnet_id,
                                                   self.port4.port_id,
                                                   ping.data)
        self.allowed_address_pairs_policy = app_testing_objects.Policy(
            initial_actions=[send_ping],
            port_policies=port_policies,
            unknown_port_action=app_testing_objects.IgnoreAction())
        self.addCleanup(self.allowed_address_pairs_policy.close)
 def _test_enable_dhcp(self):
     """Run the DHCP exchange from port1 via apps.start_policy.

     The port policies come from self._create_port_policies(); the policy
     is driven against self.topology with DEFAULT_RESOURCE_READY_TIMEOUT.
     """
     # Create policy
     send_discover = app_testing_objects.SendAction(
         self.subnet1.subnet_id,
         self.port1.port_id,
         self._create_dhcp_discover(),
     )
     policy = app_testing_objects.Policy(
         initial_actions=[send_discover],
         port_policies=self._create_port_policies(),
         unknown_port_action=app_testing_objects.IgnoreAction())
     self.addCleanup(policy.close)
     apps.start_policy(policy, self.topology,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
 def _test_disable_dhcp(self):
     """Send a DHCP Discover on port1 and expect no DHCP reply at all.

     Any DHCP packet seen on port1 raises "Received DHCP packet"; IPv6
     noise is ignored; anything else raises "Unexpected packet".  With no
     reply expected, policy.wait must time out; the policy is then stopped
     and any exception it recorded (e.g. a DHCP reply that did arrive) is
     re-raised.
     """
     send_discover = app_testing_objects.SendAction(
         self.subnet1.subnet_id,
         self.port1.port_id,
         self._create_dhcp_discover(),
     )
     raise_action = app_testing_objects.RaiseAction("Unexpected packet")
     rules = [
         app_testing_objects.PortPolicyRule(
             # Detect any DHCP packet
             app_testing_objects.OsKenDHCPFilter(),
             actions=[
                 app_testing_objects.RaiseAction("Received DHCP packet")
             ]
         ),
         app_testing_objects.PortPolicyRule(
             # Ignore IPv6 packets
             app_testing_objects.OsKenIPv6Filter(),
             actions=[app_testing_objects.IgnoreAction()]
         ),
     ]
     port_key = (self.subnet1.subnet_id, self.port1.port_id)
     policy = app_testing_objects.Policy(
         initial_actions=[send_discover],
         port_policies={
             port_key: app_testing_objects.PortPolicy(
                 rules=rules, default_action=raise_action),
         },
         unknown_port_action=app_testing_objects.IgnoreAction()
     )
     self.addCleanup(policy.close)
     policy.start(self.topology)
     # Since there is no dhcp response, we are expecting timeout
     # exception here.
     self.assertRaises(
         app_testing_objects.TimeoutException,
         policy.wait,
         const.DEFAULT_RESOURCE_READY_TIMEOUT)
     policy.stop()
     if policy.exceptions:
         raise policy.exceptions[0]
 def _test_icmp_address(self, dst_ip):
     """Ping dst_ip from port1 and drive the policy via apps.start_policy.

     :param dst_ip: destination address of the ICMP echo request.
     """
     port_policies = self._create_port_policies()
     ping = self._create_packet(
         dst_ip, ryu.lib.packet.ipv4.inet.IPPROTO_ICMP)
     send_ping = app_testing_objects.SendAction(
         self.subnet1.subnet_id,
         self.port1.port_id,
         ping,
     )
     policy = self.store(
         app_testing_objects.Policy(
             initial_actions=[send_ping],
             port_policies=port_policies,
             unknown_port_action=app_testing_objects.IgnoreAction()))
     apps.start_policy(policy, self.topology,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
    def test_sfc(self):
        """Send a UDP packet through the service chain and wait for the final
        form of it at the destination port.

        The initial payload is 64 ``'0'`` characters; the packet expected at
        the destination carries ``str(len(self.layout))`` repeated 64 times
        (the chain ports' behaviour comes from ``_create_port_policies``).
        """
        def udp_frame(payload):
            # Fresh headers per call so the two frames share no objects.
            return self._get_bytes(
                self._gen_ethernet() /
                self._gen_ipv4(proto=inet.IPPROTO_UDP) /
                self._gen_udp(src_port=SRC_PORT, dst_port=DST_PORT) /
                payload)

        initial_packet = udp_frame('0' * 64)
        final_packet = udp_frame(str(len(self.layout)) * 64)

        fc = self.store(
            objects.FlowClassifierTestObj(self.neutron, self.nb_api))
        fc.create({'logical_source_port': self.src_port.port.port_id})
        pc = self._create_pc(fc, self.layout)
        time.sleep(_QUICK_RESOURCE_READY_TIMEOUT)

        # Destination port: stop as soon as the expected final packet shows
        # up; everything else arriving there is ignored.
        stop_on_final = app_testing_objects.PortPolicyRule(
            app_testing_objects.ExactMatchFilter(final_packet),
            actions=[app_testing_objects.StopSimulationAction()],
        )
        dst_key = (self.subnet.subnet_id, self.dst_port.port_id)
        port_policies = {
            dst_key: app_testing_objects.PortPolicy(
                rules=[stop_on_final],
                default_action=app_testing_objects.IgnoreAction(),
            ),
        }
        port_policies.update(self._create_port_policies(pc))

        send_initial = app_testing_objects.SendAction(
            self.subnet.subnet_id,
            self.src_port.port_id,
            initial_packet,
        )
        policy = self.store(
            app_testing_objects.Policy(
                initial_actions=[send_initial],
                port_policies=port_policies,
                unknown_port_action=app_testing_objects.LogAction()))
        policy.start(self.topology)
        policy.wait(10)

        if policy.exceptions:
            raise policy.exceptions[0]
 def test_icmp_ttl_packet(self):
     """Send an ICMP packet with TTL=1 towards the external gateway.

     The port policies are built around ``OsKenICMPTimeExceedFilter`` by
     ``self._create_icmp_test_port_policies``, i.e. the sending port is
     expected to get an ICMP Time Exceeded back.
     """
     gw_ip = self.topology.external_network.get_gw_ip()
     expired_ttl_packet = self._create_packet(
         gw_ip,
         os_ken.lib.packet.ipv4.inet.IPPROTO_ICMP,
         ttl=1)
     send_packet = app_testing_objects.SendAction(
         self.subnet.subnet_id,
         self.port.port_id,
         expired_ttl_packet,
     )
     port_policies = self._create_icmp_test_port_policies(
         app_testing_objects.OsKenICMPTimeExceedFilter)
     policy = app_testing_objects.Policy(
         initial_actions=[send_packet],
         port_policies=port_policies,
         unknown_port_action=app_testing_objects.IgnoreAction())
     self.addCleanup(policy.close)
     apps.start_policy(policy, self.topology,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
    def test_dhcp_app_dos_block(self):
        """Burst DHCP discovers from port1 and wait for the DHCP app's block
        rule to show up in the OVS flow table.

        Four discovers are queued back to back with the offer rule left
        enabled (``disable_rule=False``).  ``_check_dhcp_block_rule`` is then
        polled against ``OvsFlowsParser().dump()`` via ``wait_until_true``
        (arguments ``30, 1, None`` — presumably timeout and poll interval).
        """
        def block_rule_installed():
            flows = test_utils.OvsFlowsParser().dump()
            return self._check_dhcp_block_rule(flows)

        discover = str(self._create_dhcp_discover())
        send_discover = app_testing_objects.SendAction(
            self.subnet1.subnet_id, self.port1.port_id, discover)

        port_policies = self._create_port_policies(disable_rule=False)
        policy = self.store(
            app_testing_objects.Policy(
                # Same action object four times, i.e. a burst of discovers.
                initial_actions=[send_discover] * 4,
                port_policies=port_policies,
                unknown_port_action=app_testing_objects.IgnoreAction()))

        policy.start(self.topology)
        wait_until_true(block_rule_installed, 30, 1, None)
 def test_udp_concrete_router_interface(self):
     """Send a UDP datagram to a concrete router interface and expect an
     ICMP unreachable back.

     By default fullstack starts the l3 agent, so the router interface is
     concrete.  The security groups of port1 are cleared first —
     presumably so the default SG rules do not filter the probe or the
     ICMP reply (confirm against the SG app behaviour).
     """
     self.port1.port.update({"security_groups": []})
     port_policies = self._create_icmp_test_port_policies(
         app_testing_objects.RyuICMPUnreachFilter)
     udp_probe = self._create_packet(
         "192.168.12.1", ryu.lib.packet.ipv4.inet.IPPROTO_UDP)
     send_probe = app_testing_objects.SendAction(
         self.subnet1.subnet_id,
         self.port1.port_id,
         udp_probe,
     )
     policy = self.store(
         app_testing_objects.Policy(
             initial_actions=[send_probe],
             port_policies=port_policies,
             unknown_port_action=app_testing_objects.IgnoreAction()))
     apps.start_policy(policy, self.topology,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
 def test_router_extra_route(self):
     """Add a static route to the router and probe its destination.

     A fresh port on subnet1 serves as the next hop; the router gets a
     route for 30.0.0.0/24 through that port's IP, and an ICMP packet to
     30.0.0.12 is sent from port1.  What must be observed on the next-hop
     port is defined by ``self._create_extra_route_policies``.
     """
     nexthop_port = self.subnet1.create_port()
     nexthop_ip = nexthop_port.port.get_logical_port().ip
     extra_route = {"nexthop": nexthop_ip, "destination": "30.0.0.0/24"}
     self.router.router.update({"routes": [extra_route]})
     # Give the router update time to take effect before probing.
     time.sleep(const.DEFAULT_CMD_TIMEOUT)
     port_policies = self._create_extra_route_policies(nexthop_port)
     probe = self._create_packet(
         "30.0.0.12", ryu.lib.packet.ipv4.inet.IPPROTO_ICMP)
     send_probe = app_testing_objects.SendAction(
         self.subnet1.subnet_id, self.port1.port_id, probe)
     policy = self.store(
         app_testing_objects.Policy(
             initial_actions=[send_probe],
             port_policies=port_policies,
             unknown_port_action=app_testing_objects.IgnoreAction()))
     apps.start_policy(policy, self.topology,
                       const.DEFAULT_RESOURCE_READY_TIMEOUT)
    def test_fc(self):
        """Flow-classifier check: the packet matched by ``self._fc_params``
        must reach the destination port as ``self._final_packet``.

        ``_create_pc(fc, [1])`` builds the chain from a one-element layout;
        the destination port policy stops the simulation on an exact match
        of the expected final packet, and ``_create_port_policies(pc)``
        supplies the behaviour of the chain ports.
        """
        fc = self.store(
            objects.FlowClassifierTestObj(self.neutron, self.nb_api))
        fc.create(self._fc_params)
        pc = self._create_pc(fc, [1])
        time.sleep(_QUICK_RESOURCE_READY_TIMEOUT)

        stop_on_final = app_testing_objects.PortPolicyRule(
            app_testing_objects.ExactMatchFilter(self._final_packet),
            actions=[app_testing_objects.StopSimulationAction()],
        )
        dst_key = (self.subnet.subnet_id, self.dst_port.port_id)
        port_policies = {
            dst_key: app_testing_objects.PortPolicy(
                rules=[stop_on_final],
                default_action=app_testing_objects.IgnoreAction(),
            ),
        }
        port_policies.update(self._create_port_policies(pc))

        send_initial = app_testing_objects.SendAction(
            self.subnet.subnet_id,
            self.src_port.port_id,
            self._initial_packet,
        )
        policy = self.store(
            app_testing_objects.Policy(
                initial_actions=[send_initial],
                port_policies=port_policies,
                unknown_port_action=app_testing_objects.LogAction()))
        policy.start(self.topology)
        policy.wait(10)

        if policy.exceptions:
            raise policy.exceptions[0]
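    def test_reconnect_of_controller(self):
        """Detach the OpenFlow controller from the integration bridge, check
        that traffic is no longer handled, then reattach it and check recovery.

        The controller target is read with ``ovs-vsctl get-controller`` and
        re-installed both inline and via ``addCleanup``, so a failure in the
        detached phase cannot leave the bridge without a controller for the
        rest of the test run.
        """
        bridge = cfg.CONF.df.integration_bridge
        controller = utils.execute(
            ["ovs-vsctl", "get-controller", bridge], run_as_root=True).strip()
        # Restore the controller even if an assertion below fails; otherwise
        # a failing run leaves the bridge detached and every later test in
        # the process runs against a dead datapath.  set-controller is
        # idempotent, so running it again at cleanup is harmless.
        self.addCleanup(
            utils.execute,
            ["ovs-vsctl", "set-controller", bridge, controller],
            run_as_root=True)
        utils.execute(["ovs-vsctl", "del-controller", bridge],
                      run_as_root=True)

        dst_ip = self.port2.port.get_logical_port().ip
        port_policies = self._create_port_policies(connected=False)
        initial_packet = self._create_packet(
            dst_ip, ryu.lib.packet.ipv4.inet.IPPROTO_ICMP)
        policy = self.store(
            app_testing_objects.Policy(
                initial_actions=[
                    app_testing_objects.SendAction(
                        self.subnet1.subnet_id,
                        self.port1.port_id,
                        initial_packet,
                    ),
                ],
                port_policies=port_policies,
                unknown_port_action=app_testing_objects.IgnoreAction()))
        policy.start(self.topology)
        # With no controller attached the vswitch has no OpenFlow rules, so
        # the wait must time out.
        self.assertRaises(app_testing_objects.TimeoutException, policy.wait,
                          const.DEFAULT_RESOURCE_READY_TIMEOUT)
        policy.stop()
        if policy.exceptions:
            raise policy.exceptions[0]

        utils.execute(["ovs-vsctl", "set-controller", bridge, controller],
                      run_as_root=True)
        # Let the controller reconnect and re-install flows before probing.
        time.sleep(apps.CONTROLLER_RECONNECT_TIMEOUT)
        self._test_icmp_address(dst_ip)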
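    def _create_port_policies(self, disable_rule=True):
        """Build the per-port policies for the DHCP offer/ack exchange.

        port1 plays the DHCP client: an offer triggers a DHCP request; the
        first ack (which must carry the logical switch's MTU in the
        interface-MTU option) triggers a renewal request after a short wait;
        the ack for the renewal ends the simulation.  port2 must see no DHCP
        traffic at all; anything else unexpected on either port raises.

        :param disable_rule: when True (the default) the offer rule disables
            itself after firing once, so a second offer falls through to the
            default (raise) action instead of being answered again.
        :returns: dict mapping ``(subnet_id, port_id)`` to a PortPolicy.
        """
        ignore_action = app_testing_objects.IgnoreAction()
        raise_action = app_testing_objects.RaiseAction("Unexpected packet")

        offer_actions = [
            app_testing_objects.SendAction(self.subnet1.subnet_id,
                                           self.port1.port_id,
                                           self._create_dhcp_request)
        ]
        if disable_rule:
            offer_actions.append(app_testing_objects.DisableRuleAction())

        # The filter's own ``self`` shadows the test case inside the class.
        testclass = self

        class DHCPAckFilterVerifiesMTU(app_testing_objects.RyuDHCPAckFilter):
            """DHCP ack filter that also asserts the interface-MTU option."""

            def __init__(self, expected_mtu):
                super(DHCPAckFilterVerifiesMTU, self).__init__()
                self.expected_mtu = expected_mtu

            def __call__(self, buf):
                result = super(DHCPAckFilterVerifiesMTU, self).__call__(buf)
                if not result:
                    return result
                pkt = ryu.lib.packet.packet.Packet(buf)
                pkt_dhcp_protocol = pkt.get_protocol(dhcp.dhcp)
                for option in pkt_dhcp_protocol.options.option_list:
                    if option.tag == dhcp.DHCP_INTERFACE_MTU_OPT:
                        # The option value is a big-endian 16-bit MTU.
                        (mtu,) = struct.unpack('!H', option.value)
                        testclass.assertEqual(self.expected_mtu, mtu)
                return result

        # The advertised MTU is expected to match the MTU of the logical
        # switch port1 is attached to.
        lport1 = self.port1.port.get_logical_port()
        lswitch = self.nb_api.get(lport1.lswitch)
        expected_mtu = lswitch.mtu

        key1 = (self.subnet1.subnet_id, self.port1.port_id)
        rules1 = [
            app_testing_objects.PortPolicyRule(
                # DHCP offer -> answer with a DHCP request
                app_testing_objects.RyuDHCPOfferFilter(),
                offer_actions),
            app_testing_objects.PortPolicyRule(
                # First DHCP ack -> disable this rule, wait, then send a
                # renewal request.  Assumes rules are tried in order and
                # the first match wins, so the renewal's ack reaches the
                # rule below rather than this one.
                DHCPAckFilterVerifiesMTU(expected_mtu),
                actions=[
                    app_testing_objects.DisableRuleAction(),
                    app_testing_objects.WaitAction(5),
                    app_testing_objects.SendAction(
                        self.subnet1.subnet_id, self.port1.port_id,
                        self._create_dhcp_renewal_request),
                ]),
            app_testing_objects.PortPolicyRule(
                # DHCP ack for the renewal -> done
                DHCPAckFilterVerifiesMTU(expected_mtu),
                actions=[
                    app_testing_objects.StopSimulationAction(),
                    app_testing_objects.DisableRuleAction()
                ]),
            app_testing_objects.PortPolicyRule(
                # Ignore IPv6 packets
                app_testing_objects.RyuIPv6Filter(),
                actions=[ignore_action]),
        ]

        key2 = (self.subnet1.subnet_id, self.port2.port_id)
        rules2 = [
            app_testing_objects.PortPolicyRule(
                # port2 is not the DHCP client: any DHCP packet seen here
                # fails the test.
                app_testing_objects.RyuDHCPFilter(),
                actions=[
                    app_testing_objects.RaiseAction("Received DHCP packet")
                ]),
            app_testing_objects.PortPolicyRule(
                # Ignore IPv6 packets
                app_testing_objects.RyuIPv6Filter(),
                actions=[ignore_action]),
        ]

        return {
            key1: app_testing_objects.PortPolicy(rules=rules1,
                                                 default_action=raise_action),
            key2: app_testing_objects.PortPolicy(rules=rules2,
                                                 default_action=raise_action),
        }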