Beispiel #1
 def __init__(self, namespace=None):
     """Create the iptables, ipset and conntrack helpers and empty state.

     :param namespace: forwarded unchanged as ``namespace=`` to
         IptablesManager, IpsetManager and get_conntrack(); None by
         default.
     """
     # IPv6 rule handling follows netutils.is_ipv6_enabled() as sampled
     # at construction time; state_less=True is passed through as-is.
     self.iptables = iptables_manager.IptablesManager(
         state_less=True,
         use_ipv6=netutils.is_ipv6_enabled(),
         namespace=namespace)
     # TODO(majopela, shihanzhang): refactor out ipset to a separate
     # driver composed over this one
     self.ipset = ipset_manager.IpsetManager(namespace=namespace)
     # Ports that have a security group applied (dict; the key/value
     # schema is not visible here -- presumably keyed by device id,
     # confirm against the callers).
     self.filtered_ports = {}
     self.unfiltered_ports = {}
     self.trusted_ports = []
     # get_conntrack() is handed the two dict objects themselves, not
     # copies. If it keeps those references, rebinding the attributes to
     # new dicts later would leave it looking at stale data.
     self.ipconntrack = ip_conntrack.get_conntrack(
         self.iptables.get_rules_for_table,
         self.filtered_ports,
         self.unfiltered_ports,
         namespace=namespace,
         zone_per_port=self.CONNTRACK_ZONE_PER_PORT)
     # Runs after self.iptables exists; per its name it sets up the
     # fallback chain for IPv4 and IPv6 (body not shown here).
     self._add_fallback_chain_v4v6()
     # Deferred-apply bookkeeping: a flag plus two slots that stay None
     # until something outside this block fills them (presumably
     # snapshots of the port dicts -- confirm).
     self._defer_apply = False
     self._pre_defer_filtered_ports = None
     self._pre_defer_unfiltered_ports = None
     # Security group rules for ports residing on this host (dict)
     self.sg_rules = {}
     self.pre_sg_rules = None
     # Security group member ips for ports residing on this host:
     # two-level defaultdict whose leaves are lists, so a lookup of an
     # unknown key creates an empty entry instead of raising KeyError.
     self.sg_members = collections.defaultdict(
         lambda: collections.defaultdict(list))
     self.pre_sg_members = None
     # Operator switch read once from the [SECURITYGROUP] config group;
     # later changes to the option are not picked up by this instance.
     self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
     self.updated_rule_sg_ids = set()
     self.updated_sg_members = set()
     self.devices_with_updated_sg_members = collections.defaultdict(list)
     # Starts empty; filled elsewhere (presumably a cache of protocol
     # names as iptables prints them -- confirm).
     self._iptables_protocol_name_map = {}
     # NOTE(review): presumably verifies that bridged traffic is handed
     # to netfilter (the bridge-nf-call sysctls). If that is off, the
     # rules built by this driver would never see bridged frames, so
     # confirm what the method does when the check fails.
     self._check_netfilter_for_bridges()
Beispiel #2
 def __init__(self, namespace=None):
     """Create the iptables, ipset and conntrack helpers and empty state.

     :param namespace: forwarded unchanged as ``namespace=`` to
         IptablesManager, IpsetManager and IpConntrackManager; None by
         default.
     """
     # IPv6 rule handling follows ipv6_utils.is_enabled() as sampled at
     # construction time.
     self.iptables = iptables_manager.IptablesManager(
         use_ipv6=ipv6_utils.is_enabled(), namespace=namespace)
     # TODO(majopela, shihanzhang): refactor out ipset to a separate
     # driver composed over this one
     self.ipset = ipset_manager.IpsetManager(namespace=namespace)
     # The conntrack manager gets the bound method self.get_device_zone
     # as a callback, so zone lookups come back to this driver.
     self.ipconntrack = ip_conntrack.IpConntrackManager(
         self.get_device_zone, namespace=namespace)
     # Called before the port dicts below exist, so it can only rely on
     # the attributes assigned above (body not shown here).
     self._populate_initial_zone_map()
     # Ports that have a security group applied (dict; the key/value
     # schema is not visible here -- presumably keyed by device id,
     # confirm against the callers).
     self.filtered_ports = {}
     self.unfiltered_ports = {}
     # Per its name, sets up the fallback chain for IPv4 and IPv6
     # (body not shown here).
     self._add_fallback_chain_v4v6()
     # Deferred-apply bookkeeping: a flag plus two slots that stay None
     # until something outside this block fills them.
     self._defer_apply = False
     self._pre_defer_filtered_ports = None
     self._pre_defer_unfiltered_ports = None
     # Security group rules for ports residing on this host (dict)
     self.sg_rules = {}
     self.pre_sg_rules = None
     # Security group member ips for ports residing on this host:
     # two-level defaultdict whose leaves are lists, so a lookup of an
     # unknown key creates an empty entry instead of raising KeyError.
     self.sg_members = collections.defaultdict(
         lambda: collections.defaultdict(list))
     self.pre_sg_members = None
     # Operator switch read once from the [SECURITYGROUP] config group.
     self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
     # Starts False; nothing in this block enables or checks netfilter
     # for bridges (presumably done lazily elsewhere -- confirm, since
     # bridged traffic that bypasses netfilter is not filtered).
     self._enabled_netfilter_for_bridges = False
     self.updated_rule_sg_ids = set()
     self.updated_sg_members = set()
     # NOTE(review): the attribute name is spelled "udpated". Every
     # reader and writer must use the same spelling; a rename has to
     # touch all of them at once or updates are silently lost.
     self.devices_with_udpated_sg_members = collections.defaultdict(list)
Beispiel #3
 def setUp(self):
     """Prepare an IpsetManager whose ``execute`` method is a mock.

     Calls that the manager makes through ``execute`` are recorded by
     the mock (kept in ``self.execute``) instead of reaching the real
     method, so the tests can compare them with ``self.expected_calls``.
     """
     super(BaseIpsetManagerTest, self).setUp()
     manager = ipset_manager.IpsetManager()
     self.ipset = manager
     # Patch only this instance. The patcher is started without a
     # matching stop here; presumably the base class cleans up with
     # mock.patch.stopall -- confirm.
     execute_patcher = mock.patch.object(manager, "execute")
     self.execute = execute_patcher.start()
     self.expected_calls = []
     self.expect_create()
     self.force_sorted_get_set_ips()
Beispiel #4
    def _create_ipset_manager_and_set(self, dst_ns, set_name):
        """Return an IpsetManager for *dst_ns* after creating *set_name*.

        The manager is built with this test's ``root_helper`` and the
        namespace name taken from ``dst_ns.namespace``; the set is
        created with the module's ``IPSET_ETHERTYPE``.
        """
        manager_kwargs = dict(
            root_helper=self.root_helper,
            namespace=dst_ns.namespace,
        )
        manager = ipset_manager.IpsetManager(**manager_kwargs)
        # _create_set is a private method of the manager; it is called
        # directly here to get the set in place before the test runs.
        manager._create_set(set_name, IPSET_ETHERTYPE)
        return manager
Beispiel #5
 def __init__(self, namespace=None):
     """Create the iptables and ipset helpers and empty driver state.

     :param namespace: only stored on ``self.namespace`` in this block;
         unlike ``root_helper`` it is not passed to IptablesManager or
         IpsetManager here.
     """
     # Read once from the [AGENT] config group and handed to both
     # managers. NOTE(review): presumably the privilege-escalation
     # prefix for the commands they run, so the configured value should
     # be a narrowly scoped wrapper rather than unrestricted root --
     # confirm against the deployment.
     self.root_helper = cfg.CONF.AGENT.root_helper
     self.iptables = iptables_manager.IptablesManager(
         root_helper=self.root_helper, use_ipv6=ipv6_utils.is_enabled())
     # TODO(majopela, shihanzhang): refactor out ipset to a separate
     # driver composed over this one
     self.ipset = ipset_manager.IpsetManager(root_helper=self.root_helper)
     # Ports that have a security group applied (dict; the key/value
     # schema is not visible here -- presumably keyed by device id,
     # confirm against the callers).
     self.filtered_ports = {}
     # Per its name, sets up the fallback chain for IPv4 and IPv6
     # (body not shown here).
     self._add_fallback_chain_v4v6()
     # Deferred-apply bookkeeping: a flag plus a slot that stays None
     # until something outside this block fills it.
     self._defer_apply = False
     self._pre_defer_filtered_ports = None
     # Security group rules for ports residing on this host (dict)
     self.sg_rules = {}
     self.pre_sg_rules = None
     # Security group member ips for ports residing on this host.
     # Plain dict: a lookup of an unknown key raises KeyError.
     self.sg_members = {}
     self.pre_sg_members = None
     self.ipset_chains = {}
     # Operator switch read once from the [SECURITYGROUP] config group.
     self.enable_ipset = cfg.CONF.SECURITYGROUP.enable_ipset
     self.defer_sg_rules = {}
     self.defer_sgs = {}
     # Pool of zone numbers still free (presumably conntrack zones --
     # confirm). xrange is Python 2 only, and its end bound is
     # exclusive, so constants.MAX_VLAN_TAG itself is not in the pool.
     self.available_local_zones = set(
         xrange(constants.MIN_VLAN_TAG, constants.MAX_VLAN_TAG))
     self.local_zone_map = {}
     self.namespace = namespace
 def setUp(self):
     """Prepare an IpsetManager whose ``execute`` method is a mock.

     The manager is built with ``root_helper`` set to the literal
     'sudo'. Its ``execute`` method is replaced by a mock kept in
     ``self.execute``, so calls are recorded there instead of reaching
     the real method.
     """
     super(BaseIpsetManagerTest, self).setUp()
     self.root_helper = 'sudo'
     manager = ipset_manager.IpsetManager(root_helper=self.root_helper)
     self.ipset = manager
     # Patch only this instance. The patcher is started without a
     # matching stop here; presumably the base class cleans up with
     # mock.patch.stopall -- confirm.
     execute_patcher = mock.patch.object(manager, "execute")
     self.execute = execute_patcher.start()
     self.expected_calls = []
     self.expect_create()
Beispiel #7
 def setUp(self, maxelem=None, hashsize=None):
     """Prepare a mocked IpsetManager under the given ipset limits.

     :param maxelem: value forced onto the [AGENT] ``ipset_maxelem``
         option and kept on ``self.maxelem``.
     :param hashsize: value forced onto the [AGENT] ``ipset_hashsize``
         option and kept on ``self.hashsize``.
     """
     super(BaseIpsetManagerTest, self).setUp()
     cfg.CONF.register_opts(a_cfg.IPSET_OPTS, 'AGENT')
     # The overrides are applied before the manager is constructed
     # below, so a manager that reads them at construction sees them.
     overrides = (
         ('ipset_maxelem', maxelem),
         ('ipset_hashsize', hashsize),
     )
     for option_name, option_value in overrides:
         cfg.CONF.set_override(option_name, option_value, 'AGENT')
     self.maxelem, self.hashsize = maxelem, hashsize
     manager = ipset_manager.IpsetManager()
     self.ipset = manager
     # Patch only this instance; calls made through execute are
     # recorded by the mock instead of reaching the real method.
     execute_patcher = mock.patch.object(manager, "execute")
     self.execute = execute_patcher.start()
     self.expected_calls = []
     self.expect_create()