    def create_network_policy_with_multiple_rules(self, rules):
        """Create a NetworkPolicy with one PolicyRuleType per entry of ``rules``.

        Each element of ``rules`` is a dict.  Required keys: ``src``, ``dst``
        (passed through self.frame_rule_addresses), ``direction`` and
        ``protocol``.  Optional: ``src-port`` / ``dst-port``, which default to
        PortType(-1, -1) -- the same value the other rules in this file use,
        presumably "any port" (verify against the schema).  ``action`` is read
        only when get_service_list() returns nothing; when a service list is
        attached, any explicit ``action`` in the dict is silently ignored, so
        callers must not rely on it to restrict traffic in that case.
        Mirroring is enabled when get_mirror_service() returns an analyzer name.

        Both the rule uuids and the policy name are fresh uuid4 strings.  The
        policy is created via the vnc API and the NetworkPolicy object returned.
        Raises KeyError when a required key is absent.
        """
        def build_rule(rule):
            # Resolve endpoints and attached services first, then the action.
            src_addr = self.frame_rule_addresses(rule["src"])
            dst_addr = self.frame_rule_addresses(rule["dst"])
            services = self.get_service_list(rule)
            analyzer = self.get_mirror_service(rule)
            src_port = rule.get("src-port", PortType(-1, -1))
            dst_port = rule.get("dst-port", PortType(-1, -1))

            actions = ActionListType()
            if analyzer:
                actions.mirror_to = MirrorActionType(analyzer_name=analyzer)
            if services:
                # A service chain takes precedence; rule["action"] is not consulted.
                actions.apply_service = services
            else:
                actions.simple_action = rule["action"]

            return PolicyRuleType(
                rule_uuid=str(uuid.uuid4()),
                direction=rule["direction"],
                protocol=rule["protocol"],
                src_addresses=[src_addr],
                dst_addresses=[dst_addr],
                src_ports=[src_port],
                dst_ports=[dst_port],
                action_list=actions)

        entries = PolicyEntriesType([build_rule(rule) for rule in rules])
        policy = NetworkPolicy(str(uuid.uuid4()), network_policy_entries=entries)
        self._vnc_lib.network_policy_create(policy)
        return policy
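 def _create_policy(self, policy_name, proj_obj, src_vn_obj, dst_vn_obj):
     """Create or update NetworkPolicy ``policy_name`` under ``proj_obj`` so it
     allows all traffic between ``src_vn_obj`` and ``dst_vn_obj``.

     The policy is given exactly one rule: direction '<>', protocol 'any',
     PortType(-1, -1) on both sides (the value this file uses elsewhere as the
     port default, presumably "any port") and simple_action 'pass'.  This is a
     broad bidirectional allow between the two networks; make sure that is the
     intended exposure.  set_network_policy_entries() replaces any entries an
     existing policy already carried -- it does not append to them.

     Returns the NetworkPolicy object that was created or updated.  NoIdError
     from the initial read is treated as "does not exist yet"; any other vnc
     API error propagates.
     """
     policy_obj = NetworkPolicy(name=policy_name, parent_obj=proj_obj)
     try:
         # Prefer the server-side object so the update carries its identity.
         policy_obj = self._vnc_lib.network_policy_read(
             fq_name=policy_obj.get_fq_name())
         policy_exists = True
     except NoIdError:
         # Policy does not exist yet; the locally built object will be created.
         policy_exists = False

     network_policy_entries = PolicyEntriesType([
         PolicyRuleType(
             direction='<>',
             action_list=ActionListType(simple_action='pass'),
             protocol='any',
             src_addresses=[
                 AddressType(virtual_network=src_vn_obj.get_fq_name_str())
             ],
             src_ports=[PortType(-1, -1)],
             dst_addresses=[
                 AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
             ],
             dst_ports=[PortType(-1, -1)])
     ])
     policy_obj.set_network_policy_entries(network_policy_entries)

     # Fix: the entries were set on policy_obj, so policy_obj is what must be
     # sent.  The original updated the freshly built local object, which had
     # no entries set, so an already-existing policy was never rewritten.
     if policy_exists:
         self._vnc_lib.network_policy_update(policy_obj)
     else:
         self._vnc_lib.network_policy_create(policy_obj)
     return policy_obj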
 def _create_policy_entry(self, src_vn_obj, dst_vn_obj):
     """Build (but do not persist) a PolicyRuleType allowing all traffic
     between ``src_vn_obj`` and ``dst_vn_obj``.

     The rule is direction '<>', protocol 'any', PortType(-1, -1) on both
     sides (presumably "any port" -- matches the rest of this file) and
     simple_action 'pass', i.e. a broad bidirectional allow between the two
     virtual networks.  Nothing is written to the API here.
     """
     allow_all = ActionListType(simple_action='pass')
     src_endpoint = AddressType(virtual_network=src_vn_obj.get_fq_name_str())
     dst_endpoint = AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
     return PolicyRuleType(
         direction='<>',
         action_list=allow_all,
         protocol='any',
         src_addresses=[src_endpoint],
         src_ports=[PortType(-1, -1)],
         dst_addresses=[dst_endpoint],
         dst_ports=[PortType(-1, -1)],
     )
    def test_security_logging_object_with_network_policy_update(self):
        """A rule added to a NetworkPolicy referenced by a SecurityLoggingObject
        must appear in the SLO's rule list, and vanish once the policy is
        detached.

        Flow: VN + empty policy -> SLO (rate 300) referencing the policy with
        no per-policy rule list -> one 'pass' rule added to the policy -> expect
        exactly one SLO entry for that rule carrying the SLO-level rate 300 ->
        detach the policy -> expect no entries -> cleanup and confirm the VN is
        gone.  Order of the API calls matters; do not reorder.
        """
        vnet = self.create_virtual_network(self.id() + 'vn1', "10.1.1.0/24")

        policy = self.create_network_policy_with_multiple_rules([])
        policy_fqn = policy.get_fq_name_str()
        vnet.set_network_policy(
            policy, VirtualNetworkPolicyType(SequenceType(1, 1)))
        self._vnc_lib.virtual_network_update(vnet)

        project = self._vnc_lib.project_read(
            fq_name=[u'default-domain', u'default-project'])
        slo = SecurityLoggingObject(name=self.id() + '_slo1',
                                    parent_obj=project,
                                    security_logging_object_rate=300)
        self._vnc_lib.security_logging_object_create(slo)
        self.wait_to_get_object(SecurityLoggingObjectST, slo.get_fq_name_str())

        # Attach with no explicit rule list, so the rules come from the policy.
        slo.add_network_policy(policy, None)
        self._vnc_lib.security_logging_object_update(slo)

        # Test rule: tcp 11.0.0.0/24 -> 10.0.0.0/24, every port, IPv4, pass.
        rule_uuid = str(uuid.uuid4())
        allow_tcp = ActionListType()
        allow_tcp.simple_action = 'pass'
        tcp_rule = PolicyRuleType(
            rule_uuid=rule_uuid,
            direction='>',
            protocol='tcp',
            src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
            src_ports=[PortType(0, 65535)],
            dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
            dst_ports=[PortType(0, 65535)],
            ether_type='IPv4',
            action_list=allow_tcp)
        policy.set_network_policy_entries(PolicyEntriesType([tcp_rule]))
        self._vnc_lib.network_policy_update(policy)

        slo = self._vnc_lib.security_logging_object_read(
            fq_name=slo.get_fq_name())
        # The entry is expected to inherit the SLO rate (300), not a rule rate.
        expected = [SecurityLoggingObjectRuleEntryType(rule_uuid, rate=300)]
        self.check_rules_in_slo(
            SecurityLoggingObjectST.get(slo.get_fq_name_str()),
            policy_fqn, expected)

        # Detaching the policy must drop its rules from the SLO.
        slo.del_network_policy(policy)
        self._vnc_lib.security_logging_object_update(slo)
        self.check_rules_in_slo(
            SecurityLoggingObjectST.get(slo.get_fq_name_str()), None, [])

        # cleanup: policy before VN, SLO last, then confirm the VN is gone
        self.delete_network_policy(policy, auto_policy=True)
        self._vnc_lib.virtual_network_delete(fq_name=vnet.get_fq_name())
        self._vnc_lib.security_logging_object_delete(
            fq_name=slo.get_fq_name())
        self.check_vn_is_deleted(uuid=vnet.uuid)
    def test_security_logging_object_with_network_policy_update(self):
        """Rules of a NetworkPolicy attached to a SecurityLoggingObject show up
        in the SLO's rule list and are removed when the policy is detached.

        Same scenario as the sibling test but resolving SecurityLoggingObjectST
        through ``config_db`` (for the wait) and ``to_bgp`` (for the lookups).
        Steps: VN + empty policy -> SLO rate 300 referencing the policy with no
        rule list -> add one 'pass' rule -> expect one entry with rate 300 ->
        detach -> expect none -> cleanup.  API call order is significant.
        """
        vn_name = self.id() + 'vn1'
        vn1 = self.create_virtual_network(vn_name, "10.1.1.0/24")

        np = self.create_network_policy_with_multiple_rules([])
        np_fqdn = np.get_fq_name_str()
        vn1.set_network_policy(np, VirtualNetworkPolicyType(SequenceType(1, 1)))
        self._vnc_lib.virtual_network_update(vn1)

        project = self._vnc_lib.project_read(
            fq_name=[u'default-domain', u'default-project'])
        slo_obj = SecurityLoggingObject(
            name=self.id() + '_slo1',
            parent_obj=project,
            security_logging_object_rate=300)
        self._vnc_lib.security_logging_object_create(slo_obj)
        self.wait_to_get_object(config_db.SecurityLoggingObjectST,
                                slo_obj.get_fq_name_str())

        # No per-policy rule list: the SLO takes its rules from the policy.
        slo_obj.add_network_policy(np, None)
        self._vnc_lib.security_logging_object_update(slo_obj)

        # Single test rule: tcp 11.0.0.0/24 -> 10.0.0.0/24, all ports, pass.
        npr_uuid = str(uuid.uuid4())
        pass_action = ActionListType()
        pass_action.simple_action = 'pass'
        rule_kwargs = dict(
            rule_uuid=npr_uuid,
            direction='>',
            protocol='tcp',
            src_addresses=[AddressType(subnet=SubnetType('11.0.0.0', 24))],
            src_ports=[PortType(0, 65535)],
            dst_addresses=[AddressType(subnet=SubnetType('10.0.0.0', 24))],
            dst_ports=[PortType(0, 65535)],
            ether_type='IPv4',
            action_list=pass_action,
        )
        np.set_network_policy_entries(
            PolicyEntriesType([PolicyRuleType(**rule_kwargs)]))
        self._vnc_lib.network_policy_update(np)

        slo_obj = self._vnc_lib.security_logging_object_read(
            fq_name=slo_obj.get_fq_name())
        # Expected: the rule appears once, at the SLO-level rate of 300.
        expected_rules = [SecurityLoggingObjectRuleEntryType(npr_uuid, rate=300)]
        st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
        self.check_rules_in_slo(st_slo, np_fqdn, expected_rules)

        # After detaching the policy, the SLO must hold no rules at all.
        slo_obj.del_network_policy(np)
        self._vnc_lib.security_logging_object_update(slo_obj)
        st_slo = to_bgp.SecurityLoggingObjectST.get(slo_obj.get_fq_name_str())
        self.check_rules_in_slo(st_slo, None, [])

        # cleanup: policy first, then VN, then SLO
        self.delete_network_policy(np, auto_policy=True)
        self._vnc_lib.virtual_network_delete(fq_name=vn1.get_fq_name())
        self._vnc_lib.security_logging_object_delete(
            fq_name=slo_obj.get_fq_name())

        # confirm the VN really is gone
        self.check_vn_is_deleted(uuid=vn1.uuid)