def get_allowed_denied_vr_vm(self, allowed_vr_ip, vm_nic_uuid):
        '''
        Pick the two source VR vms used by a PF (port forwarding) port test.

        The VR vm that owns allowed_vr_ip is the allowed source. The denied
        source is whatever _find_denied_vr returns for the allowed VR's
        cluster and L3 network after the excluded VR uuids are removed.

        @param allowed_vr_ip: IP used to look up the allowed VR vm and its nic.
        @param vm_nic_uuid: uuid of the target vm nic; when falsy, only the
            allowed VR itself is excluded.
        @return: allowed_vr, denied_vr
        '''
        source_vr = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        source_l3_uuid = test_lib.lib_get_nic_by_ip(allowed_vr_ip).l3NetworkUuid

        # VRs that must never be handed back as the denied source.
        excluded_vr_uuids = [source_vr.uuid]
        if vm_nic_uuid:
            # The target vm's own VR is excluded, otherwise the IP packet
            # would be routed to this VR directly.
            # NOTE(review): only the first VR found on the nic's L3 network
            # is excluded -- confirm that L3 never has more than one VR.
            target_l3_uuid = test_lib.lib_get_nic_by_uuid(vm_nic_uuid).l3NetworkUuid
            excluded_vr_uuids.append(
                test_lib.lib_find_vr_by_l3_uuid(target_l3_uuid)[0].uuid)

        return source_vr, _find_denied_vr(source_vr.clusterUuid,
                                          source_l3_uuid, excluded_vr_uuids)
    def get_allowed_denied_vr_vm(self, allowed_vr_ip, vm_nic_uuid):
        '''
        Return the allowed and the denied source VR vm for PF port testing.

        The allowed VR vm is the one found by allowed_vr_ip. The denied VR vm
        comes from _find_denied_vr, called with the allowed VR's cluster, the
        L3 network of the allowed VR nic and the list of VR uuids to skip.

        @param allowed_vr_ip: IP of the allowed VR; used for both the vm and
            the nic lookup.
        @param vm_nic_uuid: target vm nic uuid. If it is empty or None no
            further VR is added to the skip list.
        @return: allowed_vr, denied_vr
        '''
        allowed_vr = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        allowed_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
        allowed_l3 = allowed_nic.l3NetworkUuid

        skip_uuids = [allowed_vr.uuid]
        if vm_nic_uuid:
            # target_vm's VR should be excluded, otherwise the IP packet will
            # be routed to this VR directly.
            # NOTE(review): lib_find_vr_by_l3_uuid(...)[0] takes the first
            # result only -- presumably one VR per L3 network; verify.
            target_nic = test_lib.lib_get_nic_by_uuid(vm_nic_uuid)
            target_vrs = test_lib.lib_find_vr_by_l3_uuid(target_nic.l3NetworkUuid)
            skip_uuids.append(target_vrs[0].uuid)

        denied_vr = _find_denied_vr(allowed_vr.clusterUuid, allowed_l3, skip_uuids)
        return allowed_vr, denied_vr
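    def check(self):
        '''
        Check that a TCP port forwarding rule lets the allowed source reach
        only the forwarded ports and keeps another source off every port.

        check will assume the target vm only has 1 port forwarding VR, so all
        of the vm's PF rules are assigned to 1 VM nic.

        The allowed source is the VR vm found by the address part of the
        rule's allowedCidr. The denied source is the VR vm returned by
        _find_denied_vr. When _sg_rule_exist is true for the nic, only the
        allowed source is probed, with an empty allowed-port list and
        all_ports as the denied list.

        @return: the value of self.judge(test_result)
        '''
        super(zstack_vcenter_pf_tcp_checker, self).check()
        test_result = True
        target_vm = self.test_obj.get_target_vm().vm
        pf_rule = self.test_obj.get_port_forwarding()
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        all_ports = port_header.all_ports
        # only open ports when VM is running.
        if self.test_obj.get_target_vm().state == vm_header.RUNNING:
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_nic.l3NetworkUuid)
        # consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart, pf_rule.vipPortEnd)

        # check SG ingress limitation. Since SG rule will not consider vip as
        # allowedCidr, if there is ingress limitation, the ingress PF
        # connection will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)

        # Only the address part of allowedCidr is used for the lookups below.
        # NOTE(review): this assumes that address belongs to a VR vm -- confirm
        # for rules whose allowedCidr is wider than a single host.
        allowed_cidr = pf_rule.allowedCidr
        allowed_vr_ip = allowed_cidr.split('/')[0]
        allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
        l3_uuid = vr_nic.l3NetworkUuid

        # target_vm's VRs should be excluded, otherwise the IP packet will be
        # routed to this VR directly.
        allowed_vr_uuid_list = [allowed_vr_vm.uuid]
        allowed_vr_uuid_list.extend(
            pf_vr.uuid for pf_vr in test_lib.lib_find_vr_by_vm(target_vm))

        denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid, allowed_vr_uuid_list)
        denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)

        vip_uuid = pf_rule.vipUuid
        cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
        vip_ip = res_ops.query_resource(res_ops.VIP, cond)[0].ip

        # Every probe below turns an Exception into test_result = False.
        # `except Exception` is used rather than a bare `except` so that
        # KeyboardInterrupt and SystemExit abort the run instead of being
        # recorded as a port forwarding failure.
        # NOTE(review): any Exception raised by the probe is counted, not only
        # a port state mismatch; when exp_result is False an unrelated error
        # cannot be told apart from the expected outcome.
        if sg_tcp_ingress_flag:
            test_util.test_logger('SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s' % target_vm.uuid)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vip_ip, [], all_ports, target_vm)
            except Exception:
                # Print the cause here as the other branches do; otherwise
                # the reason for the failure is lost.
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. " % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            # Allowed source: forwarded ports open, all other ports closed.
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vip_ip, allowed_ports, denied_ports, target_vm)
            except Exception:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s " % (pf_rule.uuid, target_vm.uuid))

            # Denied source: no port at all may be reachable through the VIP.
            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vip_ip, [], all_ports, target_vm)
            except Exception:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s" % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (pf_rule.uuid, target_vm.uuid))

        test_util.test_logger('Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s' % (target_vm.uuid, vm_nic.uuid))
        return self.judge(test_result)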
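    def check(self):
        '''
        Check that a TCP port forwarding rule lets the allowed source reach
        only the forwarded ports and keeps another source off every port.

        check will assume the target vm only has 1 port forwarding VR, so all
        of the vm's PF rules are assigned to 1 VM nic.

        The allowed source is the VR vm found by the address part of the
        rule's allowedCidr. The denied source is the VR vm returned by
        _find_denied_vr. When _sg_rule_exist is true for the nic, only the
        allowed source is probed, with an empty allowed-port list and
        all_ports as the denied list.

        @return: the value of self.judge(test_result)
        '''
        super(zstack_kvm_pf_tcp_checker, self).check()
        test_result = True
        target_vm = self.test_obj.get_target_vm().vm
        pf_rule = self.test_obj.get_port_forwarding()
        vm_nic = test_lib.lib_get_nic_by_uuid(pf_rule.vmNicUuid)
        all_ports = port_header.all_ports
        # only open ports when VM is running.
        if self.test_obj.get_target_vm().state == vm_header.RUNNING:
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports,
                                              vm_nic.l3NetworkUuid)
        # consolidate rules for TCP/UDP/ICMP with different AllowedCidr
        rule_port = port_header.get_port_rule(pf_rule.vipPortStart,
                                              pf_rule.vipPortEnd)

        # check SG ingress limitation. Since SG rule will not consider vip as
        # allowedCidr, if there is ingress limitation, the ingress PF
        # connection will be blocked.
        sg_tcp_ingress_flag = _sg_rule_exist(vm_nic, inventory.TCP, pf_rule)

        # Only the address part of allowedCidr is used for the lookups below.
        # NOTE(review): this assumes that address belongs to a VR vm -- confirm
        # for rules whose allowedCidr is wider than a single host.
        allowed_cidr = pf_rule.allowedCidr
        allowed_vr_ip = allowed_cidr.split('/')[0]
        allowed_vr_vm = test_lib.lib_get_vm_by_ip(allowed_vr_ip)
        vr_nic = test_lib.lib_get_nic_by_ip(allowed_vr_ip)
        l3_uuid = vr_nic.l3NetworkUuid

        # target_vm's VRs should be excluded, otherwise the IP packet will be
        # routed to this VR directly.
        allowed_vr_uuid_list = [allowed_vr_vm.uuid]
        allowed_vr_uuid_list.extend(
            pf_vr.uuid for pf_vr in test_lib.lib_find_vr_by_vm(target_vm))

        denied_vr_vm = _find_denied_vr(target_vm.clusterUuid, l3_uuid,
                                       allowed_vr_uuid_list)
        denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)

        vip_uuid = pf_rule.vipUuid
        cond = res_ops.gen_query_conditions('uuid', '=', vip_uuid)
        vip_ip = res_ops.query_resource(res_ops.VIP, cond)[0].ip

        # Every probe below turns an Exception into test_result = False.
        # `except Exception` is used rather than a bare `except` so that
        # KeyboardInterrupt and SystemExit abort the run instead of being
        # recorded as a port forwarding failure.
        # NOTE(review): any Exception raised by the probe is counted, not only
        # a port state mismatch; when exp_result is False an unrelated error
        # cannot be told apart from the expected outcome.
        if sg_tcp_ingress_flag:
            test_util.test_logger(
                'SG TCP Ingress rule existence. PF TCP ingress rule will be blocked for [vm:] %s'
                % target_vm.uuid)
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
                                                      allowed_vr_ip, vip_ip, [],
                                                      all_ports, target_vm)
            except Exception:
                # Print the cause here as the other branches do; otherwise
                # the reason for the failure is lost.
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s, when SG rule exists. "
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
        else:
            allowed_ports = port_header.get_ports(rule_port)
            denied_ports = list_ops.list_minus(all_ports, allowed_ports)
            # Allowed source: forwarded ports open, all other ports closed.
            try:
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm,
                                                      allowed_vr_ip, vip_ip,
                                                      allowed_ports,
                                                      denied_ports, target_vm)
            except Exception:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger(
                    "Checking pass for Port Forwarding TCP [rule:] %s for allowed Cidr from [vm:] %s "
                    % (pf_rule.uuid, target_vm.uuid))

            # Denied source: no port at all may be reachable through the VIP.
            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm,
                                                      denied_vr_ip, vip_ip, [],
                                                      all_ports, target_vm)
            except Exception:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger(
                    "Catch failure when checking Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s"
                    % (pf_rule.uuid, target_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            else:
                test_util.test_logger(
                    "Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. "
                    % (pf_rule.uuid, target_vm.uuid))

        test_util.test_logger(
            'Check result: [Port Forwarding] finishes TCP testing for [vm:] %s [nic:] %s'
            % (target_vm.uuid, vm_nic.uuid))
        return self.judge(test_result)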