Example #1
    def test_empty_ipsets(self):
        """
        Update the IPv4 ipsets from an empty rule list and compare the stub
        ipset state with expected_ipsets.
        """
        # Live ipset names followed by their temporary counterparts, in the
        # positional order update_ipsets is called with.
        set_names = ("ipset_addr", "ipset_port", "ipset_icmp",
                     "tmp_ipset_addr", "tmp_ipset_port", "tmp_ipset_icmp")
        no_rules = []

        # presumably registers the sets in both the stub and the expected
        # state - confirm against create_ipsets
        self.create_ipsets("inet")

        frules.update_ipsets(IPV4, "Description : blah", "whatever", no_rules,
                             *set_names)

        # This test adds nothing to expected_ipsets itself.
        stub_ipsets.check_state(expected_ipsets)
Example #2
    def test_exception(self):
        """
        Run update_ipsets while the stubbed ipset add raises FailedSystemCall.
        """
        set_names = ("ipset_addr", "ipset_port", "ipset_icmp",
                     "tmp_ipset_addr", "tmp_ipset_port", "tmp_ipset_icmp")
        rules = [{'cidr': "1.2.3.4/24"}]

        self.create_ipsets("inet")

        # Every call to the stub's add() raises for the duration of the update.
        add_failure = FailedSystemCall("oops", [], 1, "", "")
        patched_add = mock.patch('calico.felix.test.stub_ipsets.add',
                                 side_effect=add_failure)
        with patched_add:
            # No assertRaises wraps this call, so the test only passes if the
            # failure does not propagate out of update_ipsets.
            frules.update_ipsets(IPV4, "description", "suffix", rules,
                                 *set_names)

        # This test adds nothing to expected_ipsets for 1.2.3.4/24, so a
        # passing run means the member is missing after the failed add.
        # NOTE(review): a swallowed add failure leaves the host's sets out of
        # step with the requested rules - confirm update_ipsets logs or
        # otherwise surfaces it.
        stub_ipsets.check_state(expected_ipsets)
Example #3
    def test_ipv6_ipsets(self):
        """
        Feed update_ipsets a mix of malformed and well-formed IPv6 rules and
        check that only the well-formed ones produce ipset members.
        """
        description = "description"
        suffix = "suffix"
        default_cidr = "2001::1:2:3:4/24"

        self.create_ipsets("inet6")

        # Rules that must contribute nothing: no expected member is recorded
        # for any of them, so check_state fails if one slips through.
        ignored_rules = [
            {'blah': "junk"},  # no CIDR
            {'cidr': "junk"},  # junk CIDR
            {'cidr': "1.2.3.4/32"},  # IPv4, not v6
            {'cidr': default_cidr, 'port': 123},  # port, no protocol
            {'cidr': default_cidr,
             'protocol': "tcp",
             'port': "blah"},  # bad port
            {'cidr': default_cidr,
             'protocol': "tcp",
             'port': ["blah", "bloop"]},  # bad port range
            {'cidr': default_cidr,
             'protocol': "tcp",
             'port': [0, 123]},  # bad port in range
            {'cidr': default_cidr,
             'protocol': "tcp",
             'port': [1, 2, 3]},  # not two in range
            {'cidr': default_cidr,
             'protocol': "tcp",
             'port': [1]},  # not two in range
            {'cidr': default_cidr,
             'protocol': "icmp",
             'port': "1"},  # port not allowed
            {'cidr': default_cidr,
             'protocol': "ipv6-icmp",
             'port': "1"},  # port not allowed
            {'cidr': default_cidr,
             'protocol': "icmp",
             'icmp_code': "1"},  # code without type
            {'cidr': default_cidr,
             'protocol': "blah",
             'port': "1"},  # port not allowed for protocol
        ]

        # Better rules: each one is paired with the (ipset, member) entries it
        # is expected to produce.
        accepted_rules = [
            # Bare CIDR goes to the address set.
            ({'cidr': "1:2:3::4/24"},
             [("ipset_addr", "1:2:3::4/24")]),
            # A /0 prefix is expected as two /1 halves, and a protocol with
            # no port as the full 1-65535 range.
            ({'cidr': "1:2:3::/0", 'protocol': "tcp"},
             [("ipset_port", "::/1,tcp:1-65535"),
              ("ipset_port", "8000::/1,tcp:1-65535")]),
            ({'cidr': "1::1/8", 'protocol': "udp", 'port': [2, 10]},
             [("ipset_port", "1::1/8,udp:2-10")]),
            ({'cidr': "1::2/8", 'protocol': "sctp", 'port': "2"},
             [("ipset_port", "1::2/8,sctp:2")]),
            ({'cidr': "1::3/8", 'protocol': "udplite", 'port': [2, 10]},
             [("ipset_port", "1::3/8,udplite:2-10")]),
            # ipv6-icmp with no type lands in the ICMP set ...
            ({'cidr': "1::4/8", 'protocol': "ipv6-icmp"},
             [("ipset_icmp", "1::4/8")]),
            # ... while a type (with or without a code) lands in the port set.
            ({'cidr': "1::5/8", 'protocol': "ipv6-icmp", 'icmp_type': 123},
             [("ipset_port", "1::5/8,ipv6-icmp:123/0")]),
            # NOTE(review): the string type here, the string code two rules
            # below and the unknown protocol in the last rule all appear
            # verbatim in the expected member - confirm this pass-through is
            # intended and that such values are validated before reaching
            # update_ipsets.
            ({'cidr': "1::6/8", 'protocol': "ipv6-icmp", 'icmp_type': "type"},
             [("ipset_port", "1::6/8,ipv6-icmp:type")]),
            ({'cidr': "1::7/8",
              'protocol': "ipv6-icmp",
              'icmp_type': 123,
              'icmp_code': "code"},
             [("ipset_port", "1::7/8,ipv6-icmp:123/code")]),
            ({'cidr': "1::8/8",
              'protocol': "ipv6-icmp",
              'icmp_type': "type",
              'icmp_code': "code"},  # code ignored
             [("ipset_port", "1::8/8,ipv6-icmp:type")]),
            ({'cidr': "1::9/8", 'protocol': "blah"},
             [("ipset_port", "1::9/8,blah:0")]),
        ]

        # Ignored rules first, then the accepted ones, recording each expected
        # member as its rule is queued.
        rule_list = list(ignored_rules)
        for rule, members in accepted_rules:
            rule_list.append(rule)
            for set_name, member in members:
                expected_ipsets.add(set_name, member)

        frules.update_ipsets(IPV6, description, suffix, rule_list,
                             "ipset_addr", "ipset_port", "ipset_icmp",
                             "tmp_ipset_addr", "tmp_ipset_port",
                             "tmp_ipset_icmp")

        stub_ipsets.check_state(expected_ipsets)