def test_create_update_port_allowed_address_pairs(self):
    # Create a port with two allowed address pairs, then clear them with an
    # update, and check what is handed to the NB API mock each time.
    #
    # The first pair carries no MAC; the expectation below is that the
    # created lport records it with the port's own MAC address. The second
    # pair carries an explicit MAC, which must be kept as given.
    #
    # NOTE(review): assert_called_once() is only a real assertion on mock
    # releases that implement it -- confirm the pinned mock library does.
    requested_pairs = [
        {"ip_address": "10.1.1.10"},
        {"ip_address": "20.1.1.20", "mac_address": "aa:bb:cc:dd:ee:ff"},
    ]
    port_kwargs = {'allowed_address_pairs': requested_pairs}

    with self.subnet(enable_dhcp=False) as subnet:
        # Forget the create() calls caused by the subnet itself.
        self.nb_api.create.reset_mock()
        with self.port(subnet=subnet,
                       arg_list=('allowed_address_pairs',),
                       **port_kwargs) as port_ctx:
            port = port_ctx['port']

            # --- create path ---
            self.nb_api.create.assert_called_once()
            created_lport = self.nb_api.create.call_args_list[0][0][0]
            self.nb_api.create.reset_mock()

            wanted_pairs = [
                l2.AddressPair(ip_address="10.1.1.10",
                               mac_address=port['mac_address']),
                l2.AddressPair(ip_address="20.1.1.20",
                               mac_address="aa:bb:cc:dd:ee:ff"),
            ]
            wanted_structs = [pair.to_struct() for pair in wanted_pairs]
            actual_structs = [
                pair.to_struct()
                for pair in created_lport.allowed_address_pairs
            ]
            self.assertItemsEqual(wanted_structs, actual_structs)

            # --- update path: clearing the pairs must reach the NB API ---
            self.nb_api.update.reset_mock()
            update_body = {'port': {'allowed_address_pairs': []}}
            update_req = self.new_update_request(
                'ports', update_body, port['id'])
            update_req.get_response(self.api)

            self.nb_api.update.assert_called_once()
            updated_lport = self.nb_api.update.call_args_list[0][0][0]
            self.assertEqual([], updated_lport.allowed_address_pairs)
def _get_allow_ip_mac_pairs(self, lport):
    """Return every IP/MAC pair associated with *lport*.

    The result is a new list holding one ``l2.AddressPair`` per fixed IP
    (each combined with the port's MAC), followed by the port's
    ``allowed_address_pairs`` entries unchanged. Fixed-IP pairs are only
    produced when both ``lport.ips`` and ``lport.mac`` are set.

    NOTE(review): entries from ``allowed_address_pairs`` are appended
    without any check in this method; presumably they are validated
    before they reach this point -- confirm against the callers.
    """
    port_ips = lport.ips
    port_mac = lport.mac

    if port_ips is None or port_mac is None:
        # Without both an IP list and a MAC there is no fixed pair to build.
        pairs = []
    else:
        pairs = [
            l2.AddressPair(ip_address=ip, mac_address=port_mac)
            for ip in port_ips
        ]

    extra_pairs = lport.allowed_address_pairs
    if extra_pairs is not None:
        pairs.extend(extra_pairs)
    return pairs
def test_support_allowed_address_pairs(self):
    # Walk a local port with an allowed address pair through create,
    # update and delete, counting the add/delete flow calls at each step.

    # Register the fake security group.
    self.controller.update(self.security_group)

    # Bring up a local port that carries one allowed address pair.
    lport = self._get_another_local_lport()
    lport.allowed_address_pairs = [
        l2.AddressPair(ip_address='10.0.0.100',
                       mac_address='fa:16:3e:8c:2e:12'),
    ]
    initial_version = lport.version
    self.controller.update(lport)

    # Flows expected to be added:
    #   1-2.   ingress conntrack table flow (ipv4, ipv6)
    #   3-4.   associating flow in the ingress secgroup table (ipv4, ipv6)
    #   5-6.   egress conntrack table flow (ipv4, ipv6)
    #   7-8.   associating flow in the egress secgroup table (ipv4, ipv6)
    #   9-10.  ingress rule flow in the ingress secgroup table, matching
    #          the fixed ips (ipv4, ipv6)
    #   11.    ingress rule flow in the ingress secgroup table, matching
    #          the ip from the allowed address pairs
    #   12.    permit flow in the ingress secgroup table
    #   13-14. egress rule flow in the egress secgroup table (ipv4, ipv6)
    #   15.    permit flow in the egress secgroup table
    self.assertEqual(15, self._get_call_count_of_add_flow())
    self.mock_mod_flow.reset_mock()

    # Replace the allowed address pair on the port with a different ip.
    lport = self._get_another_local_lport()
    lport.allowed_address_pairs = [
        l2.AddressPair(ip_address='10.0.0.200',
                       mac_address='fa:16:3e:8c:2e:12'),
    ]
    next_version = initial_version + 1
    lport.version = next_version
    self.controller.update(lport)

    # Exactly one flow is added and one removed, both in the ingress
    # secgroup table: the ingress rule flow for the new pair's ip goes in
    # and the one for the old pair's ip comes out, so the old address is
    # no longer matched once the pair has been replaced.
    self.assertEqual(1, self._get_call_count_of_add_flow())
    self.assertEqual(1, self._get_call_count_of_del_flow())
    self.mock_mod_flow.reset_mock()

    # Remove the local port.
    self.controller.delete(lport)

    # Flows expected to be removed:
    #   1-2.   ingress conntrack table flow (ipv4, ipv6)
    #   3-4.   associating flow in the ingress secgroup table (ipv4, ipv6)
    #   5-6.   egress conntrack table flow (ipv4, ipv6)
    #   7-8.   associating flow in the egress secgroup table (ipv4, ipv6)
    #   9-10.  two ingress rule flows in the ingress secgroup table for
    #          the fixed ips (the IP addresses representing the
    #          remote_group_id changed)
    #   11.    one ingress rule flow in the ingress secgroup table for the
    #          allowed address pair (same cause)
    #   12.    ingress rules deleted by cookie, ingress secgroup table
    #          (ipv4)
    #   13.    ingress rules deleted by cookie, ingress secgroup table
    #          (ipv6)
    #   14.    egress rules deleted by cookie, egress secgroup table (ipv4)
    #   15.    egress rules deleted by cookie, egress secgroup table (ipv6)
    #   16.    permit flow in the ingress secgroup table
    #   17.    permit flow in the egress secgroup table
    self.assertEqual(17, self._get_call_count_of_del_flow())
    self.mock_mod_flow.reset_mock()

    # Finally drop the fake security group.
    self.controller.delete(self.security_group)