def test_multiple_matches():
    """Every lga rule is intersected with every ord rule on the lga->ord path.

    Three single-host sources on fw1.lga each pair with two single-host
    destinations on fw1.ord, so the combined 'app' policy must hold the full
    3x2 cross product and nothing broader.  Combined rule names are the
    '+'-joined names of the two originating rules (ord name first).  Uses the
    module-level ``routes``.
    """
    lga_sources = [('1.1.1.1', 'one'), ('1.1.1.2', 'two'), ('1.1.1.3', 'three')]
    ord_dests = [('2.7.8.8', 'eight'), ('2.7.8.9', 'nine')]
    lga_rules = {'app': [
        Rule(ipset(src), ipset('2.0.0.0/8'), 'app', name)
        for src, name in lga_sources
    ]}
    ord_rules = {'app': [
        Rule(ipset('1.0.0.0/8'), ipset(dst), 'app', name)
        for dst, name in ord_dests
    ]}
    address_spaces = {
        'lga': ipset('1.0.0.0/8'),
        'ord': ipset('2.0.0.0/8'),
    }
    sources = {'fw1.ord': ord_rules, 'fw1.lga': lga_rules}

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # the intersection of each (lga, ord) pair: host->host, named "<ord>+<lga>"
    expected = [
        Rule(src=ipset(src), dst=ipset(dst), app='app',
             name=dst_name + '+' + src_name)
        for src, src_name in lga_sources
        for dst, dst_name in ord_dests
    ]
    eq_(sorted(result['app']), sorted(expected))
def test_overlapping_rules():
    """Partially overlapping rules on both firewalls combine to their intersection.

    fw1.lga allows a /16 source to the whole ord /8; fw1.ord allows the whole
    lga /8 to a /16 destination.  Only traffic permitted by *both* hops may
    appear in the combined policy, i.e. /16 -> /16.  Uses the module-level
    ``routes``.
    """
    lga_rule = Rule(ipset('1.1.0.0/16'), ipset('2.0.0.0/8'), 'app', 'lga')
    ord_rule = Rule(ipset('1.0.0.0/8'), ipset('2.1.0.0/16'), 'app', 'ord')
    sources = {
        'fw1.ord': {'app': [ord_rule]},
        'fw1.lga': {'app': [lga_rule]},
    }
    address_spaces = {
        'lga': ipset('1.0.0.0/8'),
        'ord': ipset('2.0.0.0/8'),
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # intersection of src and dst; a union here would over-state what is allowed
    expected = Rule(ipset('1.1.0.0/16'), ipset('2.1.0.0/16'), 'app', 'lga+ord')
    eq_(result, {'app': [expected]})
def test_limited_by_space():
    """A rule wider than its firewall's address space is clipped to that space.

    Both fw1.lga and fw1.ord permit 0.0.0.0/7 (which covers lax *and* lga) to
    ord, but fw1.lax permits nothing.  Traffic from lax must therefore not be
    reported as allowed; only lga's own /8 survives as the source.  This test
    supplies its own ``routes`` because it needs three address spaces.
    """
    wide_src = ipset('0.0.0.0/7')  # /7 covers both lax (0/8) and lga (1/8)
    ord_space = ipset('2.0.0.0/8')
    sources = {
        'fw1.lax': {'app': []},
        'fw1.lga': {'app': [Rule(wide_src, ord_space, 'app', 'lga')]},
        'fw1.ord': {'app': [Rule(wide_src, ord_space, 'app', 'ord')]},
    }
    address_spaces = {
        'lax': ipset('0.0.0.0/8'),
        'lga': ipset('1.0.0.0/8'),
        'ord': ord_space,
    }
    routes = {
        ('lax', 'lax'): ['fw1.lax'],
        ('lax', 'lga'): ['fw1.lga', 'fw1.lax'],
        ('lax', 'ord'): ['fw1.ord', 'fw1.lax'],
        ('lga', 'lax'): ['fw1.lax', 'fw1.lga'],
        ('lga', 'lga'): ['fw1.lga'],
        ('lga', 'ord'): ['fw1.ord', 'fw1.lga'],
        ('ord', 'lax'): ['fw1.ord', 'fw1.lax'],
        ('ord', 'lga'): ['fw1.ord', 'fw1.lga'],
        ('ord', 'ord'): ['fw1.ord'],
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # only lga's address space is allowed; lax is blocked by fw1.lax's empty policy
    expected = Rule(ipset('1.0.0.0/8'), ord_space, 'app', 'lga+ord')
    eq_(result, {'app': [expected]})
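def test_one_address_space():
    """A single address space behind a single firewall passes its rules through.

    With only ``nyc`` and the one route (nyc, nyc) -> [fw1.nyc] there is
    nothing to intersect against, so every rule of fw1.nyc must survive
    unchanged.
    """
    rules = {'app': [
        Rule(ipset('1.2.3.4'), ipset('1.7.7.7'), 'app', 'p2p'),
        Rule(ipset('1.2.5.0/24'), ipset('1.7.7.7'), 'app', 'net'),
    ]}

    with no_simplify():
        result = process.combine(
            {'nyc': ipset('1.0.0.0/8')},
            {('nyc', 'nyc'): ['fw1.nyc']},
            {'fw1.nyc': rules})

    # ``sorted(<dict>)`` yields only the keys, so comparing sorted(result) with
    # sorted(rules) checked nothing beyond the app names: a dropped or altered
    # rule would still pass.  Check the app names *and* each app's rule list
    # (order-insensitively, as the other tests do).
    eq_(sorted(result), sorted(rules))
    for app in rules:
        eq_(sorted(result[app]), sorted(rules[app]))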
def test_combine():
    """End-to-end combine of the module-level RULES_10 / RULES_20 fixtures.

    Two managed /8 spaces plus an 'unmanaged' remainder of the IPv4 space.
    Flows between 'ten' and 'twenty' traverse both firewalls, so only the
    intersection of the two policies is reported for them; flows to or from
    'unmanaged' cross one firewall and keep that firewall's rule.  Unlike the
    other tests this one runs with simplification enabled, so rules with the
    same source are merged into multi-range destinations.
    """
    ten = ipset('10.0.0.0/8')
    twenty = ipset('20.0.0.0/8')
    address_spaces = {
        'ten': ten,
        'twenty': twenty,
        # everything that is not behind one of the two managed firewalls
        'unmanaged': ipset('0.0.0.0/0') - ten - twenty,
    }
    routes = {
        ('ten', 'ten'): ['fw1.ten'],
        ('ten', 'twenty'): ['fw1.ten', 'fw1.twenty'],
        ('ten', 'unmanaged'): ['fw1.ten'],
        ('twenty', 'ten'): ['fw1.ten', 'fw1.twenty'],
        ('twenty', 'twenty'): ['fw1.twenty'],
        ('twenty', 'unmanaged'): ['fw1.twenty'],
        ('unmanaged', 'ten'): ['fw1.ten'],
        ('unmanaged', 'twenty'): ['fw1.twenty'],
        ('unmanaged', 'unmanaged'): [],
    }
    sources = {'fw1.ten': RULES_10, 'fw1.twenty': RULES_20}

    res = process.combine(address_spaces, routes, sources)
    res['http'].sort()

    expected_http = [
        Rule(src=ipset('10.10.0.0/16'),
             dst=ipset('10.20.0.0/16', '30.20.0.0/16'),
             app='http', name='10->10+10->30'),
        Rule(src=ipset('20.10.0.0/16'),
             dst=ipset('20.20.0.0/16', '30.20.0.0/16'),
             app='http', name='20->20+20->30'),
        Rule(src=ipset('30.10.0.0/16'),
             dst=ipset('10.20.0.0/16', '20.20.0.0/16'),
             app='http', name='30->10+30->20'),
        # cross-firewall flows: only the intersection makes it through
        Rule(src=ipset('10.20.0.0/16'), dst=ipset('20.20.0.0/16'),
             app='http', name='10->20'),
        Rule(src=ipset('20.20.0.0/16'), dst=ipset('10.20.0.0/16'),
             app='http', name='20->10'),
    ]
    expected_http.sort()
    eq_(res, {'http': expected_http})
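def test_one_address_space():
    """A single address space behind a single firewall passes its rules through.

    With only ``nyc`` and the one route (nyc, nyc) -> [fw1.nyc] there is
    nothing to intersect against, so every rule of fw1.nyc must survive
    unchanged.
    """
    rules = {
        'app': [
            Rule(ipset('1.2.3.4'), ipset('1.7.7.7'), 'app', 'p2p'),
            Rule(ipset('1.2.5.0/24'), ipset('1.7.7.7'), 'app', 'net'),
        ]
    }

    with no_simplify():
        result = process.combine({'nyc': ipset('1.0.0.0/8')},
                                 {('nyc', 'nyc'): ['fw1.nyc']},
                                 {'fw1.nyc': rules})

    # ``sorted(<dict>)`` yields only the keys, so comparing sorted(result) with
    # sorted(rules) checked nothing beyond the app names: a dropped or altered
    # rule would still pass.  Check the app names *and* each app's rule list
    # (order-insensitively, as the other tests do).
    eq_(sorted(result), sorted(rules))
    for app in rules:
        eq_(sorted(result[app]), sorted(rules[app]))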
def test_identical_rules():
    """The same rule on both firewalls of a path combines to itself.

    fw1.ord and fw1.lga share one rule for ord -> lga traffic; intersecting a
    rule with itself must yield exactly that rule (name included), not a
    duplicate or a renamed copy.  Uses the module-level ``routes``.
    """
    shared = Rule(ipset('2.7.7.0/24'), ipset('1.7.7.0/24'), 'app', 'lga-ord')
    rules = {'app': [shared]}
    address_spaces = {
        'lga': ipset('1.0.0.0/8'),
        'ord': ipset('2.0.0.0/8'),
    }
    # both firewalls carry the identical policy object
    sources = {'fw1.ord': rules, 'fw1.lga': rules}

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    eq_(result, rules)
def test_multiple_matches():
    """Every lga rule is intersected with every ord rule on the lga->ord path.

    Three single-host sources on fw1.lga each pair with two single-host
    destinations on fw1.ord, so the combined 'app' policy must hold the full
    3x2 cross product and nothing broader.  Combined rule names are the
    '+'-joined names of the two originating rules (ord name first).  Uses the
    module-level ``routes``.
    """
    to_ord = ipset('2.0.0.0/8')
    from_lga = ipset('1.0.0.0/8')
    sources = {
        'fw1.lga': {
            'app': [
                Rule(ipset('1.1.1.1'), to_ord, 'app', 'one'),
                Rule(ipset('1.1.1.2'), to_ord, 'app', 'two'),
                Rule(ipset('1.1.1.3'), to_ord, 'app', 'three'),
            ]
        },
        'fw1.ord': {
            'app': [
                Rule(from_lga, ipset('2.7.8.8'), 'app', 'eight'),
                Rule(from_lga, ipset('2.7.8.9'), 'app', 'nine'),
            ]
        },
    }
    address_spaces = {'lga': from_lga, 'ord': to_ord}

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # the intersection of each (lga, ord) pair: host -> host
    expected = sorted([
        Rule(src=ipset('1.1.1.1'), dst=ipset('2.7.8.8'), app='app', name='eight+one'),
        Rule(src=ipset('1.1.1.1'), dst=ipset('2.7.8.9'), app='app', name='nine+one'),
        Rule(src=ipset('1.1.1.2'), dst=ipset('2.7.8.8'), app='app', name='eight+two'),
        Rule(src=ipset('1.1.1.2'), dst=ipset('2.7.8.9'), app='app', name='nine+two'),
        Rule(src=ipset('1.1.1.3'), dst=ipset('2.7.8.8'), app='app', name='eight+three'),
        Rule(src=ipset('1.1.1.3'), dst=ipset('2.7.8.9'), app='app', name='nine+three'),
    ])
    eq_(sorted(result['app']), expected)
def test_identical_rules():
    """The same rule on both firewalls of a path combines to itself.

    fw1.ord and fw1.lga share one rule for ord -> lga traffic; intersecting a
    rule with itself must yield exactly that rule (name included), not a
    duplicate or a renamed copy.  Uses the module-level ``routes``.
    """
    rules = {
        'app': [
            Rule(ipset('2.7.7.0/24'), ipset('1.7.7.0/24'), 'app', 'lga-ord'),
        ]
    }
    address_spaces = {
        'ord': ipset('2.0.0.0/8'),
        'lga': ipset('1.0.0.0/8'),
    }
    # both firewalls carry the identical policy
    sources = dict((fw, rules) for fw in ('fw1.ord', 'fw1.lga'))

    with no_simplify():
        combined = process.combine(address_spaces, routes, sources)

    eq_(combined, rules)
def test_other_app():
    """The '@@other' catch-all supplies rules for apps a firewall never names.

    Each firewall defines one app of its own, one app both define, and an
    '@@other' entry.  For an intra-space flow only that space's firewall is on
    the path, so an app the firewall does not list (e.g. 'ordonly' seen from
    lga) must be served by its '@@other' rule, and the combined output must
    attribute that rule to the app it stood in for.  '@@other' itself is also
    reported.  Uses the module-level ``routes``.
    """
    def policy(prefix, tag):
        # one firewall's rules: its own app, the shared 'inboth' app, and @@other
        own_app = tag + 'only'
        return {
            own_app: [
                Rule(ipset(prefix + '.1.0.0'), ipset(prefix + '.1.9.9'),
                     own_app, own_app),
            ],
            'inboth': [
                Rule(ipset(prefix + '.1.8.8'), ipset(prefix + '.1.9.9'),
                     'inboth', 'inboth_' + tag),
            ],
            '@@other': [
                Rule(ipset(prefix + '.1.0.0'), ipset(prefix + '.1.9.9'),
                     '@@other', tag + 'other'),
            ],
        }

    sources = {
        'fw1.ord': policy('1', 'ord'),
        'fw1.lga': policy('65', 'lga'),
    }
    address_spaces = {
        'ord': ipset('0.0.0.0/2'),
        'lga': ipset('64.0.0.0/2'),
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)
    for apprules in result.values():
        apprules.sort()

    expected = {
        'ordonly': [
            Rule(ipset('1.1.0.0'), ipset('1.1.9.9'), 'ordonly', 'ordonly'),
            # lga never names 'ordonly', so its @@other rule stands in
            Rule(ipset('65.1.0.0'), ipset('65.1.9.9'), 'ordonly', 'lgaother'),
        ],
        'lgaonly': [
            Rule(ipset('65.1.0.0'), ipset('65.1.9.9'), 'lgaonly', 'lgaonly'),
            # ord never names 'lgaonly', so its @@other rule stands in
            Rule(ipset('1.1.0.0'), ipset('1.1.9.9'), 'lgaonly', 'ordother'),
        ],
        'inboth': [
            Rule(ipset('1.1.8.8'), ipset('1.1.9.9'), 'inboth', 'inboth_ord'),
            Rule(ipset('65.1.8.8'), ipset('65.1.9.9'), 'inboth', 'inboth_lga'),
        ],
        '@@other': [
            Rule(ipset('1.1.0.0'), ipset('1.1.9.9'), '@@other', 'ordother'),
            Rule(ipset('65.1.0.0'), ipset('65.1.9.9'), '@@other', 'lgaother'),
        ],
    }
    for apprules in expected.values():
        apprules.sort()
    eq_(result, expected)
def test_nonoverlapping_rules():
    """Rules that both firewalls would have to agree on, but which share no
    traffic, combine to nothing.

    fw1.lga permits lga -> ord for one pair of /24s and fw1.ord permits
    ord -> lga for an unrelated pair.  Each flow crosses both firewalls and
    the other side permits none of it, so the combined policy must be empty
    rather than the union of the two.  Uses the module-level ``routes``.
    """
    sources = {
        'fw1.lga': {'app': [
            Rule(ipset('1.2.5.0/24'), ipset('2.2.5.0/24'), 'app', 'lga'),
        ]},
        'fw1.ord': {'app': [
            Rule(ipset('2.7.7.0/24'), ipset('1.7.7.0/24'), 'app', 'ord'),
        ]},
    }
    address_spaces = {
        'lga': ipset('1.0.0.0/8'),
        'ord': ipset('2.0.0.0/8'),
    }

    with no_simplify():
        combined = process.combine(address_spaces, routes, sources)

    # nothing is permitted by both hops, so no app may appear at all
    eq_(combined, {})
def test_limited_by_space():
    """A rule wider than its firewall's address space is clipped to that space.

    Both fw1.lga and fw1.ord permit 0.0.0.0/7 (which covers lax *and* lga) to
    ord, but fw1.lax permits nothing.  Traffic from lax must therefore not be
    reported as allowed; only lga's own /8 survives as the source.  This test
    supplies its own ``routes`` because it needs three address spaces.
    """
    # /7 covers both lax (0.0.0.0/8) and lga (1.0.0.0/8)
    lga_rules = {'app': [Rule(ipset('0.0.0.0/7'), ipset('2.0.0.0/8'), 'app', 'lga')]}
    ord_rules = {'app': [Rule(ipset('0.0.0.0/7'), ipset('2.0.0.0/8'), 'app', 'ord')]}
    lax_rules = {'app': []}  # lax allows nothing at all

    address_spaces = {
        'lax': ipset('0.0.0.0/8'),
        'lga': ipset('1.0.0.0/8'),
        'ord': ipset('2.0.0.0/8'),
    }
    spaces = ('lax', 'lga', 'ord')
    routes = {}
    for src in spaces:
        for dst in spaces:
            if src == dst:
                # intra-space traffic only crosses that space's firewall
                routes[(src, dst)] = ['fw1.' + src]
            else:
                routes[(src, dst)] = ['fw1.' + dst, 'fw1.' + src]
    # the generated table must match the hand-written one this test relies on
    eq_(routes, {
        ('lax', 'lax'): ['fw1.lax'],
        ('lax', 'lga'): ['fw1.lga', 'fw1.lax'],
        ('lax', 'ord'): ['fw1.ord', 'fw1.lax'],
        ('lga', 'lax'): ['fw1.lax', 'fw1.lga'],
        ('lga', 'lga'): ['fw1.lga'],
        ('lga', 'ord'): ['fw1.ord', 'fw1.lga'],
        ('ord', 'lax'): ['fw1.ord', 'fw1.lax'],
        ('ord', 'lga'): ['fw1.ord', 'fw1.lga'],
        ('ord', 'ord'): ['fw1.ord'],
    })
    sources = {
        'fw1.ord': ord_rules,
        'fw1.lga': lga_rules,
        'fw1.lax': lax_rules,
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # only lga's address space is allowed; lax is blocked by fw1.lax's empty policy
    eq_(result, {'app': [
        Rule(ipset('1.0.0.0/8'), ipset('2.0.0.0/8'), 'app', 'lga+ord'),
    ]})
def test_nonoverlapping_rules():
    """Rules that both firewalls would have to agree on, but which share no
    traffic, combine to nothing.

    fw1.lga permits lga -> ord for one pair of /24s and fw1.ord permits
    ord -> lga for an unrelated pair.  Each flow crosses both firewalls and
    the other side permits none of it, so the combined policy must be empty
    rather than the union of the two.  Uses the module-level ``routes``.
    """
    lga_only = Rule(ipset('1.2.5.0/24'), ipset('2.2.5.0/24'), 'app', 'lga')
    ord_only = Rule(ipset('2.7.7.0/24'), ipset('1.7.7.0/24'), 'app', 'ord')
    address_spaces = {
        'ord': ipset('2.0.0.0/8'),
        'lga': ipset('1.0.0.0/8'),
    }
    sources = {
        'fw1.ord': {'app': [ord_only]},
        'fw1.lga': {'app': [lga_only]},
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)

    # nothing is permitted by both hops, so no app may appear at all
    eq_(result, {})
def test_overlapping_rules():
    """Partially overlapping rules on both firewalls combine to their intersection.

    fw1.lga allows a /16 source to the whole ord /8; fw1.ord allows the whole
    lga /8 to a /16 destination.  Only traffic permitted by *both* hops may
    appear in the combined policy, i.e. /16 -> /16.  Uses the module-level
    ``routes``.
    """
    lga_space = ipset('1.0.0.0/8')
    ord_space = ipset('2.0.0.0/8')
    sources = {
        'fw1.lga': {'app': [
            Rule(ipset('1.1.0.0/16'), ord_space, 'app', 'lga'),
        ]},
        'fw1.ord': {'app': [
            Rule(lga_space, ipset('2.1.0.0/16'), 'app', 'ord'),
        ]},
    }
    address_spaces = {'lga': lga_space, 'ord': ord_space}

    with no_simplify():
        combined = process.combine(address_spaces, routes, sources)

    # intersection of src and dst; a union here would over-state what is allowed
    eq_(combined, {'app': [
        Rule(ipset('1.1.0.0/16'), ipset('2.1.0.0/16'), 'app', 'lga+ord'),
    ]})
def test_combine():
    """End-to-end combine of the module-level RULES_10 / RULES_20 fixtures.

    Two managed /8 spaces plus an 'unmanaged' remainder of the IPv4 space.
    Flows between 'ten' and 'twenty' traverse both firewalls, so only the
    intersection of the two policies is reported for them; flows to or from
    'unmanaged' cross one firewall and keep that firewall's rule.  Unlike the
    other tests this one runs with simplification enabled, so rules with the
    same source are merged into multi-range destinations.
    """
    address_spaces = {
        'ten': ipset('10.0.0.0/8'),
        'twenty': ipset('20.0.0.0/8'),
        # everything that is not behind one of the two managed firewalls
        'unmanaged': ipset('0.0.0.0/0') - ipset('10.0.0.0/8') - ipset('20.0.0.0/8'),
    }
    routes = {
        ('ten', 'ten'): ['fw1.ten'],
        ('ten', 'twenty'): ['fw1.ten', 'fw1.twenty'],
        ('ten', 'unmanaged'): ['fw1.ten'],
        ('twenty', 'ten'): ['fw1.ten', 'fw1.twenty'],
        ('twenty', 'twenty'): ['fw1.twenty'],
        ('twenty', 'unmanaged'): ['fw1.twenty'],
        ('unmanaged', 'ten'): ['fw1.ten'],
        ('unmanaged', 'twenty'): ['fw1.twenty'],
        ('unmanaged', 'unmanaged'): [],
    }
    sources = {
        'fw1.ten': RULES_10,
        'fw1.twenty': RULES_20,
    }

    combined = process.combine(address_spaces, routes, sources)
    combined['http'].sort()

    def http(src, dst, name):
        return Rule(src=ipset(*src), dst=ipset(*dst), app='http', name=name)

    expected_http = sorted([
        http(('10.10.0.0/16',), ('10.20.0.0/16', '30.20.0.0/16'), '10->10+10->30'),
        http(('20.10.0.0/16',), ('20.20.0.0/16', '30.20.0.0/16'), '20->20+20->30'),
        http(('30.10.0.0/16',), ('10.20.0.0/16', '20.20.0.0/16'), '30->10+30->20'),
        # cross-firewall flows: only the intersection makes it through
        http(('10.20.0.0/16',), ('20.20.0.0/16',), '10->20'),
        http(('20.20.0.0/16',), ('10.20.0.0/16',), '20->10'),
    ])
    eq_(combined, {'http': expected_http})
def test_other_app():
    """The '@@other' catch-all supplies rules for apps a firewall never names.

    Each firewall defines one app of its own, one app both define, and an
    '@@other' entry.  For an intra-space flow only that space's firewall is on
    the path, so an app the firewall does not list (e.g. 'ordonly' seen from
    lga) must be served by its '@@other' rule, and the combined output must
    attribute that rule to the app it stood in for.  '@@other' itself is also
    reported.  Uses the module-level ``routes``.
    """
    ord_net, ord_host = ipset('1.1.0.0'), ipset('1.1.9.9')
    lga_net, lga_host = ipset('65.1.0.0'), ipset('65.1.9.9')
    sources = {
        'fw1.ord': {
            'ordonly': [Rule(ord_net, ord_host, 'ordonly', 'ordonly')],
            'inboth': [Rule(ipset('1.1.8.8'), ord_host, 'inboth', 'inboth_ord')],
            '@@other': [Rule(ord_net, ord_host, '@@other', 'ordother')],
        },
        'fw1.lga': {
            'lgaonly': [Rule(lga_net, lga_host, 'lgaonly', 'lgaonly')],
            'inboth': [Rule(ipset('65.1.8.8'), lga_host, 'inboth', 'inboth_lga')],
            '@@other': [Rule(lga_net, lga_host, '@@other', 'lgaother')],
        },
    }
    address_spaces = {
        'ord': ipset('0.0.0.0/2'),
        'lga': ipset('64.0.0.0/2'),
    }

    with no_simplify():
        result = process.combine(address_spaces, routes, sources)
    for apprules in result.values():
        apprules.sort()

    eq_(result, {
        'ordonly': sorted([
            Rule(ord_net, ord_host, 'ordonly', 'ordonly'),
            # lga never names 'ordonly', so its @@other rule stands in
            Rule(lga_net, lga_host, 'ordonly', 'lgaother'),
        ]),
        'lgaonly': sorted([
            Rule(lga_net, lga_host, 'lgaonly', 'lgaonly'),
            # ord never names 'lgaonly', so its @@other rule stands in
            Rule(ord_net, ord_host, 'lgaonly', 'ordother'),
        ]),
        'inboth': sorted([
            Rule(ipset('1.1.8.8'), ord_host, 'inboth', 'inboth_ord'),
            Rule(ipset('65.1.8.8'), lga_host, 'inboth', 'inboth_lga'),
        ]),
        '@@other': sorted([
            Rule(ord_net, ord_host, '@@other', 'ordother'),
            Rule(lga_net, lga_host, '@@other', 'lgaother'),
        ]),
    })