def _assect_ndp_proxy_rules_is_set(self, ip_wrapper, iptables_manager, interface_name, namespace): expected_iptable_rules = [] expected_proxy_address = [] for ndp_proxy in self.ndp_proxies: rule = '-i %s --destination %s -j ACCEPT' % (interface_name, ndp_proxy.ip_address) rule_obj = iptable_mng.IptablesRule('NDP', rule, True, True, iptables_manager.wrap_name) expected_iptable_rules.append(rule_obj) expected_proxy_address.append(str(ndp_proxy.ip_address)) def check_rules_is_set(): existing_iptable_rules = iptables_manager.ipv6['filter'].rules for iptable_rule in expected_iptable_rules: if iptable_rule not in existing_iptable_rules: return False existing_proxy_addresses = self._get_existing_ndp_proxies( interface_name, namespace) for address in expected_proxy_address: if address not in existing_proxy_addresses: return False return True common_utils.wait_until_true(check_rules_is_set)
def _assert_ndp_proxy_state_iptable_rules_is_set( self, ri, iptables_manager, interface_name): wrap_name = iptables_manager.wrap_name expected_rules = [] for port in ri.internal_ports: for subnet in port['subnets']: if netaddr.IPNetwork(subnet['cidr']).version == \ constants.IP_VERSION_4: continue rule = ( '-i %s --destination %s -j ' '%s-NDP') % (interface_name, subnet['cidr'], wrap_name) rule_obj = iptable_mng.IptablesRule( 'FORWARD', rule, True, False, iptables_manager.wrap_name) expected_rules.append(rule_obj) def check_rules_is_set(): existing_rules = iptables_manager.ipv6['filter'].rules for rule in expected_rules: if rule not in existing_rules: return False return True common_utils.wait_until_true(check_rules_is_set)
def _assert_ndp_iptable_chain_is_set(self, iptables_manager, interface_name): rule = '-i %s -j DROP' % interface_name rule_obj = iptable_mng.IptablesRule('NDP', rule, True, False, iptables_manager.wrap_name) def check_chain_is_set(): existing_chains = iptables_manager.ipv6['filter'].chains if 'NDP' not in existing_chains: return False existing_rules = iptables_manager.ipv6['filter'].rules if rule_obj in existing_rules: return True common_utils.wait_until_true(check_chain_is_set)
def _assert_port_forwarding_iptables_is_set(self, router_info, pf): (interface_name, namespace, iptables_manager ) = self.fip_pf_ext._get_resource_by_router(router_info) chain_rule = self.fip_pf_ext._get_fip_rules( pf, iptables_manager.wrap_name)[1] chain_name = chain_rule[0] rule = chain_rule[1] rule_tag = 'fip_portforwarding-' + pf.id rule_obj = iptable_mng.IptablesRule(chain_name, rule, True, False, iptables_manager.wrap_name, rule_tag, None) def check_chain_rules_set(): existing_chains = iptables_manager.ipv4['nat'].chains if chain_name not in existing_chains: return False existing_rules = iptables_manager.ipv4['nat'].rules return rule_obj in existing_rules common_utils.wait_until_true(check_chain_rules_set)
def _assert_conntrack_helper_iptables_is_set(self, router_info, cth): iptables_manager = self.cth_ext._get_iptables_manager(router_info) tag = conntrack_helper.CONNTRACK_HELPER_PREFIX + cth.id chain_name = (conntrack_helper.CONNTRACK_HELPER_CHAIN_PREFIX + cth.id)[:constants.MAX_IPTABLES_CHAIN_LEN_WRAP] rule = ('-p %s --dport %s -j CT --helper %s' % (cth.protocol, cth.port, cth.helper)) rule_obj = iptable_mng.IptablesRule(chain_name, rule, True, False, iptables_manager.wrap_name, tag, None) def check_chain_rules_set(): existing_ipv4_chains = iptables_manager.ipv4['raw'].chains existing_ipv6_chains = iptables_manager.ipv6['raw'].chains if (chain_name not in existing_ipv4_chains or chain_name not in existing_ipv6_chains): return False existing_ipv4_rules = iptables_manager.ipv4['raw'].rules existing_ipv6_rules = iptables_manager.ipv6['raw'].rules return (rule_obj in existing_ipv4_rules and rule_obj in existing_ipv6_rules) common_utils.wait_until_true(check_chain_rules_set)
def _assert_iptables_rules_exist(self, router_iptables_manager, table_name, expected_rules): rules = router_iptables_manager.get_rules_for_table(table_name) for rule in expected_rules: self.assertIn(str(iptables_manager.IptablesRule(rule[0], rule[1])), rules)
def is_prevent_snat_rule_exist(router_iptables_manager): rules = router_iptables_manager.get_rules_for_table('nat') return all( str(iptables_manager.IptablesRule(nat_rule[0], nat_rule[1])) in rules for nat_rule in prevent_snat_rule)