def test_provider_firewall_rules(self, mock_lock): mock_lock.return_value = threading.Semaphore() # setup basic instance data instance_ref = self._create_instance_ref() # FRAGILE: peeks at how the firewall names chains chain_name = 'inst-%s' % instance_ref['id'] # create a firewall via setup_basic_filtering like libvirt_conn.spawn # should have a chain with 0 rules network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance_ref, network_info) self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains) rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(0, len(rules)) admin_ctxt = context.get_admin_context() # add a rule and send the update message, check for 1 rule db.provider_fw_rule_create(admin_ctxt, {'protocol': 'tcp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}) self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(1, len(rules)) # Add another, refresh, and make sure number of rules goes to two provider_fw1 = db.provider_fw_rule_create(admin_ctxt, {'protocol': 'udp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}) self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(2, len(rules)) # create the instance filter and make sure it has a jump rule self.fw.prepare_instance_filter(instance_ref, network_info) self.fw.apply_instance_filter(instance_ref, network_info) inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == chain_name] jump_rules = [rule for rule in inst_rules if '-j' in rule.rule] provjump_rules = [] # IptablesTable doesn't make rules unique internally for rule in jump_rules: if 'provider' in rule.rule and rule not in provjump_rules: provjump_rules.append(rule) self.assertEqual(1, len(provjump_rules)) # remove a rule from the db, cast to compute to refresh rule db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id']) self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(1, len(rules))
def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_('Blocking traffic to all projects incoming from %s'), cidr, context=context) cidr = urllib.unquote(cidr).decode() # raise if invalid netaddr.IPNetwork(cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535}) udp_rule = rule.copy() udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535}) icmp_rule = rule.copy() icmp_rule.update({ 'protocol': 'icmp', 'from_port': -1, 'to_port': None }) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, udp_rule): db.provider_fw_rule_create(context, udp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, icmp_rule): db.provider_fw_rule_create(context, icmp_rule) rules_added += 1 if not rules_added: raise exception.ApiError(_('Duplicate rule')) self.compute_api.trigger_provider_fw_rules_refresh(context) return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_('Blocking traffic to all projects incoming from %s'), cidr, context=context) cidr = urllib.unquote(cidr).decode() # raise if invalid netaddr.IPNetwork(cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535}) udp_rule = rule.copy() udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535}) icmp_rule = rule.copy() icmp_rule.update({'protocol': 'icmp', 'from_port': -1, 'to_port': None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, udp_rule): db.provider_fw_rule_create(context, udp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, icmp_rule): db.provider_fw_rule_create(context, icmp_rule) rules_added += 1 if not rules_added: raise exception.ApiError(_('Duplicate rule')) self.compute_api.trigger_provider_fw_rules_refresh(context) return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_("Blocking traffic to all projects incoming from %s"), cidr, context=context) cidr = urllib.unquote(cidr).decode() # raise if invalid netaddr.IPNetwork(cidr) rule = {"cidr": cidr} tcp_rule = rule.copy() tcp_rule.update({"protocol": "tcp", "from_port": 1, "to_port": 65535}) udp_rule = rule.copy() udp_rule.update({"protocol": "udp", "from_port": 1, "to_port": 65535}) icmp_rule = rule.copy() icmp_rule.update({"protocol": "icmp", "from_port": -1, "to_port": None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, udp_rule): db.provider_fw_rule_create(context, udp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, icmp_rule): db.provider_fw_rule_create(context, icmp_rule) rules_added += 1 if not rules_added: raise exception.ApiError(_("Duplicate rule")) self.compute_api.trigger_provider_fw_rules_refresh(context) return {"status": "OK", "message": "Added %s rules" % rules_added}
def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_('Blocking traffic to all projects incoming from %s'), cidr, context=context) cidr = urllib.unquote(cidr).decode() failed = {'status': 'Failed', 'message': ' 0 rules added'} if not utils.is_valid_cidr(cidr): msg = 'Improper input. Please provide a valid cidr: ' \ 'e.g. 121.12.10.11/24.' failed['message'] = msg + failed['message'] return failed #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that #db values stay in sync with filters' values (e.g. in iptables) cidr = str(netaddr.IPNetwork(cidr).cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535}) udp_rule = rule.copy() udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535}) icmp_rule = rule.copy() icmp_rule.update({'protocol': 'icmp', 'from_port': -1, 'to_port': None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, udp_rule): db.provider_fw_rule_create(context, udp_rule) rules_added += 1 if not self._provider_fw_rule_exists(context, icmp_rule): db.provider_fw_rule_create(context, icmp_rule) rules_added += 1 if not rules_added: msg = 'Duplicate Rule.' failed['message'] = msg + failed['message'] return failed self.compute_api.trigger_provider_fw_rules_refresh(context) return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
def test_provider_firewall_rules(self, mock_lock): mock_lock.return_value = threading.Semaphore() # setup basic instance data instance_ref = self._create_instance_ref() # FRAGILE: peeks at how the firewall names chains chain_name = 'inst-%s' % instance_ref['id'] # create a firewall via setup_basic_filtering like libvirt_conn.spawn # should have a chain with 0 rules network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance_ref, network_info) self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains) rules = [ rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider' ] self.assertEqual(0, len(rules)) admin_ctxt = context.get_admin_context() # add a rule and send the update message, check for 1 rule db.provider_fw_rule_create( admin_ctxt, { 'protocol': 'tcp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535 }) self.fw.refresh_provider_fw_rules() rules = [ rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider' ] self.assertEqual(1, len(rules)) # Add another, refresh, and make sure number of rules goes to two provider_fw1 = db.provider_fw_rule_create( admin_ctxt, { 'protocol': 'udp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535 }) self.fw.refresh_provider_fw_rules() rules = [ rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider' ] self.assertEqual(2, len(rules)) # create the instance filter and make sure it has a jump rule self.fw.prepare_instance_filter(instance_ref, network_info) self.fw.apply_instance_filter(instance_ref, network_info) inst_rules = [ rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == chain_name ] jump_rules = [rule for rule in inst_rules if '-j' in rule.rule] provjump_rules = [] # IptablesTable doesn't make rules unique internally for rule in jump_rules: if 'provider' in rule.rule and rule not in provjump_rules: provjump_rules.append(rule) self.assertEqual(1, len(provjump_rules)) # remove a rule from the db, cast to compute to refresh rule db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id']) self.fw.refresh_provider_fw_rules() rules = [ rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider' ] self.assertEqual(1, len(rules))