Example #1
0
    def test_provider_firewall_rules(self, mock_lock):
        mock_lock.return_value = threading.Semaphore()
        # setup basic instance data
        instance_ref = self._create_instance_ref()
        # FRAGILE: peeks at how the firewall names chains
        chain_name = 'inst-%s' % instance_ref['id']

        # create a firewall via setup_basic_filtering like libvirt_conn.spawn
        # should have a chain with 0 rules
        network_info = _fake_network_info(self.stubs, 1)
        self.fw.setup_basic_filtering(instance_ref, network_info)
        self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains)
        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
                      if rule.chain == 'provider']
        self.assertEqual(0, len(rules))

        admin_ctxt = context.get_admin_context()
        # add a rule and send the update message, check for 1 rule
        db.provider_fw_rule_create(admin_ctxt,
                                   {'protocol': 'tcp',
                                    'cidr': '10.99.99.99/32',
                                    'from_port': 1,
                                    'to_port': 65535})
        self.fw.refresh_provider_fw_rules()
        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
                      if rule.chain == 'provider']
        self.assertEqual(1, len(rules))

        # Add another, refresh, and make sure number of rules goes to two
        provider_fw1 = db.provider_fw_rule_create(admin_ctxt,
                                                  {'protocol': 'udp',
                                                   'cidr': '10.99.99.99/32',
                                                   'from_port': 1,
                                                   'to_port': 65535})
        self.fw.refresh_provider_fw_rules()
        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
                      if rule.chain == 'provider']
        self.assertEqual(2, len(rules))

        # create the instance filter and make sure it has a jump rule
        self.fw.prepare_instance_filter(instance_ref, network_info)
        self.fw.apply_instance_filter(instance_ref, network_info)
        inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
                           if rule.chain == chain_name]
        jump_rules = [rule for rule in inst_rules if '-j' in rule.rule]
        provjump_rules = []
        # IptablesTable doesn't make rules unique internally
        for rule in jump_rules:
            if 'provider' in rule.rule and rule not in provjump_rules:
                provjump_rules.append(rule)
        self.assertEqual(1, len(provjump_rules))

        # remove a rule from the db, cast to compute to refresh rule
        db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id'])
        self.fw.refresh_provider_fw_rules()
        rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules
                      if rule.chain == 'provider']
        self.assertEqual(1, len(rules))
Example #2
0
 def block_external_addresses(self, context, cidr):
     """Add provider-level firewall rules to block incoming traffic."""
     LOG.audit(_('Blocking traffic to all projects incoming from %s'),
               cidr,
               context=context)
     cidr = urllib.unquote(cidr).decode()
     # raise if invalid
     netaddr.IPNetwork(cidr)
     rule = {'cidr': cidr}
     tcp_rule = rule.copy()
     tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535})
     udp_rule = rule.copy()
     udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535})
     icmp_rule = rule.copy()
     icmp_rule.update({
         'protocol': 'icmp',
         'from_port': -1,
         'to_port': None
     })
     rules_added = 0
     if not self._provider_fw_rule_exists(context, tcp_rule):
         db.provider_fw_rule_create(context, tcp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, udp_rule):
         db.provider_fw_rule_create(context, udp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, icmp_rule):
         db.provider_fw_rule_create(context, icmp_rule)
         rules_added += 1
     if not rules_added:
         raise exception.ApiError(_('Duplicate rule'))
     self.compute_api.trigger_provider_fw_rules_refresh(context)
     return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
Example #3
0
 def block_external_addresses(self, context, cidr):
     """Add provider-level firewall rules to block incoming traffic."""
     LOG.audit(_('Blocking traffic to all projects incoming from %s'),
               cidr, context=context)
     cidr = urllib.unquote(cidr).decode()
     # raise if invalid
     netaddr.IPNetwork(cidr)
     rule = {'cidr': cidr}
     tcp_rule = rule.copy()
     tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535})
     udp_rule = rule.copy()
     udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535})
     icmp_rule = rule.copy()
     icmp_rule.update({'protocol': 'icmp', 'from_port': -1,
                       'to_port': None})
     rules_added = 0
     if not self._provider_fw_rule_exists(context, tcp_rule):
         db.provider_fw_rule_create(context, tcp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, udp_rule):
         db.provider_fw_rule_create(context, udp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, icmp_rule):
         db.provider_fw_rule_create(context, icmp_rule)
         rules_added += 1
     if not rules_added:
         raise exception.ApiError(_('Duplicate rule'))
     self.compute_api.trigger_provider_fw_rules_refresh(context)
     return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
Example #4
0
 def block_external_addresses(self, context, cidr):
     """Add provider-level firewall rules to block incoming traffic."""
     LOG.audit(_("Blocking traffic to all projects incoming from %s"), cidr, context=context)
     cidr = urllib.unquote(cidr).decode()
     # raise if invalid
     netaddr.IPNetwork(cidr)
     rule = {"cidr": cidr}
     tcp_rule = rule.copy()
     tcp_rule.update({"protocol": "tcp", "from_port": 1, "to_port": 65535})
     udp_rule = rule.copy()
     udp_rule.update({"protocol": "udp", "from_port": 1, "to_port": 65535})
     icmp_rule = rule.copy()
     icmp_rule.update({"protocol": "icmp", "from_port": -1, "to_port": None})
     rules_added = 0
     if not self._provider_fw_rule_exists(context, tcp_rule):
         db.provider_fw_rule_create(context, tcp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, udp_rule):
         db.provider_fw_rule_create(context, udp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, icmp_rule):
         db.provider_fw_rule_create(context, icmp_rule)
         rules_added += 1
     if not rules_added:
         raise exception.ApiError(_("Duplicate rule"))
     self.compute_api.trigger_provider_fw_rules_refresh(context)
     return {"status": "OK", "message": "Added %s rules" % rules_added}
Example #5
0
 def block_external_addresses(self, context, cidr):
     """Add provider-level firewall rules to block incoming traffic."""
     LOG.audit(_('Blocking traffic to all projects incoming from %s'),
               cidr, context=context)
     cidr = urllib.unquote(cidr).decode()
     failed = {'status': 'Failed', 'message': ' 0 rules added'}
     if not utils.is_valid_cidr(cidr):
         msg = 'Improper input. Please provide a valid cidr: ' \
                                                     'e.g. 121.12.10.11/24.'
         failed['message'] = msg + failed['message']
         return failed
     #Normalizing cidr. e.g. '20.20.20.11/24' -> '20.20.20.0/24', so that
     #db values stay in sync with filters' values (e.g. in iptables)
     cidr = str(netaddr.IPNetwork(cidr).cidr)
     rule = {'cidr': cidr}
     tcp_rule = rule.copy()
     tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535})
     udp_rule = rule.copy()
     udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535})
     icmp_rule = rule.copy()
     icmp_rule.update({'protocol': 'icmp', 'from_port': -1,
                       'to_port': None})
     rules_added = 0
     if not self._provider_fw_rule_exists(context, tcp_rule):
         db.provider_fw_rule_create(context, tcp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, udp_rule):
         db.provider_fw_rule_create(context, udp_rule)
         rules_added += 1
     if not self._provider_fw_rule_exists(context, icmp_rule):
         db.provider_fw_rule_create(context, icmp_rule)
         rules_added += 1
     if not rules_added:
             msg = 'Duplicate Rule.'
             failed['message'] = msg + failed['message']
             return failed
     self.compute_api.trigger_provider_fw_rules_refresh(context)
     return {'status': 'OK', 'message': 'Added %s rules' % rules_added}
Example #6
0
    def test_provider_firewall_rules(self, mock_lock):
        mock_lock.return_value = threading.Semaphore()
        # setup basic instance data
        instance_ref = self._create_instance_ref()
        # FRAGILE: peeks at how the firewall names chains
        chain_name = 'inst-%s' % instance_ref['id']

        # create a firewall via setup_basic_filtering like libvirt_conn.spawn
        # should have a chain with 0 rules
        network_info = _fake_network_info(self.stubs, 1)
        self.fw.setup_basic_filtering(instance_ref, network_info)
        self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains)
        rules = [
            rule for rule in self.fw.iptables.ipv4['filter'].rules
            if rule.chain == 'provider'
        ]
        self.assertEqual(0, len(rules))

        admin_ctxt = context.get_admin_context()
        # add a rule and send the update message, check for 1 rule
        db.provider_fw_rule_create(
            admin_ctxt, {
                'protocol': 'tcp',
                'cidr': '10.99.99.99/32',
                'from_port': 1,
                'to_port': 65535
            })
        self.fw.refresh_provider_fw_rules()
        rules = [
            rule for rule in self.fw.iptables.ipv4['filter'].rules
            if rule.chain == 'provider'
        ]
        self.assertEqual(1, len(rules))

        # Add another, refresh, and make sure number of rules goes to two
        provider_fw1 = db.provider_fw_rule_create(
            admin_ctxt, {
                'protocol': 'udp',
                'cidr': '10.99.99.99/32',
                'from_port': 1,
                'to_port': 65535
            })
        self.fw.refresh_provider_fw_rules()
        rules = [
            rule for rule in self.fw.iptables.ipv4['filter'].rules
            if rule.chain == 'provider'
        ]
        self.assertEqual(2, len(rules))

        # create the instance filter and make sure it has a jump rule
        self.fw.prepare_instance_filter(instance_ref, network_info)
        self.fw.apply_instance_filter(instance_ref, network_info)
        inst_rules = [
            rule for rule in self.fw.iptables.ipv4['filter'].rules
            if rule.chain == chain_name
        ]
        jump_rules = [rule for rule in inst_rules if '-j' in rule.rule]
        provjump_rules = []
        # IptablesTable doesn't make rules unique internally
        for rule in jump_rules:
            if 'provider' in rule.rule and rule not in provjump_rules:
                provjump_rules.append(rule)
        self.assertEqual(1, len(provjump_rules))

        # remove a rule from the db, cast to compute to refresh rule
        db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id'])
        self.fw.refresh_provider_fw_rules()
        rules = [
            rule for rule in self.fw.iptables.ipv4['filter'].rules
            if rule.chain == 'provider'
        ]
        self.assertEqual(1, len(rules))