def generate_random_rules(max_rule_num): src_ip_list = ['10.1.1.%d' % x for x in range(1, 255)] src_ip6_list = ['1000::%d' % x for x in range(101, 300)] dst_port_list = range(20, 200) dst_ip4 = '192.168.0.1' dst_ip6 = '1::1' rule_type_list = [cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, cfg.VrfIncomingSvcsRule.RULE_TYPE_IP] af_list = [socket.AF_INET, socket.AF_INET6] proto_list = [cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP, cfg.VrfIncomingSvcsRule.RULE_PROTO_UDP] action_list = [cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY, cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW] prefix_list = [8, 16, 24, 32] prefix6_list = [8, 16, 24, 32, 64, 128] bool_list = [True, False] rule_id_list = range(10000, 10200) intf_list = [None, 'vdef-nsid1024', 'lo'] rules = [] for idx in xrange(max_rule_num): vrf_name = get_rand_list_item(vrf_name_list) af = get_rand_list_item(af_list) action = get_rand_list_item(action_list) rule_type = get_rand_list_item(rule_type_list) seq_num = random.randint(1, 1000) if get_rand_list_item(bool_list): rule_id = get_rand_list_item(rule_id_list, True) else: rule_id = None high_prio = get_rand_list_item(bool_list) if rule_type == cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL: if af == socket.AF_INET: src_ip = get_rand_list_item(src_ip_list, True) prefix_len = get_rand_list_item(prefix_list) else: src_ip = get_rand_list_item(src_ip6_list, True) prefix_len = get_rand_list_item(prefix6_list) if src_ip is None: break in_intf = get_rand_list_item(intf_list) rule = cfg.VrfIncomingSvcsRule(rule_type, vrf_name, action, af, src_ip = socket.inet_pton(af, src_ip), prefix_len = prefix_len, seq_num = seq_num, rule_id = rule_id, high_prio = high_prio, in_intf = in_intf) else: proto = get_rand_list_item(proto_list) dst_port = get_rand_list_item(dst_port_list, True) if dst_port is None: break if vrf_name != 'default': action = cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT if af == socket.AF_INET: dst_ip = dst_ip4 else: dst_ip = dst_ip6 else: dst_ip = None rule = cfg.VrfIncomingSvcsRule(rule_type, vrf_name, action, af, protocol = proto, dst_port = dst_port, dst_ip = (None if dst_ip is None else socket.inet_pton(af, dst_ip)), seq_num = seq_num, rule_id = rule_id, high_prio = high_prio) rules.append(rule) return rules
def test_rule_obj(): af = socket.AF_INET rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf', cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, af, src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24, protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP, dst_port = 8080, seq_num = 100, rule_id = 1) rule2 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf', cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY, af, src_ip = socket.inet_pton(af, '1.1.2.0'), prefix_len = 24, protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_UDP, dst_port = 1000, seq_num = 110, rule_id = 2) assert rule1.get_rule_type_name() == 'ACL' assert rule1.get_af_name() == 'IPv4' assert rule1.get_action_name() == 'allow' assert rule1.get_proto_name() == 'tcp' print 'IPv4 rule created:' print str(rule1) print str(rule2) assert rule1 == rule1 assert not rule1 == rule2 assert rule1.match(src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24) assert not rule2.match(src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24) af = socket.AF_INET6 rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_IP, 'test_vrf', cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT, af, src_ip = socket.inet_pton(af, '1::1'), prefix_len = 128, dst_ip = socket.inet_pton(af, '2::1'), protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_ICMP) rule2 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_IP, 'test_vrf', cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT, af, src_ip = socket.inet_pton(af, '1::2'), prefix_len = 128, dst_ip = socket.inet_pton(af, '2::1'), seq_num = 20) print 'IPv6 rule created:' print str(rule1) print str(rule2) assert rule1 == rule1 assert not rule1 == rule2 assert rule1.match(src_ip = socket.inet_pton(af, '1::1')) assert not rule2.match(src_ip = socket.inet_pton(af, '1::1')) with pytest.raises(ValueError): rule = cfg.VrfIncomingSvcsRule(100, 'vrf', 1, socket.AF_INET6) with pytest.raises(ValueError): rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 1, 50) with pytest.raises(ValueError): rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 1, socket.AF_INET, protocol = 6) with pytest.raises(ValueError): rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 6, socket.AF_INET)
def test_rule_list(): id_gen = IdGenerator() prefix_len_list = [8, 16, 24, 32] action_list = [cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY] src_ip_list = [] for idx in range(1, 250): src_ip_list.append('2.2.2.' + str(idx)) rule_list = cfg.VrfIncomingSvcsRuleList() af = socket.AF_INET rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf', cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, af, src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24, protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP, dst_port = 8080, seq_num = 100) assert rule_list.insert(rule1) is None rule1.rule_id = 5 assert rule_list.insert(rule1) == 0 assert len(rule_list) == 1 new_rule = copy.deepcopy(rule1) # duplicate insert is not allowed assert rule_list.insert(new_rule) is None new_rule.rule_id = None # delete rule by rule attribute match assert rule_list.remove(new_rule) is not None assert len(rule_list) == 0 rule1.rule_id = 10 assert rule_list.insert(rule1) == 0 assert rule_list.remove_by_id(10) is not None assert len(rule_list) == 0 assert len(rule_list.seq_num_list) == 0 assert len(rule_list.rule_id_map) == 0 test_rule_num = 20 rule_id_list = [] while test_rule_num > 0: src_ip = get_rand_list_item(src_ip_list, True) if src_ip is None: break prefix_len = get_rand_list_item(prefix_len_list) action = get_rand_list_item(action_list) rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, "test_vrf", action, af, src_ip = socket.inet_pton(socket.AF_INET, src_ip), prefix_len = prefix_len, seq_num = random.randint(1, 1000), rule_id = id_gen.get_new_id()) print 'Add rule to list: %s' % rule idx = rule_list.insert(rule) assert idx is not None check_rule_list(rule_list) rule_id_list.append(rule.rule_id) test_rule_num -= 1 assert len(rule_list) == 20 assert len(rule_id_list) == 20 print 'Rule IDs: %s' % rule_id_list # clone rule list new_list = copy.deepcopy(rule_list) assert len(new_list) == 20 # delete all rules while len(rule_id_list) > 0: rule_id = get_rand_list_item(rule_id_list, True) print 'Delete rule ID %d' % rule_id assert rule_list.remove_by_id(rule_id) is not None check_rule_list(rule_list) assert len(rule_list) == 0 assert len(rule_list.seq_num_list) == 0 assert len(rule_list.rule_id_map) == 0 print 'All rules were deleted' new_list.clear() assert len(new_list) == 0 assert len(new_list.seq_num_list) == 0 assert len(new_list.rule_id_map) == 0
def test_ipt_rule_check(): print 'Test system rule check with cache' rule_list = generate_random_rules(test_rule_count) # test for 0 ip address matching rule_list.append(cfg.VrfIncomingSvcsRule(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, 'test_management', cfg.VrfSvcsRuleAction.RULE_ACTION_ALLOW, socket.AF_INET, src_ip = socket.inet_pton(socket.AF_INET, '0.0.0.0'), src_prefix_len = 0, seq_num = 9998)) rule_list.append(cfg.VrfIncomingSvcsRule(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, 'test_management', cfg.VrfSvcsRuleAction.RULE_ACTION_ALLOW, socket.AF_INET6, src_ip = socket.inet_pton(socket.AF_INET6, '::'), src_prefix_len = 0, seq_num = 9999)) print 'Install ACL rules to system:' for rule in rule_list: print str(rule) assert cfg.VrfIncomingSvcsRuleCache.insert_rule(rule) print 'Checking installed ACL rules' for af in [socket.AF_INET, socket.AF_INET6]: for vrf_name in cfg.VrfIncomingSvcsRuleCache.acl_rules[af]: assert cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, af, vrf_name) for vrf_name in cfg.VrfIncomingSvcsRuleCache.ip_rules[af]: assert cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(cfg.VrfSvcsRuleType.RULE_TYPE_IP, af, vrf_name) print '%d rules in cache and system are synchronized' % len(rule_list) # Get installed rules from system get_rule_list = [] for rule_type in [cfg.VrfSvcsRuleType.RULE_TYPE_ACL, cfg.VrfSvcsRuleType.RULE_TYPE_IP]: for af in [socket.AF_INET, socket.AF_INET6]: for vrf_name in vrf_name_list: assert cfg.IptablesHandler.get_rule_from_ipt(rule_type, af, vrf_name, get_rule_list) assert len(get_rule_list) == len(rule_list) print 'ACL rules read from system:' for rule in get_rule_list: print str(rule) rule_idx_list = range(len(rule_list)) cache_del_rules = [] ipt_del_rules = [] sync_key_set = set() for num in range(len(rule_list) / 2): idx = get_rand_list_item(rule_idx_list, True) rule = rule_list[idx] if num <= len(rule_list) / 4: cache_del_rules.append(rule) else: ipt_del_rules.append(rule) sync_key_set.add((rule.rule_type, rule.af, rule.vrf_name)) for rule in cache_del_rules: if rule.rule_type == cfg.VrfSvcsRuleType.RULE_TYPE_ACL: rule_list = cfg.VrfIncomingSvcsRuleCache.acl_rules[rule.af][rule.vrf_name] else: rule_list = cfg.VrfIncomingSvcsRuleCache.ip_rules[rule.af][rule.vrf_name] assert rule_list.remove(rule) is not None assert cfg.VrfIncomingSvcsRuleCache.id_generator.release_id(rule.rule_id) for rule in ipt_del_rules: assert cfg.IptablesHandler.proc_rule('delete', rule) for rule_type, af, vrf_name in sync_key_set: print 'Expect failure for checking rules for TYPE %d AF %d VRF %s' % (rule_type, af, vrf_name) assert not cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(rule_type, af, vrf_name) # Clear all rules from cache and system for rule in ipt_del_rules: if rule.rule_type == cfg.VrfSvcsRuleType.RULE_TYPE_ACL: rule_list = cfg.VrfIncomingSvcsRuleCache.acl_rules[rule.af][rule.vrf_name] else: rule_list = cfg.VrfIncomingSvcsRuleCache.ip_rules[rule.af][rule.vrf_name] assert rule_list.remove(rule) is not None assert cfg.VrfIncomingSvcsRuleCache.id_generator.release_id(rule.rule_id) for rule in cache_del_rules: assert cfg.IptablesHandler.proc_rule('delete', rule) cfg.VrfIncomingSvcsRuleCache.clear_all_rules() # Check if system rule cleared rule_list = [] for rule_type in [cfg.VrfSvcsRuleType.RULE_TYPE_ACL, cfg.VrfSvcsRuleType.RULE_TYPE_IP]: for af in [socket.AF_INET, socket.AF_INET6]: for vrf_name in vrf_name_list: assert cfg.IptablesHandler.get_rule_from_ipt(rule_type, af, vrf_name, rule_list) assert len(rule_list) == 0