    def _add_sg_rule_acl_for_port(self, admin_context, port, r, sg_ports_cache,
                                  subnet_cache):
        """Build the OVN ACL for security-group rule ``r`` applied to ``port``.

        The ACL match expression is assembled from fragments returned by the
        ``ovn_acl`` helpers, always in the same order: direction, ethertype,
        remote IP prefix, remote security group, then protocol/ports.  No
        validation of the rule's fields happens here; whatever checking of
        ``remote_ip_prefix`` or port ranges exists lives in those helpers.

        :param admin_context: context handed to ``_acl_remote_group_id`` for
            the remote-group lookup.
        :param port: the port the ACL is generated for.
        :param r: the security-group rule (dict-like).
        :param sg_ports_cache: cache passed through to ``_acl_remote_group_id``.
        :param subnet_cache: cache passed through to ``_acl_remote_group_id``.
        :returns: whatever ``ovn_acl.add_sg_rule_acl_for_port`` returns, or
            ``None`` when the rule's remote group has no other ports -- in that
            case no ACL row is created for the rule at all.
        """
        # Direction (ingress/egress) decides which side of the packet the
        # remote fields below are matched against.
        direction_match, remote_portdir = ovn_acl.acl_direction(r, port)
        fragments = [direction_match]

        # Ethertype (IPv4 vs IPv6); ``icmp`` is reused for the protocol
        # fragment at the end.
        ethertype_match, ip_version, icmp = ovn_acl.acl_ethertype(r)
        fragments.append(ethertype_match)

        # Optional remote IPv4/IPv6 prefix (empty string when the rule has none).
        fragments.append(ovn_acl.acl_remote_ip_prefix(r, ip_version))

        # Optional remote security group, resolved to the addresses of its
        # other member ports.
        group_match, empty_match = self._acl_remote_group_id(
            admin_context, r, sg_ports_cache, subnet_cache, port,
            remote_portdir, ip_version)
        if empty_match:
            # The remote group has no other ports, so the rule can never
            # match: emit no ACL row rather than an unsatisfiable one.
            return None
        fragments.append(group_match)

        # Protocol (tcp/udp/icmp) plus port or ICMP type range, if specified.
        fragments.append(ovn_acl.acl_protocol_and_ports(r, icmp))

        return ovn_acl.add_sg_rule_acl_for_port(port, r, ''.join(fragments))
    def _add_sg_rule_acl_for_port(self, admin_context, port, r,
                                  sg_ports_cache, subnet_cache):
        """Create the OVN ACL entry for security-group rule ``r`` on ``port``.

        The match expression is the concatenation, in this fixed order, of the
        fragments produced by ``ovn_acl.acl_direction``, ``acl_ethertype``,
        ``acl_remote_ip_prefix``, ``_acl_remote_group_id`` and
        ``acl_protocol_and_ports``.  Nothing in this method inspects or
        validates the rule's fields itself; that is left to those helpers.

        :param admin_context: context used by ``_acl_remote_group_id``.
        :param port: the port the ACL is generated for.
        :param r: the security-group rule.
        :param sg_ports_cache: cache forwarded to ``_acl_remote_group_id``.
        :param subnet_cache: cache forwarded to ``_acl_remote_group_id``.
        :returns: the result of ``ovn_acl.add_sg_rule_acl_for_port``, or
            ``None`` when the remote security group has no other ports (the
            rule can never match, so no ACL row is created).
        """
        direction_match, remote_portdir = ovn_acl.acl_direction(r, port)
        ethertype_match, ip_version, icmp = ovn_acl.acl_ethertype(r)
        prefix_match = ovn_acl.acl_remote_ip_prefix(r, ip_version)
        group_match, empty_match = self._acl_remote_group_id(
            admin_context, r, sg_ports_cache, subnet_cache, port,
            remote_portdir, ip_version)
        if empty_match:
            # Remote group has no other member ports: an ACL for this rule
            # could never match, so none is emitted.
            return None
        # Protocol/ports is only evaluated once we know an ACL will be built.
        proto_match = ovn_acl.acl_protocol_and_ports(r, icmp)

        acl_match = (direction_match + ethertype_match + prefix_match
                     + group_match + proto_match)
        return ovn_acl.add_sg_rule_acl_for_port(port, r, acl_match)
    def test_acl_remote_ip_prefix(self):
        """``acl_remote_ip_prefix`` maps a rule's prefix onto src/dst by direction.

        Checks three cases: a rule with no prefix yields an empty fragment; an
        ingress rule constrains ``<ip_version>.src``; an egress rule constrains
        ``<ip_version>.dst``.  Only a well-formed IPv4 prefix is exercised here;
        IPv6 and malformed prefix strings are not covered by this test.
        """
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'direction': 'ingress',
            'remote_ip_prefix': None
        }).info()
        ip_version = 'ip4'
        prefix = '10.10.0.0/24'

        # No prefix on the rule: nothing is appended to the match.
        self.assertEqual('', ovn_acl.acl_remote_ip_prefix(rule, ip_version))

        # With a prefix, ingress matches the source and egress the destination.
        rule['remote_ip_prefix'] = prefix
        for direction, template in (('ingress', ' && %s.src == %s'),
                                    ('egress', ' && %s.dst == %s')):
            rule['direction'] = direction
            expected = template % (ip_version, prefix)
            self.assertEqual(expected,
                             ovn_acl.acl_remote_ip_prefix(rule, ip_version))
    def test_acl_remote_ip_prefix(self):
        """Verify the remote-prefix fragment of the ACL match.

        A rule without ``remote_ip_prefix`` contributes an empty string; once a
        prefix is set, an ingress rule produces ``' && ip4.src == <prefix>'``
        and an egress rule ``' && ip4.dst == <prefix>'``.  Only a single valid
        IPv4 prefix is used; no IPv6 or malformed input is exercised here.
        """
        ip_version = 'ip4'
        prefix = '10.10.0.0/24'
        rule = fakes.FakeSecurityGroupRule.create_one_security_group_rule({
            'direction': 'ingress',
            'remote_ip_prefix': None
        }).info()

        def build():
            return ovn_acl.acl_remote_ip_prefix(rule, ip_version)

        # Rule without a prefix adds nothing to the match.
        self.assertEqual('', build())

        # Ingress: the prefix constrains the packet source.
        rule['remote_ip_prefix'] = prefix
        self.assertEqual(' && %s.src == %s' % (ip_version, prefix), build())

        # Egress: the same prefix constrains the destination instead.
        rule['direction'] = 'egress'
        self.assertEqual(' && %s.dst == %s' % (ip_version, prefix), build())