def test_add_acls_with_sec_group(self):
expected_acls = []
expected_acls += ovn_acl.drop_all_ip_traffic_for_port(
self.fake_port_sg)
expected_acls += ovn_acl.add_acl_dhcp(
self.fake_port_sg, self.fake_subnet)
sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
self.fake_port_sg, self.fake_sg_rule,
'outport == "' + self.fake_port_sg['id'] + '" ' +
'&& ip4 && ip4.src == 0.0.0.0/0 ' +
'&& tcp && tcp.dst == 22')
expected_acls.append(sg_rule_acl)
# Test with caches
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
self.fake_port_sg,
self.sg_cache,
self.sg_ports_cache,
self.subnet_cache)
self.assertEqual(expected_acls, acls)
# Test without caches
with mock.patch('neutron.db.db_base_plugin_v2.'
'NeutronDbPluginV2.get_subnet',
return_value=self.fake_subnet), \
mock.patch('neutron.db.securitygroups_db.'
'SecurityGroupDbMixin.get_security_group',
return_value=self.fake_sg):
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
self.fake_port_sg,
{}, {}, {})
self.assertEqual(expected_acls, acls)
def _add_acls(self, admin_context, port, sg_cache, sg_ports_cache,
subnet_cache):
acl_list = []
sec_groups = port.get('security_groups', [])
if not sec_groups:
return acl_list
# Drop all IP traffic to and from the logical port by default.
acl_list += ovn_acl.drop_all_ip_traffic_for_port(port)
for ip in port['fixed_ips']:
subnet = ovn_acl._get_subnet_from_cache(self._plugin,
admin_context,
subnet_cache,
ip['subnet_id'])
if subnet['ip_version'] != 4:
continue
acl_list += ovn_acl.add_acl_dhcp(port, subnet)
# We create an ACL entry for each rule on each security group applied
# to this port.
for sg_id in sec_groups:
sg = ovn_acl._get_sg_from_cache(self._plugin, admin_context,
sg_cache, sg_id)
for r in sg['security_group_rules']:
acl = self._add_sg_rule_acl_for_port(admin_context, port, r,
sg_ports_cache,
subnet_cache)
if acl and acl not in acl_list:
acl_list.append(acl)
return acl_list
def test_drop_all_ip_traffic_for_port(self):
acls = ovn_acl.drop_all_ip_traffic_for_port(self.fake_port)
acl_to_lport = {
'action': 'drop',
'direction': 'to-lport',
'external_ids': {
'neutron:lport': self.fake_port['id']
},
'log': False,
'lport': self.fake_port['id'],
'lswitch': 'neutron-network_id1',
'match': 'outport == "fake_port_id1" && ip',
'priority': 1001
}
acl_from_lport = {
'action': 'drop',
'direction': 'from-lport',
'external_ids': {
'neutron:lport': self.fake_port['id']
},
'log': False,
'lport': self.fake_port['id'],
'lswitch': 'neutron-network_id1',
'match': 'inport == "fake_port_id1" && ip',
'priority': 1001
}
for acl in acls:
if 'to-lport' in acl.values():
self.assertEqual(acl_to_lport, acl)
if 'from-lport' in acl.values():
self.assertEqual(acl_from_lport, acl)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
fake_port_sg = fakes.FakePort.create_one_port(
attrs={
'security_groups': [self.fake_sg['id']],
'fixed_ips': [{
'subnet_id': self.fake_subnet['id'],
'ip_address': '10.10.10.20'
}]
}).info()
expected_acls = []
expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg)
if not native_dhcp:
expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg,
self.fake_subnet)
sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
fake_port_sg, self.fake_sg_rule,
'outport == "' + fake_port_sg['id'] + '" ' +
'&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22')
expected_acls.append(sg_rule_acl)
# Test with caches
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
fake_port_sg, self.sg_cache, self.subnet_cache)
self.assertEqual(expected_acls, acls)
# Test without caches
with mock.patch('neutron.db.db_base_plugin_v2.'
'NeutronDbPluginV2.get_subnet',
return_value=self.fake_subnet), \
mock.patch('neutron.db.securitygroups_db.'
'SecurityGroupDbMixin.get_security_group',
return_value=self.fake_sg):
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
fake_port_sg, {}, {})
self.assertEqual(expected_acls, acls)
# Test with security groups disabled
with mock.patch('networking_ovn.common.acl.is_sg_enabled',
return_value=False):
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
fake_port_sg, self.sg_cache,
self.subnet_cache)
self.assertEqual([], acls)
# Test with multiple fixed IPs on the same subnet.
fake_port_sg['fixed_ips'].append({
'subnet_id': self.fake_subnet['id'],
'ip_address': '10.10.10.21'
})
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
fake_port_sg, self.sg_cache, self.subnet_cache)
self.assertEqual(expected_acls, acls)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
fake_port_sg = fakes.FakePort.create_one_port(
attrs={
"security_groups": [self.fake_sg["id"]],
"fixed_ips": [{"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.20"}],
}
).info()
expected_acls = []
expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg)
if not native_dhcp:
expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet)
sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
fake_port_sg,
self.fake_sg_rule,
'outport == "' + fake_port_sg["id"] + '" ' + "&& ip4 && ip4.src == 0.0.0.0/0 " + "&& tcp && tcp.dst == 22",
)
expected_acls.append(sg_rule_acl)
# Test with caches
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache)
self.assertEqual(expected_acls, acls)
# Test without caches
with mock.patch(
"neutron.db.db_base_plugin_v2." "NeutronDbPluginV2.get_subnet", return_value=self.fake_subnet
), mock.patch(
"neutron.db.securitygroups_db." "SecurityGroupDbMixin.get_security_group", return_value=self.fake_sg
):
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {})
self.assertEqual(expected_acls, acls)
# Test with security groups disabled
with mock.patch("networking_ovn.common.acl.is_sg_enabled", return_value=False):
acls = ovn_acl.add_acls(
self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache
)
self.assertEqual([], acls)
# Test with multiple fixed IPs on the same subnet.
fake_port_sg["fixed_ips"].append({"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.21"})
acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache)
self.assertEqual(expected_acls, acls)
def test_drop_all_ip_traffic_for_port(self):
acls = ovn_acl.drop_all_ip_traffic_for_port(self.fake_port)
acl_to_lport = {'action': 'drop', 'direction': 'to-lport',
'external_ids': {'neutron:lport':
self.fake_port['id']},
'log': False, 'lport': self.fake_port['id'],
'lswitch': 'neutron-network_id1',
'match': 'outport == "fake_port_id1" && ip',
'priority': 1001}
acl_from_lport = {'action': 'drop', 'direction': 'from-lport',
'external_ids': {'neutron:lport':
self.fake_port['id']},
'log': False, 'lport': self.fake_port['id'],
'lswitch': 'neutron-network_id1',
'match': 'inport == "fake_port_id1" && ip',
'priority': 1001}
for acl in acls:
if 'to-lport' in acl.values():
self.assertEqual(acl_to_lport, acl)
if 'from-lport' in acl.values():
self.assertEqual(acl_from_lport, acl)
def _add_acls(self,
admin_context,
port,
sg_cache,
sg_ports_cache,
subnet_cache):
acl_list = []
sec_groups = port.get('security_groups', [])
if not sec_groups:
return acl_list
# Drop all IP traffic to and from the logical port by default.
acl_list += ovn_acl.drop_all_ip_traffic_for_port(port)
for ip in port['fixed_ips']:
subnet = ovn_acl._get_subnet_from_cache(self._plugin,
admin_context,
subnet_cache,
ip['subnet_id'])
if subnet['ip_version'] != 4:
continue
acl_list += ovn_acl.add_acl_dhcp(port, subnet)
# We create an ACL entry for each rule on each security group applied
# to this port.
for sg_id in sec_groups:
sg = ovn_acl._get_sg_from_cache(self._plugin,
admin_context,
sg_cache,
sg_id)
for r in sg['security_group_rules']:
acl = self._add_sg_rule_acl_for_port(admin_context,
port, r,
sg_ports_cache,
subnet_cache)
if acl and acl not in acl_list:
acl_list.append(acl)
return acl_list
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
fake_port_sg = fakes.FakePort.create_one_port(
attrs={'security_groups': [self.fake_sg['id']],
'fixed_ips': [{'subnet_id': self.fake_subnet['id'],
'ip_address': '10.10.10.20'}]}
).info()
expected_acls = []
expected_acls += ovn_acl.drop_all_ip_traffic_for_port(
fake_port_sg)
if not native_dhcp:
expected_acls += ovn_acl.add_acl_dhcp(
fake_port_sg, self.fake_subnet)
sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
fake_port_sg, self.fake_sg_rule,
'outport == "' + fake_port_sg['id'] + '" ' +
'&& ip4 && ip4.src == 0.0.0.0/0 ' +
'&& tcp && tcp.dst == 22')
expected_acls.append(sg_rule_acl)
# Test with caches
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
fake_port_sg,
self.sg_cache,
self.subnet_cache)
self.assertEqual(expected_acls, acls)
# Test without caches
with mock.patch('neutron.db.db_base_plugin_v2.'
'NeutronDbPluginV2.get_subnet',
return_value=self.fake_subnet), \
mock.patch('neutron.db.securitygroups_db.'
'SecurityGroupDbMixin.get_security_group',
return_value=self.fake_sg):
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
fake_port_sg,
{}, {})
self.assertEqual(expected_acls, acls)
# Test with security groups disabled
with mock.patch('networking_ovn.common.acl.is_sg_enabled',
return_value=False):
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
fake_port_sg,
self.sg_cache,
self.subnet_cache)
self.assertEqual([], acls)
# Test with multiple fixed IPs on the same subnet.
fake_port_sg['fixed_ips'].append({'subnet_id': self.fake_subnet['id'],
'ip_address': '10.10.10.21'})
acls = ovn_acl.add_acls(self.mech_driver._plugin,
mock.Mock(),
fake_port_sg,
self.sg_cache,
self.subnet_cache)
self.assertEqual(expected_acls, acls)
