def test_slo_fw_update(self):
"""
Description: Verify security logging for inter-VN inter-Node traffic
with firewall policy and rules and verify SLO update
Steps:
1. create 2 VNs and connect them using network and firewall policy
2. launch 1 VM in each VN on diff compute node
3. set session export rate to 0
4. start udp traffic and verify the session logs in agent log
Pass criteria:
step 4 should pass
"""
created_objs = self._test_slo_with_fw()
eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6'
proto_str = 'any'
sg_rule_id_ingress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type,
proto=proto_str,
direction='ingress')[0]['id']
sg_rule_id_egress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type,
proto=proto_str,
direction='egress')[0]['id']
#Remove old slo from VNs
for vn in self.vn_fixtures:
vn.set_slo_list([])
#Create tenant level SLO with sg_rule_id_egress and add to VNs
project_name = self.project.project_name
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
rules_list = [{'uuid': sg_rule_id_egress, 'rate': 1}]
slo_fixture = self.create_slo(parent_obj,
rate=10,
rules_list=rules_list)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
#With tenant level SLO created above, Client session will match and logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture,
fw_objs_dict=created_objs['fw_objs'],
exp_srv_session_count=0)
#Update SLO with both rules
rules_list.append({'uuid': sg_rule_id_ingress, 'rate': 1})
self.update_slo(slo_fixture.obj, rules_list)
#Now both client and server sessions should get logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture,
fw_objs_dict=created_objs['fw_objs'])
def test_slo_fw_update(self):
"""
Description: Verify security logging for inter-VN inter-Node traffic
with firewall policy and rules and verify SLO update
Steps:
1. create 2 VNs and connect them using network and firewall policy
2. launch 1 VM in each VN on diff compute node
3. set session export rate to 0
4. start udp traffic and verify the session logs in agent log
Pass criteria:
step 4 should pass
"""
created_objs = self._test_slo_with_fw()
eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6'
proto_str = 'any'
sg_rule_id_ingress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id']
sg_rule_id_egress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type, proto=proto_str, direction='egress')[0]['id']
#Remove old slo from VNs
for vn in self.vn_fixtures:
vn.set_slo_list([])
#Create tenant level SLO with sg_rule_id_egress and add to VNs
project_name = self.project.project_name
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
rules_list = [{'uuid':sg_rule_id_egress, 'rate':1}]
slo_fixture = self.create_slo(parent_obj, rate=10, rules_list=rules_list)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
#With tenant level SLO created above, Client session will match and logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'],
exp_srv_session_count=0)
#Update SLO with both rules
rules_list.append({'uuid':sg_rule_id_ingress, 'rate':1})
self.update_slo(slo_fixture.obj, rules_list)
#Now both client and server sessions should get logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
def verify_flow_to_sg_rule_mapping(
self,
src_vm_fix,
dst_vm_fix,
src_vn_fix,
dst_vn_fix,
secgrp_id,
proto,
port):
''' this method verifies flow to security group mapping for both forward and reverse flow
for the given sec grp id'''
if self.option == 'openstack':
src_vn_fq_name = src_vn_fix.vn_fq_name
dst_vn_fq_name = dst_vn_fix.vn_fq_name
else:
src_vn_fq_name = ':'.join(src_vn_fix._obj.get_fq_name())
dst_vn_fq_name = ':'.join(dst_vn_fix._obj.get_fq_name())
nh_src = src_vm_fix.tap_intf[src_vn_fq_name]['flow_key_idx']
nh_dst = dst_vm_fix.tap_intf[dst_vn_fq_name]['flow_key_idx']
proto_num = {'udp': '17', 'tcp': '6', 'icmp': '1'}
test_result = True
rule_uuid = None
# get the egress rule uuid
rules = list_sg_rules(self.connections, secgrp_id)
af = self.inputs.get_af()
for rule in rules:
if rule['direction'] == 'egress' and \
((af == 'v4' and (rule['ethertype'] == 'IPv4' or \
rule['remote_ip_prefix'] == '0.0.0.0/0')) or \
(af == 'v6' and (rule['ethertype'] == 'IPv6' or \
rule['remote_ip_prefix'] == '::/0'))) and \
(rule['protocol'] == 'any' or rule['protocol'] == proto):
rule_uuid = rule['id']
break
assert rule_uuid, "Egress rule id could not be found"
# verify forward flow on src compute node
if not self.fetch_flow_verify_sg_uuid(
nh_src,
src_vm_fix,
dst_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
src_vm_fix.vm_node_ip):
test_result = False
# verify reverse flow on src compute node
if src_vm_fix.vm_node_ip == dst_vm_fix.vm_node_ip:
nh = nh_dst
else:
nh = nh_src
if not self.fetch_flow_verify_sg_uuid(
nh,
dst_vm_fix,
src_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
src_vm_fix.vm_node_ip):
test_result = False
if src_vm_fix.vm_node_ip != dst_vm_fix.vm_node_ip:
self.logger.info("verify on destination compute too, \
as source and destination computes are different")
# get the ingress rule uuid
rule_uuid = None
rules = list_sg_rules(self.connections, secgrp_id)
for rule in rules:
if rule['direction'] == 'ingress' and \
((af == 'v4' and (rule['ethertype'] == 'IPv4' or \
rule['remote_ip_prefix'] == '0.0.0.0/0' or \
rule['remote_group_id'] == secgrp_id)) or \
(af == 'v6' and (rule['ethertype'] == 'IPv6' or \
rule['remote_group_id'] == secgrp_id or \
rule['remote_ip_prefix'] == '::/0'))) and \
(rule['protocol'] == 'any' or rule['protocol'] == proto):
rule_uuid = rule['id']
break
assert rule_uuid, "Ingress rule id could not be found"
# verify forward flow on dst compute node
if not self.fetch_flow_verify_sg_uuid(
nh_dst,
src_vm_fix,
dst_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
dst_vm_fix.vm_node_ip):
test_result = False
# verify reverse flow on dst compute node
if not self.fetch_flow_verify_sg_uuid(
nh_dst,
dst_vm_fix,
src_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
dst_vm_fix.vm_node_ip):
test_result = False
return test_result
def verify_flow_to_sg_rule_mapping(
self,
src_vm_fix,
dst_vm_fix,
src_vn_fix,
dst_vn_fix,
secgrp_id,
proto,
port):
''' this method verifies flow to security group mapping for both forward and reverse flow
for the given sec grp id'''
if self.option == 'openstack':
src_vn_fq_name = src_vn_fix.vn_fq_name
dst_vn_fq_name = dst_vn_fix.vn_fq_name
else:
src_vn_fq_name = ':'.join(src_vn_fix._obj.get_fq_name())
dst_vn_fq_name = ':'.join(dst_vn_fix._obj.get_fq_name())
nh_src = src_vm_fix.tap_intf[src_vn_fq_name]['flow_key_idx']
nh_dst = dst_vm_fix.tap_intf[dst_vn_fq_name]['flow_key_idx']
proto_num = {'udp': '17', 'tcp': '6', 'icmp': '1'}
test_result = True
rule_uuid = None
# get the egress rule uuid
rules = list_sg_rules(self.connections, secgrp_id)
for rule in rules:
if rule['direction'] == 'egress' and (rule['ethertype'] == 'IPv4' or \
rule['remote_ip_prefix'] == '0.0.0.0/0') and \
(rule['protocol'] == 'any' or rule['protocol'] == proto):
rule_uuid = rule['id']
break
assert rule_uuid, "Egress rule id could not be found"
# verify forward flow on src compute node
if not self.fetch_flow_verify_sg_uuid(
nh_src,
src_vm_fix,
dst_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
src_vm_fix.vm_node_ip):
test_result = False
# verify reverse flow on src compute node
if src_vm_fix.vm_node_ip == dst_vm_fix.vm_node_ip:
nh = nh_dst
else:
nh = nh_src
if not self.fetch_flow_verify_sg_uuid(
nh,
dst_vm_fix,
src_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
src_vm_fix.vm_node_ip):
test_result = False
if src_vm_fix.vm_node_ip != dst_vm_fix.vm_node_ip:
self.logger.info("verify on destination compute too, \
as source and destination computes are different")
# get the ingress rule uuid
rule_uuid = None
rules = list_sg_rules(self.connections, secgrp_id)
for rule in rules:
if rule['direction'] == 'ingress' and \
(rule['ethertype'] == 'IPv4' or \
rule['remote_group_id'] == secgrp_id or \
rule['remote_ip_prefix'] == '0.0.0.0/0') and \
(rule['protocol'] == 'any' or rule['protocol'] == proto):
rule_uuid = rule['id']
break
assert rule_uuid, "Ingress rule id could not be found"
# verify forward flow on dst compute node
if not self.fetch_flow_verify_sg_uuid(
nh_dst,
src_vm_fix,
dst_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
dst_vm_fix.vm_node_ip):
test_result = False
# verify reverse flow on dst compute node
if not self.fetch_flow_verify_sg_uuid(
nh_dst,
dst_vm_fix,
src_vm_fix,
port,
port,
proto_num[proto],
rule_uuid,
dst_vm_fix.vm_node_ip):
test_result = False
return test_result
def test_slo_global(self):
"""
Description: Verify global security logging for inter-VN inter-Node traffic
with firewall policy and rules
Steps:
1. disable/enable global SLO flag and verify logging
2. Create global and tenant level SLO and verify logging
3. Delete global SLO and verify session get logged only matching tenant level SLO
Pass criteria:
All logging verifications should pass
"""
self.set_global_slo_flag(enable=False)
#Logged session should be 0 when global slo is disabled
created_objs = self._test_slo_with_fw(exp_srv_session_count=0,
exp_clnt_session_count=0)
self.set_global_slo_flag(enable=True)
#Logged session should be seen when global slo is enabled
self._test_slo_with_fw(create_resources=False,
slo_fixture=created_objs['slo_fix'],
fw_objs_dict=created_objs['fw_objs'])
eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6'
proto_str = 'any'
sg_rule_id_ingress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type,
proto=proto_str,
direction='ingress')[0]['id']
sg_rule_id_egress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type,
proto=proto_str,
direction='egress')[0]['id']
#Create global SLO using sg_rule_id_ingress
slo_rate = 10
rules_list = [{'uuid': sg_rule_id_ingress, 'rate': 100}]
g_slo_fixture = self.create_slo(rate=slo_rate, rules_list=rules_list)
#Remove old slo from VNs
for vn in self.vn_fixtures:
vn.set_slo_list([])
#Create tenant level SLO with sg_rule_id_egress and add to VNs
project_name = self.project.project_name
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
rules_list = [{'uuid': sg_rule_id_egress, 'rate': 1}]
slo_fixture = self.create_slo(parent_obj,
rate=slo_rate,
rules_list=rules_list)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
#With tenant level SLO created above, Client session will match and logged
#With global SLO, server session will match and logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture,
fw_objs_dict=created_objs['fw_objs'])
#Disable global slo again
self.set_global_slo_flag(enable=False)
#Now no logging should happen
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture,
fw_objs_dict=created_objs['fw_objs'],
exp_srv_session_count=0,
exp_clnt_session_count=0)
#Enable global slo again
self.set_global_slo_flag(enable=True)
#Delete global SLO
g_slo_fixture.cleanUp()
self._remove_fixture_from_cleanup(g_slo_fixture)
#Now only Client session should get logged matching tenant level SLO
#Server session should be 0 as it will match ingress rule
self._test_slo_with_fw(create_resources=False,
exp_srv_session_count=0,
slo_fixture=slo_fixture,
fw_objs_dict=created_objs['fw_objs'])
def start_traffic_validate_slo(self,
client_fixture,
server_fixture,
policy_fixture=None,
proto=1,
underlay_proto=0,
slo_rate=1,
sg_uuid=None):
'''
Start the traffic for protocol proto and validates the client and server
sessions logged matching SLO in agent log.
Supported proto is(are) 1, 17
'''
assert self.start_traffic(client_fixture, server_fixture, proto)
pkt_count = self.pkt_count
pkt_count2 = self.pkt_count2
client_port = self.client_port
service_port = self.service_port
srv_session_c_port = self.srv_session_c_port
srv_session_s_port = self.srv_session_s_port
proto = self.proto
exp_session_count = pkt_count / slo_rate if proto == 1 else None
eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6'
proto_str = 'any'
if sg_uuid is not None:
sg_rule_id_ingress = list_sg_rules(self.connections,
sg_uuid,
eth_type=eth_type,
proto=proto_str,
direction='ingress')[0]['id']
sg_rule_id_egress = list_sg_rules(self.connections,
sg_uuid,
eth_type=eth_type,
proto=proto_str,
direction='egress')[0]['id']
else:
sg_rule_id_ingress = sg_rule_id_egress = UUID_RE
tcp_flags = 120 if proto == 6 else 0
project_fqname = ':'.join(self.project.project_fq_name)
client_vmi_fqname = project_fqname + ':' +\
client_fixture.vmi_ids[client_fixture.vn_fq_name]
is_client_session = 1
if policy_fixture:
policy_api_obj = self.vnc_lib.network_policy_read(
id=policy_fixture.get_id())
nw_ace_uuid = policy_api_obj.get_network_policy_entries(
).policy_rule[0].rule_uuid
else:
nw_ace_uuid = UUID_RE
expected_client_session = LOGGED_SESSION % (
client_vmi_fqname,
client_fixture.vn_fq_name,
FIREWALL_RULE_ID_DEFAULT,
server_fixture.vn_fq_name,
is_client_session,
0,
client_fixture.vm_node_ip,
client_fixture.vm_ip,
service_port,
proto,
INT_RE,
pkt_count2,
INT_RE,
pkt_count2,
server_fixture.vm_ip,
client_port,
INT_RE,
pkt_count2,
UUID_RE,
tcp_flags,
INT_RE, #Fwd flow info
'pass',
sg_rule_id_egress,
nw_ace_uuid,
INT_RE,
INT_RE,
pkt_count2,
UUID_RE,
tcp_flags,
INT_RE, #Reverse flow info
'pass',
sg_rule_id_egress,
nw_ace_uuid,
INT_RE,
client_fixture.vm_id,
server_fixture.vm_node_ip,
underlay_proto)
self.sleep(1)
#Verify No. of Client sessions
result, output = self.verify_no_of_sessions_in_agent_log(
client_fixture.vm_node_ip, expected_client_session,
exp_session_count)
assert result, (
"Expected no. of client session not found in agent log "
"for protocol %s, exp:%s, got:%s" %
(proto, exp_session_count, output))
server_vmi_fqname = project_fqname + ':' +\
server_fixture.vmi_ids[server_fixture.vn_fq_name]
is_client_session = 0
expected_server_session = LOGGED_SESSION % (
server_vmi_fqname, server_fixture.vn_fq_name,
FIREWALL_RULE_ID_DEFAULT, client_fixture.vn_fq_name,
is_client_session, 0, server_fixture.vm_node_ip,
server_fixture.vm_ip, srv_session_s_port, proto, INT_RE,
pkt_count2, INT_RE, pkt_count2, client_fixture.vm_ip,
srv_session_c_port, INT_RE, pkt_count2, UUID_RE, tcp_flags, INT_RE,
'pass', sg_rule_id_ingress, nw_ace_uuid, INT_RE, INT_RE,
pkt_count2, UUID_RE, tcp_flags, INT_RE, 'pass', sg_rule_id_ingress,
nw_ace_uuid, INT_RE, server_fixture.vm_id,
client_fixture.vm_node_ip, underlay_proto)
#Verify No. of Server sessions
result, output = self.verify_no_of_sessions_in_agent_log(
server_fixture.vm_node_ip, expected_server_session,
exp_session_count)
import pdb
pdb.set_trace()
assert result, (
"Expected no. of server sessions not found in agent log"
" for protocol %s, exp:%s, got:%s" %
(proto, exp_session_count, output))
self.sleep(1)
self.delete_all_flows_on_vms_compute([client_fixture, server_fixture])
def test_slo_global(self):
"""
Description: Verify global security logging for inter-VN inter-Node traffic
with firewall policy and rules
Steps:
1. disable/enable global SLO flag and verify logging
2. Create global and tenant level SLO and verify logging
3. Delete global SLO and verify session get logged only matching tenant level SLO
Pass criteria:
All logging verifications should pass
"""
self.set_global_slo_flag(enable=False)
#Logged session should be 0 when global slo is disabled
created_objs = self._test_slo_with_fw(exp_srv_session_count=0,exp_clnt_session_count=0)
self.set_global_slo_flag(enable=True)
#Logged session should be seen when global slo is enabled
self._test_slo_with_fw(create_resources=False,
slo_fixture=created_objs['slo_fix'],
fw_objs_dict=created_objs['fw_objs'])
eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6'
proto_str = 'any'
sg_rule_id_ingress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id']
sg_rule_id_egress = list_sg_rules(self.connections,
created_objs['sg_obj'].uuid,
eth_type=eth_type, proto=proto_str, direction='egress')[0]['id']
#Create global SLO using sg_rule_id_ingress
slo_rate = 10
rules_list = [{'uuid':sg_rule_id_ingress, 'rate':100}]
g_slo_fixture = self.create_slo(rate=slo_rate, rules_list=rules_list)
#Remove old slo from VNs
for vn in self.vn_fixtures:
vn.set_slo_list([])
#Create tenant level SLO with sg_rule_id_egress and add to VNs
project_name = self.project.project_name
parent_obj = self.vnc_h.project_read(
fq_name=[self.connections.domain_name, project_name])
rules_list = [{'uuid':sg_rule_id_egress, 'rate':1}]
slo_fixture = self.create_slo(parent_obj, rate=slo_rate, rules_list=rules_list)
for vn in self.vn_fixtures:
self.add_slo_to_vn(slo_fixture, vn)
#With tenant level SLO created above, Client session will match and logged
#With global SLO, server session will match and logged
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
#Disable global slo again
self.set_global_slo_flag(enable=False)
#Now no logging should happen
self._test_slo_with_fw(create_resources=False,
slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'],
exp_srv_session_count=0, exp_clnt_session_count=0)
#Enable global slo again
self.set_global_slo_flag(enable=True)
#Delete global SLO
g_slo_fixture.cleanUp()
self._remove_fixture_from_cleanup(g_slo_fixture)
#Now only Client session should get logged matching tenant level SLO
#Server session should be 0 as it will match ingress rule
self._test_slo_with_fw(create_resources=False,
exp_srv_session_count=0,
slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
