def _assect_ndp_proxy_rules_is_set(self, ip_wrapper, iptables_manager,
interface_name, namespace):
expected_iptable_rules = []
expected_proxy_address = []
for ndp_proxy in self.ndp_proxies:
rule = '-i %s --destination %s -j ACCEPT' % (interface_name,
ndp_proxy.ip_address)
rule_obj = iptable_mng.IptablesRule('NDP', rule, True, True,
iptables_manager.wrap_name)
expected_iptable_rules.append(rule_obj)
expected_proxy_address.append(str(ndp_proxy.ip_address))
def check_rules_is_set():
existing_iptable_rules = iptables_manager.ipv6['filter'].rules
for iptable_rule in expected_iptable_rules:
if iptable_rule not in existing_iptable_rules:
return False
existing_proxy_addresses = self._get_existing_ndp_proxies(
interface_name, namespace)
for address in expected_proxy_address:
if address not in existing_proxy_addresses:
return False
return True
common_utils.wait_until_true(check_rules_is_set)
def _assert_ndp_proxy_state_iptable_rules_is_set(
self, ri, iptables_manager, interface_name):
wrap_name = iptables_manager.wrap_name
expected_rules = []
for port in ri.internal_ports:
for subnet in port['subnets']:
if netaddr.IPNetwork(subnet['cidr']).version == \
constants.IP_VERSION_4:
continue
rule = (
'-i %s --destination %s -j '
'%s-NDP') % (interface_name,
subnet['cidr'],
wrap_name)
rule_obj = iptable_mng.IptablesRule(
'FORWARD', rule, True, False, iptables_manager.wrap_name)
expected_rules.append(rule_obj)
def check_rules_is_set():
existing_rules = iptables_manager.ipv6['filter'].rules
for rule in expected_rules:
if rule not in existing_rules:
return False
return True
common_utils.wait_until_true(check_rules_is_set)
def _assert_ndp_iptable_chain_is_set(self, iptables_manager,
interface_name):
rule = '-i %s -j DROP' % interface_name
rule_obj = iptable_mng.IptablesRule('NDP', rule, True, False,
iptables_manager.wrap_name)
def check_chain_is_set():
existing_chains = iptables_manager.ipv6['filter'].chains
if 'NDP' not in existing_chains:
return False
existing_rules = iptables_manager.ipv6['filter'].rules
if rule_obj in existing_rules:
return True
common_utils.wait_until_true(check_chain_is_set)
def _assert_port_forwarding_iptables_is_set(self, router_info, pf):
(interface_name, namespace, iptables_manager
) = self.fip_pf_ext._get_resource_by_router(router_info)
chain_rule = self.fip_pf_ext._get_fip_rules(
pf, iptables_manager.wrap_name)[1]
chain_name = chain_rule[0]
rule = chain_rule[1]
rule_tag = 'fip_portforwarding-' + pf.id
rule_obj = iptable_mng.IptablesRule(chain_name, rule, True, False,
iptables_manager.wrap_name,
rule_tag, None)
def check_chain_rules_set():
existing_chains = iptables_manager.ipv4['nat'].chains
if chain_name not in existing_chains:
return False
existing_rules = iptables_manager.ipv4['nat'].rules
return rule_obj in existing_rules
common_utils.wait_until_true(check_chain_rules_set)
def _assert_conntrack_helper_iptables_is_set(self, router_info, cth):
iptables_manager = self.cth_ext._get_iptables_manager(router_info)
tag = conntrack_helper.CONNTRACK_HELPER_PREFIX + cth.id
chain_name = (conntrack_helper.CONNTRACK_HELPER_CHAIN_PREFIX +
cth.id)[:constants.MAX_IPTABLES_CHAIN_LEN_WRAP]
rule = ('-p %s --dport %s -j CT --helper %s' %
(cth.protocol, cth.port, cth.helper))
rule_obj = iptable_mng.IptablesRule(chain_name, rule, True, False,
iptables_manager.wrap_name, tag,
None)
def check_chain_rules_set():
existing_ipv4_chains = iptables_manager.ipv4['raw'].chains
existing_ipv6_chains = iptables_manager.ipv6['raw'].chains
if (chain_name not in existing_ipv4_chains
or chain_name not in existing_ipv6_chains):
return False
existing_ipv4_rules = iptables_manager.ipv4['raw'].rules
existing_ipv6_rules = iptables_manager.ipv6['raw'].rules
return (rule_obj in existing_ipv4_rules
and rule_obj in existing_ipv6_rules)
common_utils.wait_until_true(check_chain_rules_set)
def _assert_iptables_rules_exist(self, router_iptables_manager, table_name,
expected_rules):
rules = router_iptables_manager.get_rules_for_table(table_name)
for rule in expected_rules:
self.assertIn(str(iptables_manager.IptablesRule(rule[0], rule[1])),
rules)
def is_prevent_snat_rule_exist(router_iptables_manager):
rules = router_iptables_manager.get_rules_for_table('nat')
return all(
str(iptables_manager.IptablesRule(nat_rule[0], nat_rule[1])) in
rules for nat_rule in prevent_snat_rule)
