def test_icmp_ttl_packet_with_rate_limit(self): ignore_action = app_testing_objects.IgnoreAction() port_policy = self._create_rate_limit_port_policies( cfg.CONF.df_l3_app.router_ttl_invalid_max_rate, app_testing_objects.RyuICMPTimeExceedFilter) initial_packet = self._create_packet( self.port2.port.get_logical_port().ip, ryu.lib.packet.ipv4.inet.IPPROTO_ICMP, ttl=1) send_action = app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, initial_packet) policy = self.store( app_testing_objects.Policy(initial_actions=[ send_action, send_action, send_action, send_action ], port_policies=port_policy, unknown_port_action=ignore_action)) policy.start(self.topology) # Since the rate limit, we expect timeout to wait for 4th packet hit # the policy. self.assertRaises(app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) if len(policy.exceptions) > 0: raise policy.exceptions[0]
def setUp(self): super(TestL3App, self).setUp() self.topology = None self.policy = None self._ping = None try: self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet1 = self.topology.create_subnet(cidr='192.168.12.0/24') self.subnet2 = self.topology.create_subnet(cidr='192.168.13.0/24') self.port1 = self.subnet1.create_port() self.port2 = self.subnet2.create_port() self.router = self.topology.create_router([ self.subnet1.subnet_id, self.subnet2.subnet_id, ]) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, self._create_ping_packet), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) except Exception: if self.topology: self.topology.close() raise
def _update_policy(self): packet1, self.icmp_request1 = \ self._create_ping_packet(self.port1, self.port3) packet2, self.icmp_request2 = \ self._create_ping_packet(self.port2, self.port3) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, packet1.data, ), app_testing_objects.SendAction( self.subnet.subnet_id, self.port2.port_id, packet2.data, ) ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction() ) )
def setUp(self): super(TestDHCPApp, self).setUp() self.topology = None self.policy = None try: self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet1 = self.topology.create_subnet(cidr='192.168.11.0/24') self.port1 = self.subnet1.create_port() self.port2 = self.subnet1.create_port() time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Create policy dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, str(dhcp_packet)) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[send_dhcp_offer], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) except Exception: if self.topology: self.topology.close() raise
def setUp(self): super(TestPortSecApp, self).setUp() self.topology = None self.policy = None self._ping = None self.icmp_id_cursor = int(time.mktime(time.gmtime())) & 0xffff try: self._init_topology() time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_ip), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_vm_ip_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_allowed_address_pair), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) except Exception: if self.topology: self.topology.close() raise
def test_ttl_packet_rate_limit(self): initial_packet = self._create_packet( self.topology.external_network.get_gw_ip(), ryu.lib.packet.ipv4.inet.IPPROTO_ICMP, ttl=1) send_action = app_testing_objects.SendAction( self.subnet.subnet_id, self.port.port_id, initial_packet) ignore_action = app_testing_objects.IgnoreAction() policy = app_testing_objects.Policy( initial_actions=[ send_action, send_action, send_action, send_action, ], port_policies=self._create_rate_limit_port_policies( cfg.CONF.df_dnat_app.dnat_ttl_invalid_max_rate, app_testing_objects.RyuICMPTimeExceedFilter), unknown_port_action=ignore_action ) self.addCleanup(policy.close) policy.start(self.topology) # Since the rate limit, we expect timeout to wait for 4th packet hit # the policy. self.assertRaises( app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) if len(policy.exceptions) > 0: raise policy.exceptions[0]
def setUp(self): super(TestArpResponder, self).setUp() self.topology = None self.policy = None try: self.topology = app_testing_objects.Topology( self.neutron, self.nb_api) subnet1 = self.topology.create_subnet(cidr='192.168.10.0/24') port1 = subnet1.create_port() port2 = subnet1.create_port() time.sleep(test_utils.DEFAULT_CMD_TIMEOUT) # Create policy arp_packet = self._create_arp_request( src_port=port1.port.get_logical_port(), dst_port=port2.port.get_logical_port(), ) send_arp_request = app_testing_objects.SendAction( subnet1.subnet_id, port1.port_id, str(arp_packet), ) ignore_action = app_testing_objects.IgnoreAction() log_action = app_testing_objects.LogAction() key1 = (subnet1.subnet_id, port1.port_id) port_policies = { key1: app_testing_objects.PortPolicy( rules=[ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.RyuARPReplyFilter(), actions=[ log_action, app_testing_objects.StopSimulationAction() ] ), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ ignore_action ] ), ], default_action=app_testing_objects.RaiseAction( "Unexpected packet" ) ), } self.policy = app_testing_objects.Policy( initial_actions=[send_arp_request], port_policies=port_policies, unknown_port_action=ignore_action ) except Exception: if self.topology: self.topology.close() raise self.store(self.topology) self.store(self.policy)
def test_dhcp_app_dos_block(self): def internal_predicate(): ovs = test_utils.OvsFlowsParser() return (self._check_dhcp_block_rule( ovs.dump(self.integration_bridge))) self._create_topology() dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, dhcp_packet, ) port_policies = self._create_port_policies(disable_rule=False) policy = app_testing_objects.Policy( initial_actions=[ send_dhcp_offer, send_dhcp_offer, send_dhcp_offer, send_dhcp_offer ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) policy.start(self.topology) test_utils.wait_until_true(internal_predicate, const.DEFAULT_RESOURCE_READY_TIMEOUT, 1, None)
def test_nat_embedded_rate_limit(self): self.port.port.update({"security_groups": []}) initial_packet = self._create_packet( self.topology.external_network.get_gw_ip(), ryu.lib.packet.ipv4.inet.IPPROTO_UDP) send_action = app_testing_objects.SendAction( self.subnet.subnet_id, self.port.port_id, initial_packet) ignore_action = app_testing_objects.IgnoreAction() policy = self.store( app_testing_objects.Policy( initial_actions=[ send_action, send_action, send_action, send_action, ], port_policies=self._create_rate_limit_port_policies( cfg.CONF.df_dnat_app.dnat_icmp_error_max_rate, app_testing_objects.RyuICMPUnreachFilter), unknown_port_action=ignore_action ) ) policy.start(self.topology) # Since the rate limit, we expect timeout to wait for 4th packet hit # the policy. self.assertRaises( app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) if len(policy.exceptions) > 0: raise policy.exceptions[0]
def test_nat_embedded_packet(self): ignore_action = app_testing_objects.IgnoreAction() self.port.port.update({"security_groups": []}) initial_packet = self._create_packet( self.topology.external_network.get_gw_ip(), ryu.lib.packet.ipv4.inet.IPPROTO_UDP) policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port.port_id, initial_packet, ), ], port_policies=self._create_icmp_test_port_policies( app_testing_objects.RyuICMPUnreachFilter), unknown_port_action=ignore_action ) ) policy.start(self.topology) policy.wait(const.DEFAULT_RESOURCE_READY_TIMEOUT) if len(policy.exceptions) > 0: raise policy.exceptions[0]
def setUp(self): super(TestNeighborAdvertiser, self).setUp() self.topology = None self.policy = None # Disable Duplicate Address Detection requests from the interface self.dad_conf = utils.execute( ['sysctl', '-n', 'net.ipv6.conf.default.accept_dad']) utils.execute(['sysctl', '-w', 'net.ipv6.conf.default.accept_dad=0'], run_as_root=True) # Disable Router Solicitation requests from the interface self.router_solicit_conf = utils.execute( ['sysctl', '-n', 'net.ipv6.conf.default.router_solicitations']) utils.execute( ['sysctl', '-w', 'net.ipv6.conf.default.router_solicitations=0'], run_as_root=True) self.topology = app_testing_objects.Topology(self.neutron, self.nb_api) self.addCleanup(self.topology.close) subnet1 = self.topology.create_subnet(cidr='1111:1111:1111::/64') port1 = subnet1.create_port() port2 = subnet1.create_port() time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Create Neighbor Solicitation packet ns_packet = self._create_ns_request( src_port=port1.port.get_logical_port(), dst_port=port2.port.get_logical_port(), ) send_ns_request = app_testing_objects.SendAction( subnet1.subnet_id, port1.port_id, ns_packet, ) ignore_action = app_testing_objects.IgnoreAction() log_action = app_testing_objects.LogAction() key1 = (subnet1.subnet_id, port1.port_id) adv_filter = app_testing_objects.RyuNeighborAdvertisementFilter() port_policies = { key1: app_testing_objects.PortPolicy( rules=[ app_testing_objects.PortPolicyRule( # Detect advertisements adv_filter, actions=[ log_action, app_testing_objects.StopSimulationAction() ]), app_testing_objects.PortPolicyRule( # Filter local VM's Multicast requests app_testing_objects.RyuIpv6MulticastFilter(), actions=[ignore_action]) ], default_action=app_testing_objects.RaiseAction( "Unexpected packet")), } self.policy = app_testing_objects.Policy( initial_actions=[send_ns_request], port_policies=port_policies, unknown_port_action=ignore_action) self.addCleanup(self.policy.close)
def _create_policy(self): port_policies = self._create_port_policies() initial_packet = self._create_packet( '10.0.1.2', os_ken.lib.packet.ipv4.inet.IPPROTO_ICMP) policy = app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, initial_packet), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) return policy
def test_udp_virtual_router_interface_with_rate_limit(self): if 'zmq_pubsub_driver' == cfg.CONF.df.pub_sub_driver: # NOTE(nick-ma-z): This test case directly calls nb_api which # relies on a publisher running on local process. In ZMQ driver, # a socket needs to be binded which causes conflicts with other # df-services. But in Redis driver, the publisher is virtual and # does not actually run which makes this test case work. self.skipTest("ZMQ_PUBSUB does not support this test case") # Delete the concrete router interface. router_port_id = self.router.router_interfaces[ self.subnet1.subnet_id]['port_id'] topic = self.router.router_interfaces[ self.subnet1.subnet_id]['tenant_id'] self.nb_api.delete(l2.LogicalPort(id=router_port_id, topic=topic)) lrouter = self.nb_api.get( l3.LogicalRouter(id=self.router.router.router_id, topic=topic)) lrouter.version += 1 original_lrouter = copy.deepcopy(lrouter) lrouter.remove_router_port(router_port_id) self.nb_api.update(lrouter) # Update router with virtual router interface. original_lrouter.version += 1 self.nb_api.update(original_lrouter) time.sleep(const.DEFAULT_CMD_TIMEOUT) self.port1.port.update({"security_groups": []}) ignore_action = app_testing_objects.IgnoreAction() port_policy = self._create_rate_limit_port_policies( cfg.CONF.df_l3_app.router_port_unreach_max_rate, app_testing_objects.RyuICMPUnreachFilter) initial_packet = self._create_packet( "192.168.12.1", ryu.lib.packet.ipv4.inet.IPPROTO_UDP) send_action = app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, initial_packet) policy = self.store( app_testing_objects.Policy(initial_actions=[ send_action, send_action, send_action, send_action ], port_policies=port_policy, unknown_port_action=ignore_action)) policy.start(self.topology) # Since the rate limit, we expect timeout to wait for 4th packet hit # the policy. self.assertRaises(app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) if len(policy.exceptions) > 0: raise policy.exceptions[0]
def _create_allowed_address_pairs_policy(self): packet1, self.allowed_address_pairs_icmp_request = \ self._create_ping_packet(self.port4, self.port3) port_policies = self._create_allowed_address_pairs_port_policies() self.allowed_address_pairs_policy = app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction(self.subnet.subnet_id, self.port4.port_id, packet1.data) ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(self.allowed_address_pairs_policy.close)
def _test_enable_dhcp(self): # Create policy dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, dhcp_packet, ) port_policies = self._create_port_policies() policy = app_testing_objects.Policy( initial_actions=[send_dhcp_offer], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def _test_disable_dhcp(self): dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, dhcp_packet, ) key = (self.subnet1.subnet_id, self.port1.port_id) rules = [ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.OsKenDHCPFilter(), actions=[ app_testing_objects.RaiseAction( "Received DHCP packet" ) ] ), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.OsKenIPv6Filter(), actions=[ app_testing_objects.IgnoreAction() ] ), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") port_policy = app_testing_objects.PortPolicy( rules=rules, default_action=raise_action ) policy = app_testing_objects.Policy( initial_actions=[send_dhcp_offer], port_policies={key: port_policy}, unknown_port_action=app_testing_objects.IgnoreAction() ) self.addCleanup(policy.close) policy.start(self.topology) # Since there is no dhcp response, we are expecting timeout # exception here. self.assertRaises( app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) policy.stop() if len(policy.exceptions) > 0: raise policy.exceptions[0]
def _test_icmp_address(self, dst_ip): port_policies = self._create_port_policies() initial_packet = self._create_packet( dst_ip, ryu.lib.packet.ipv4.inet.IPPROTO_ICMP) policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def setUp(self): super(TestAllowedAddressPairsDetectActive, self).setUp() if not self.check_app_loaded("active_port_detection"): self.skipTest("ActivePortDetectionApp is not enabled") self.topology = None self.policy = None self.allowed_address_pair_ip_address = None self.allowed_address_pair_mac_address = None try: self.topology = self.store(app_testing_objects.Topology( self.neutron, self.nb_api)) subnet = self.topology.create_subnet(cidr='192.168.98.0/24') self.subnet = subnet port = subnet.create_port() self.port = port time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port.update({'allowed_address_pairs': [{ 'ip_address': '192.168.98.100'}]}) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port_lport = port.port.get_logical_port() self.assertIsNotNone(port_lport) self.allowed_address_pair_mac_address, \ self.allowed_address_pair_ip_address = \ apps.get_port_mac_and_ip(port, True) # Create policy to reply arp request sent from controller self.policy = self.store( app_testing_objects.Policy( initial_actions=[], port_policies=self._create_policy_to_reply_arp_request(), unknown_port_action=app_testing_objects.IgnoreAction() ) ) except Exception: if self.topology: self.topology.close() raise
def test_sfc(self): initial_packet = self._get_bytes( self._gen_ethernet() / self._gen_ipv4(proto=inet.IPPROTO_UDP) / self._gen_udp(src_port=SRC_PORT, dst_port=DST_PORT) / ('0' * 64)) final_packet = self._get_bytes( self._gen_ethernet() / self._gen_ipv4(proto=inet.IPPROTO_UDP) / self._gen_udp(src_port=SRC_PORT, dst_port=DST_PORT) / ('{len}'.format(len=len(self.layout)) * 64)) fc = self.store( objects.FlowClassifierTestObj(self.neutron, self.nb_api), ) fc.create({'logical_source_port': self.src_port.port.port_id}, ) pc = self._create_pc(fc, self.layout) time.sleep(_QUICK_RESOURCE_READY_TIMEOUT) dst_key = (self.subnet.subnet_id, self.dst_port.port_id) port_policies = { dst_key: app_testing_objects.PortPolicy( rules=[ app_testing_objects.PortPolicyRule( app_testing_objects.ExactMatchFilter(final_packet), actions=[app_testing_objects.StopSimulationAction()], ), ], default_action=app_testing_objects.IgnoreAction(), ), } port_policies.update(self._create_port_policies(pc)) policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.src_port.port_id, initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.LogAction()), ) policy.start(self.topology) policy.wait(10) if policy.exceptions: raise policy.exceptions[0]
def test_icmp_ttl_packet(self): ignore_action = app_testing_objects.IgnoreAction() initial_packet = self._create_packet( self.topology.external_network.get_gw_ip(), os_ken.lib.packet.ipv4.inet.IPPROTO_ICMP, ttl=1) policy = app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port.port_id, initial_packet, ), ], port_policies=self._create_icmp_test_port_policies( app_testing_objects.OsKenICMPTimeExceedFilter), unknown_port_action=ignore_action) self.addCleanup(policy.close) apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def test_dhcp_app_dos_block(self): def internal_predicate(): ovs = test_utils.OvsFlowsParser() return (self._check_dhcp_block_rule(ovs.dump())) dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, str(dhcp_packet)) port_policies = self._create_port_policies(disable_rule=False) policy = self.store( app_testing_objects.Policy( initial_actions=[ send_dhcp_offer, send_dhcp_offer, send_dhcp_offer, send_dhcp_offer ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) policy.start(self.topology) wait_until_true(internal_predicate, 30, 1, None)
def test_udp_concrete_router_interface(self): # By default, fullstack will start l3 agent. So there will be concrete # router interface. self.port1.port.update({"security_groups": []}) ignore_action = app_testing_objects.IgnoreAction() port_policy = self._create_icmp_test_port_policies( app_testing_objects.RyuICMPUnreachFilter) initial_packet = self._create_packet( "192.168.12.1", ryu.lib.packet.ipv4.inet.IPPROTO_UDP) policy = self.store( app_testing_objects.Policy(initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, initial_packet, ), ], port_policies=port_policy, unknown_port_action=ignore_action)) apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def test_router_extra_route(self): nexthop_port = self.subnet1.create_port() nexthop_ip = nexthop_port.port.get_logical_port().ip self.router.router.update({ "routes": [{ "nexthop": nexthop_ip, "destination": "30.0.0.0/24" }] }) time.sleep(const.DEFAULT_CMD_TIMEOUT) ignore_action = app_testing_objects.IgnoreAction() port_policy = self._create_extra_route_policies(nexthop_port) initial_packet = self._create_packet( "30.0.0.12", ryu.lib.packet.ipv4.inet.IPPROTO_ICMP) send_action = app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, initial_packet) policy = self.store( app_testing_objects.Policy(initial_actions=[send_action], port_policies=port_policy, unknown_port_action=ignore_action)) apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def test_fc(self): fc = self.store( objects.FlowClassifierTestObj(self.neutron, self.nb_api), ) fc.create(self._fc_params) pc = self._create_pc(fc, [1]) time.sleep(_QUICK_RESOURCE_READY_TIMEOUT) dst_key = (self.subnet.subnet_id, self.dst_port.port_id) port_policies = { dst_key: app_testing_objects.PortPolicy( rules=[ app_testing_objects.PortPolicyRule( app_testing_objects.ExactMatchFilter( self._final_packet, ), actions=[app_testing_objects.StopSimulationAction()], ), ], default_action=app_testing_objects.IgnoreAction(), ), } port_policies.update(self._create_port_policies(pc)) policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.src_port.port_id, self._initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.LogAction()), ) policy.start(self.topology) policy.wait(10) if policy.exceptions: raise policy.exceptions[0]
def test_reconnect_of_controller(self): cmd = ["ovs-vsctl", "get-controller", cfg.CONF.df.integration_bridge] controller = utils.execute(cmd, run_as_root=True).strip() cmd[1] = "del-controller" utils.execute(cmd, run_as_root=True) dst_ip = self.port2.port.get_logical_port().ip port_policies = self._create_port_policies(connected=False) initial_packet = self._create_packet( dst_ip, ryu.lib.packet.ipv4.inet.IPPROTO_ICMP) policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) policy.start(self.topology) # Since there is no OpenFlow in vswitch, we are expecting timeout # exception here. self.assertRaises(app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) policy.stop() if len(policy.exceptions) > 0: raise policy.exceptions[0] cmd[1] = "set-controller" cmd.append(controller) utils.execute(cmd, run_as_root=True) time.sleep(apps.CONTROLLER_RECONNECT_TIMEOUT) self._test_icmp_address(dst_ip)
def test_icmp_ping_pong(self): # Setup base components - two ports on 1 network self.topology = app_testing_objects.Topology(self.neutron, self.nb_api) self.addCleanup(self.topology.close) self.subnet1 = self.topology.create_subnet(cidr='192.168.12.0/24') self.port1 = self.subnet1.create_port() self.port2 = self.subnet1.create_port() time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Setup VLAN ports self.network = objects.NetworkTestObj(self.neutron, self.nb_api) self.addCleanup(self.network.close) self.network.create() self.subnet = objects.SubnetTestObj(self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.subnet.close) self.subnet.create() self.vlan_port1 = objects.PortTestObj( self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.vlan_port1.close) self.vlan_port1.create() self.vlan_port2 = objects.PortTestObj( self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.vlan_port2.close) self.vlan_port2.create() self.cps1 = objects.ChildPortSegmentationTestObj( self.neutron, self.nb_api) self.addCleanup(self.cps1.close) self.cps1.create(self.port1.port.port_id, self.vlan_port1.port_id, 'vlan', 7) self.addCleanup(self.port1.unbind) self.cps2 = objects.ChildPortSegmentationTestObj( self.neutron, self.nb_api) self.addCleanup(self.cps2.close) self.cps2.create(self.port2.port.port_id, self.vlan_port2.port_id, 'vlan', 8) self.addCleanup(self.port2.unbind) # Setup policy ignore_action = app_testing_objects.IgnoreAction() key1 = (self.subnet1.subnet_id, self.port1.port_id) rules1 = [ app_testing_objects.PortPolicyRule( # Detect pong, end simulation app_testing_objects.AndingFilter( app_testing_objects.OsKenVLANTagFilter(7), app_testing_objects.OsKenICMPPongFilter(self._get_ping)), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction() ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.OsKenARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.OsKenIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet1.subnet_id, self.port2.port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect ping, reply with pong app_testing_objects.AndingFilter( app_testing_objects.OsKenVLANTagFilter(8), app_testing_objects.OsKenICMPPingFilter()), actions=[ app_testing_objects.SendAction(self.subnet1.subnet_id, self.port2.port_id, self._create_pong_packet), app_testing_objects.DisableRuleAction() ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.OsKenARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.OsKenIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) port_policies = {key1: policy1, key2: policy2} initial_packet = self._create_ping_packet() policy = app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Verify port is up neutron_vlan_port1 = objects.get_port_by_id(self.neutron, self.vlan_port1.port_id) self.assertEqual(n_const.PORT_STATUS_ACTIVE, neutron_vlan_port1['status']) neutron_vlan_port2 = objects.get_port_by_id(self.neutron, self.vlan_port2.port_id) self.assertEqual(n_const.PORT_STATUS_ACTIVE, neutron_vlan_port2['status']) # Verify connectivity apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)
def setUp(self): super(TestPortSecApp, self).setUp() self.topology = None self.policy = None self._ping = None self.icmp_id_cursor = int(time.mktime(time.gmtime())) & 0xffff try: security_group = self.store( objects.SecGroupTestObj(self.neutron, self.nb_api)) security_group_id = security_group.create() self.assertTrue(security_group.exists()) egress_rule_info = { 'ethertype': 'IPv4', 'direction': 'egress', 'protocol': 'icmp' } egress_rule_id = security_group.rule_create( secrule=egress_rule_info) self.assertTrue(security_group.rule_exists(egress_rule_id)) ingress_rule_info = { 'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'icmp', 'remote_ip_prefix': "192.168.196.0/24" } ingress_rule_id = security_group.rule_create( secrule=ingress_rule_info) self.assertTrue(security_group.rule_exists(ingress_rule_id)) self.topology = self.store( app_testing_objects.Topology(self.neutron, self.nb_api)) self.subnet = self.topology.create_subnet(cidr='192.168.196.0/24') self.port1 = self.subnet.create_port() self.port1.update({ "allowed_address_pairs": [{ "ip_address": "192.168.196.100", "mac_address": "10:20:99:99:99:99" }] }) self.port2 = self.subnet.create_port([security_group_id]) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) port_policies = self._create_port_policies() self.policy = self.store( app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_ip), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_fake_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_vm_ip_mac), app_testing_objects.SendAction( self.subnet.subnet_id, self.port1.port_id, self._create_ping_using_allowed_address_pair), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction())) except Exception: if self.topology: self.topology.close() raise