def setUp(self):
super(TestSGApp, self).setUp()
self.topology = None
self.policy = None
self.security_group = objects.SecGroupTestObj(self.neutron,
self.nb_api)
self.addCleanup(self.security_group.close)
security_group_id = self.security_group.create()
self.assertTrue(self.security_group.exists())
self.security_group2 = objects.SecGroupTestObj(self.neutron,
self.nb_api)
self.addCleanup(self.security_group2.close)
security_group_id2 = self.security_group2.create()
self.assertTrue(self.security_group2.exists())
self.security_group3 = objects.SecGroupTestObj(self.neutron,
self.nb_api)
self.addCleanup(self.security_group3.close)
security_group_id3 = self.security_group3.create()
self.assertTrue(self.security_group3.exists())
self.topology = app_testing_objects.Topology(self.neutron, self.nb_api)
self.addCleanup(self.topology.close)
self.active_security_group_id = security_group_id
self.inactive_security_group_id = security_group_id2
self.allowed_address_pairs_security_group_id = security_group_id3
self.permit_icmp_request = self._get_icmp_request1
self.no_permit_icmp_request = self._get_icmp_request2
def _init_topology(self):
network = netaddr.IPNetwork(self.cidr)
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
egress_rule_info = {
'ethertype': self.ethertype,
'direction': 'egress',
'protocol': self.icmp_proto
}
egress_rule_id = security_group.rule_create(secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
ingress_rule_info = {
'ethertype': self.ethertype,
'direction': 'ingress',
'protocol': self.icmp_proto,
'remote_ip_prefix': self.cidr
}
ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
self.topology = self.store(
app_testing_objects.Topology(self.neutron, self.nb_api))
self.subnet = self.topology.create_subnet(cidr=self.cidr)
self.port1 = self.subnet.create_port()
self.port1.update({
"allowed_address_pairs": [{
"ip_address": network[100],
"mac_address": "10:20:99:99:99:99"
}]
})
self.port2 = self.subnet.create_port([security_group_id])
def test_create_delete_security_group(self):
secgroup = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
secgroup.create()
self.assertTrue(secgroup.exists())
secgroup.close()
self.assertFalse(secgroup.exists())
def test_create_delete_security_group_rule(self):
secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api)
self.addCleanup(secgroup.close)
secgroup.create()
self.assertTrue(secgroup.exists())
secrule_id = secgroup.rule_create()
self.assertTrue(secgroup.rule_exists(secrule_id))
secgroup.rule_delete(secrule_id)
self.assertFalse(secgroup.rule_exists(secrule_id))
secgroup.close()
self.assertFalse(secgroup.exists())
def _create_fake_default_security_group(self):
security_group = objects.SecGroupTestObj(self.neutron, self.nb_api)
security_group_id = security_group.create(
secgroup={'name': 'fakedefault'})
ingress_rule_info = {'ethertype': 'IPv4',
'direction': 'ingress',
'remote_group_id': security_group_id}
security_group.rule_create(secrule=ingress_rule_info)
return security_group
def test_create_delete_security_group(self):
secgroup = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
sg_id = secgroup.create()
self.assertTrue(secgroup.exists())
version1 = self.nb_api.get_security_group(sg_id).get_version()
secgroup.update()
self.assertTrue(secgroup.exists())
version2 = self.nb_api.get_security_group(sg_id).get_version()
self.assertNotEqual(version1, version2)
secgroup.close()
self.assertFalse(secgroup.exists())
def test_create_delete_security_group(self):
secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api)
self.addCleanup(secgroup.close)
sg_id = secgroup.create()
self.assertTrue(secgroup.exists())
secgroup_obj = secgroups.SecurityGroup(id=sg_id)
version1 = self.nb_api.get(secgroup_obj).version
secgroup.update()
self.assertTrue(secgroup.exists())
secgroup_obj = secgroups.SecurityGroup(id=sg_id)
version2 = self.nb_api.get(secgroup_obj).version
self.assertNotEqual(version1, version2)
secgroup.close()
self.assertFalse(secgroup.exists())
def test_sg_version(self):
secgroup = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
sg_id = secgroup.create()
self.assertTrue(secgroup.exists())
version = self.nb_api.get_security_group(sg_id).get_version()
secrule_id = secgroup.rule_create()
self.assertTrue(secgroup.rule_exists(secrule_id))
new_version = self.nb_api.get_security_group(sg_id).get_version()
self.assertGreater(new_version, version)
secgroup.rule_delete(secrule_id)
self.assertFalse(secgroup.rule_exists(secrule_id))
version = new_version
new_version = self.nb_api.get_security_group(sg_id).get_version()
self.assertGreater(new_version, version)
secgroup.close()
self.assertFalse(secgroup.exists())
def test_sg_version(self):
secgroup = objects.SecGroupTestObj(self.neutron, self.nb_api)
self.addCleanup(secgroup.close)
sg_id = secgroup.create()
self.assertTrue(secgroup.exists())
sg_obj = secgroups.SecurityGroup(id=sg_id)
version = self.nb_api.get(sg_obj).version
secrule_id = secgroup.rule_create()
self.assertTrue(secgroup.rule_exists(secrule_id))
sg_obj = secgroups.SecurityGroup(id=sg_id)
new_version = self.nb_api.get(sg_obj).version
self.assertGreater(new_version, version)
secgroup.rule_delete(secrule_id)
self.assertFalse(secgroup.rule_exists(secrule_id))
version = new_version
sg_obj = secgroups.SecurityGroup(id=sg_id)
new_version = self.nb_api.get(sg_obj).version
self.assertGreater(new_version, version)
secgroup.close()
self.assertFalse(secgroup.exists())
def _test_associating_flows(self, subnet_info):
network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api))
network_id = network.create()
self.assertTrue(network.exists())
subnet_info['network_id'] = network_id
subnet = self.store(
objects.SubnetTestObj(self.neutron,
self.nb_api,
network_id=network_id))
subnet.create(subnet_info)
self.assertTrue(subnet.exists())
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
vm = self.store(objects.VMTestObj(self, self.neutron))
vm.create(network=network, security_groups=[security_group_id])
addresses = vm.server.addresses['mynetwork']
self.assertIsNotNone(addresses)
ip = addresses[0]['addr']
self.assertIsNotNone(ip)
mac = addresses[0]['OS-EXT-IPS-MAC:mac_addr']
self.assertIsNotNone(mac)
port = utils.wait_until_is_and_return(
lambda: utils.get_vm_port(self.nb_api, ip, mac),
exception=Exception('No port assigned to VM'))
tunnel_key = port.unique_key
tunnel_key_hex = hex(tunnel_key)
of_port = self.vswitch_api.get_port_ofport_by_id(port.id)
self.assertIsNotNone(of_port)
ovs = utils.OvsFlowsParser()
flows_after_change = ovs.dump(self.integration_bridge)
# Check if the associating flows were installed.
ingress_associating_flow, egress_associating_flow = \
self._find_associating_flows(flows_after_change, tunnel_key_hex)
LOG.info(
"flows after associating a port and a security group"
" are: %s", ovs.get_ovs_flows(self.integration_bridge))
self.assertIsNotNone(ingress_associating_flow)
self.assertIsNotNone(egress_associating_flow)
vm.close()
time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT)
flows_after_update = ovs.dump(self.integration_bridge)
# Check if the associating flows were removed.
ingress_associating_flow, egress_associating_flow = \
self._find_associating_flows(flows_after_update, tunnel_key_hex)
self.assertIsNone(ingress_associating_flow)
self.assertIsNone(egress_associating_flow)
def setUp(self):
super(TestSGApp, self).setUp()
self.topology = None
self.policy = None
try:
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
security_group2 = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id2 = security_group2.create()
self.assertTrue(security_group2.exists())
self.topology = self.store(
app_testing_objects.Topology(self.neutron, self.nb_api))
self.subnet = self.topology.create_subnet(cidr='192.168.14.0/24')
self.port1 = self.subnet.create_port()
self.port2 = self.subnet.create_port()
self.port3 = self.subnet.create_port([security_group_id])
port1_lport = self.port1.port.get_logical_port()
self.assertIsNotNone(port1_lport)
port1_fixed_ip = port1_lport.get_ip()
port2_lport = self.port2.port.get_logical_port()
self.assertIsNotNone(port2_lport)
port2_fixed_ip = port2_lport.get_ip()
egress_rule_info = {
'ethertype': 'IPv4',
'direction': 'egress',
'protocol': 'icmp'
}
egress_rule_id = security_group.rule_create(
secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
egress_rule_id2 = security_group2.rule_create(
secrule=egress_rule_info)
self.assertTrue(security_group2.rule_exists(egress_rule_id2))
ingress_rule_info = {
'ethertype': 'IPv4',
'direction': 'ingress',
'protocol': 'icmp',
'remote_ip_prefix': port1_fixed_ip + "/32"
}
ingress_rule_id = security_group.rule_create(
secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
ingress_rule_info2 = {
'ethertype': 'IPv4',
'direction': 'ingress',
'protocol': 'icmp',
'remote_ip_prefix': port2_fixed_ip + "/32"
}
ingress_rule_id2 = security_group2.rule_create(
secrule=ingress_rule_info2)
self.assertTrue(security_group2.rule_exists(ingress_rule_id2))
self.active_security_group_id = security_group_id
self.inactive_security_group_id = security_group_id2
self.permit_port_id = self.port1.port_id
self.no_permit_port_id = self.port2.port_id
self.permit_icmp_request = self._get_icmp_request1
self.no_permit_icmp_request = self._get_icmp_request2
time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)
self._update_policy()
except Exception:
if self.topology:
self.topology.close()
raise
def setUp(self):
super(SfcTestsCommonBase, self).setUp()
self.security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = self.security_group.create()
self.assertTrue(self.security_group.exists())
for direction, ethertype, protocol in itertools.product(
('ingress', 'egress'),
(constants.IPv4, constants.IPv6),
(constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP),
):
rule = {
'direction': direction,
'ethertype': ethertype,
'protocol': protocol,
'port_range_min': 1,
'port_range_max': 65535,
}
rule_id = self.security_group.rule_create(secrule=rule)
self.assertTrue(self.security_group.rule_exists(rule_id))
self.topology = self.store(
app_testing_objects.Topology(
self.neutron,
self.nb_api,
), )
self.subnet = self.topology.create_subnet(
cidr=IPV4_CIDR,
enable_dhcp=True,
allocation_pool=IPV4_ALLOCATION_POOL,
)
self.subnet_ipv6 = self.topology.create_subnet(
cidr=IPV6_CIDR,
enable_dhcp=True,
allocation_pool=IPV6_ALLOCATION_POOL,
)
self.src_port = self.subnet.create_port([security_group_id])
self.dst_port = self.subnet.create_port([security_group_id])
self.src_port.update({
'name':
'src_port',
'admin_state_up':
True,
'fixed_ips': [
{
'ip_address': SRC_IPV4_1
},
{
'ip_address': SRC_IPV4_2
},
{
'ip_address': SRC_IPV6_1
},
{
'ip_address': SRC_IPV6_2
},
],
})
self.dst_port.update({
'name':
'dst_port',
'admin_state_up':
True,
'fixed_ips': [
{
'ip_address': DST_IPV4_1
},
{
'ip_address': DST_IPV4_2
},
{
'ip_address': DST_IPV6_1
},
{
'ip_address': DST_IPV6_2
},
],
})
self.src_lport = self.nb_api.get(
l2.LogicalPort(id=self.src_port.port.port_id), )
self.dst_lport = self.nb_api.get(
l2.LogicalPort(id=self.dst_port.port.port_id), )
def setUp(self):
super(TestPortSecApp, self).setUp()
self.topology = None
self.policy = None
self._ping = None
self.icmp_id_cursor = int(time.mktime(time.gmtime())) & 0xffff
try:
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
egress_rule_info = {
'ethertype': 'IPv4',
'direction': 'egress',
'protocol': 'icmp'
}
egress_rule_id = security_group.rule_create(
secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
ingress_rule_info = {
'ethertype': 'IPv4',
'direction': 'ingress',
'protocol': 'icmp',
'remote_ip_prefix': "192.168.196.0/24"
}
ingress_rule_id = security_group.rule_create(
secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
self.topology = self.store(
app_testing_objects.Topology(self.neutron, self.nb_api))
self.subnet = self.topology.create_subnet(cidr='192.168.196.0/24')
self.port1 = self.subnet.create_port()
self.port1.update({
"allowed_address_pairs": [{
"ip_address": "192.168.196.100",
"mac_address": "10:20:99:99:99:99"
}]
})
self.port2 = self.subnet.create_port([security_group_id])
time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT)
port_policies = self._create_port_policies()
self.policy = self.store(
app_testing_objects.Policy(
initial_actions=[
app_testing_objects.SendAction(
self.subnet.subnet_id, self.port1.port_id,
self._create_ping_using_fake_ip),
app_testing_objects.SendAction(
self.subnet.subnet_id, self.port1.port_id,
self._create_ping_using_fake_mac),
app_testing_objects.SendAction(
self.subnet.subnet_id, self.port1.port_id,
self._create_ping_using_vm_ip_mac),
app_testing_objects.SendAction(
self.subnet.subnet_id, self.port1.port_id,
self._create_ping_using_allowed_address_pair),
],
port_policies=port_policies,
unknown_port_action=app_testing_objects.IgnoreAction()))
except Exception:
if self.topology:
self.topology.close()
raise
def test_rule_flows(self):
network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api))
network_id = network.create(network={'name': 'test_network2'})
self.assertTrue(network.exists())
subnet_info = {
'network_id': network_id,
'cidr': '192.168.124.0/24',
'gateway_ip': '192.168.124.1',
'ip_version': 4,
'name': 'test_subnet4',
'enable_dhcp': True
}
subnet = self.store(
objects.SubnetTestObj(self.neutron,
self.nb_api,
network_id=network_id))
subnet.create(subnet_info)
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
ingress_rule_info = {
'ethertype': 'IPv4',
'direction': 'ingress',
'protocol': 'tcp',
'port_range_min': '80',
'port_range_max': '81',
'remote_ip_prefix': '192.168.124.0/24'
}
ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
egress_rule_info = {
'ethertype': 'IPv4',
'direction': 'egress',
'protocol': '17',
'port_range_min': '53',
'port_range_max': '53',
'remote_group_id': security_group_id
}
egress_rule_id = security_group.rule_create(secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
vm1 = self.store(objects.VMTestObj(self, self.neutron))
vm1.create(network=network,
security_groups=[security_group_id],
net_address='192.168.124.8')
vm2 = self.store(objects.VMTestObj(self, self.neutron))
vm2.create(network=network,
security_groups=[security_group_id],
net_address='192.168.124.9')
time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT)
ovs = utils.OvsFlowsParser()
flows = ovs.dump(self.integration_bridge)
LOG.info(_LI("flows after adding rules are: %s"),
ovs.get_ovs_flows(self.integration_bridge))
# Check if the rule flows were installed.
expected_ingress_rule_match = \
"tcp,nw_src=192.168.124.0/24,tp_dst=0x50/0xfffe"
expected_egress_rule_match = \
"udp,nw_dst=192.168.124.8/31,tp_dst=53"
self._check_rule_flows(flows, expected_ingress_rule_match,
expected_egress_rule_match, True)
vm1.close()
vm2.close()
def test_rule_flows(self):
network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api))
network_id = network.create(network={'name': 'test_network2'})
self.assertTrue(network.exists())
subnet_info = {
'network_id': network_id,
'cidr': '192.168.124.0/24',
'gateway_ip': '192.168.124.1',
'ip_version': 4,
'name': 'test_subnet4',
'enable_dhcp': True
}
subnet = self.store(
objects.SubnetTestObj(self.neutron,
self.nb_api,
network_id=network_id))
subnet.create(subnet_info)
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
ingress_rule_info = {
'ethertype': 'IPv4',
'direction': 'ingress',
'protocol': 'tcp',
'port_range_min': '8000',
'port_range_max': '8100',
'remote_ip_prefix': '192.168.124.0/24'
}
ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
egress_rule_info = {
'ethertype': 'IPv4',
'direction': 'egress',
'protocol': '17',
'port_range_min': '53',
'port_range_max': '53',
'remote_group_id': security_group_id
}
egress_rule_id = security_group.rule_create(secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
vm = self.store(objects.VMTestObj(self, self.neutron))
vm.create(network=network, security_groups=[security_group_id])
time.sleep(utils.DEFAULT_CMD_TIMEOUT)
ovs = utils.OvsFlowsParser()
flows_after_change = ovs.dump()
LOG.info(_LI("flows after adding rules are: %s"), ovs.get_ovs_flows())
# Check if the rule flows were installed.
self._check_rule_flows(flows_after_change, True)
vm.server.stop()
vm.close()
def test_associating_flows(self):
network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api))
network_id = network.create(network={'name': 'test_network1'})
self.assertTrue(network.exists())
subnet_info = {
'network_id': network_id,
'cidr': '192.168.123.0/24',
'gateway_ip': '192.168.123.1',
'ip_version': 4,
'name': 'test_subnet1',
'enable_dhcp': True
}
subnet = self.store(
objects.SubnetTestObj(self.neutron,
self.nb_api,
network_id=network_id))
subnet.create(subnet_info)
self.assertTrue(subnet.exists())
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
vm = self.store(objects.VMTestObj(self, self.neutron))
vm.create(network=network, security_groups=[security_group_id])
addresses = vm.server.addresses['test_network1']
self.assertIsNotNone(addresses)
ip = addresses[0]['addr']
self.assertIsNotNone(ip)
mac = addresses[0]['OS-EXT-IPS-MAC:mac_addr']
self.assertIsNotNone(mac)
port = utils.wait_until_is_and_return(
lambda: self._get_vm_port(ip, mac),
exception=Exception('No port assigned to VM'))
tunnel_key = port.get_tunnel_key()
tunnel_key_hex = hex(tunnel_key)
of_port = self._get_of_port(port.get_id())
self.assertIsNotNone(of_port)
ovs = utils.OvsFlowsParser()
flows_after_change = ovs.dump()
# Check if the associating flows were installed.
ingress_associating_flow, egress_associating_flow = \
self._find_associating_flows(flows_after_change, of_port,
tunnel_key_hex)
LOG.info(
_LI("flows after associating a port and a security group"
" are: %s"), ovs.get_ovs_flows())
self.assertIsNotNone(ingress_associating_flow)
self.assertIsNotNone(egress_associating_flow)
vm.server.stop()
vm.close()
time.sleep(utils.DEFAULT_CMD_TIMEOUT)
flows_after_update = ovs.dump()
# Check if the associating flows were removed.
ingress_associating_flow, egress_associating_flow = \
self._find_associating_flows(flows_after_update, of_port,
tunnel_key_hex)
self.assertIsNone(ingress_associating_flow)
self.assertIsNone(egress_associating_flow)
def _test_rule_flows(self, subnet_info):
network = self.store(objects.NetworkTestObj(self.neutron, self.nb_api))
network_id = network.create()
self.assertTrue(network.exists())
cidr = subnet_info['cidr']
network_obj = netaddr.IPNetwork(cidr)
ethertype = utils.ip_version_to_ethertype(subnet_info['ip_version'])
gateway_ip = network_obj[1]
subnet_info['gateway_ip'] = gateway_ip
subnet_info['network_id'] = network_id
subnet = self.store(
objects.SubnetTestObj(self.neutron,
self.nb_api,
network_id=network_id))
subnet.create(subnet_info)
security_group = self.store(
objects.SecGroupTestObj(self.neutron, self.nb_api))
security_group_id = security_group.create()
self.assertTrue(security_group.exists())
ingress_rule_info = {
'ethertype': ethertype,
'direction': 'ingress',
'protocol': 'tcp',
'port_range_min': '80',
'port_range_max': '81',
'remote_ip_prefix': cidr
}
ingress_rule_id = security_group.rule_create(secrule=ingress_rule_info)
self.assertTrue(security_group.rule_exists(ingress_rule_id))
egress_rule_info = {
'ethertype': ethertype,
'direction': 'egress',
'protocol': 'udp',
'port_range_min': '53',
'port_range_max': '53',
'remote_group_id': security_group_id
}
egress_rule_id = security_group.rule_create(secrule=egress_rule_info)
self.assertTrue(security_group.rule_exists(egress_rule_id))
# Get addresses for VMs
vm1_ip = network_obj[4]
vm2_ip = network_obj[5]
vm1 = self.store(objects.VMTestObj(self, self.neutron))
vm1.create(network=network,
security_groups=[security_group_id],
net_address=vm1_ip)
vm2 = self.store(objects.VMTestObj(self, self.neutron))
vm2.create(network=network,
security_groups=[security_group_id],
net_address=vm2_ip)
time.sleep(test_const.DEFAULT_RESOURCE_READY_TIMEOUT)
ovs = utils.OvsFlowsParser()
flows = ovs.dump(self.integration_bridge)
LOG.info("flows after adding rules are: %s",
ovs.get_ovs_flows(self.integration_bridge))
# Check if the rule flows were installed.
if ethertype == n_const.IPv4:
expected_ingress_match = "tcp,nw_src={}".format(network_obj)
elif ethertype == n_const.IPv6:
expected_ingress_match = "tcp6,ipv6_src={}".format(network_obj)
expected_ingress_match += ",tp_dst=0x50/0xfffe"
# Calculate vm1, vm2 network
vms_ip_set = netaddr.IPSet([vm1_ip, vm2_ip])
vms_ip_set.compact()
if ethertype == n_const.IPv4:
expected_egress_match = "udp,nw_dst={}".format(vms_ip_set.pop())
elif ethertype == n_const.IPv6:
expected_egress_match = "udp6,ipv6_dst={}".format(vms_ip_set.pop())
expected_egress_match += ",tp_dst=53"
self._check_rule_flows(flows, expected_ingress_match,
expected_egress_match, True)
vm1.close()
vm2.close()
