def test_remove_metering_label(self): routers = [{'_metering_labels': [ {'id': 'c5df2fe5-c600-4a2a-b2f4-c0fb6df73c83', 'rules': [{ 'direction': 'ingress', 'excluded': False, 'id': '7f1a261f-2489-4ed1-870c-a62754501379', 'metering_label_id': 'c5df2fe5-c600-4a2a-b2f4-c0fb6df73c83', 'remote_ip_prefix': '10.0.0.0/24'}] }], 'admin_state_up': True, 'gw_port_id': '7d411f48-ecc7-45e0-9ece-3b5bdb54fcee', 'id': '473ec392-1711-44e3-b008-3251ccfc5099', 'name': 'router1', 'status': 'ACTIVE', 'tenant_id': '6c5f5d2a1fa2441e88e35422926f48e8'}] self.metering.add_metering_label(None, routers) self.metering.remove_metering_label(None, routers) calls = [call.add_chain('neutron-meter-l-c5df2fe5-c60', wrap=False), call.add_chain('neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-FORWARD', '-j ' 'neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-l-c5df2fe5-c60', '', wrap=False), call.add_rule('neutron-meter-r-c5df2fe5-c60', '-i qg-7d411f48-ec -d 10.0.0.0/24' ' -j neutron-meter-l-c5df2fe5-c60', wrap=False, top=False), call.remove_chain('neutron-meter-l-c5df2fe5-c60', wrap=False), call.remove_chain('neutron-meter-r-c5df2fe5-c60', wrap=False)] self.v4filter_inst.assert_has_calls(calls)
def test_filter_ipv4_ingress_udp(self): rule = {'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'udp'} ingress = call.add_rule('ifake_dev', '-p udp -m udp -j RETURN') egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv4_egress_icmp(self): rule = {'ethertype': 'IPv4', 'direction': 'egress', 'protocol': 'icmp'} egress = call.add_rule('ofake_dev', '-p icmp -j RETURN') ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv6_egress_udp(self): rule = {'ethertype': 'IPv6', 'direction': 'egress', 'protocol': 'udp'} egress = call.add_rule('ofake_dev', '-j RETURN -p udp') ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv6_ingress_icmp(self): rule = {'ethertype': 'IPv6', 'direction': 'ingress', 'protocol': 'icmp'} ingress = call.add_rule('ifake_dev', '-j RETURN -p icmpv6') egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv6_egress_prefix(self):
    """IPv6 egress rule restricted to a source prefix: expect '-j RETURN -s <prefix>' on the egress chain."""
    src_prefix = FAKE_PREFIX['IPv6']
    sg_rule = {
        'ethertype': 'IPv6',
        'direction': 'egress',
        'source_ip_prefix': src_prefix,
    }
    expected_egress = call.add_rule('ofake_dev', '-j RETURN -s %s' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=None,
                                   egress_expected_call=expected_egress)
def test_filter_ipv4_ingress_prefix(self):
    """IPv4 ingress rule restricted to a source prefix: expect '-s <prefix> -j RETURN' on the ingress chain."""
    src_prefix = FAKE_PREFIX['IPv4']
    sg_rule = {
        'ethertype': 'IPv4',
        'direction': 'ingress',
        'source_ip_prefix': src_prefix,
    }
    expected_ingress = call.add_rule('ifake_dev', '-s %s -j RETURN' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=expected_ingress,
                                   egress_expected_call=None)
def test_create_firewall_no_rules(self):
    """A firewall with no rules installs only the default-policy chain and state-tracking chains.

    The same call sequence is asserted on both the IPv4 and the IPv6
    filter table of the first router in the apply list.
    """
    apply_list = self._fake_apply_list()
    firewall = self._fake_firewall_no_rule()
    self.firewall.create_firewall(apply_list, firewall)
    invalid_rule = '-m state --state INVALID -j DROP'
    est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
    bname = fwaas.iptables_manager.binary_name
    default_jump = '-j %s-fwaas-defau' % bname
    for ip_version in (4, 6):
        ingress_chain = 'iv%s%s' % (ip_version, firewall['id'])
        egress_chain = 'ov%s%s' % (ip_version, firewall['id'])
        expected = [
            call.ensure_remove_chain('iv%sfake-fw-uuid' % ip_version),
            call.ensure_remove_chain('ov%sfake-fw-uuid' % ip_version),
            call.ensure_remove_chain('fwaas-default-policy'),
            call.add_chain('fwaas-default-policy'),
            call.add_rule('fwaas-default-policy', '-j DROP'),
        ]
        # Both direction chains carry the same two state-tracking rules.
        for chain in (ingress_chain, egress_chain):
            expected += [
                call.add_chain(chain),
                call.add_rule(chain, invalid_rule),
                call.add_rule(chain, est_rule),
            ]
        expected += [
            call.add_rule('FORWARD', '-o qr-+ %s' % default_jump),
            call.add_rule('FORWARD', '-i qr-+ %s' % default_jump),
        ]
        ipt_mgr = apply_list[0].iptables_manager
        table = ipt_mgr.ipv4 if ip_version == 4 else ipt_mgr.ipv6
        table['filter'].assert_has_calls(expected)
def test_filter_ipv6_ingress_udp_prefix(self):
    """IPv6 ingress UDP rule with a source prefix: expect '-j RETURN -p udp -s <prefix>' on the ingress chain."""
    src_prefix = FAKE_PREFIX['IPv6']
    sg_rule = {
        'ethertype': 'IPv6',
        'direction': 'ingress',
        'protocol': 'udp',
        'source_ip_prefix': src_prefix,
    }
    expected_ingress = call.add_rule('ifake_dev', '-j RETURN -p udp -s %s' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=expected_ingress,
                                   egress_expected_call=None)
def test_filter_ipv6_egress_tcp_port(self): rule = {'ethertype': 'IPv6', 'direction': 'egress', 'protocol': 'tcp', 'port_range_min': 10, 'port_range_max': 10} egress = call.add_rule('ofake_dev', '-j RETURN -p tcp --dport 10') ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv4_ingress_udp_port(self): rule = {'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'udp', 'port_range_min': 10, 'port_range_max': 10} ingress = call.add_rule('ifake_dev', '-j RETURN -p udp --dport 10') egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv4_egress_udp_prefix(self):
    """IPv4 egress UDP rule with a source prefix: expect '-s <prefix> -p udp -m udp -j RETURN' on the egress chain."""
    src_prefix = FAKE_PREFIX['IPv4']
    sg_rule = {
        'ethertype': 'IPv4',
        'direction': 'egress',
        'protocol': 'udp',
        'source_ip_prefix': src_prefix,
    }
    expected_egress = call.add_rule('ofake_dev', '-s %s -p udp -m udp -j RETURN' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=None,
                                   egress_expected_call=expected_egress)
def test_filter_ipv4_ingress_udp_port(self): rule = { "ethertype": "IPv4", "direction": "ingress", "protocol": "udp", "port_range_min": 10, "port_range_max": 10, } ingress = call.add_rule("ifake_dev", "-j RETURN -p udp --dport 10") egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv6_egress_udp_mport(self): rule = { "ethertype": "IPv6", "direction": "egress", "protocol": "udp", "port_range_min": 10, "port_range_max": 100, } egress = call.add_rule("ofake_dev", "-j RETURN -p udp -m multiport --dports 10:100") ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_create_firewall_with_admin_down(self):
    """An admin-down firewall must only install the DROP-all default policy, never its rules."""
    rule_list = self._fake_rules_v4(FAKE_FW_ID)
    apply_list = self._fake_apply_list()
    firewall = self._fake_firewall_with_admin_down(rule_list)
    self.firewall.create_firewall(apply_list, firewall)
    # Stale chains are removed first, then the default policy is (re)built.
    stale_chains = ('iv4fake-fw-uuid', 'ov4fake-fw-uuid', 'fwaas-default-policy')
    expected = [call.ensure_remove_chain(name) for name in stale_chains]
    expected += [
        call.add_chain('fwaas-default-policy'),
        call.add_rule('fwaas-default-policy', '-j DROP'),
    ]
    self.v4filter_inst.assert_has_calls(expected)
def test_filter_ipv6_egress_tcp_port(self): rule = { "ethertype": "IPv6", "direction": "egress", "protocol": "tcp", "port_range_min": 10, "port_range_max": 10, } egress = call.add_rule("ofake_dev", "-j RETURN -p tcp --dport 10") ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv6_egress_udp_mport(self): rule = {'ethertype': 'IPv6', 'direction': 'egress', 'protocol': 'udp', 'port_range_min': 10, 'port_range_max': 100} egress = call.add_rule( 'ofake_dev', '-j RETURN -p udp -m multiport --dports 10:100') ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_create_firewall_with_admin_down(self):
    """An admin-down firewall must only install the DROP-all default policy, never its rules.

    Checked on the IPv4 filter table of the first router in the apply list.
    """
    apply_list = self._fake_apply_list()
    rule_list = self._fake_rules_v4(FAKE_FW_ID, apply_list)
    firewall = self._fake_firewall_with_admin_down(rule_list)
    self.firewall.create_firewall(apply_list, firewall)
    # Stale chains are removed first, then the default policy is (re)built.
    stale_chains = ('iv4fake-fw-uuid', 'ov4fake-fw-uuid', 'fwaas-default-policy')
    expected = [call.ensure_remove_chain(name) for name in stale_chains]
    expected += [
        call.add_chain('fwaas-default-policy'),
        call.add_rule('fwaas-default-policy', '-j DROP'),
    ]
    v4filter = apply_list[0].iptables_manager.ipv4['filter']
    v4filter.assert_has_calls(expected)
def test_filter_ipv4_ingress_tcp_mport(self): rule = {'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'tcp', 'port_range_min': 10, 'port_range_max': 100} ingress = call.add_rule( 'ifake_dev', '-j RETURN -p tcp -m multiport --dports 10:100') egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv4_ingress_tcp_mport(self): rule = { "ethertype": "IPv4", "direction": "ingress", "protocol": "tcp", "port_range_min": 10, "port_range_max": 100, } ingress = call.add_rule("ifake_dev", "-j RETURN -p tcp -m multiport --dports 10:100") egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_add_metering_label(self): routers = [{'_metering_labels': [ {'id': 'c5df2fe5-c600-4a2a-b2f4-c0fb6df73c83', 'rules': []}], 'admin_state_up': True, 'gw_port_id': '7d411f48-ecc7-45e0-9ece-3b5bdb54fcee', 'id': '473ec392-1711-44e3-b008-3251ccfc5099', 'name': 'router1', 'status': 'ACTIVE', 'tenant_id': '6c5f5d2a1fa2441e88e35422926f48e8'}] self.metering.add_metering_label(None, routers) calls = [call.add_chain('neutron-meter-l-c5df2fe5-c60', wrap=False), call.add_chain('neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-FORWARD', '-j ' 'neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-l-c5df2fe5-c60', '', wrap=False)] self.v4filter_inst.assert_has_calls(calls)
def test_filter_ipv6_egress_udp_mport_prefix(self):
    """IPv6 egress UDP, port range plus source prefix: multiport rule ending in '-s <prefix>'."""
    src_prefix = FAKE_PREFIX["IPv6"]
    sg_rule = dict(
        ethertype="IPv6",
        direction="egress",
        protocol="udp",
        port_range_min=10,
        port_range_max=100,
        source_ip_prefix=src_prefix,
    )
    on_egress = call.add_rule(
        "ofake_dev",
        "-j RETURN -p udp -m multiport --dports 10:100 -s %s" % src_prefix)
    self._test_prepare_port_filter(sg_rule, None, on_egress)
def test_filter_ipv6_ingress_tcp_mport_prefix(self):
    """IPv6 ingress TCP, port range plus source prefix: '-s' leads, then '-p tcp -m tcp -m multiport'."""
    src_prefix = FAKE_PREFIX["IPv6"]
    sg_rule = dict(
        ethertype="IPv6",
        direction="ingress",
        protocol="tcp",
        port_range_min=10,
        port_range_max=100,
        source_ip_prefix=src_prefix,
    )
    on_ingress = call.add_rule(
        "ifake_dev",
        "-s %s -p tcp -m tcp -m multiport --dports 10:100 -j RETURN" % src_prefix)
    self._test_prepare_port_filter(sg_rule, on_ingress, None)
def test_filter_ipv6_egress_udp_mport_prefix(self):
    """IPv6 egress UDP, port range plus source prefix: '-s' leads, then '-p udp -m udp -m multiport'."""
    src_prefix = FAKE_PREFIX['IPv6']
    sg_rule = {
        'ethertype': 'IPv6',
        'direction': 'egress',
        'protocol': 'udp',
        'port_range_min': 10,
        'port_range_max': 100,
        'source_ip_prefix': src_prefix,
    }
    expected_egress = call.add_rule(
        'ofake_dev',
        '-s %s -p udp -m udp -m multiport --dports 10:100 -j RETURN' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=None,
                                   egress_expected_call=expected_egress)
def test_filter_ipv4_ingress_tcp_mport_prefix(self):
    """IPv4 ingress TCP, port range plus source prefix: '-s' leads, then '-p tcp -m tcp -m multiport'."""
    src_prefix = FAKE_PREFIX['IPv4']
    sg_rule = {
        'ethertype': 'IPv4',
        'direction': 'ingress',
        'protocol': 'tcp',
        'port_range_min': 10,
        'port_range_max': 100,
        'source_ip_prefix': src_prefix,
    }
    expected_ingress = call.add_rule(
        'ifake_dev',
        '-s %s -p tcp -m tcp -m multiport --dports 10:100 -j RETURN' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=expected_ingress,
                                   egress_expected_call=None)
def test_filter_ipv6_ingress_tcp_mport_prefix(self):
    """IPv6 ingress TCP, port range plus source prefix: '-s' leads, then '-p tcp -m tcp -m multiport'."""
    src_prefix = FAKE_PREFIX['IPv6']
    sg_rule = {
        'ethertype': 'IPv6',
        'direction': 'ingress',
        'protocol': 'tcp',
        'port_range_min': 10,
        'port_range_max': 100,
        'source_ip_prefix': src_prefix,
    }
    expected_ingress = call.add_rule(
        'ifake_dev',
        '-s %s -p tcp -m tcp -m multiport --dports 10:100 -j RETURN' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=expected_ingress,
                                   egress_expected_call=None)
def test_filter_ipv6_egress_udp_mport_prefix(self):
    """IPv6 egress UDP, port range plus source prefix: multiport rule ending in '-s <prefix>'."""
    src_prefix = FAKE_PREFIX['IPv6']
    sg_rule = {
        'ethertype': 'IPv6',
        'direction': 'egress',
        'protocol': 'udp',
        'port_range_min': 10,
        'port_range_max': 100,
        'source_ip_prefix': src_prefix,
    }
    expected_egress = call.add_rule(
        'ofake_dev',
        '-j RETURN -p udp -m multiport --dports 10:100 -s %s' % src_prefix)
    self._test_prepare_port_filter(sg_rule,
                                   ingress_expected_call=None,
                                   egress_expected_call=expected_egress)
def test_add_metering_label_with_rules(self): routers = [{'_metering_labels': [ {'id': 'c5df2fe5-c600-4a2a-b2f4-c0fb6df73c83', 'rules': [{ 'direction': 'ingress', 'excluded': False, 'id': '7f1a261f-2489-4ed1-870c-a62754501379', 'metering_label_id': 'c5df2fe5-c600-4a2a-b2f4-c0fb6df73c83', 'remote_ip_prefix': '10.0.0.0/24'}]}], 'admin_state_up': True, 'gw_port_id': '6d411f48-ecc7-45e0-9ece-3b5bdb54fcee', 'id': '473ec392-1711-44e3-b008-3251ccfc5099', 'name': 'router1', 'status': 'ACTIVE', 'tenant_id': '6c5f5d2a1fa2441e88e35422926f48e8'}, {'_metering_labels': [ {'id': 'eeef45da-c600-4a2a-b2f4-c0fb6df73c83', 'rules': [{ 'direction': 'ingress', 'excluded': True, 'id': 'fa2441e8-2489-4ed1-870c-a62754501379', 'metering_label_id': 'eeef45da-c600-4a2a-b2f4-c0fb6df73c83', 'remote_ip_prefix': '20.0.0.0/24'}]}], 'admin_state_up': True, 'gw_port_id': '7d411f48-ecc7-45e0-9ece-3b5bdb54fcee', 'id': '373ec392-1711-44e3-b008-3251ccfc5099', 'name': 'router2', 'status': 'ACTIVE', 'tenant_id': '6c5f5d2a1fa2441e88e35422926f48e8'}] self.metering.add_metering_label(None, routers) calls = [call.add_chain('neutron-meter-l-c5df2fe5-c60', wrap=False), call.add_chain('neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-FORWARD', '-j ' 'neutron-meter-r-c5df2fe5-c60', wrap=False), call.add_rule('neutron-meter-l-c5df2fe5-c60', '', wrap=False), call.add_rule('neutron-meter-r-c5df2fe5-c60', '-i qg-6d411f48-ec -d 10.0.0.0/24' ' -j neutron-meter-l-c5df2fe5-c60', wrap=False, top=False), call.add_chain('neutron-meter-l-eeef45da-c60', wrap=False), call.add_chain('neutron-meter-r-eeef45da-c60', wrap=False), call.add_rule('neutron-meter-FORWARD', '-j ' 'neutron-meter-r-eeef45da-c60', wrap=False), call.add_rule('neutron-meter-l-eeef45da-c60', '', wrap=False), call.add_rule('neutron-meter-r-eeef45da-c60', '-i qg-7d411f48-ec -d 20.0.0.0/24 -j ' 'neutron-meter-l-eeef45da-c60', wrap=False, top=False)] self.v4filter_inst.assert_has_calls(calls)
def test_create_firewall_no_rules(self):
    """A firewall with no rules installs only the default-policy chain and the IPv4 state-tracking chains."""
    apply_list = self._fake_apply_list()
    firewall = self._fake_firewall_no_rule()
    self.firewall.create_firewall(apply_list, firewall)
    invalid_rule = '-m state --state INVALID -j DROP'
    est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
    ingress_chain = 'iv4%s' % firewall['id']
    egress_chain = 'ov4%s' % firewall['id']
    bname = fwaas.iptables_manager.binary_name
    default_jump = '-j %s-fwaas-defau' % bname
    expected = [
        call.ensure_remove_chain('iv4fake-fw-uuid'),
        call.ensure_remove_chain('ov4fake-fw-uuid'),
        call.ensure_remove_chain('fwaas-default-policy'),
        call.add_chain('fwaas-default-policy'),
        call.add_rule('fwaas-default-policy', '-j DROP'),
    ]
    # Both direction chains carry the same two state-tracking rules.
    for chain in (ingress_chain, egress_chain):
        expected += [
            call.add_chain(chain),
            call.add_rule(chain, invalid_rule),
            call.add_rule(chain, est_rule),
        ]
    expected += [
        call.add_rule('FORWARD', '-o qr-+ %s' % default_jump),
        call.add_rule('FORWARD', '-i qr-+ %s' % default_jump),
    ]
    self.v4filter_inst.assert_has_calls(expected)
def test_update_delete_port_filter(self): port = self._fake_port() port["security_group_rules"] = [{"ethertype": "IPv4", "direction": "ingress"}] self.firewall.prepare_port_filter(port) port["security_group_rules"] = [{"ethertype": "IPv4", "direction": "egress"}] self.firewall.update_port_filter(port) self.firewall.update_port_filter({"device": "no-exist-device"}) self.firewall.remove_port_filter(port) self.firewall.remove_port_filter({"device": "no-exist-device"}) calls = [ call.add_chain("sg-fallback"), call.add_rule("sg-fallback", "-j DROP"), call.ensure_remove_chain("sg-chain"), call.add_chain("sg-chain"), call.add_chain("ifake_dev"), call.add_rule("FORWARD", "-m physdev --physdev-is-bridged " "--physdev-out tapfake_dev -j $sg-chain"), call.add_rule("sg-chain", "-m physdev --physdev-is-bridged " "--physdev-out tapfake_dev -j $ifake_dev"), call.add_rule("ifake_dev", "-m state --state INVALID -j DROP"), call.add_rule("ifake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"), call.add_rule("ifake_dev", "-j RETURN"), call.add_rule("ifake_dev", "-j $sg-fallback"), call.add_chain("ofake_dev"), call.add_rule("FORWARD", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $sg-chain"), call.add_rule("sg-chain", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $ofake_dev"), call.add_rule("INPUT", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $ofake_dev"), call.add_rule("ofake_dev", "-m mac ! --mac-source ff:ff:ff:ff -j DROP"), call.add_rule("ofake_dev", "-p udp --sport 68 --dport 67 -j RETURN"), call.add_rule("ofake_dev", "! 
-s 10.0.0.1 -j DROP"), call.add_rule("ofake_dev", "-p udp --sport 67 --dport 68 -j DROP"), call.add_rule("ofake_dev", "-m state --state INVALID -j DROP"), call.add_rule("ofake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"), call.add_rule("ofake_dev", "-j $sg-fallback"), call.add_rule("sg-chain", "-j ACCEPT"), call.ensure_remove_chain("ifake_dev"), call.ensure_remove_chain("ofake_dev"), call.ensure_remove_chain("sg-chain"), call.add_chain("sg-chain"), call.add_chain("ifake_dev"), call.add_rule("FORWARD", "-m physdev --physdev-is-bridged " "--physdev-out tapfake_dev -j $sg-chain"), call.add_rule("sg-chain", "-m physdev --physdev-is-bridged " "--physdev-out tapfake_dev -j $ifake_dev"), call.add_rule("ifake_dev", "-m state --state INVALID -j DROP"), call.add_rule("ifake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"), call.add_rule("ifake_dev", "-j $sg-fallback"), call.add_chain("ofake_dev"), call.add_rule("FORWARD", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $sg-chain"), call.add_rule("sg-chain", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $ofake_dev"), call.add_rule("INPUT", "-m physdev --physdev-is-bridged " "--physdev-in tapfake_dev -j $ofake_dev"), call.add_rule("ofake_dev", "-m mac ! --mac-source ff:ff:ff:ff -j DROP"), call.add_rule("ofake_dev", "-p udp --sport 68 --dport 67 -j RETURN"), call.add_rule("ofake_dev", "! -s 10.0.0.1 -j DROP"), call.add_rule("ofake_dev", "-p udp --sport 67 --dport 68 -j DROP"), call.add_rule("ofake_dev", "-m state --state INVALID -j DROP"), call.add_rule("ofake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"), call.add_rule("ofake_dev", "-j RETURN"), call.add_rule("ofake_dev", "-j $sg-fallback"), call.add_rule("sg-chain", "-j ACCEPT"), call.ensure_remove_chain("ifake_dev"), call.ensure_remove_chain("ofake_dev"), call.ensure_remove_chain("sg-chain"), call.add_chain("sg-chain"), ] self.v4filter_inst.assert_has_calls(calls)
def _test_prepare_port_filter(self, rule, ingress_expected_call=None,
                              egress_expected_call=None):
    """Prepare a port filter carrying one security-group rule and assert the resulting call sequence.

    Args:
        rule: security-group rule dict; ``rule["ethertype"]`` selects the
            IPv4 or IPv6 filter mock and the anti-spoofing prefix in FAKE_IP.
        ingress_expected_call: ``call`` expected on the 'ifake_dev' chain
            right after its state-tracking rules, or None for none.
        egress_expected_call: ``call`` expected on the 'ofake_dev' chain
            right after its state-tracking rules, or None for none.
    """
    port = self._fake_port()
    ethertype = rule["ethertype"]
    prefix = FAKE_IP[ethertype]
    if ethertype == "IPv6":
        filter_inst = self.v6filter_inst
        # IPv6 ports get an ICMPv6 pass where IPv4 ports get the DHCP client rule.
        dhcp_rule = call.add_rule("ofake_dev", "-p icmpv6 -j RETURN")
    else:
        filter_inst = self.v4filter_inst
        dhcp_rule = call.add_rule("ofake_dev", "-p udp --sport 68 --dport 67 -j RETURN")
    port["security_group_rules"] = [rule]
    self.firewall.prepare_port_filter(port)

    physdev_out = "-m physdev --physdev-is-bridged --physdev-out tapfake_dev "
    physdev_in = "-m physdev --physdev-is-bridged --physdev-in tapfake_dev "
    ingress_extra = [ingress_expected_call] if ingress_expected_call else []
    egress_extra = [egress_expected_call] if egress_expected_call else []
    # Only IPv4 ports get the "must not act as a DHCP server" drop.
    dhcp_server_drop = (
        [call.add_rule("ofake_dev", "-p udp --sport 67 --dport 68 -j DROP")]
        if ethertype == "IPv4" else []
    )
    expected = (
        [
            call.add_chain("sg-fallback"),
            call.add_rule("sg-fallback", "-j DROP"),
            call.ensure_remove_chain("sg-chain"),
            call.add_chain("sg-chain"),
            call.add_chain("ifake_dev"),
            call.add_rule("FORWARD", physdev_out + "-j $sg-chain"),
            call.add_rule("sg-chain", physdev_out + "-j $ifake_dev"),
            call.add_rule("ifake_dev", "-m state --state INVALID -j DROP"),
            call.add_rule("ifake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"),
        ]
        + ingress_extra
        + [
            call.add_rule("ifake_dev", "-j $sg-fallback"),
            call.add_chain("ofake_dev"),
            call.add_rule("FORWARD", physdev_in + "-j $sg-chain"),
            call.add_rule("sg-chain", physdev_in + "-j $ofake_dev"),
            call.add_rule("INPUT", physdev_in + "-j $ofake_dev"),
            call.add_rule("ofake_dev", "-m mac ! --mac-source ff:ff:ff:ff -j DROP"),
            dhcp_rule,
            # Anti-spoofing: traffic not sourced from the port's fixed IP is dropped.
            call.add_rule("ofake_dev", "! -s %s -j DROP" % prefix),
        ]
        + dhcp_server_drop
        + [
            call.add_rule("ofake_dev", "-m state --state INVALID -j DROP"),
            call.add_rule("ofake_dev", "-m state --state ESTABLISHED,RELATED -j RETURN"),
        ]
        + egress_extra
        + [
            call.add_rule("ofake_dev", "-j $sg-fallback"),
            call.add_rule("sg-chain", "-j ACCEPT"),
        ]
    )
    filter_inst.assert_has_calls(expected)
def test_filter_ipv6_ingress_udp(self): rule = {'ethertype': 'IPv6', 'direction': 'ingress', 'protocol': 'udp'} ingress = call.add_rule('ifake_dev', '-p udp -m udp -j RETURN') egress = None self._test_prepare_port_filter(rule, ingress, egress)
def _setup_firewall_with_rules(self, func, router_count=1):
    """Drive ``func`` with a rule-bearing IPv4 firewall and check every router's IPv4 filter table.

    Args:
        func: driver entry point taking ``(apply_list, firewall)``.
        router_count: number of fake routers in the apply list; the same
            expected call sequence is asserted on each of them.
    """
    apply_list = self._fake_apply_list(router_count=router_count)
    rule_list = self._fake_rules_v4(FAKE_FW_ID, apply_list)
    firewall = self._fake_firewall(rule_list)
    func(apply_list, firewall)
    invalid_rule = '-m state --state INVALID -j DROP'
    est_rule = '-m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule1 = '-p tcp --dport 80 -s 10.24.4.2 -j ACCEPT'
    rule2 = '-p tcp --dport 22 -j DROP'
    ingress_chain = 'iv4%s' % firewall['id']
    egress_chain = 'ov4%s' % firewall['id']
    bname = fwaas.iptables_manager.binary_name
    # The FORWARD jumps name the binary-prefixed chains truncated to 11 characters.
    ipt_mgr_ichain = '%s-%s' % (bname, ingress_chain[:11])
    ipt_mgr_echain = '%s-%s' % (bname, egress_chain[:11])
    expected = [
        call.ensure_remove_chain('iv4fake-fw-uuid'),
        call.ensure_remove_chain('ov4fake-fw-uuid'),
        call.ensure_remove_chain('fwaas-default-policy'),
        call.add_chain('fwaas-default-policy'),
        call.add_rule('fwaas-default-policy', '-j DROP'),
    ]
    for chain in (ingress_chain, egress_chain):
        expected += [
            call.add_chain(chain),
            call.add_rule(chain, invalid_rule),
            call.add_rule(chain, est_rule),
        ]
    # Each firewall rule lands on the ingress chain, then the egress chain.
    for fw_rule in (rule1, rule2):
        expected += [
            call.add_rule(ingress_chain, fw_rule),
            call.add_rule(egress_chain, fw_rule),
        ]
    expected += [
        call.add_rule('FORWARD', '-o qr-+ -j %s' % ipt_mgr_ichain),
        call.add_rule('FORWARD', '-i qr-+ -j %s' % ipt_mgr_echain),
        call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
        call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname),
    ]
    # The sequence is router-independent, so it is built once and checked
    # against each router's IPv4 filter table.
    for router_info_inst in apply_list:
        router_info_inst.iptables_manager.ipv4['filter'].assert_has_calls(expected)
def test_filter_ipv6_egress(self): rule = {'ethertype': 'IPv6', 'direction': 'egress'} egress = call.add_rule('ofake_dev', '-j RETURN') ingress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_prepare_port_filter_with_no_sg(self): port = self._fake_port() self.firewall.prepare_port_filter(port) calls = [call.add_chain('sg-fallback'), call.add_rule('sg-fallback', '-j DROP'), call.ensure_remove_chain('sg-chain'), call.add_chain('sg-chain'), call.add_chain('ifake_dev'), call.add_rule('FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev ' '-j $sg-chain'), call.add_rule('sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev ' '-j $ifake_dev'), call.add_rule( 'ifake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ifake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ifake_dev', '-j $sg-fallback'), call.add_chain('ofake_dev'), call.add_rule('FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $sg-chain'), call.add_rule('sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $ofake_dev'), call.add_rule('INPUT', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $ofake_dev'), call.add_rule( 'ofake_dev', '-m mac ! --mac-source ff:ff:ff:ff -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 68 --dport 67 -j RETURN'), call.add_rule('ofake_dev', '! -s 10.0.0.1 -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 67 --dport 68 -j DROP'), call.add_rule( 'ofake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ofake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ofake_dev', '-j $sg-fallback'), call.add_rule('sg-chain', '-j ACCEPT')] self.v4filter_inst.assert_has_calls(calls)
def _test_prepare_port_filter(self, rule, ingress_expected_call=None,
                              egress_expected_call=None):
    """Prepare a port filter for a single security-group rule and check the emitted iptables calls.

    Args:
        rule: the security-group rule dict; its 'ethertype' selects the
            IPv4 or IPv6 filter mock and the anti-spoofing prefix in FAKE_IP.
        ingress_expected_call: the mock ``call`` expected on the ingress
            chain ('ifake_dev') after its state-tracking rules, or None.
        egress_expected_call: likewise for the egress chain ('ofake_dev').
    """
    port = self._fake_port()
    ethertype = rule['ethertype']
    prefix = FAKE_IP[ethertype]
    is_v6 = ethertype == 'IPv6'
    filter_inst = self.v6filter_inst if is_v6 else self.v4filter_inst
    # IPv6 ports get an ICMPv6 pass where IPv4 ports get the DHCP client rule.
    if is_v6:
        dhcp_rule = call.add_rule('ofake_dev', '-p icmpv6 -j RETURN')
    else:
        dhcp_rule = call.add_rule('ofake_dev', '-p udp --sport 68 --dport 67 -j RETURN')
    port['security_group_rules'] = [rule]
    self.firewall.prepare_port_filter(port)

    physdev_out = '-m physdev --physdev-is-bridged --physdev-out tapfake_dev '
    physdev_in = '-m physdev --physdev-is-bridged --physdev-in tapfake_dev '
    expected = [
        call.add_chain('sg-fallback'),
        call.add_rule('sg-fallback', '-j DROP'),
        call.ensure_remove_chain('sg-chain'),
        call.add_chain('sg-chain'),
        call.add_chain('ifake_dev'),
        call.add_rule('FORWARD', physdev_out + '-j $sg-chain'),
        call.add_rule('sg-chain', physdev_out + '-j $ifake_dev'),
        call.add_rule('ifake_dev', '-m state --state INVALID -j DROP'),
        call.add_rule('ifake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'),
    ]
    if ingress_expected_call:
        expected.append(ingress_expected_call)
    expected.extend([
        call.add_rule('ifake_dev', '-j $sg-fallback'),
        call.add_chain('ofake_dev'),
        call.add_rule('FORWARD', physdev_in + '-j $sg-chain'),
        call.add_rule('sg-chain', physdev_in + '-j $ofake_dev'),
        call.add_rule('INPUT', physdev_in + '-j $ofake_dev'),
        call.add_rule('ofake_dev', '-m mac ! --mac-source ff:ff:ff:ff -j DROP'),
        dhcp_rule,
        # Anti-spoofing: traffic not sourced from the port's fixed IP is dropped.
        call.add_rule('ofake_dev', '! -s %s -j DROP' % prefix),
    ])
    if ethertype == 'IPv4':
        # IPv4 only: the port must not be able to answer as a DHCP server.
        expected.append(call.add_rule('ofake_dev', '-p udp --sport 67 --dport 68 -j DROP'))
    expected.extend([
        call.add_rule('ofake_dev', '-m state --state INVALID -j DROP'),
        call.add_rule('ofake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'),
    ])
    if egress_expected_call:
        expected.append(egress_expected_call)
    expected.extend([
        call.add_rule('ofake_dev', '-j $sg-fallback'),
        call.add_rule('sg-chain', '-j ACCEPT'),
    ])
    filter_inst.assert_has_calls(expected)
def test_update_delete_port_filter(self): port = self._fake_port() port['security_group_rules'] = [{'ethertype': 'IPv4', 'direction': 'ingress'}] self.firewall.prepare_port_filter(port) port['security_group_rules'] = [{'ethertype': 'IPv4', 'direction': 'egress'}] self.firewall.update_port_filter(port) self.firewall.update_port_filter({'device': 'no-exist-device'}) self.firewall.remove_port_filter(port) self.firewall.remove_port_filter({'device': 'no-exist-device'}) calls = [call.add_chain('sg-fallback'), call.add_rule('sg-fallback', '-j DROP'), call.ensure_remove_chain('sg-chain'), call.add_chain('sg-chain'), call.add_chain('ifake_dev'), call.add_rule( 'FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev -j $sg-chain'), call.add_rule( 'sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev -j $ifake_dev'), call.add_rule( 'ifake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ifake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ifake_dev', '-j RETURN'), call.add_rule('ifake_dev', '-j $sg-fallback'), call.add_chain('ofake_dev'), call.add_rule( 'FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $sg-chain'), call.add_rule( 'sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $ofake_dev'), call.add_rule( 'INPUT', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $ofake_dev'), call.add_rule( 'ofake_dev', '-m mac ! --mac-source ff:ff:ff:ff -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 68 --dport 67 -j RETURN'), call.add_rule( 'ofake_dev', '! 
-s 10.0.0.1 -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 67 --dport 68 -j DROP'), call.add_rule( 'ofake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ofake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ofake_dev', '-j $sg-fallback'), call.add_rule('sg-chain', '-j ACCEPT'), call.ensure_remove_chain('ifake_dev'), call.ensure_remove_chain('ofake_dev'), call.ensure_remove_chain('sfake_dev'), call.ensure_remove_chain('sg-chain'), call.add_chain('sg-chain'), call.add_chain('ifake_dev'), call.add_rule( 'FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev -j $sg-chain'), call.add_rule( 'sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev -j $ifake_dev'), call.add_rule( 'ifake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ifake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ifake_dev', '-j $sg-fallback'), call.add_chain('ofake_dev'), call.add_rule( 'FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $sg-chain'), call.add_rule( 'sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $ofake_dev'), call.add_rule( 'INPUT', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev -j $ofake_dev'), call.add_rule( 'ofake_dev', '-m mac ! --mac-source ff:ff:ff:ff -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 68 --dport 67 -j RETURN'), call.add_rule( 'ofake_dev', '! 
-s 10.0.0.1 -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 67 --dport 68 -j DROP'), call.add_rule( 'ofake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ofake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ofake_dev', '-j RETURN'), call.add_rule('ofake_dev', '-j $sg-fallback'), call.add_rule('sg-chain', '-j ACCEPT'), call.ensure_remove_chain('ifake_dev'), call.ensure_remove_chain('ofake_dev'), call.ensure_remove_chain('sfake_dev'), call.ensure_remove_chain('sg-chain'), call.add_chain('sg-chain')] self.v4filter_inst.assert_has_calls(calls)
def test_ip_spoofing_filter_with_multiple_ips(self): port = {'device': 'tapfake_dev', 'mac_address': 'ff:ff:ff:ff', 'fixed_ips': ['10.0.0.1', 'fe80::1', '10.0.0.2']} self.firewall.prepare_port_filter(port) calls = [call.add_chain('sg-fallback'), call.add_rule('sg-fallback', '-j DROP'), call.ensure_remove_chain('sg-chain'), call.add_chain('sg-chain'), call.add_chain('ifake_dev'), call.add_rule('FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev ' '-j $sg-chain'), call.add_rule('sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-out tapfake_dev ' '-j $ifake_dev'), call.add_rule( 'ifake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ifake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ifake_dev', '-j $sg-fallback'), call.add_chain('ofake_dev'), call.add_rule('FORWARD', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $sg-chain'), call.add_rule('sg-chain', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $ofake_dev'), call.add_rule('INPUT', '-m physdev --physdev-is-bridged ' '--physdev-in tapfake_dev ' '-j $ofake_dev'), call.add_chain('sfake_dev'), call.add_rule('sfake_dev', '-s 10.0.0.1 -j RETURN'), call.add_rule('sfake_dev', '-s 10.0.0.2 -j RETURN'), call.add_rule('sfake_dev', '-j DROP'), call.add_rule( 'ofake_dev', '-m mac ! --mac-source ff:ff:ff:ff -j DROP'), call.add_rule( 'ofake_dev', '-p udp --sport 68 --dport 67 -j RETURN'), call.add_rule('ofake_dev', '-j $sfake_dev'), call.add_rule( 'ofake_dev', '-p udp --sport 67 --dport 68 -j DROP'), call.add_rule( 'ofake_dev', '-m state --state INVALID -j DROP'), call.add_rule( 'ofake_dev', '-m state --state ESTABLISHED,RELATED -j RETURN'), call.add_rule('ofake_dev', '-j $sg-fallback'), call.add_rule('sg-chain', '-j ACCEPT')] self.v4filter_inst.assert_has_calls(calls)
def test_filter_ipv4_ingress_prefix(self):
    """IPv4 ingress rule restricted to a source prefix: expect '-j RETURN -s <prefix>' on the ingress chain."""
    src_prefix = FAKE_PREFIX["IPv4"]
    sg_rule = dict(ethertype="IPv4", direction="ingress", source_ip_prefix=src_prefix)
    on_ingress = call.add_rule("ifake_dev", "-j RETURN -s %s" % src_prefix)
    self._test_prepare_port_filter(sg_rule, on_ingress, None)
def test_filter_ipv4_ingress_tcp(self): rule = {"ethertype": "IPv4", "direction": "ingress", "protocol": "tcp"} ingress = call.add_rule("ifake_dev", "-j RETURN -p tcp") egress = None self._test_prepare_port_filter(rule, ingress, egress)
def test_filter_ipv4_ingress_tcp(self): rule = {'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'tcp'} ingress = call.add_rule('ifake_dev', '-j RETURN -p tcp') egress = None self._test_prepare_port_filter(rule, ingress, egress)