def _setup_firewall(self, ri, fw): client = self._get_vyatta_client(ri.router) fw_cmd_list = [] # Create firewall fw_name = vyatta_utils.get_firewall_name(ri, fw) fw_cmd_list.append( vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(fw_name)))) if fw.get('description'): fw_cmd_list.append( vyatta_client.SetCmd( FW_DESCRIPTION.format(parse.quote_plus(fw_name), parse.quote_plus( fw['description'])))) # Set firewall state policy fw_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT)) fw_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT)) # Create firewall rules rule_num = 0 for rule in fw['firewall_rule_list']: if not rule['enabled']: continue if rule['ip_version'] == 4: rule_num += 1 fw_cmd_list += self._set_firewall_rule(fw_name, rule_num, rule) else: LOG.warning(_LW("IPv6 rules are not supported.")) # Configure router zones zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, fw_name) client.exec_cmd_batch(fw_cmd_list + zone_cmd_list)
def test_update_static_routes(self): cmd_batch_mock = mock.Mock() mock_object(vyatta_client.VRouterRestAPIClient, 'exec_cmd_batch', cmd_batch_mock) RouteRule = vyatta_utils.RouteRule routes_to_add = tuple(( RouteRule(dest_cidr='10.1.0.0/24', next_hop='192.168.1.1'), RouteRule(dest_cidr='10.2.0.0/24', next_hop='192.168.1.1'), )) routes_to_del = tuple((RouteRule(dest_cidr='10.3.0.0/24', next_hop='192.168.1.1'), )) client = self._create_client() client.update_static_routes(routes_to_add, routes_to_del) expected_batch = list() for rule in routes_to_add: cmd = vyatta_client.SetCmd( ('protocols/static/route/{0}/next-hop/{1}').format( urllib.quote_plus(rule.dest_cidr), urllib.quote_plus(rule.next_hop))) expected_batch.append(cmd) for rule in routes_to_del: cmd = vyatta_client.DeleteCmd('protocols/static/route/{0}'.format( urllib.quote_plus(rule.dest_cidr))) expected_batch.append(cmd) cmd_batch_mock.assert_called_once_with(expected_batch)
def test_get_zone_cmds(self): firewall_name = 'fake_firewall0' eth_iface = 'eth0' fake_api = mock.NonCallableMock() fake_api.get_ethernet_if_id.return_value = eth_iface mac_address = '00:00:00:00:00:00' fake_apply_rule = mock.NonCallableMock() fake_apply_rule.router = { 'gw_port': { 'mac_address': mac_address }, l3_constants.INTERFACE_KEY: [{ 'mac_address': mac_address }] } trusted_zone_name = vyatta_utils.get_trusted_zone_name(fake_apply_rule) untrusted_zone_name = vyatta_utils.get_untrusted_zone_name( fake_apply_rule) cmds_actual = vyatta_utils.get_zone_cmds(fake_api, fake_apply_rule, firewall_name) cmds_expect = [ vyatta_client.DeleteCmd('zone-policy'), vyatta_client.SetCmd( vyatta_utils.ZONE_INTERFACE_CMD.format(trusted_zone_name, eth_iface)), vyatta_client.SetCmd( vyatta_utils.ZONE_INTERFACE_CMD.format(untrusted_zone_name, eth_iface)), vyatta_client.SetCmd( vyatta_utils.ZONE_FIREWALL_CMD.format( trusted_zone_name, untrusted_zone_name, parse.quote_plus(firewall_name))), vyatta_client.SetCmd( vyatta_utils.ZONE_FIREWALL_CMD.format( untrusted_zone_name, trusted_zone_name, parse.quote_plus(firewall_name))), ] self.assertEqual(cmds_expect, cmds_actual) fake_api.get_ethernet_if_id.assert_has_calls([ mock.call(mac_address), mock.call(mac_address), ])
def get_zone_cmds(rest_api, ri, opt_name): """Return zone update commands for Vyatta vRouter. Commands chain drops all zone-policy zones and create new zones based on internal interfaces and external gateway. """ cmd_list = [] # Delete the zone policies cmd_list.append(vyatta_client.DeleteCmd("zone-policy")) # Configure trusted zone trusted_zone_name = None # Add internal ports to trusted zone if l3_constants.INTERFACE_KEY in ri.router: trusted_zone_name = parse.quote_plus(get_trusted_zone_name(ri)) for port in ri.router[l3_constants.INTERFACE_KEY]: eth_if_id = rest_api.get_ethernet_if_id(port['mac_address']) cmd_list.append( vyatta_client.SetCmd( ZONE_INTERFACE_CMD.format(trusted_zone_name, eth_if_id))) # Configure untrusted zone untrusted_zone_name = get_untrusted_zone_name(ri) if untrusted_zone_name is not None: # Add external ports to untrusted zone if 'gw_port' in ri.router: gw_port = ri.router['gw_port'] eth_if_id = rest_api.get_ethernet_if_id(gw_port['mac_address']) cmd_list.append( vyatta_client.SetCmd( ZONE_INTERFACE_CMD.format(untrusted_zone_name, eth_if_id))) if trusted_zone_name is not None: # Associate optimizer to zone cmd_list.append( vyatta_client.SetCmd( ZONE_OPTIMIZER_CMD.format(trusted_zone_name, untrusted_zone_name, parse.quote_plus(opt_name)))) cmd_list.append( vyatta_client.SetCmd( ZONE_OPTIMIZER_CMD.format(untrusted_zone_name, trusted_zone_name, parse.quote_plus(opt_name)))) return cmd_list
def test_set_optimizer_rule_internal(self): fake_rule = self._make_fake_opt_rule() fake_optimizer_name = 'fake-opt-name' fake_rule.update({ 'description': 'rule description', 'source_port': '2080', 'destination_ip_address': '172.16.1.1' }) action_map = { 'allow': 'accept', } cmds_actual = self.oaas_driver._set_optimizer_rule( fake_optimizer_name, 1, fake_rule) cmds_expect = [ vyatta_client.SetCmd( vyatta_oaas.FW_RULE_DESCRIPTION.format( parse.quote_plus(fake_optimizer_name), 1, parse.quote_plus(fake_rule['description']))) ] rules = [ ('protocol', vyatta_oaas.FW_RULE_PROTOCOL), ('source_port', vyatta_oaas.FW_RULE_SRC_PORT), ('destination_port', vyatta_oaas.FW_RULE_DEST_PORT), ('source_ip_address', vyatta_oaas.FW_RULE_SRC_ADDR), ('destination_ip_address', vyatta_oaas.FW_RULE_DEST_ADDR), ] for key, url in rules: cmds_expect.append( vyatta_client.SetCmd( url.format(parse.quote_plus(fake_optimizer_name), 1, parse.quote_plus(fake_rule[key])))) cmds_expect.append( vyatta_client.SetCmd( vyatta_oaas.FW_RULE_ACTION.format( parse.quote_plus(fake_optimizer_name), 1, action_map.get(fake_rule['action'], 'drop')))) self.assertEqual(cmds_expect, cmds_actual)
def test_configure_cmd_batch(self): client = self._create_client() cmd_list = [ vyatta_client.SetCmd('cmd1'), vyatta_client.DeleteCmd('cmd2') ] client.exec_cmd_batch(cmd_list) self.assertEqual(self._rest_mock.call_count, len(cmd_list) + 4)
def _set_firewall_rule(self, fw_name, rule_num, rule): cmd_list = [] if 'description' in rule and len(rule['description']) > 0: cmd_list.append( vyatta_client.SetCmd( FW_RULE_DESCRIPTION.format( parse.quote_plus(fw_name), rule_num, parse.quote_plus(rule['description'])))) rules = [ ('protocol', FW_RULE_PROTOCOL), ('source_port', FW_RULE_SRC_PORT), ('destination_port', FW_RULE_DEST_PORT), ('source_ip_address', FW_RULE_SRC_ADDR), ('destination_ip_address', FW_RULE_DEST_ADDR), ] for key, url in rules: field = rule.get(key) if field is None: continue # For safety and extensibility we need to use quote_plus # for all data retrieved from external sources. cmd_list.append( vyatta_client.SetCmd( url.format(parse.quote_plus(fw_name), rule_num, parse.quote_plus(field)))) if 'action' in rule: if rule['action'] == 'allow': action = 'accept' else: action = 'drop' cmd_list.append( vyatta_client.SetCmd( FW_RULE_ACTION.format(parse.quote_plus(fw_name), rule_num, action))) return cmd_list
def test_setup_firewall_internal(self): fake_rule = self._make_fake_fw_rule() fake_router_info = self._make_fake_router_info() fake_rule_cmd = 'fake-fw-rule0' fake_zone_configure_rules = ['fake-config-rule0'] mock_api = mock.Mock() mock_api_gen = mock.Mock(return_value=mock_api) mock_get_firewall_rule = mock.Mock(return_value=[fake_rule_cmd]) mock_get_zone_cmds = mock.Mock(return_value=fake_zone_configure_rules) with mock.patch.object(self.fwaas_driver, '_get_vyatta_client', mock_api_gen), \ mock.patch.object(vyatta_fwaas.vyatta_utils, 'get_zone_cmds', mock_get_zone_cmds), \ mock.patch.object(self.fwaas_driver, '_set_firewall_rule', mock_get_firewall_rule): self.fwaas_driver._setup_firewall(fake_router_info, self.fake_firewall) mock_api_gen.assert_called_once_with(fake_router_info.router) mock_get_firewall_rule.assert_called_once_with( self.fake_firewall_name, 1, fake_rule) mock_get_zone_cmds.assert_called_once_with(mock_api, fake_router_info, self.fake_firewall_name) cmds = [ vyatta_client.SetCmd( vyatta_fwaas.FW_NAME.format(self.fake_firewall_name)), vyatta_client.SetCmd( vyatta_fwaas.FW_DESCRIPTION.format( self.fake_firewall_name, parse.quote_plus(self.fake_firewall['description']))), vyatta_client.SetCmd(vyatta_fwaas.FW_ESTABLISHED_ACCEPT), vyatta_client.SetCmd(vyatta_fwaas.FW_RELATED_ACCEPT), fake_rule_cmd, ] + fake_zone_configure_rules mock_api.exec_cmd_batch.assert_called_once_with(cmds)
def _setup_optimizer(self, ri, opt): client = self._get_vyatta_client(ri.router) opt_cmd_list = [] # Create optimizer opt_name = vyatta_utils.get_optimizer_name(ri, opt) opt_cmd_list.append( vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(opt_name)))) if opt.get('description'): opt_cmd_list.append( vyatta_client.SetCmd( FW_DESCRIPTION.format(parse.quote_plus(opt_name), parse.quote_plus( opt['description'])))) # Set optimizer state policy opt_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT)) opt_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT)) # Create optimizer rules rule_num = 0 for rule in opt['optimizer_rule_list']: if not rule['enabled']: continue if rule['ip_version'] == 4: rule_num += 1 opt_cmd_list += self._set_optimizer_rule( opt_name, rule_num, rule) else: LOG.warn(_LW("IPv6 rules are not supported.")) # Configure router zones zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, opt_name) client.exec_cmd_batch(opt_cmd_list + zone_cmd_list)