コード例 #1
0
    def _setup_firewall(self, ri, fw):
        client = self._get_vyatta_client(ri.router)

        fw_cmd_list = []

        # Create firewall
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        fw_cmd_list.append(
            vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(fw_name))))

        if fw.get('description'):
            fw_cmd_list.append(
                vyatta_client.SetCmd(
                    FW_DESCRIPTION.format(parse.quote_plus(fw_name),
                                          parse.quote_plus(
                                              fw['description']))))

        # Set firewall state policy
        fw_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
        fw_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))

        # Create firewall rules
        rule_num = 0
        for rule in fw['firewall_rule_list']:
            if not rule['enabled']:
                continue
            if rule['ip_version'] == 4:
                rule_num += 1
                fw_cmd_list += self._set_firewall_rule(fw_name, rule_num, rule)
            else:
                LOG.warning(_LW("IPv6 rules are not supported."))

        # Configure router zones
        zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, fw_name)
        client.exec_cmd_batch(fw_cmd_list + zone_cmd_list)
コード例 #2
0
    def test_update_static_routes(self):
        cmd_batch_mock = mock.Mock()
        mock_object(vyatta_client.VRouterRestAPIClient, 'exec_cmd_batch',
                    cmd_batch_mock)

        RouteRule = vyatta_utils.RouteRule

        routes_to_add = tuple((
            RouteRule(dest_cidr='10.1.0.0/24', next_hop='192.168.1.1'),
            RouteRule(dest_cidr='10.2.0.0/24', next_hop='192.168.1.1'),
        ))
        routes_to_del = tuple((RouteRule(dest_cidr='10.3.0.0/24',
                                         next_hop='192.168.1.1'), ))

        client = self._create_client()
        client.update_static_routes(routes_to_add, routes_to_del)

        expected_batch = list()
        for rule in routes_to_add:
            cmd = vyatta_client.SetCmd(
                ('protocols/static/route/{0}/next-hop/{1}').format(
                    urllib.quote_plus(rule.dest_cidr),
                    urllib.quote_plus(rule.next_hop)))
            expected_batch.append(cmd)
        for rule in routes_to_del:
            cmd = vyatta_client.DeleteCmd('protocols/static/route/{0}'.format(
                urllib.quote_plus(rule.dest_cidr)))
            expected_batch.append(cmd)

        cmd_batch_mock.assert_called_once_with(expected_batch)
コード例 #3
0
    def test_get_zone_cmds(self):
        firewall_name = 'fake_firewall0'
        eth_iface = 'eth0'
        fake_api = mock.NonCallableMock()
        fake_api.get_ethernet_if_id.return_value = eth_iface

        mac_address = '00:00:00:00:00:00'
        fake_apply_rule = mock.NonCallableMock()
        fake_apply_rule.router = {
            'gw_port': {
                'mac_address': mac_address
            },
            l3_constants.INTERFACE_KEY: [{
                'mac_address': mac_address
            }]
        }

        trusted_zone_name = vyatta_utils.get_trusted_zone_name(fake_apply_rule)
        untrusted_zone_name = vyatta_utils.get_untrusted_zone_name(
            fake_apply_rule)

        cmds_actual = vyatta_utils.get_zone_cmds(fake_api, fake_apply_rule,
                                                 firewall_name)
        cmds_expect = [
            vyatta_client.DeleteCmd('zone-policy'),
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_INTERFACE_CMD.format(trusted_zone_name,
                                                       eth_iface)),
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_INTERFACE_CMD.format(untrusted_zone_name,
                                                       eth_iface)),
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_FIREWALL_CMD.format(
                    trusted_zone_name, untrusted_zone_name,
                    parse.quote_plus(firewall_name))),
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_FIREWALL_CMD.format(
                    untrusted_zone_name, trusted_zone_name,
                    parse.quote_plus(firewall_name))),
        ]

        self.assertEqual(cmds_expect, cmds_actual)

        fake_api.get_ethernet_if_id.assert_has_calls([
            mock.call(mac_address),
            mock.call(mac_address),
        ])
コード例 #4
0
def get_zone_cmds(rest_api, ri, opt_name):
    """Return zone update commands for Vyatta vRouter.

    Commands chain drops all zone-policy zones and create new zones
    based on internal interfaces and external gateway.
    """
    cmd_list = []

    # Delete the zone policies
    cmd_list.append(vyatta_client.DeleteCmd("zone-policy"))

    # Configure trusted zone
    trusted_zone_name = None
    # Add internal ports to trusted zone
    if l3_constants.INTERFACE_KEY in ri.router:
        trusted_zone_name = parse.quote_plus(get_trusted_zone_name(ri))
        for port in ri.router[l3_constants.INTERFACE_KEY]:
            eth_if_id = rest_api.get_ethernet_if_id(port['mac_address'])
            cmd_list.append(
                vyatta_client.SetCmd(
                    ZONE_INTERFACE_CMD.format(trusted_zone_name, eth_if_id)))
    # Configure untrusted zone
    untrusted_zone_name = get_untrusted_zone_name(ri)
    if untrusted_zone_name is not None:
        # Add external ports to untrusted zone
        if 'gw_port' in ri.router:
            gw_port = ri.router['gw_port']
            eth_if_id = rest_api.get_ethernet_if_id(gw_port['mac_address'])
            cmd_list.append(
                vyatta_client.SetCmd(
                    ZONE_INTERFACE_CMD.format(untrusted_zone_name, eth_if_id)))

            if trusted_zone_name is not None:
                # Associate optimizer to zone
                cmd_list.append(
                    vyatta_client.SetCmd(
                        ZONE_OPTIMIZER_CMD.format(trusted_zone_name,
                                                  untrusted_zone_name,
                                                  parse.quote_plus(opt_name))))

                cmd_list.append(
                    vyatta_client.SetCmd(
                        ZONE_OPTIMIZER_CMD.format(untrusted_zone_name,
                                                  trusted_zone_name,
                                                  parse.quote_plus(opt_name))))

    return cmd_list
コード例 #5
0
    def test_set_optimizer_rule_internal(self):
        fake_rule = self._make_fake_opt_rule()
        fake_optimizer_name = 'fake-opt-name'

        fake_rule.update({
            'description': 'rule description',
            'source_port': '2080',
            'destination_ip_address': '172.16.1.1'
        })
        action_map = {
            'allow': 'accept',
        }

        cmds_actual = self.oaas_driver._set_optimizer_rule(
            fake_optimizer_name, 1, fake_rule)
        cmds_expect = [
            vyatta_client.SetCmd(
                vyatta_oaas.FW_RULE_DESCRIPTION.format(
                    parse.quote_plus(fake_optimizer_name), 1,
                    parse.quote_plus(fake_rule['description'])))
        ]

        rules = [
            ('protocol', vyatta_oaas.FW_RULE_PROTOCOL),
            ('source_port', vyatta_oaas.FW_RULE_SRC_PORT),
            ('destination_port', vyatta_oaas.FW_RULE_DEST_PORT),
            ('source_ip_address', vyatta_oaas.FW_RULE_SRC_ADDR),
            ('destination_ip_address', vyatta_oaas.FW_RULE_DEST_ADDR),
        ]

        for key, url in rules:
            cmds_expect.append(
                vyatta_client.SetCmd(
                    url.format(parse.quote_plus(fake_optimizer_name), 1,
                               parse.quote_plus(fake_rule[key]))))

        cmds_expect.append(
            vyatta_client.SetCmd(
                vyatta_oaas.FW_RULE_ACTION.format(
                    parse.quote_plus(fake_optimizer_name), 1,
                    action_map.get(fake_rule['action'], 'drop'))))

        self.assertEqual(cmds_expect, cmds_actual)
コード例 #6
0
    def test_configure_cmd_batch(self):
        client = self._create_client()
        cmd_list = [
            vyatta_client.SetCmd('cmd1'),
            vyatta_client.DeleteCmd('cmd2')
        ]

        client.exec_cmd_batch(cmd_list)

        self.assertEqual(self._rest_mock.call_count, len(cmd_list) + 4)
コード例 #7
0
    def _set_firewall_rule(self, fw_name, rule_num, rule):
        cmd_list = []

        if 'description' in rule and len(rule['description']) > 0:
            cmd_list.append(
                vyatta_client.SetCmd(
                    FW_RULE_DESCRIPTION.format(
                        parse.quote_plus(fw_name), rule_num,
                        parse.quote_plus(rule['description']))))

        rules = [
            ('protocol', FW_RULE_PROTOCOL),
            ('source_port', FW_RULE_SRC_PORT),
            ('destination_port', FW_RULE_DEST_PORT),
            ('source_ip_address', FW_RULE_SRC_ADDR),
            ('destination_ip_address', FW_RULE_DEST_ADDR),
        ]

        for key, url in rules:
            field = rule.get(key)
            if field is None:
                continue

            # For safety and extensibility we need to use quote_plus
            # for all data retrieved from external sources.
            cmd_list.append(
                vyatta_client.SetCmd(
                    url.format(parse.quote_plus(fw_name), rule_num,
                               parse.quote_plus(field))))

        if 'action' in rule:
            if rule['action'] == 'allow':
                action = 'accept'
            else:
                action = 'drop'
            cmd_list.append(
                vyatta_client.SetCmd(
                    FW_RULE_ACTION.format(parse.quote_plus(fw_name), rule_num,
                                          action)))
        return cmd_list
コード例 #8
0
    def test_setup_firewall_internal(self):
        fake_rule = self._make_fake_fw_rule()
        fake_router_info = self._make_fake_router_info()
        fake_rule_cmd = 'fake-fw-rule0'
        fake_zone_configure_rules = ['fake-config-rule0']

        mock_api = mock.Mock()
        mock_api_gen = mock.Mock(return_value=mock_api)
        mock_get_firewall_rule = mock.Mock(return_value=[fake_rule_cmd])
        mock_get_zone_cmds = mock.Mock(return_value=fake_zone_configure_rules)
        with mock.patch.object(self.fwaas_driver, '_get_vyatta_client',
                               mock_api_gen), \
                mock.patch.object(vyatta_fwaas.vyatta_utils, 'get_zone_cmds',
                                  mock_get_zone_cmds), \
                mock.patch.object(self.fwaas_driver, '_set_firewall_rule',
                                  mock_get_firewall_rule):
            self.fwaas_driver._setup_firewall(fake_router_info,
                                              self.fake_firewall)

            mock_api_gen.assert_called_once_with(fake_router_info.router)
            mock_get_firewall_rule.assert_called_once_with(
                self.fake_firewall_name, 1, fake_rule)
            mock_get_zone_cmds.assert_called_once_with(mock_api,
                                                       fake_router_info,
                                                       self.fake_firewall_name)

            cmds = [
                vyatta_client.SetCmd(
                    vyatta_fwaas.FW_NAME.format(self.fake_firewall_name)),
                vyatta_client.SetCmd(
                    vyatta_fwaas.FW_DESCRIPTION.format(
                        self.fake_firewall_name,
                        parse.quote_plus(self.fake_firewall['description']))),
                vyatta_client.SetCmd(vyatta_fwaas.FW_ESTABLISHED_ACCEPT),
                vyatta_client.SetCmd(vyatta_fwaas.FW_RELATED_ACCEPT),
                fake_rule_cmd,
            ] + fake_zone_configure_rules
            mock_api.exec_cmd_batch.assert_called_once_with(cmds)
コード例 #9
0
    def _setup_optimizer(self, ri, opt):
        client = self._get_vyatta_client(ri.router)

        opt_cmd_list = []

        # Create optimizer
        opt_name = vyatta_utils.get_optimizer_name(ri, opt)
        opt_cmd_list.append(
            vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(opt_name))))

        if opt.get('description'):
            opt_cmd_list.append(
                vyatta_client.SetCmd(
                    FW_DESCRIPTION.format(parse.quote_plus(opt_name),
                                          parse.quote_plus(
                                              opt['description']))))

        # Set optimizer state policy
        opt_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
        opt_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))

        # Create optimizer rules
        rule_num = 0
        for rule in opt['optimizer_rule_list']:
            if not rule['enabled']:
                continue
            if rule['ip_version'] == 4:
                rule_num += 1
                opt_cmd_list += self._set_optimizer_rule(
                    opt_name, rule_num, rule)
            else:
                LOG.warn(_LW("IPv6 rules are not supported."))

        # Configure router zones
        zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, opt_name)
        client.exec_cmd_batch(opt_cmd_list + zone_cmd_list)