def _validate_iptables_rules(self, vms):
    """Assert that the ``filter`` table mentions every VM's hybrid device.

    For each VM the hybrid port name is derived from its neutron port id and
    searched for, as a plain substring, in the rule lines of the ``filter``
    table. One matching line is enough to pass, so this confirms only that
    some rule references the interface, not that the ruleset is complete or
    enforces the intended policy.

    :param vms: iterable of objects exposing ``neutron_port['id']``.
    :raises IptablesNotConfiguredException: if no ``filter`` rule line
        contains the device name of one of the VMs.
    """
    # NOTE(review): every VM is checked through the single
    # ``self.iptables_manager``; confirm it reads the namespace in which
    # each VM's rules are actually installed.
    for vm in vms:
        device = iptables_firewall.get_hybrid_port_name(
            vm.neutron_port['id'])
        # The table is fetched once per VM, inside the loop.
        rules = self.iptables_manager.get_rules_for_table('filter')
        for rule in rules:
            if device in rule:
                # First line naming the device satisfies the check.
                break
        else:
            raise IptablesNotConfiguredException(
                "There are no iptables rules configured for interface %s"
                % device)
def _validate_stateless_rules(self, vms):
    """Wait until stateless rules are reported for every VM's hybrid device.

    For each VM an ``IptablesManager`` is created for the namespace of the
    VM's host, and ``self._is_stateless_configured`` is handed to
    ``common_utils.wait_until_true`` as the condition to wait for. What
    counts as "stateless configured" is decided entirely by that helper.

    :param vms: iterable of objects exposing ``host.host_namespace`` and
        ``neutron_port['id']``.
    :raises StatelessRulesNotConfiguredException: passed to
        ``wait_until_true`` as the exception to raise; presumably raised
        when the condition does not become true in time (confirm against
        ``common_utils``).
    """
    for vm in vms:
        host_iptables = iptables_manager.IptablesManager(
            namespace=vm.host.host_namespace)
        device = iptables_firewall.get_hybrid_port_name(
            vm.neutron_port['id'])
        not_configured = StatelessRulesNotConfiguredException(
            "There are no stateless rules configured for "
            "interface %s" % device)
        # NOTE(review): the lambda closes over this iteration's variables;
        # that is only safe if wait_until_true calls it before the loop
        # moves on to the next VM -- confirm.
        common_utils.wait_until_true(
            lambda: self._is_stateless_configured(host_iptables, device),
            exception=not_configured)
def hybrid_plug_port(self, port_name):
    """Plug the port with a linux bridge between it and ``self.bridge``.

    Devices are created in this order:

    * a veth pair named by ``_get_veth_pair_names``: one end is added to
      the linux bridge, the other to ``self.bridge`` with ``external_ids``
      carrying the port id, status and MAC;
    * a linux bridge named by ``_get_br_name``, created with
      ``namespace=None``;
    * a second veth pair that stands in for the VM tap device: the end
      carrying the hybrid port name joins the linux bridge, its peer is
      moved into ``self.namespace`` and stored as ``self.port``.

    :param port_name: not referenced in this method; all names are derived
        from ``self.port_id``.
    """
    ns_wrapper = ip_lib.IPWrapper(self.namespace)

    # veth pair between the linux bridge (qvb) and self.bridge (qvo).
    bridge_end_name, ovs_end_name = self._get_veth_pair_names(self.port_id)
    link_fixture = self.useFixture(
        NamedVethFixture(bridge_end_name, ovs_end_name))
    bridge_end, ovs_end = link_fixture.ports
    bridge_end.link.set_up()
    ovs_end.link.set_up()

    # The intermediate linux bridge itself.
    linux_bridge_name = self._get_br_name(self.port_id)
    bridge_fixture = self.useFixture(
        LinuxBridgeFixture(linux_bridge_name,
                           namespace=None,
                           prefix_is_full_name=True))
    self.qbr = bridge_fixture.bridge
    self.qbr.link.set_up()
    # presumably zero forward delay and no STP so the bridge forwards at
    # once -- confirm against the bridge helper.
    self.qbr.setfd(0)
    self.qbr.disable_stp()
    self.qbr.addif(bridge_end_name)

    external_ids = {
        'iface-id': self.port_id,
        'iface-status': 'active',
        'attached-mac': self.mac,
    }
    self.bridge.add_port(ovs_end_name, ('external_ids', external_ids))

    # NOTE(jlibosva): Create a fake vm port. Instead of a tap device we use
    # a veth pair here so that it can be attached to the linux bridge in
    # the root namespace. The end named with tap is in the root namespace
    # and its peer is in the namespace.
    tap_name = iptables_firewall.get_hybrid_port_name(self.port_id)
    tap_fixture = self.useFixture(NamedVethFixture(tap_name))
    bridge_port, self.port = tap_fixture.ports
    self.addCleanup(self.port.link.delete)
    ns_wrapper.add_device_to_namespace(self.port)
    bridge_port.link.set_up()
    self.qbr.addif(bridge_port)

    self.port.link.set_address(self.mac)
    self.port.link.set_up()
def hybrid_plug_port(self, port_name):
    """Attach the port through an intermediate linux bridge.

    Three pieces are set up, all named from ``self.port_id``:

    1. a veth pair (``_get_veth_pair_names``) joining the linux bridge to
       ``self.bridge``;
    2. the linux bridge (``_get_br_name``), created with ``namespace=None``;
    3. a veth pair used in place of a tap device: the end with the hybrid
       port name is added to the linux bridge, the peer is moved into
       ``self.namespace``, given ``self.mac`` and kept as ``self.port``.

    :param port_name: unused by this method's body.
    """
    namespace_ip = ip_lib.IPWrapper(self.namespace)

    veth_names = self._get_veth_pair_names(self.port_id)
    qvb_name, qvo_name = veth_names
    veth_ports = self.useFixture(NamedVethFixture(qvb_name, qvo_name)).ports
    qvb_dev, qvo_dev = veth_ports
    qvb_dev.link.set_up()
    qvo_dev.link.set_up()

    qbr_fixture = LinuxBridgeFixture(
        self._get_br_name(self.port_id),
        namespace=None,
        prefix_is_full_name=True)
    self.qbr = self.useFixture(qbr_fixture).bridge
    self.qbr.link.set_up()
    # NOTE(review): setfd(0)/disable_stp() look like "forward immediately,
    # no spanning tree" -- confirm against the bridge helper.
    self.qbr.setfd(0)
    self.qbr.disable_stp()
    self.qbr.addif(qvb_name)

    # The qvo end is added to self.bridge, tagged with the port identity.
    port_identity = dict([
        ('iface-id', self.port_id),
        ('iface-status', 'active'),
        ('attached-mac', self.mac),
    ])
    self.bridge.add_port(qvo_name, ('external_ids', port_identity))

    # NOTE(jlibosva): Create a fake vm port. A veth pair is used instead of
    # a tap device so it can be attached to the linux bridge in the root
    # namespace. The tap-named end is in the root namespace and its peer is
    # in the namespace.
    fake_tap_name = iptables_firewall.get_hybrid_port_name(self.port_id)
    fake_tap_ports = self.useFixture(NamedVethFixture(fake_tap_name)).ports
    root_side, self.port = fake_tap_ports
    self.addCleanup(self.port.link.delete)
    namespace_ip.add_device_to_namespace(self.port)
    root_side.link.set_up()
    self.qbr.addif(root_side)

    self.port.link.set_address(self.mac)
    self.port.link.set_up()