def _test_add_filter_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() filter_dump_mod = ('# Generated by iptables_manager\n' '*filter\n' ':neutron-filter-top - [0:0]\n' ':%(bn)s-FORWARD - [0:0]\n' ':%(bn)s-INPUT - [0:0]\n' ':%(bn)s-OUTPUT - [0:0]\n' ':%(bn)s-filter - [0:0]\n' ':%(bn)s-local - [0:0]\n' '[0:0] -A FORWARD -j neutron-filter-top\n' '[0:0] -A OUTPUT -j neutron-filter-top\n' '[0:0] -A neutron-filter-top -j %(bn)s-local\n' '[0:0] -A INPUT -j %(bn)s-INPUT\n' '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n' '[0:0] -A FORWARD -j %(bn)s-FORWARD\n' '[0:0] -A %(bn)s-filter -j DROP\n' '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j ' '%(bn)s-filter\n' 'COMMIT\n' '# Completed by iptables_manager\n' % IPTABLES_ARG) expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], root_helper=self.root_helper), ''), (mock.call(['iptables-restore', '-c'], process_input=NAT_DUMP + filter_dump_mod, root_helper=self.root_helper), None), (mock.call(['iptables-save', '-c'], root_helper=self.root_helper), ''), (mock.call(['iptables-restore', '-c'], process_input=NAT_DUMP + FILTER_DUMP, root_helper=self.root_helper), None), ] if use_ipv6: self._extend_with_ip6tables_filter(expected_calls_and_values, FILTER_DUMP) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['filter'].add_chain('filter') self.iptables.ipv4['filter'].add_rule('filter', '-j DROP') self.iptables.ipv4['filter'].add_rule( 'INPUT', '-s 0/0 -d 192.168.0.2 -j' ' %(bn)s-filter' % IPTABLES_ARG) self.iptables.apply() self.iptables.ipv4['filter'].remove_rule('filter', '-j DROP') self.iptables.ipv4['filter'].remove_rule( 'INPUT', '-s 0/0 -d 192.168.0.2 -j' ' %(bn)s-filter' % IPTABLES_ARG) self.iptables.ipv4['filter'].remove_chain('filter') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def __init__(self): self.iptables = iptables_manager.IptablesManager( root_helper=cfg.CONF.AGENT.root_helper, use_ipv6=True) # list of port which has security group self.filtered_ports = {} self._add_fallback_chain_v4v6() self._defer_apply = False self._pre_defer_filtered_ports = None
def setUp(self): super(IptablesManagerStateFulTestCase, self).setUp() self.mox = mox.Mox() self.root_helper = 'sudo' self.iptables = (iptables_manager.IptablesManager( root_helper=self.root_helper)) self.mox.StubOutWithMock(self.iptables, "execute") self.addCleanup(self.mox.UnsetStubs)
def setUp(self): super(IptablesManagerStateFulTestCase, self).setUp() cfg.CONF.register_opts(a_cfg.IPTABLES_OPTS, 'AGENT') cfg.CONF.set_override('comment_iptables_rules', False, 'AGENT') self.root_helper = 'sudo' self.iptables = iptables_manager.IptablesManager( root_helper=self.root_helper) self.execute = mock.patch.object(self.iptables, "execute").start()
def fill_dhcp_udp_checksums(self, namespace): """Ensure DHCP reply packets always have correct UDP checksums.""" iptables_mgr = iptables_manager.IptablesManager(use_ipv6=False, namespace=namespace) ipv4_rule = ('-p udp --dport %d -j CHECKSUM --checksum-fill' % constants.DHCP_RESPONSE_PORT) iptables_mgr.ipv4['mangle'].add_rule('POSTROUTING', ipv4_rule) iptables_mgr.apply()
def _test_add_filter_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() iptables_args = {} iptables_args.update(IPTABLES_ARG) filter_rules = ('-I %(bn)s-INPUT 1 -s 0/0 -d 192.168.0.2 -j ' '%(bn)s-filter\n-I %(bn)s-filter 1 -j DROP\n' % iptables_args) iptables_args['filter_rules'] = filter_rules filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args raw_dump = RAW_DUMP % IPTABLES_ARG expected_calls_and_values = [ (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), run_as_root=True), None), (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), run_as_root=True ), None), ] if use_ipv6: self._extend_with_ip6tables_filter( expected_calls_and_values, FILTER_DUMP + MANGLE_DUMP_V6 + raw_dump) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['filter'].add_chain('filter') self.iptables.ipv4['filter'].add_rule('filter', '-j DROP') self.iptables.ipv4['filter'].add_rule('INPUT', '-s 0/0 -d 192.168.0.2 -j' ' %(bn)s-filter' % IPTABLES_ARG) self.iptables.apply() self.iptables.ipv4['filter'].remove_rule('filter', '-j DROP') self.iptables.ipv4['filter'].remove_rule('INPUT', '-s 0/0 -d 192.168.0.2 -j' ' %(bn)s-filter' % IPTABLES_ARG) self.iptables.ipv4['filter'].remove_chain('filter') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def _test_add_raw_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() raw_dump_mod = ('# Generated by iptables_manager\n' '*raw\n' ':OUTPUT - [0:0]\n' ':PREROUTING - [0:0]\n' ':%(bn)s-OUTPUT - [0:0]\n' ':%(bn)s-PREROUTING - [0:0]\n' ':%(bn)s-raw - [0:0]\n' '-I OUTPUT 1 -j %(bn)s-OUTPUT\n' '-I PREROUTING 1 -j %(bn)s-PREROUTING\n' '-I %(bn)s-PREROUTING 1 -j CT --notrack\n' 'COMMIT\n' '# Completed by iptables_manager\n' % IPTABLES_ARG) expected_calls_and_values = [ (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + raw_dump_mod), run_as_root=True), None), (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(FILTER_DUMP + MANGLE_DUMP + NAT_DUMP + RAW_DUMP), run_as_root=True), None), ] if use_ipv6: self._extend_with_ip6tables_filter( expected_calls_and_values, FILTER_DUMP + MANGLE_DUMP_V6 + RAW_DUMP) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['raw'].add_chain('raw') self.iptables.ipv4['raw'].add_rule('PREROUTING', '-j CT --notrack') self.iptables.apply() self.iptables.ipv4['raw'].remove_rule('PREROUTING', '-j CT --notrack') self.iptables.ipv4['raw'].remove_chain('raw') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def _test_add_mangle_rule_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager(use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() mangle_dump_mod = ( '# Generated by iptables_manager\n' '*mangle\n' ':%(bn)s-FORWARD - [0:0]\n' ':%(bn)s-INPUT - [0:0]\n' ':%(bn)s-OUTPUT - [0:0]\n' ':%(bn)s-POSTROUTING - [0:0]\n' ':%(bn)s-PREROUTING - [0:0]\n' ':%(bn)s-mangle - [0:0]\n' ':%(bn)s-mark - [0:0]\n' '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n' '[0:0] -A INPUT -j %(bn)s-INPUT\n' '[0:0] -A FORWARD -j %(bn)s-FORWARD\n' '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n' '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n' '[0:0] -A %(bn)s-PREROUTING -j %(bn)s-mark\n' '[0:0] -A %(bn)s-PREROUTING -j MARK --set-xmark 0x1/%(mark)s\n' 'COMMIT\n' '# Completed by iptables_manager\n' % IPTABLES_ARG) expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + mangle_dump_mod + FILTER_DUMP), run_as_root=True), None), (mock.call(['iptables-save', '-c'], run_as_root=True), ''), (mock.call(['iptables-restore', '-c'], process_input=(RAW_DUMP + NAT_DUMP + MANGLE_DUMP + FILTER_DUMP), run_as_root=True), None), ] if use_ipv6: self._extend_with_ip6tables_filter(expected_calls_and_values, RAW_DUMP + FILTER_DUMP) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['mangle'].add_chain('mangle') self.iptables.ipv4['mangle'].add_rule( 'PREROUTING', '-j MARK --set-xmark 0x1/%s' % constants.ROUTER_MARK_MASK) self.iptables.apply() self.iptables.ipv4['mangle'].remove_rule( 'PREROUTING', '-j MARK --set-xmark 0x1/%s' % constants.ROUTER_MARK_MASK) self.iptables.ipv4['mangle'].remove_chain('mangle') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def _test_empty_chain_custom_binary_name_helper(self, use_ipv6): bn = ("xbcdef" * 5)[:16] self.iptables = iptables_manager.IptablesManager( binary_name=bn, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() iptables_args = {'bn': bn} filter_dump = FILTER_TEMPLATE % iptables_args filter_rules = ('-I %(bn)s-filter 1 -s 0/0 -d 192.168.0.2\n' % iptables_args) iptables_args['filter_rules'] = filter_rules filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args nat_dump = NAT_TEMPLATE % iptables_args raw_dump = _generate_raw_dump(iptables_args) mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump_mod + mangle_dump + nat_dump + raw_dump), run_as_root=True), None), (mock.call(['iptables-save'], run_as_root=True), ''), (mock.call(['iptables-restore', '-n'], process_input=(filter_dump + mangle_dump + nat_dump + raw_dump), run_as_root=True), None), ] if use_ipv6: mangle_dump_v6 = _generate_mangle_dump_v6(iptables_args) self._extend_with_ip6tables_filter( expected_calls_and_values, filter_dump + mangle_dump_v6 + raw_dump) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['filter'].add_chain('filter') self.iptables.ipv4['filter'].add_rule('filter', '-s 0/0 -d 192.168.0.2') self.iptables.apply() self.iptables.ipv4['filter'].remove_chain('filter') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def __init__(self, namespace=None): self.iptables = iptables_manager.IptablesManager( root_helper=cfg.CONF.AGENT.root_helper, namespace=namespace, use_ipv6=ipv6_utils.is_enabled()) # list of port which has security group self.filtered_ports = {} self._add_fallback_chain_v4v6() self._defer_apply = False self._pre_defer_filtered_ports = None
def ds__init__(self, conf, router): self.conf = conf self.id = router['id'] self.router = router self.ns_name = NS_PREFIX + self.id if conf.use_namespaces else None self.iptables_manager = iptables_manager.IptablesManager( namespace=self.ns_name, binary_name=WRAP_NAME, use_ipv6=ipv6_utils.is_enabled()) self.metering_labels = {}
def __init__(self, conf, router): self.conf = conf self.id = router['id'] self.router = router self.root_helper = config.get_root_helper(self.conf) self.iptables_manager = iptables_manager.IptablesManager( root_helper=self.root_helper, namespace=self.ns_name(), binary_name=WRAP_NAME) self.metering_labels = {}
def _test_get_traffic_counters_with_zero_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager(use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() exp_packets = 800 exp_bytes = 131802 expected_calls_and_values = [ (mock.call([ 'iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), TRAFFIC_COUNTERS_DUMP), (mock.call([ 'iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), ''), (mock.call([ 'iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), ''), (mock.call([ 'iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), '') ] if use_ipv6: expected_calls_and_values.append((mock.call([ 'ip6tables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), '')) expected_calls_and_values.append( (mock.call([ 'ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), TRAFFIC_COUNTERS_DUMP)) expected_calls_and_values.append((mock.call([ 'ip6tables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], run_as_root=True), '')) exp_packets *= 2 exp_bytes *= 2 tools.setup_mock_calls(self.execute, expected_calls_and_values) acc = self.iptables.get_traffic_counters('OUTPUT', zero=True) self.assertEqual(acc['pkts'], exp_packets) self.assertEqual(acc['bytes'], exp_bytes) tools.verify_mock_calls(self.execute, expected_calls_and_values, any_order=True)
def _test_get_traffic_counters_with_zero_helper(self, use_ipv6): self.iptables = iptables_manager.IptablesManager( root_helper=self.root_helper, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() exp_packets = 800 exp_bytes = 131802 iptables_dump = ( 'Chain OUTPUT (policy ACCEPT 400 packets, 65901 bytes)\n' ' pkts bytes target prot opt in out source' ' destination \n' ' 400 65901 chain1 all -- * * 0.0.0.0/0' ' 0.0.0.0/0 \n' ' 400 65901 chain2 all -- * * 0.0.0.0/0' ' 0.0.0.0/0 \n') expected_calls_and_values = [ (mock.call([ 'iptables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], root_helper=self.root_helper), iptables_dump), (mock.call([ 'iptables', '-t', 'raw', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], root_helper=self.root_helper), ''), (mock.call([ 'iptables', '-t', 'mangle', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], root_helper=self.root_helper), ''), (mock.call([ 'iptables', '-t', 'nat', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], root_helper=self.root_helper), '') ] if use_ipv6: expected_calls_and_values.append( (mock.call([ 'ip6tables', '-t', 'filter', '-L', 'OUTPUT', '-n', '-v', '-x', '-Z' ], root_helper=self.root_helper), iptables_dump)) exp_packets *= 2 exp_bytes *= 2 tools.setup_mock_calls(self.execute, expected_calls_and_values) acc = self.iptables.get_traffic_counters('OUTPUT', zero=True) self.assertEqual(acc['pkts'], exp_packets) self.assertEqual(acc['bytes'], exp_bytes) tools.verify_mock_calls(self.execute, expected_calls_and_values, any_order=True)
def initialize(self): LOG.info("Initializing Linux bridge QoS extension") if self.agent_api: self.iptables_manager = self.agent_api.get_iptables_manager() if not self.iptables_manager: # If agent_api can't provide iptables_manager, it can be # created here for extension needs self.iptables_manager = iptables_manager.IptablesManager( state_less=True, use_ipv6=netutils.is_ipv6_enabled()) self.iptables_manager.initialize_mangle_table()
def __init__(self, conf, router): self.conf = conf self.id = router['id'] self.router = router # TODO(cbrandily): deduplicate ns_name generation in metering/l3 self.ns_name = NS_PREFIX + self.id self.iptables_manager = iptables_manager.IptablesManager( namespace=self.ns_name, binary_name=WRAP_NAME, use_ipv6=ipv6_utils.is_enabled()) self.metering_labels = {}
def wait_until_dscp_marking_rule_applied_linuxbridge(namespace, port_vif, expected_rule): iptables = iptables_manager.IptablesManager(namespace=namespace) def _dscp_marking_rule_applied(): mangle_rules = iptables.get_rules_for_table("mangle") dscp_mark = extract_dscp_value_from_iptables_rules(mangle_rules) return dscp_mark == expected_rule common_utils.wait_until_true(_dscp_marking_rule_applied)
def setUp(self): super(IpsetBase, self).setUp() self.src_ns, self.dst_ns = self.prepare_veth_pairs() self.ipset = self._create_ipset_manager_and_set(self.dst_ns, IPSET_SET) self.dst_iptables = iptables_manager.IptablesManager( namespace=self.dst_ns.namespace) self._add_iptables_ipset_rules(self.dst_iptables)
def setUp(self): super(IpsetBase, self).setUp() self.src_ns, self.dst_ns = self.prepare_veth_pairs() self.ipset = self._create_ipset_manager_and_chain(self.dst_ns, IPSET_CHAIN) self.dst_iptables = iptables_manager.IptablesManager( root_helper=self.root_helper, namespace=self.dst_ns.namespace) self._add_iptables_ipset_rules(self.dst_iptables)
def _create_dvr_gateway(self, ex_gw_port, gw_interface_name): snat_ns = self._create_snat_namespace() # connect snat_ports to br_int from SNAT namespace for port in self.get_snat_interfaces(): self._plug_snat_port(port) self._external_gateway_added(ex_gw_port, gw_interface_name, snat_ns.name, preserve_ips=[]) self.snat_iptables_manager = iptables_manager.IptablesManager( namespace=snat_ns.name, use_ipv6=self.use_ipv6) self._initialize_address_scope_iptables(self.snat_iptables_manager)
def _test_add_and_remove_chain_custom_binary_name_helper(self, use_ipv6): bn = ("abcdef" * 5) self.iptables = iptables_manager.IptablesManager( root_helper=self.root_helper, binary_name=bn, use_ipv6=use_ipv6) self.execute = mock.patch.object(self.iptables, "execute").start() iptables_args = {'bn': bn[:16], 'filter_rules': ''} filter_dump = FILTER_WITH_RULES_TEMPLATE % iptables_args filter_dump_ipv6 = FILTER_TEMPLATE % iptables_args filter_dump_mod = filter_dump nat_dump = NAT_TEMPLATE % iptables_args raw_dump = _generate_raw_dump(iptables_args) mangle_dump = _generate_mangle_dump(iptables_args) expected_calls_and_values = [ (mock.call(['iptables-save', '-c'], root_helper=self.root_helper), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump_mod), root_helper=self.root_helper), None), (mock.call(['iptables-save', '-c'], root_helper=self.root_helper), ''), (mock.call(['iptables-restore', '-c'], process_input=(raw_dump + nat_dump + mangle_dump + filter_dump), root_helper=self.root_helper), None), ] if use_ipv6: self._extend_with_ip6tables_filter(expected_calls_and_values, filter_dump_ipv6) tools.setup_mock_calls(self.execute, expected_calls_and_values) self.iptables.ipv4['filter'].add_chain('filter') self.iptables.apply() self.iptables.ipv4['filter'].empty_chain('filter') self.iptables.apply() tools.verify_mock_calls(self.execute, expected_calls_and_values)
def __init__(self, ext_net_id, agent_conf, driver, use_ipv6): self._ext_net_id = ext_net_id self.agent_conf = agent_conf self.driver = driver self.use_ipv6 = use_ipv6 self.agent_gateway_port = None self._subscribers = set() self._rule_priorities = set(range(FIP_PR_START, FIP_PR_END)) self._iptables_manager = iptables_manager.IptablesManager( namespace=self.get_name(), use_ipv6=self.use_ipv6) path = os.path.join(agent_conf.state_path, 'fip-linklocal-networks') self.local_subnets = lla.LinkLocalAllocator(path, FIP_LL_SUBNET) self.destroyed = False
def create_iptables_managers(self): """Creates iptables managers if the are not already created Returns True if any manager is created """ created = False if self.router['distributed'] and self.snat_iptables_manager is None: # If distributed routers then we need to apply the # metering agent label rules in the snat namespace as well. snat_ns_name = dvr_snat_ns.SnatNamespace.get_snat_ns_name(self.id) # Check for namespace existence before we assign the # snat_iptables_manager if ip_lib.network_namespace_exists(snat_ns_name): self.snat_iptables_manager = iptables_manager.IptablesManager( namespace=snat_ns_name, binary_name=WRAP_NAME, state_less=True, use_ipv6=netutils.is_ipv6_enabled()) created = True if self.iptables_manager is None: # Check of namespace existence before we assign the # iptables_manager # NOTE(Swami): If distributed routers, all external traffic on a # compute node will flow through the rfp interface in the router # namespace. if ip_lib.network_namespace_exists(self.ns_name): self.iptables_manager = iptables_manager.IptablesManager( namespace=self.ns_name, binary_name=WRAP_NAME, state_less=True, use_ipv6=netutils.is_ipv6_enabled()) created = True return created
def _make_dvr_edge_router_info_for_test(self): router = dvr_edge_router.DvrEdgeRouter(mock.sentinel.agent, mock.sentinel.myhost, FAKE_ROUTER_ID, **self.ri_kwargs) router.router['distributed'] = True router.snat_namespace = dvr_snat_ns.SnatNamespace( router.router['id'], mock.sentinel.agent, self.driver, mock.ANY) router.snat_namespace.create() router.snat_iptables_manager = iptables_manager.IptablesManager( namespace='snat-' + FAKE_ROUTER_ID, use_ipv6=mock.ANY) router.snat_iptables_manager.ipv4['nat'] = self.iptables router.snat_iptables_manager.apply = self.apply_mock self.driver.routers[FAKE_ROUTER_ID] = router
def _create_dvr_gateway(self, ex_gw_port, gw_interface_name): """Create SNAT namespace.""" snat_ns = self._create_snat_namespace() # connect snat_ports to br_int from SNAT namespace for port in self.get_snat_interfaces(): # create interface_name self._plug_snat_port(port) self._external_gateway_added(ex_gw_port, gw_interface_name, snat_ns.name, preserve_ips=[]) self.snat_iptables_manager = iptables_manager.IptablesManager( namespace=snat_ns.name, use_ipv6=self.use_ipv6) # kicks the FW Agent to add rules for the snat namespace self.agent.process_router_add(self)
def setUp(self): super(IpsetBase, self).setUp() bridge = self.useFixture(net_helpers.VethBridgeFixture()).bridge self.source, self.destination = self.useFixture( machine_fixtures.PeerMachines(bridge)).machines self.ipset = self._create_ipset_manager_and_set( ip_lib.IPWrapper(self.destination.namespace), IPSET_SET) self.dst_iptables = iptables_manager.IptablesManager( namespace=self.destination.namespace) self._add_iptables_ipset_rules(self.dst_iptables)
def __init__(self, router_id, root_helper, router): self.router_id = router_id self.ex_gw_port = None self._snat_enabled = None self._snat_action = None self.internal_ports = [] self.root_helper = root_helper # Invoke the setter for establishing initial SNAT action self.router = router self.ns_name = None self.iptables_manager = iptables_manager.IptablesManager( root_helper=root_helper, # FIXME(danwent): use_ipv6=True, namespace=self.ns_name) self.routes = []
def __init__(self): self.iptables = iptables_manager.IptablesManager( root_helper=cfg.CONF.AGENT.root_helper, use_ipv6=ipv6_utils.is_enabled()) # list of port which has security group self.filtered_ports = {} self._add_fallback_chain_v4v6() self._defer_apply = False self._pre_defer_filtered_ports = None # List of security group rules for ports residing on this host self.sg_rules = {} self.pre_sg_rules = None # List of security group member ips for ports residing on this host self.sg_members = {} self.pre_sg_members = None
def setUp(self): host_descriptions = [ environment.HostDescription( l3_agent=False, l2_agent_type=constants.AGENT_TYPE_OVS, firewall_driver='iptables_hybrid', dhcp_agent=False, ) ] env = environment.Environment(environment.EnvironmentDescription(), host_descriptions) super(FirewallMigrationTestCase, self).setUp(env) # fullstack doesn't separate nodes running ovs agent so iptables rules # are implemented in root namespace self.iptables_manager = iptables_manager.IptablesManager()
def setUp(self): super(IpsetBase, self).setUp() self.src_ns, self.dst_ns = self.prepare_veth_pairs() self.ipset_name = self.get_rand_name(MAX_IPSET_NAME_LENGTH, 'set-') self.icmp_accept_rule = ( '-p icmp -m set --match-set %s src -j ACCEPT' % self.ipset_name) self.ipset = self._create_ipset_manager_and_set( self.dst_ns, self.ipset_name) self.dst_iptables = iptables_manager.IptablesManager( root_helper=self.root_helper, namespace=self.dst_ns.namespace) self._add_iptables_ipset_rules() self.addCleanup(self._remove_iptables_ipset_rules)