def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter')
def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter')
def _get_instance_filter_parameters(self, network, mapping): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) for address in mapping['ips']: parameters.append(format_parameter('IP', address['ip'])) if mapping['dhcp_server']: parameters.append(format_parameter('DHCPSERVER', mapping['dhcp_server'])) if CONF.use_ipv6: ra_server = mapping.get('gateway_v6') + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: ipv4_cidr = network['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: ipv6_cidr = network['cidr_v6'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def set_vif_host_backend_filter_config(conf, name, primary_addr, dhcp_server=None, ra_server=None, allow_same_net=False, ipv4_cidr=None, ipv6_cidr=None): """Populate a LibvirtConfigGuestInterface instance with host backend details for traffic filtering""" conf.filtername = name conf.add_filter_param("IP", primary_addr) if dhcp_server: conf.add_filter_param("DHCPSERVER", dhcp_server) if ra_server: conf.add_filter_param("RASERVER", ra_server) if allow_same_net: if ipv4_cidr: net, mask = netutils.get_net_and_mask(ipv4_cidr) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if ipv6_cidr: net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) conf.add_filter_param("PROJNET6", net) conf.add_filter_param("PROJMASK6", prefix)
def _get_configurations(self, instance, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = config.LibvirtConfigGuestInterface() conf.net_type = "bridge" conf.mac_addr = mapping['mac'] conf.source_dev = network['bridge'] conf.script = "" if FLAGS.libvirt_use_virtio_for_bridges: conf.model = "virtio" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) if mapping['dhcp_server']: conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if FLAGS.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if FLAGS.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def get_config(self, instance, network, mapping): """Get VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = super(LibvirtBridgeDriver, self).get_config(instance, network, mapping) conf.net_type = "bridge" conf.source_dev = network['bridge'] conf.script = "" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) if mapping['dhcp_server']: conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if CONF.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if CONF.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if CONF.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def _get_configurations(self, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" # Assume that the gateway also acts as the dhcp server. gateway_v6 = mapping.get('gateway_v6') mac_id = mapping['mac'].replace(':', '') if FLAGS.allow_same_net_traffic: template = "<parameter name=\"%s\" value=\"%s\" />\n" net, mask = netutils.get_net_and_mask(network['cidr']) values = [("PROJNET", net), ("PROJMASK", mask)] if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) values.extend([("PROJNETV6", net_v6), ("PROJMASKV6", prefixlen_v6)]) extra_params = "".join([template % value for value in values]) else: extra_params = "\n" result = { 'id': mac_id, 'bridge_name': network['bridge'], 'mac_address': mapping['mac'], 'ip_address': mapping['ips'][0]['ip'], 'dhcp_server': mapping['dhcp_server'], 'extra_params': extra_params, } if gateway_v6: result['gateway_v6'] = gateway_v6 + "/128" return result
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') group_id = sg_rule.get('group_id') source_group = {} try: parent_group_id = security_group_api.validate_id( sg_rule.get('parent_group_id')) security_group = security_group_api.get( context, None, parent_group_id, map_exception=True) if group_id is not None: group_id = security_group_api.validate_id(group_id) source_group = security_group_api.get( context, id=group_id) new_rule = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=group_id) except (exception.Invalid, exception.InvalidCidr) as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) group_rule_data = None try: if group_id: group_rule_data = {'name': source_group.get('name'), 'tenant_id': source_group.get('project_id')} security_group_rule = ( security_group_api.create_security_group_rule( context, security_group, new_rule)) except exception.Invalid as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) except exception.SecurityGroupLimitExceeded as exp: raise exc.HTTPForbidden(explanation=exp.format_message()) formatted_rule = self._format_security_group_rule(context, security_group_rule, group_rule_data) return {"security_group_rule": formatted_rule}
def _get_configurations(self, instance, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = config.LibvirtConfigGuestInterface() conf.net_type = "bridge" conf.mac_addr = mapping['mac'] conf.source_dev = network['bridge'] conf.script = "" if FLAGS.libvirt_use_virtio_for_bridges: conf.model = "virtio" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if FLAGS.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if FLAGS.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif["address"].replace(":", "") instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall("filterref"): parameters = fref.findall("./parameter") for parameter in parameters: subnet_v4, subnet_v6 = vif["network"]["subnets"] if parameter.get("name") == "IP": self.assertTrue(_ipv4_like(parameter.get("value"), "192.168")) elif parameter.get("name") == "DHCPSERVER": dhcp_server = subnet_v4.get("dhcp_server") self.assertEqual(parameter.get("value"), dhcp_server) elif parameter.get("name") == "RASERVER": ra_server = subnet_v6["gateway"]["address"] + "/128" self.assertEqual(parameter.get("value"), ra_server) elif parameter.get("name") == "PROJNET": ipv4_cidr = subnet_v4["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get("value"), net) elif parameter.get("name") == "PROJMASK": ipv4_cidr = subnet_v4["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get("value"), mask) elif parameter.get("name") == "PROJNET6": ipv6_cidr = subnet_v6["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get("value"), net) elif parameter.get("name") == "PROJMASK6": ipv6_cidr = subnet_v6["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get("value"), prefix) else: raise exception.InvalidParameterValue("unknown parameter " "in filter")
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') try: parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id')) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) new_rule = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except (exception.Invalid, exception.InvalidCidr) as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) group_rule_data = None try: if sg_rule.get('group_id'): source_group = self.security_group_api.get( context, id=sg_rule['group_id']) group_rule_data = {'name': source_group.get('name'), 'tenant_id': source_group.get('project_id')} security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) except exception.Invalid as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) except exception.SecurityGroupLimitExceeded as exp: raise exc.HTTPForbidden(explanation=exp.format_message()) formatted_rule = self._format_security_group_rule(context, security_group_rule, group_rule_data) return {"security_group_rule": formatted_rule}
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') with translate_exceptions(): parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict( context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) with translate_exceptions(): security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) formatted_rule = self._format_security_group_rule( context, security_group_rule) if formatted_rule: return {"security_group_rule": formatted_rule} # TODO(arosen): if we first look up the security group information for # the group_id before creating the rule we can avoid the case that # the remote group (group_id) has been deleted when we go to look # up it's name. with translate_exceptions(): raise exception.SecurityGroupNotFound( security_group_id=sg_rule['group_id'])
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') with translate_exceptions(): parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict( context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) group_rule_data = None with translate_exceptions(): if sg_rule.get('group_id'): source_group = self.security_group_api.get( context, id=sg_rule['group_id']) group_rule_data = { 'name': source_group.get('name'), 'tenant_id': source_group.get('project_id') } security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) formatted_rule = self._format_security_group_rule( context, security_group_rule, group_rule_data) return {"security_group_rule": formatted_rule}
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') with translate_exceptions(): parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) with translate_exceptions(): security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) formatted_rule = self._format_security_group_rule(context, security_group_rule) if formatted_rule: return {"security_group_rule": formatted_rule} # TODO(arosen): if we first look up the security group information for # the group_id before creating the rule we can avoid the case that # the remote group (group_id) has been deleted when we go to look # up it's name. with translate_exceptions(): raise exception.SecurityGroupNotFound( security_group_id=sg_rule['group_id'])
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, "security_group_rule") try: parent_group_id = self.security_group_api.validate_id(sg_rule.get("parent_group_id")) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) new_rule = self._rule_args_to_dict( context, to_port=sg_rule.get("to_port"), from_port=sg_rule.get("from_port"), ip_protocol=sg_rule.get("ip_protocol"), cidr=sg_rule.get("cidr"), group_id=sg_rule.get("group_id"), ) except (exception.Invalid, exception.InvalidCidr) as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule["parent_group_id"] = security_group["id"] if "cidr" in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule["cidr"]) if net not in ("0.0.0.0", "::") and prefixlen == "0": msg = _("Bad prefix for network in cidr %s") % new_rule["cidr"] raise exc.HTTPBadRequest(explanation=msg) group_rule_data = None try: if sg_rule.get("group_id"): source_group = self.security_group_api.get(context, id=sg_rule["group_id"]) group_rule_data = {"name": source_group.get("name"), "tenant_id": source_group.get("project_id")} security_group_rule = self.security_group_api.create_security_group_rule(context, security_group, new_rule) except exception.Invalid as exp: raise exc.HTTPBadRequest(explanation=exp.format_message()) except exception.SecurityGroupNotFound as exp: raise exc.HTTPNotFound(explanation=exp.format_message()) except exception.SecurityGroupLimitExceeded as exp: raise exc.HTTPForbidden(explanation=exp.format_message()) formatted_rule = self._format_security_group_rule(context, security_group_rule, group_rule_data) return {"security_group_rule": formatted_rule}
def create(self, req, body): context = self._authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict( context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net != '0.0.0.0' and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) return { "security_group_rule": self._format_security_group_rule(context, security_group_rule) }
def create(self, req, body): context = self._authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') parent_group_id = self._validate_id(sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: values = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if values is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) values['parent_group_id'] = security_group.id if 'cidr' in values: net, prefixlen = netutils.get_net_and_prefixlen(values['cidr']) if net != '0.0.0.0' and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % values['cidr'] raise exc.HTTPBadRequest(explanation=msg) if self.security_group_api.rule_exists(security_group, values): msg = _('This rule already exists in group %s') % parent_group_id raise exc.HTTPBadRequest(explanation=msg) security_group_rule = self.security_group_api.add_rules( context, parent_group_id, security_group['name'], [values])[0] return {"security_group_rule": self._format_security_group_rule( context, security_group_rule)}
def _get_instance_filter_parameters(self, vif): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) network = vif['network'] if not vif['network'] or not vif['network']['subnets']: return parameters v4_subnets = [s for s in network['subnets'] if s['version'] == 4] v6_subnets = [s for s in network['subnets'] if s['version'] == 6] for subnet in v4_subnets: for ip in subnet['ips']: parameters.append(format_parameter('IP', ip['address'])) dhcp_server = subnet.get_meta('dhcp_server') if dhcp_server: parameters.append(format_parameter('DHCPSERVER', dhcp_server)) if CONF.use_ipv6: for subnet in v6_subnets: gateway = subnet.get('gateway') if gateway: ra_server = gateway['address'] + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: for subnet in v4_subnets: ipv4_cidr = subnet['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: for subnet in v6_subnets: ipv6_cidr = subnet['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def _get_instance_filter_parameters(self, vif): parameters = [] def format_parameter(parameter, value): return "<parameter name='%s' value='%s'/>" % (parameter, value) network = vif["network"] if not vif["network"] or not vif["network"]["subnets"]: return parameters v4_subnets = [s for s in network["subnets"] if s["version"] == 4] v6_subnets = [s for s in network["subnets"] if s["version"] == 6] for subnet in v4_subnets: for ip in subnet["ips"]: parameters.append(format_parameter("IP", ip["address"])) dhcp_server = subnet.get_meta("dhcp_server") if dhcp_server: parameters.append(format_parameter("DHCPSERVER", dhcp_server)) if CONF.use_ipv6: for subnet in v6_subnets: gateway = subnet.get("gateway") if gateway: ra_server = gateway["address"] + "/128" parameters.append(format_parameter("RASERVER", ra_server)) if CONF.allow_same_net_traffic: for subnet in v4_subnets: ipv4_cidr = subnet["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter("PROJNET", net)) parameters.append(format_parameter("PROJMASK", mask)) if CONF.use_ipv6: for subnet in v6_subnets: ipv6_cidr = subnet["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter("PROJNET6", net)) parameters.append(format_parameter("PROJMASK6", prefix)) return parameters
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, 'security_group_rule') with translate_exceptions(): parent_group_id = self.security_group_api.validate_id( sg_rule.get('parent_group_id', None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule['parent_group_id'] = security_group['id'] if 'cidr' in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule['cidr']) if net not in ('0.0.0.0', '::') and prefixlen == '0': msg = _("Bad prefix for network in cidr %s") % new_rule['cidr'] raise exc.HTTPBadRequest(explanation=msg) with translate_exceptions(): security_group_rule = ( self.security_group_api.create_security_group_rule( context, security_group, new_rule)) return {"security_group_rule": self._format_security_group_rule( context, security_group_rule)}
def create(self, req, body): context = _authorize_context(req) sg_rule = self._from_body(body, "security_group_rule") parent_group_id = self.security_group_api.validate_id(sg_rule.get("parent_group_id", None)) security_group = self.security_group_api.get(context, None, parent_group_id, map_exception=True) try: new_rule = self._rule_args_to_dict( context, to_port=sg_rule.get("to_port"), from_port=sg_rule.get("from_port"), ip_protocol=sg_rule.get("ip_protocol"), cidr=sg_rule.get("cidr"), group_id=sg_rule.get("group_id"), ) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if new_rule is None: msg = _("Not enough parameters to build a valid rule.") raise exc.HTTPBadRequest(explanation=msg) new_rule["parent_group_id"] = security_group["id"] if "cidr" in new_rule: net, prefixlen = netutils.get_net_and_prefixlen(new_rule["cidr"]) if net != "0.0.0.0" and prefixlen == "0": msg = _("Bad prefix for network in cidr %s") % new_rule["cidr"] raise exc.HTTPBadRequest(explanation=msg) try: security_group_rule = self.security_group_api.create_security_group_rule(context, security_group, new_rule) except exception.SecurityGroupLimitExceeded as err: raise exc.HTTPRequestEntityTooLarge(explanation=err.format_message()) return {"security_group_rule": self._format_security_group_rule(context, security_group_rule)}
def security_group_to_nwfilter_xml(security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "<rule action='accept' direction='in' priority='300'>" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if (FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info( 'rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-secgroup-%s' " % security_group_id if (FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def security_group_to_nwfilter_xml(security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "<rule action='accept' direction='in' priority='300'>" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-secgroup-%s' " % security_group_id if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def provider_fw_to_nwfilter_xml(): """Compose a filter of drop rules from specified cidrs.""" rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} rules = db.provider_fw_rule_get_all(context.get_admin_context()) for rule in rules: rule_xml += "<rule action='block' direction='in' priority='150'>" version = netutils.get_ip_version(rule.cidr) if (FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info( 'rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-provider-rules' " if (FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def provider_fw_to_nwfilter_xml(): """Compose a filter of drop rules from specified cidrs.""" rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} rules = db.provider_fw_rule_get_all(context.get_admin_context()) for rule in rules: rule_xml += "<rule action='block' direction='in' priority='150'>" version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-provider-rules' " if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def test_nwfilter_parameters(self): admin_ctxt = context.get_admin_context() fakefilter = NWFilterFakes() self.fw._conn.nwfilterDefineXML = fakefilter.filterDefineXMLMock self.fw._conn.nwfilterLookupByName = fakefilter.nwfilterLookupByName instance_ref = self._create_instance() inst_id = instance_ref['id'] inst_uuid = instance_ref['uuid'] self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_uuid, self.security_group['id']) instance = db.instance_get(self.context, inst_id) network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue( _ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter') db.instance_destroy(admin_ctxt, instance_ref['uuid'])
def test_nwfilter_parameters(self): admin_ctxt = context.get_admin_context() fakefilter = NWFilterFakes() self.fw._conn.nwfilterDefineXML = fakefilter.filterDefineXMLMock self.fw._conn.nwfilterLookupByName = fakefilter.nwfilterLookupByName instance_ref = self._create_instance() inst_id = instance_ref['id'] inst_uuid = instance_ref['uuid'] self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_uuid, self.security_group['id']) instance = db.instance_get(self.context, inst_id) network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter') db.instance_destroy(admin_ctxt, instance_ref['uuid'])