def test_multinic_iptables(self, mock_secgroup): mock_secgroup.return_value = objects.SecurityGroupList() ipv4_rules_per_addr = 1 ipv4_addr_per_network = 2 ipv6_rules_per_addr = 1 ipv6_addr_per_network = 1 networks_count = 5 instance_ref = self._create_instance_ref() network_info = _fake_network_info(self.stubs, networks_count, ipv4_addr_per_network) network_info[0]['network']['subnets'][0]['meta']['dhcp_server'] = \ '1.1.1.1' ipv4_len = len(self.fw.iptables.ipv4['filter'].rules) ipv6_len = len(self.fw.iptables.ipv6['filter'].rules) inst_ipv4, inst_ipv6 = self.fw.instance_rules(instance_ref, network_info) self.fw.prepare_instance_filter(instance_ref, network_info) ipv4 = self.fw.iptables.ipv4['filter'].rules ipv6 = self.fw.iptables.ipv6['filter'].rules ipv4_network_rules = len(ipv4) - len(inst_ipv4) - ipv4_len ipv6_network_rules = len(ipv6) - len(inst_ipv6) - ipv6_len # Extra rules are for the DHCP request rules = (ipv4_rules_per_addr * ipv4_addr_per_network * networks_count) + 2 self.assertEqual(ipv4_network_rules, rules) self.assertEqual(ipv6_network_rules, ipv6_rules_per_addr * ipv6_addr_per_network * networks_count)
def _create_security_group(self, instance_ref): secgroup = objects.SecurityGroup(id=1, user_id='fake', project_id='fake', name='testgroup', description='test group description') secgroup_list = objects.SecurityGroupList() secgroup_list.objects.append(secgroup) instance_ref.security_groups = secgroup_list return secgroup
def make_secgroup_list(security_groups): """A helper to make security group objects from a list of names. Note that this does not make them save-able or have the rest of the attributes they would normally have, but provides a quick way to fill, for example, an instance object during create. """ secgroups = objects.SecurityGroupList() secgroups.objects = [] for name in security_groups: secgroup = objects.SecurityGroup() secgroup.name = name secgroups.objects.append(secgroup) return secgroups
def test_unfilter_instance_undefines_nwfilter(self, mock_secgroup, mock_secrule, mock_instlist, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance_ref() mock_secgroup.return_value = objects.SecurityGroupList() network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance_ref, network_info) self.fw.prepare_instance_filter(instance_ref, network_info) self.fw.apply_instance_filter(instance_ref, network_info) original_filter_count = len(fakefilter.filters) self.fw.unfilter_instance(instance_ref, network_info) # should undefine just the instance filter self.assertEqual(original_filter_count - len(fakefilter.filters), 1)
def populate_security_groups(self, instance, security_groups): # Setting to empty list since we do not want to populate this field # in the patron database if using the neutron driver instance.security_groups = objects.SecurityGroupList()
def test_provider_firewall_rules(self, mock_secgroup, mock_fwrules): mock_secgroup.return_value = objects.SecurityGroupList() # setup basic instance data instance_ref = self._create_instance_ref() # FRAGILE: peeks at how the firewall names chains chain_name = 'inst-%s' % instance_ref['id'] # create a firewall via setup_basic_filtering like libvirt_conn.spawn # should have a chain with 0 rules network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance_ref, network_info) self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains) rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(0, len(rules)) # add a rule angd send the update message, check for 1 rule mock_fwrules.return_value = [{'protocol': 'tcp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}] self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(1, len(rules)) # Add another, refresh, and make sure number of rules goes to two mock_fwrules.return_value = [{'protocol': 'tcp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}, {'protocol': 'udp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}] self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(2, len(rules)) # create the instance filter and make sure it has a jump rule self.fw.prepare_instance_filter(instance_ref, network_info) self.fw.apply_instance_filter(instance_ref, network_info) inst_rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == chain_name] jump_rules = [rule for rule in inst_rules if '-j' in rule.rule] provjump_rules = [] # IptablesTable doesn't make rules unique internally for rule in jump_rules: if 'provider' in rule.rule and rule not in provjump_rules: provjump_rules.append(rule) self.assertEqual(1, len(provjump_rules)) # remove a rule from the db, cast to compute to refresh rule mock_fwrules.return_value = [{'protocol': 'udp', 'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}] self.fw.refresh_provider_fw_rules() rules = [rule for rule in self.fw.iptables.ipv4['filter'].rules if rule.chain == 'provider'] self.assertEqual(1, len(rules))
def test_static_filters(self, mock_secgroup, mock_secrule, mock_instlist): UUID = "2674993b-6adb-4733-abd9-a7c10cc1f146" SRC_UUID = "0e0a76b2-7c52-4bc0-9a60-d83017e42c1a" instance_ref = self._create_instance_ref(UUID) src_instance_ref = self._create_instance_ref(SRC_UUID) secgroup = objects.SecurityGroup(id=1, user_id='fake', project_id='fake', name='testgroup', description='test group') src_secgroup = objects.SecurityGroup(id=2, user_id='fake', project_id='fake', name='testsourcegroup', description='src group') r1 = objects.SecurityGroupRule(parent_group_id=secgroup['id'], protocol='icmp', from_port=-1, to_port=-1, cidr='192.168.11.0/24', grantee_group=None) r2 = objects.SecurityGroupRule(parent_group_id=secgroup['id'], protocol='icmp', from_port=8, to_port=-1, cidr='192.168.11.0/24', grantee_group=None) r3 = objects.SecurityGroupRule(parent_group_id=secgroup['id'], protocol='tcp', from_port=80, to_port=81, cidr='192.168.10.0/24', grantee_group=None) r4 = objects.SecurityGroupRule(parent_group_id=secgroup['id'], protocol='tcp', from_port=80, to_port=81, cidr=None, grantee_group=src_secgroup, group_id=src_secgroup['id']) r5 = objects.SecurityGroupRule(parent_group_id=secgroup['id'], protocol=None, cidr=None, grantee_group=src_secgroup, group_id=src_secgroup['id']) secgroup_list = objects.SecurityGroupList() secgroup_list.objects.append(secgroup) src_secgroup_list = objects.SecurityGroupList() src_secgroup_list.objects.append(src_secgroup) instance_ref.security_groups = secgroup_list src_instance_ref.security_groups = src_secgroup_list def _fake_secgroup(ctxt, instance): if instance.uuid == UUID: return instance_ref.security_groups else: return src_instance_ref.security_groups mock_secgroup.side_effect = _fake_secgroup def _fake_secrule(ctxt, id): if id == secgroup.id: rules = objects.SecurityGroupRuleList() rules.objects.extend([r1, r2, r3, r4, r5]) return rules else: return [] mock_secrule.side_effect = _fake_secrule def _fake_instlist(ctxt, id): if id == src_secgroup['id']: insts = objects.InstanceList() insts.objects.append(src_instance_ref) return insts else: insts = objects.InstanceList() insts.objects.append(instance_ref) return insts mock_instlist.side_effect = _fake_instlist def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('ip6tables-save', '-c'): return '\n'.join(self.in6_filter_rules), None if cmd == ('iptables-save', '-c'): return '\n'.join(self.in_rules), None if cmd == ('iptables-restore', '-c'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('ip6tables-restore', '-c',): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' network_model = _fake_network_info(self.stubs, 1) linux_net.iptables_manager.execute = fake_iptables_execute self.stubs.Set(compute_utils, 'get_nw_info_for_instance', lambda instance: network_model) self.fw.prepare_instance_filter(instance_ref, network_model) self.fw.apply_instance_filter(instance_ref, network_model) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if 'patron' not in rule: self.assertIn(rule, self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now # last two octets change if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule): instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp ' '-s 192.168.11.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp ' '--icmp-type 8 -s 192.168.11.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") for ip in network_model.fixed_ips(): if ip['version'] != 4: continue regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport ' '--dports 80:81 -s %s' % ip['address']) self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s ' '%s' % ip['address']) self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "Protocol/port-less acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp ' '-m multiport --dports 80:81 -s 192.168.10.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added")