def test_deallocate_vxlan_id(self):
    """Deleting a VN must release its VXLAN network identifier.

    Flow: enable vxlan routing on the default project, create an l3 VN
    with an explicitly requested VNI (6002), read it back to confirm the
    VNI was persisted, delete the VN, then check that the ZooKeeper
    allocator no longer maps that VNI to this VN's ``<fq_name>_vxlan``
    key, i.e. the identifier is released rather than leaked.

    NOTE(review): the project's vxlan_routing flag is switched on and
    never restored, so sibling tests sharing this API server see the
    modified default-project; confirm the base class resets it.
    """
    requested_vni = 6002

    # Enable vxlan routing on the default project.
    project = self._vnc_lib.project_read(
        fq_name=["default-domain", "default-project"])
    project.set_vxlan_routing(True)
    self._vnc_lib.project_update(project)

    zk_db = self._api_server._db_conn._zk_db

    # Create an l3 VN that asks for a specific VNI.
    vn = VirtualNetwork('%s-vn' % self.id())
    props = VirtualNetworkType(forwarding_mode='l3')
    props.set_vxlan_network_identifier(requested_vni)
    vn.set_virtual_network_properties(props)
    self.api.virtual_network_create(vn)

    # Read back and confirm the VNI the server stored is the one requested.
    vn = self.api.virtual_network_read(id=vn.uuid)
    props = vn.get_virtual_network_properties()
    if not props:
        self.fail("VN properties are not set")
    stored_vni = props.get_vxlan_network_identifier()
    self.assertEqual(stored_vni, requested_vni)

    # Delete the VN; the allocator slot must no longer name this VN.
    self.api.virtual_network_delete(id=vn.uuid)
    vxlan_key = vn.get_fq_name_str() + "_vxlan"
    self.assertNotEqual(vxlan_key, zk_db.get_vn_from_id(stored_vni))
    logger.debug('PASS - test_deallocate_vxlan_id')
def test_deallocate_vxlan_id(self):
    """Check that a VN's VXLAN identifier is freed when the VN is deleted.

    Steps: turn on vxlan routing for the default project, create an l3 VN
    carrying VNI 6002, read it back and assert the VNI is set, delete the
    VN and assert the ZooKeeper allocator no longer associates that VNI
    with ``<fq_name>_vxlan``.

    NOTE(review): vxlan_routing on the default project is not reverted
    at the end of the test; verify the fixture resets the project.
    """
    zk_db = self._api_server._db_conn._zk_db

    # Project-level switch that allows VNIs to be assigned.
    project = self._vnc_lib.project_read(
        fq_name=["default-domain", "default-project"])
    project.set_vxlan_routing(True)
    self._vnc_lib.project_update(project)

    vn_name = '%s-vn' % self.id()
    vn = VirtualNetwork(vn_name)
    props = VirtualNetworkType(forwarding_mode='l3')
    props.set_vxlan_network_identifier(6002)
    vn.set_virtual_network_properties(props)
    self.api.virtual_network_create(vn)

    # Confirm the server kept the VNI we asked for.
    vn = self.api.virtual_network_read(id=vn.uuid)
    props = vn.get_virtual_network_properties()
    if not props:
        self.fail("VN properties are not set")
    vni = props.get_vxlan_network_identifier()
    self.assertEqual(vni, 6002)

    # Deleting the VN must release the VNI in the allocator.
    self.api.virtual_network_delete(id=vn.uuid)
    self.assertNotEqual(vn.get_fq_name_str() + "_vxlan",
                        zk_db.get_vn_from_id(vni))
    logger.debug('PASS - test_deallocate_vxlan_id')
def test_deallocate_vn_id(self):
    """Deleting a VN must release its virtual_network_network_id.

    Creates a VN, records the network id the API server allocated for it,
    deletes the VN and asserts that the ZooKeeper allocator no longer maps
    that id back to this VN's fq_name.
    """
    zk_db = self._api_server._db_conn._zk_db

    vn = VirtualNetwork('%s-vn' % self.id())
    self.api.virtual_network_create(vn)
    vn = self.api.virtual_network_read(id=vn.uuid)
    network_id = vn.virtual_network_network_id

    self.api.virtual_network_delete(id=vn.uuid)

    # After deletion the allocator slot must not point at this VN.
    current_owner = zk_db.get_vn_from_id(network_id)
    self.assertNotEqual(current_owner, vn.get_fq_name_str())
def test_allocate_vn_id(self):
    """A newly created VN owns its allocated network id in ZooKeeper.

    The id stored in virtual_network_network_id must map back to the VN's
    fq_name in the ZK allocator, and must be >= VNID_MIN_ALLOC so that ids
    below that bound are never handed to user-created VNs.
    """
    zk_db = self._api_server._db_conn._zk_db

    vn = VirtualNetwork('%s-vn' % self.id())
    self.api.virtual_network_create(vn)
    vn = self.api.virtual_network_read(id=vn.uuid)
    network_id = vn.virtual_network_network_id

    # Allocator must record this VN as the owner of the id.
    owner = zk_db.get_vn_from_id(network_id)
    self.assertEqual(vn.get_fq_name_str(), owner)
    # And the id must come from the allocatable range.
    self.assertGreaterEqual(network_id, VNID_MIN_ALLOC)
def test_deallocate_vn_id(self):
    """Verify the network id of a deleted VN is no longer bound to it.

    Create a VN, capture the allocated virtual_network_network_id, delete
    the VN, then confirm the ZooKeeper allocator does not resolve that id
    to this VN's fq_name any more.
    """
    allocator = self._api_server._db_conn._zk_db
    vn_obj = VirtualNetwork('%s-vn' % self.id())
    self.api.virtual_network_create(vn_obj)

    created = self.api.virtual_network_read(id=vn_obj.uuid)
    allocated_id = created.virtual_network_network_id
    self.api.virtual_network_delete(id=created.uuid)

    # The slot may be empty or reused, but never still this VN.
    self.assertNotEqual(allocator.get_vn_from_id(allocated_id),
                        created.get_fq_name_str())
def test_allocate_vn_id(self):
    """Verify network-id allocation on VN create.

    After create, the id read back from virtual_network_network_id must be
    registered to this VN's fq_name in the ZooKeeper allocator and must
    not fall below VNID_MIN_ALLOC.
    """
    allocator = self._api_server._db_conn._zk_db
    vn_obj = VirtualNetwork('%s-vn' % self.id())
    self.api.virtual_network_create(vn_obj)

    created = self.api.virtual_network_read(id=vn_obj.uuid)
    allocated_id = created.virtual_network_network_id
    expected_owner = created.get_fq_name_str()

    self.assertEqual(expected_owner, allocator.get_vn_from_id(allocated_id))
    self.assertGreaterEqual(allocated_id, VNID_MIN_ALLOC)
def test_cannot_allocate_vxlan_id(self):
    """Two VNs in a project must not be able to claim the same VXLAN VNI.

    With vxlan routing enabled on the default project, VN1 is created with
    VNI 6001 (forwarding mode l2_l3) and the stored VNI is verified. A
    second VN requesting the same VNI must be rejected with BadRequest,
    and afterwards the ZooKeeper allocator must still map 6001 to VN1's
    ``<fq_name>_vxlan`` key. Rejecting the duplicate is what keeps the two
    networks on distinct overlay segments.

    NOTE(review): ``assertGreaterEqual(vxlan_id, VNID_MIN_ALLOC)`` is
    checked against the hard-coded 6001, so it only guards against the
    constant being raised above that value.
    NOTE(review): vxlan_routing on the default project is left enabled.
    """
    shared_vni = 6001

    # Enable vxlan routing on the default project.
    project = self._vnc_lib.project_read(
        fq_name=["default-domain", "default-project"])
    project.set_vxlan_routing(True)
    self._vnc_lib.project_update(project)

    zk_db = self._api_server._db_conn._zk_db

    # VN1: explicit VNI, l2_l3 forwarding (the original constructs with
    # 'l3' and immediately overrides to 'l2_l3'; the end state is the same).
    vn1 = VirtualNetwork('%s-vn' % self.id())
    vn1_props = VirtualNetworkType(forwarding_mode='l2_l3')
    vn1_props.set_vxlan_network_identifier(shared_vni)
    vn1.set_virtual_network_properties(vn1_props)
    self.api.virtual_network_create(vn1)

    # Read back and confirm the VNI was persisted for VN1.
    vn1 = self.api.virtual_network_read(id=vn1.uuid)
    vn1_props = vn1.get_virtual_network_properties()
    if not vn1_props:
        self.fail("VN properties are not set")
    vxlan_id = vn1_props.get_vxlan_network_identifier()
    self.assertEqual(vxlan_id, shared_vni)

    # VN2 asks for the very same VNI and must be refused.
    vn2 = VirtualNetwork('%s-vn2' % self.id())
    vn2_props = VirtualNetworkType(forwarding_mode='l2_l3')
    vn2_props.set_vxlan_network_identifier(shared_vni)
    vn2.set_virtual_network_properties(vn2_props)
    with ExpectedException(BadRequest):
        self.api.virtual_network_create(vn2)

    # The failed create must not have disturbed VN1's allocation.
    self.assertEqual(vn1.get_fq_name_str() + "_vxlan",
                     zk_db.get_vn_from_id(vxlan_id))
    self.assertGreaterEqual(vxlan_id, VNID_MIN_ALLOC)

    self.api.virtual_network_delete(id=vn1.uuid)
    logger.debug('PASS - test_cannot_allocate_vxlan_id')
def test_cannot_allocate_vxlan_id(self):
    """Duplicate VXLAN identifiers within a project are rejected.

    VN1 is created with VNI 6001 and the value is confirmed on read-back.
    Creating VN2 with the same VNI must raise BadRequest, VN1 must remain
    the owner of 6001 in the ZooKeeper allocator, and the VNI must be at
    or above VNID_MIN_ALLOC. VN1 is deleted at the end.

    NOTE(review): the project's vxlan_routing flag is not restored after
    the test.
    """
    # Enable vxlan routing on the default project.
    project = self._vnc_lib.project_read(
        fq_name=["default-domain", "default-project"])
    project.set_vxlan_routing(True)
    self._vnc_lib.project_update(project)

    zk_db = self._api_server._db_conn._zk_db

    def make_props(vni):
        # Both VNs use identical properties apart from the object they
        # hang off; the original sets 'l3' then overrides to 'l2_l3'.
        props = VirtualNetworkType(forwarding_mode='l3')
        props.set_vxlan_network_identifier(vni)
        props.set_forwarding_mode('l2_l3')
        return props

    first_vn = VirtualNetwork('%s-vn' % self.id())
    first_vn.set_virtual_network_properties(make_props(6001))
    self.api.virtual_network_create(first_vn)

    # Confirm the VNI is stored on VN1.
    first_vn = self.api.virtual_network_read(id=first_vn.uuid)
    first_props = first_vn.get_virtual_network_properties()
    if not first_props:
        self.fail("VN properties are not set")
    vxlan_id = first_props.get_vxlan_network_identifier()
    self.assertEqual(vxlan_id, 6001)

    # A second VN with the same VNI must be refused by the API server.
    second_vn = VirtualNetwork('%s-vn2' % self.id())
    second_vn.set_virtual_network_properties(make_props(6001))
    with ExpectedException(BadRequest):
        self.api.virtual_network_create(second_vn)

    # VN1 still owns the VNI; the rejected create changed nothing.
    self.assertEqual(first_vn.get_fq_name_str() + "_vxlan",
                     zk_db.get_vn_from_id(vxlan_id))
    self.assertGreaterEqual(vxlan_id, VNID_MIN_ALLOC)

    self.api.virtual_network_delete(id=first_vn.uuid)
    logger.debug('PASS - test_cannot_allocate_vxlan_id')
def test_provider_network(self):
    """End-to-end check of provider-network (ip-fabric) isolation rules.

    Verify:
     1. A non-provider VN cannot be created with non-provider VNs
        referenced from it.
     2. A non-provider VN cannot be created with is_provider_network=True.
     3. is_provider_network of the provider VN is True by default.
     4. is_provider_network of the provider VN can be (re)set to True.
     5. is_provider_network of the provider VN cannot be set to False.
     6. is_provider_network of a non-provider VN cannot be set to True.
     7. is_provider_network of a non-provider VN can be set to False.
     8. Updating other parameters of a non-provider VN is unaffected.
     9. db_resync sets is_provider_network of the provider VN to True
        (simulates the upgrade path).
    10. Non-provider VNs can be added to the provider VN.
    11. The provider VN can be added to a VN.
    12. A non-provider VN cannot be added to a VN.
    13. Several VNs can be linked to the provider VN.
    14. A (provider-VN -> any), DENY ACL rule is present on the provider VN.
    15. A (VN -> provider-VN), DENY ACL rule is present on the VN.
    16. Adding a (VN -> provider-VN), PASS policy on the VN removes that
        VN's (VN -> provider-VN), DENY rule, while the provider VN's
        deny-to-any rule stays in place.

    The security invariants exercised here: only the designated provider
    VN may carry is_provider_network=True, tenant VNs cannot peer with one
    another through this reference, and connectivity to the provider
    network is default-deny on both sides until a tenant explicitly opts
    in with a PASS policy (which only opens its own side).

    Assumption: ip-fabric VN is the provider-VN.

    NOTE(review): the fixed gevent.sleep() calls wait for the schema
    transformer to process updates; a slow environment can make the
    assertions that follow them flaky.
    """
    # create four VNs - vn1..vn4 (vn4 is created later, after the
    # negative create checks)
    vn1_name = self.id() + '_vn1'
    vn2_name = self.id() + '_vn2'
    vn3_name = self.id() + '_vn3'
    vn4_name = self.id() + '_vn4'
    vn1_obj1 = VirtualNetwork(vn1_name)
    vn2_obj1 = VirtualNetwork(vn2_name)
    vn3_obj1 = VirtualNetwork(vn3_name)
    vn4_obj1 = VirtualNetwork(vn4_name)
    self._vnc_lib.virtual_network_create(vn1_obj1)
    self._vnc_lib.virtual_network_create(vn2_obj1)
    self._vnc_lib.virtual_network_create(vn3_obj1)

    # (1) try creating a non-provider VN with a non-provider VN linked
    # before creation -- must be rejected
    vn4_obj1.add_virtual_network(vn3_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    vn4_obj1.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    # remove vn3_obj1 and vn2_obj1 again as linking them is not allowed
    vn4_obj1.del_virtual_network(vn3_obj1)
    vn4_obj1.del_virtual_network(vn2_obj1)

    # (2) set is_provider_network on a non-provider VN and try creating it
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    # set it to False and retry the create
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_create(vn4_obj1)

    # (8) updating other parameters of a non-provider VN works
    # when no provider VN is connected
    vn4_obj1.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # (3) retrieve the provider network, assuming ip-fabric for now
    provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # (4) is_provider_network of provider_vn can be set to True
    # (i.e. only to its default)
    provider_vn.set_is_provider_network(True)
    self._vnc_lib.virtual_network_update(provider_vn)

    # (5) is_provider_network of provider_vn cannot be set to False
    provider_vn.set_is_provider_network(False)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, provider_vn)

    # (7) is_provider_network of a non-provider VN can be set to False
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # (6) is_provider_network of a non-provider VN cannot be set to True
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn4_obj1)

    # (9) db_resync sets is_provider_network to True on the provider VN
    self._api_server._db_conn.db_resync()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # (10)/(13) add vn3 and vn2 to the provider VN
    provider_vn.add_virtual_network(vn2_obj1)
    provider_vn.add_virtual_network(vn3_obj1)
    self._vnc_lib.virtual_network_update(provider_vn)
    gevent.sleep(5)  # let the schema transformer catch up
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [
        ref['uuid'] for ref in provider_vn.virtual_network_refs
    ]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)

    # Drop and rebuild the schema transformer's VN state from the DB
    # (presumably simulating a restart) and re-check the links survive.
    VirtualNetworkST._dict = {}
    VirtualNetworkST.reinit()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    vn3_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn3_obj1.get_fq_name())
    vn2_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn2_obj1.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [
        ref['uuid'] for ref in provider_vn.virtual_network_refs
    ]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)

    # (14) provider VN carries an implicit (provider -> any) DENY
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    # (15) each linked VN carries an implicit (VN -> provider) DENY
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn2_obj1),
                                      src_vn=vn2_obj1.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn3_obj1),
                                      src_vn=vn3_obj1.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))

    # (11) adding the provider VN to vn1 works
    vn1_obj1.add_virtual_network(provider_vn)
    self._vnc_lib.virtual_network_update(vn1_obj1)
    gevent.sleep(2)  # let the schema transformer catch up
    vn1_obj2 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj1.get_fq_name())
    self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj2),
                                      src_vn=vn1_obj2.get_fq_name_str(),
                                      dst_vn=':'.join(provider_fq_name))

    # (8) updating other parameters of a non-provider VN works
    # when a provider VN is connected
    vn1_obj2.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn1_obj2)

    # create a policy to allow icmp between vn1 <> vn2 and update vn1
    vn1_to_vn2_rule = {
        "protocol": "icmp",
        "direction": "<>",
        "src": {
            "type": "vn",
            "value": vn1_obj2
        },
        "dst": [{
            "type": "vn",
            "value": vn2_obj1
        }],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj2.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj2)
    vn1_obj3 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj2.get_fq_name())

    # (12) linking a non-provider network to vn1 is not allowed and
    # leaves the existing provider link untouched
    vn1_obj3.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn1_obj3)
    vn1_obj4 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj3.get_fq_name())
    self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                        vn2_obj1.get_fq_name())

    # (14) a PASS policy attached on the provider side must not remove
    # the provider VN's deny-to-any rule
    provider_to_vn1_rule = {
        "protocol": "icmp",
        "direction": ">",
        "src": {
            "type": "vn",
            "value": provider_vn
        },
        "dst": [{
            "type": "vn",
            "value": vn1_obj4
        }],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules(
        [provider_to_vn1_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    provider_vn.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(provider_vn)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    # (15) the network connected to the provider network still has its
    # deny rule towards the provider network
    self.check_acl_implicit_deny_rule(fq_name=self.get_ri_name(vn1_obj4),
                                      src_vn=':'.join(
                                          vn1_obj4.get_fq_name()),
                                      dst_vn=':'.join(provider_fq_name))

    # (16) an explicit PASS policy from vn1 to the provider network
    # replaces vn1's implicit deny with an allow rule
    vn1_to_provider_rule = {
        "protocol": "any",
        "direction": ">",
        "src": {
            "type": "vn",
            "value": vn1_obj4
        },
        "dst": [{
            "type": "vn",
            "value": provider_vn
        }],
        "action": "pass"
    }
    np = self.create_network_policy_with_multiple_rules(
        [vn1_to_provider_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj4.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj4)
    vn1_obj5 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj4.get_fq_name())
    self.check_acl_no_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_allow_rule(fq_name=self.get_ri_name(vn1_obj5),
                              src_vn=':'.join(vn1_obj5.get_fq_name()),
                              dst_vn=':'.join(provider_fq_name))

    # the tenant-side PASS policy opens only the tenant side: the
    # provider network keeps its deny-to-any rule
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
def test_provider_network(self):
    '''End-to-end check of provider-network (ip-fabric) isolation rules.

    Verify:
     1. A non-provider VN cannot be created with non-provider VNs
        referenced from it.
     2. A non-provider VN cannot be created with is_provider_network=True.
     3. is_provider_network of the provider VN is True by default.
     4. is_provider_network of the provider VN can be (re)set to True.
     5. is_provider_network of the provider VN cannot be set to False.
     6. is_provider_network of a non-provider VN cannot be set to True.
     7. is_provider_network of a non-provider VN can be set to False.
     8. Updating other parameters of a non-provider VN is unaffected.
     9. db_resync sets is_provider_network of the provider VN to True
        (simulates the upgrade path).
    10. Non-provider VNs can be added to the provider VN.
    11. The provider VN can be added to a VN.
    12. A non-provider VN cannot be added to a VN.
    13. Several VNs can be linked to the provider VN.
    14. A (provider-VN -> any), DENY ACL rule is present on the provider VN.
    15. A (VN -> provider-VN), DENY ACL rule is present on the VN.
    16. Adding a (VN -> provider-VN), PASS policy on the VN removes that
        VN's (VN -> provider-VN), DENY rule, while the provider VN's
        deny-to-any rule stays in place.

    Security invariants under test: only the designated provider VN may
    carry is_provider_network=True, tenant VNs cannot peer with each other
    through this reference, and traffic to the provider network is
    default-deny on both sides until a tenant explicitly opts in with a
    PASS policy, which opens only that tenant's side.

    Assumption: ip-fabric VN is the provider-VN.

    NOTE(review): the fixed gevent.sleep() calls wait for the schema
    transformer to process updates; assertions after them may be flaky on
    a slow host.
    '''
    # create four VNs - vn1..vn4 (vn4 is created after the negative
    # create checks below)
    vn1_name = self.id() + '_vn1'
    vn2_name = self.id() + '_vn2'
    vn3_name = self.id() + '_vn3'
    vn4_name = self.id() + '_vn4'
    vn1_obj1 = VirtualNetwork(vn1_name)
    vn2_obj1 = VirtualNetwork(vn2_name)
    vn3_obj1 = VirtualNetwork(vn3_name)
    vn4_obj1 = VirtualNetwork(vn4_name)
    self._vnc_lib.virtual_network_create(vn1_obj1)
    self._vnc_lib.virtual_network_create(vn2_obj1)
    self._vnc_lib.virtual_network_create(vn3_obj1)

    # (1) creating a non-provider VN with a non-provider VN linked
    # before creation must be rejected
    vn4_obj1.add_virtual_network(vn3_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    vn4_obj1.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    # remove vn3_obj1 and vn2_obj1 again since linking them is not allowed
    vn4_obj1.del_virtual_network(vn3_obj1)
    vn4_obj1.del_virtual_network(vn2_obj1)

    # (2) is_provider_network=True on a non-provider VN must be rejected
    # at create time
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_create, vn4_obj1)
    # set it to False and retry the create
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_create(vn4_obj1)

    # (8) updating other parameters of a non-provider VN works
    # when no provider VN is connected
    vn4_obj1.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # (3) retrieve the provider network, assuming ip-fabric for now
    provider_fq_name = ['default-domain', 'default-project', 'ip-fabric']
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # (4) is_provider_network of provider_vn can be set to True
    # (i.e. only to its default)
    provider_vn.set_is_provider_network(True)
    self._vnc_lib.virtual_network_update(provider_vn)

    # (5) is_provider_network of provider_vn cannot be set to False
    provider_vn.set_is_provider_network(False)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, provider_vn)

    # (7) is_provider_network of a non-provider VN can be set to False
    vn4_obj1.set_is_provider_network(False)
    self._vnc_lib.virtual_network_update(vn4_obj1)

    # (6) is_provider_network of a non-provider VN cannot be set to True
    vn4_obj1.set_is_provider_network(True)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn4_obj1)

    # (9) db_resync sets is_provider_network to True on the provider VN
    self._api_server._db_conn.db_resync()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_fq_name)
    self.assertEqual(provider_vn.get_is_provider_network(), True)

    # (10)/(13) add vn3 and vn2 to the provider VN
    provider_vn.add_virtual_network(vn2_obj1)
    provider_vn.add_virtual_network(vn3_obj1)
    self._vnc_lib.virtual_network_update(provider_vn)
    gevent.sleep(5)  # let the schema transformer catch up
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid']
                    for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)

    # Drop and rebuild the schema transformer's VN state from the DB
    # (presumably simulating a restart) and re-check the links survive.
    config_db.VirtualNetworkST._dict = {}
    config_db.VirtualNetworkST.reinit()
    provider_vn = self._vnc_lib.virtual_network_read(
        fq_name=provider_vn.get_fq_name())
    vn3_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn3_obj1.get_fq_name())
    vn2_obj1 = self._vnc_lib.virtual_network_read(
        fq_name=vn2_obj1.get_fq_name())
    self.assertEqual(len(provider_vn.virtual_network_refs), 2)
    linked_uuids = [ref['uuid']
                    for ref in provider_vn.virtual_network_refs]
    self.assertIn(vn3_obj1.uuid, linked_uuids)
    self.assertIn(vn2_obj1.uuid, linked_uuids)

    # (14) provider VN carries an implicit (provider -> any) DENY
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    # (15) each linked VN carries an implicit (VN -> provider) DENY
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn2_obj1),
        src_vn=vn2_obj1.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn3_obj1),
        src_vn=vn3_obj1.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))

    # (11) adding the provider VN to vn1 works
    vn1_obj1.add_virtual_network(provider_vn)
    self._vnc_lib.virtual_network_update(vn1_obj1)
    gevent.sleep(2)  # let the schema transformer catch up
    vn1_obj2 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj1.get_fq_name())
    self.assertEqual(vn1_obj2.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj2),
        src_vn=vn1_obj2.get_fq_name_str(),
        dst_vn=':'.join(provider_fq_name))

    # (8) updating other parameters of a non-provider VN works
    # when a provider VN is connected
    vn1_obj2.set_mac_aging_time(400)
    self._vnc_lib.virtual_network_update(vn1_obj2)

    # create a policy to allow icmp between vn1 <> vn2 and update vn1
    vn1_to_vn2_rule = {"protocol": "icmp",
                       "direction": "<>",
                       "src": {"type": "vn", "value": vn1_obj2},
                       "dst": [{"type": "vn", "value": vn2_obj1}],
                       "action": "pass"}
    np = self.create_network_policy_with_multiple_rules([vn1_to_vn2_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj2.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj2)
    vn1_obj3 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj2.get_fq_name())

    # (12) linking a non-provider network to vn1 is not allowed and
    # leaves the existing provider link untouched
    vn1_obj3.add_virtual_network(vn2_obj1)
    self.assertRaises(BadRequest,
                      self._vnc_lib.virtual_network_update, vn1_obj3)
    vn1_obj4 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj3.get_fq_name())
    self.assertEqual(vn1_obj4.virtual_network_refs[0]['to'],
                     provider_fq_name)
    self.assertNotEqual(vn1_obj4.virtual_network_refs[0]['to'],
                        vn2_obj1.get_fq_name())

    # (14) a PASS policy attached on the provider side must not remove
    # the provider VN's deny-to-any rule
    provider_to_vn1_rule = {"protocol": "icmp",
                            "direction": ">",
                            "src": {"type": "vn", "value": provider_vn},
                            "dst": [{"type": "vn", "value": vn1_obj4}],
                            "action": "pass"}
    np = self.create_network_policy_with_multiple_rules(
        [provider_to_vn1_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    provider_vn.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(provider_vn)
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')
    # (15) the network connected to the provider network still has its
    # deny rule towards the provider network
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj4),
        src_vn=':'.join(vn1_obj4.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))

    # (16) an explicit PASS policy from vn1 to the provider network
    # replaces vn1's implicit deny with an allow rule
    vn1_to_provider_rule = {"protocol": "any",
                            "direction": ">",
                            "src": {"type": "vn", "value": vn1_obj4},
                            "dst": [{"type": "vn", "value": provider_vn}],
                            "action": "pass"}
    np = self.create_network_policy_with_multiple_rules(
        [vn1_to_provider_rule])
    seq = SequenceType(1, 1)
    vnp = VirtualNetworkPolicyType(seq)
    vn1_obj4.set_network_policy(np, vnp)
    self._vnc_lib.virtual_network_update(vn1_obj4)
    vn1_obj5 = self._vnc_lib.virtual_network_read(
        fq_name=vn1_obj4.get_fq_name())
    self.check_acl_no_implicit_deny_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))
    self.check_acl_allow_rule(
        fq_name=self.get_ri_name(vn1_obj5),
        src_vn=':'.join(vn1_obj5.get_fq_name()),
        dst_vn=':'.join(provider_fq_name))

    # the tenant-side PASS policy opens only the tenant side: the
    # provider network keeps its deny-to-any rule
    self.check_acl_implicit_deny_rule(
        fq_name=self.get_ri_name(provider_vn),
        src_vn=':'.join(provider_fq_name),
        dst_vn='any')