def assert_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) def test_connectivity(): try: return netcat.test_connectivity() except RuntimeError: return False try: common_utils.wait_until_true(test_connectivity) finally: netcat.stop_processes()
def _test_with_nc(self, fw_manager, direction, port, protocol): netcat = net_helpers.NetcatTester(self.client.namespace, self.server.namespace, self.server.ip, self.port, protocol) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.filter_add_rule(fw_manager, self.server.ip, direction, protocol, port) with testtools.ExpectedException(RuntimeError): netcat.test_connectivity() self.filter_remove_rule(fw_manager, self.server.ip, direction, protocol, port) self.assertTrue(netcat.test_connectivity(True))
def _test_conntrack_disassociate_fip(self, ha): '''Test that conntrack immediately drops stateful connection that uses floating IP once it's disassociated. ''' router_info = self.generate_router_info(enable_ha=ha) router = self.manage_router(self.agent, router_info) port = net_helpers.get_free_namespace_port(constants.PROTO_NAME_TCP, router.ns_name) client_address = '19.4.4.3' server_address = '35.4.0.4' def clean_fips(router): router.router[constants.FLOATINGIP_KEY] = [] clean_fips(router) self._add_fip(router, client_address, fixed_address=server_address) router.process() router_ns = ip_lib.IPWrapper(namespace=router.ns_name) netcat = net_helpers.NetcatTester( router.ns_name, router.ns_name, client_address, port, protocol=net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) def assert_num_of_conntrack_rules(n): out = router_ns.netns.execute( ["conntrack", "-L", "--orig-src", client_address], privsep_exec=True) self.assertEqual( n, len([line for line in out.strip().split('\n') if line])) if ha: common_utils.wait_until_true(lambda: router.ha_state == 'primary') with self.assert_max_execution_time(100): assert_num_of_conntrack_rules(0) self.assertTrue(netcat.test_connectivity()) assert_num_of_conntrack_rules(1) clean_fips(router) router.process() assert_num_of_conntrack_rules(0) with testtools.ExpectedException(RuntimeError): netcat.test_connectivity()
def test_find_listen_pids_namespace(self): ns = self.useFixture(net_helpers.NamespaceFixture()).name ip_wrapper = ip_lib.IPWrapper(namespace=ns) ip_wrapper.add_dummy('device') device = ip_lib.IPDevice('device', namespace=ns) device.addr.add('10.20.30.40/24') device.link.set_up() self.assertEqual(tuple(), priv_utils.find_listen_pids_namespace(ns)) netcat = net_helpers.NetcatTester(ns, ns, '10.20.30.40', 12345, 'udp') proc = netcat.server_process self.assertEqual((str(proc.child_pid), ), priv_utils.find_listen_pids_namespace(ns)) netcat.stop_processes() self.assertEqual(tuple(), priv_utils.find_listen_pids_namespace(ns))
def test_fip_connection_from_same_subnet(self): '''Test connection to floatingip which is associated with fixed_ip on the same subnet of the source fixed_ip. In other words it confirms that return packets surely go through the router. ''' src_machine, dst_machine, dst_fip = ( self._setup_fip_with_fixed_ip_from_same_subnet(enable_snat=True)) protocol_port = net_helpers.get_free_namespace_port( lib_constants.PROTO_NAME_TCP, dst_machine.namespace) # client sends to fip netcat = net_helpers.NetcatTester( src_machine.namespace, dst_machine.namespace, dst_fip, protocol_port, protocol=net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity())
def _test_with_nc(self, fw_manager, direction, port, protocol): netcat = net_helpers.NetcatTester(self.client.namespace, self.server.namespace, self.server.ip, self.port, protocol) self.addCleanup(netcat.stop_processes) filter_params = 'direction %s, port %s and protocol %s' % ( direction, port, protocol) self.assertTrue( netcat.test_connectivity(), 'Failed connectivity check before applying a filter ' 'with %s' % filter_params) self.filter_add_rule(fw_manager, self.server.ip, direction, protocol, port) with testtools.ExpectedException( RuntimeError, msg='Wrongfully passed a connectivity check after applying ' 'a filter with %s' % filter_params): netcat.test_connectivity() self.filter_remove_rule(fw_manager, self.server.ip, direction, protocol, port) self.assertTrue( netcat.test_connectivity(True), 'Failed connectivity check after removing a filter ' 'with %s' % filter_params)
def assert_no_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) try: self.assertRaises(RuntimeError, netcat.test_connectivity) finally: netcat.stop_processes()
def assert_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) try: self.assertTrue(netcat.test_connectivity()) finally: netcat.stop_processes()
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 0. traffic is allowed when port security is disabled, 1. connection from outside of allowed security group is blocked 2. connection from allowed security group is permitted 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a remote security group member addition works, and 6. an established connection stops by deleting a SG rule. 7. multiple overlapping remote rules work, 8. test other protocol functionality by using SCTP protocol 9. test two vms with same mac on the same host in different networks """ index_to_sg = [0, 0, 1, 2] if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 4 else: index_to_host = [0, 1, 1, 0] tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet(tenant_uuid, network['id'], '20.0.0.0/24') sgs = [ self.safe_client.create_security_group(tenant_uuid) for i in range(3) ] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[], port_security_enabled=False) for host in index_to_host ] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine(self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port], use_dhcp=True)) for port, host in enumerate(index_to_host) ] for vm in vms: vm.block_until_boot() # 0. check that traffic is allowed when port security is disabled self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) net_helpers.assert_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_ping(vms[1].namespace, vms[2].ip) # Apply security groups to the ports for port, sg in zip(ports, index_to_sg): self.safe_client.client.update_port( port['id'], body={ 'port': { 'port_security_enabled': True, 'security_groups': [sgs[sg]['id']] } }) # 1. connection from outside of allowed security group is blocked netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # Wait until port update takes effect on the ports common_utils.wait_until_true( netcat.test_no_connectivity, exception=AssertionError( "Still can connect to the VM from different host.")) netcat.stop_processes() # 2. check if connection from allowed security group is permitted self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # 6. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) index_to_sg.append(1) ports.append( self.safe_client.create_port( tenant_uuid, network['id'], self.environment.hosts[index_to_host[-1]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[-1]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[-1], use_dhcp=True))) self.assertEqual(5, len(vms)) vms[4].block_until_boot() netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 7. check if multiple overlapping remote rules work self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[2]['id'], direction='ingress', ethertype=constants.IPv4) for i in range(2): self.assert_connection(vms[0].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[3].namespace, vms[0].namespace, vms[0].ip, 8080, net_helpers.NetcatTester.TCP) # 8. check SCTP is supported by security group self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) # 9. test two vms with same mac on the same host in different networks self._test_overlapping_mac_addresses()
def assert_no_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) try: utils.wait_until_true(netcat.test_no_connectivity) finally: netcat.stop_processes()
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 0. traffic is allowed when port security is disabled, 1. connection from outside of allowed security group is blocked 2. connection from allowed security group is permitted 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a security group update for entire port range works 6. a remote security group member addition works, and 7. an established connection stops by deleting a SG rule. 8. multiple overlapping remote rules work, 9. test other protocol functionality by using SCTP protocol 10. test two vms with same mac on the same host in different networks 11. test using multiple security groups 12. test stateless security groups when firewall driver is iptables or iptables_hybrid. """ tenant_uuid = uuidutils.generate_uuid() subnet_cidr = '20.0.0.0/24' vms, ports, sgs, network, index_to_host = self._create_resources( tenant_uuid, subnet_cidr) # 0. check that traffic is allowed when port security is disabled self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) vms[0].block_until_ping(vms[1].ip) vms[0].block_until_ping(vms[2].ip) vms[1].block_until_ping(vms[2].ip) # Apply security groups to the ports for port, sg in zip(ports, self.index_to_sg): self.safe_client.client.update_port( port['id'], body={ 'port': { 'port_security_enabled': True, 'security_groups': [sgs[sg]['id']] } }) # 1. connection from outside of allowed security group is blocked netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # Wait until port update takes effect on the ports common_utils.wait_until_true( netcat.test_no_connectivity, exception=AssertionError( "Still can connect to the VM from different host.")) netcat.stop_processes() # 2. check if connection from allowed security group is permitted self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked vms[0].block_until_no_ping(vms[1].ip) vms[0].block_until_no_ping(vms[2].ip) vms[1].block_until_no_ping(vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) rule1 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a security group update for entire port range works self.client.delete_security_group_rule(rule1['id']) self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.TCP) rule1 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=1, port_range_max=65535) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.TCP) self.client.delete_security_group_rule(rule1['id']) # 6. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # 7. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) self.index_to_sg.append(1) ports.append( self.safe_client.create_port( tenant_uuid, network['id'], self.environment.hosts[index_to_host[-1]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[-1]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[-1], use_dhcp=True))) self.assertEqual(5, len(vms)) vms[4].block_until_boot() netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 8. check if multiple overlapping remote rules work self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[2]['id'], direction='ingress', ethertype=constants.IPv4) for i in range(2): self.assert_connection(vms[0].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[2].namespace, vms[1].namespace, vms[1].ip, 3333, net_helpers.NetcatTester.TCP) self.assert_connection(vms[3].namespace, vms[0].namespace, vms[0].ip, 8080, net_helpers.NetcatTester.TCP) # 9. check SCTP is supported by security group self.assert_no_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) # 10. test two vms with same mac on the same host in different networks self._test_overlapping_mac_addresses() # 11. Check using multiple security groups self._test_using_multiple_security_groups() # 12. test stateless security groups when firewall driver is iptables # or iptables_hybrid. # TODO(njohnston): Re-add the iptables here once it is stable if self.firewall_driver == 'iptables_hybrid': self._test_stateless_security_groups()
def test_securitygroup(self): """Tests if a security group rules are working, by confirming that 1. connection from allowed security group is allowed, 2. connection from elsewhere is blocked, 3. traffic not explicitly allowed (eg. ICMP) is blocked, 4. a security group update takes effect, 5. a remote security group member addition works, and 6. an established connection stops by deleting a SG rule. 7. test other protocol functionality by using SCTP protocol """ index_to_sg = [0, 0, 1] if self.firewall_driver == 'iptables_hybrid': # The iptables_hybrid driver lacks isolation between agents index_to_host = [0] * 3 else: index_to_host = [0, 1, 1] tenant_uuid = uuidutils.generate_uuid() network = self.safe_client.create_network(tenant_uuid) self.safe_client.create_subnet( tenant_uuid, network['id'], '20.0.0.0/24') sgs = [self.safe_client.create_security_group(tenant_uuid) for i in range(2)] ports = [ self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[host].hostname, security_groups=[sgs[sg]['id']]) for host, sg in zip(index_to_host, index_to_sg)] self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3333, port_range_max=3333) vms = [ self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[host], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[port])) for port, host in enumerate(index_to_host)] for vm in vms: vm.block_until_boot() # 1. check if connection from allowed security group is allowed self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 2. check if connection from elsewhere is blocked self.assert_no_connection( vms[2].namespace, vms[0].namespace, vms[0].ip, 3333, net_helpers.NetcatTester.TCP) # 3. check if traffic not explicitly allowed (eg. ICMP) is blocked net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip) net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip) net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip) # 4. check if a security group update takes effect self.assert_no_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3344, port_range_max=3344) self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3344, net_helpers.NetcatTester.TCP) # 5. check if a remote security group member addition works rule2 = self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[1]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NAME_TCP, port_range_min=3355, port_range_max=3355) self.assert_connection( vms[2].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) # NOTE(slaweq) iptables driver currently contains a bug # https://bugs.launchpad.net/neutron/+bug/1657260 # where established connections are not dropped after security group # rule is removed. Remove this workaround once bug #1657260 is fixed. if self.firewall_driver != 'iptables': # 6. check if an established connection stops by deleting # the supporting SG rule. index_to_host.append(index_to_host[2]) index_to_sg.append(1) ports.append( self.safe_client.create_port(tenant_uuid, network['id'], self.environment.hosts[ index_to_host[3]].hostname, security_groups=[sgs[1]['id']])) vms.append( self.useFixture( machine.FakeFullstackMachine( self.environment.hosts[index_to_host[3]], network['id'], tenant_uuid, self.safe_client, neutron_port=ports[3]))) vms[3].block_until_boot() netcat = net_helpers.NetcatTester(vms[3].namespace, vms[0].namespace, vms[0].ip, 3355, net_helpers.NetcatTester.TCP) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) self.client.delete_security_group_rule(rule2['id']) common_utils.wait_until_true(lambda: netcat.test_no_connectivity(), sleep=8) netcat.stop_processes() # 7. check SCTP is supported by security group self.assert_no_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP) self.safe_client.create_security_group_rule( tenant_uuid, sgs[0]['id'], remote_group_id=sgs[0]['id'], direction='ingress', ethertype=constants.IPv4, protocol=constants.PROTO_NUM_SCTP, port_range_min=3366, port_range_max=3366) self.assert_connection( vms[1].namespace, vms[0].namespace, vms[0].ip, 3366, net_helpers.NetcatTester.SCTP)
def assert_no_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) self.addCleanup(netcat.stop_processes) self.assertRaises(RuntimeError, netcat.test_connectivity) netcat.stop_processes()
def assert_connection(self, *args, **kwargs): netcat = net_helpers.NetcatTester(*args, **kwargs) self.addCleanup(netcat.stop_processes) self.assertTrue(netcat.test_connectivity()) netcat.stop_processes()