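def remove_external_address_block(self, context, cidr):
    """Delete every provider firewall rule stored for *cidr*.

    Args:
        context: request context, handed to the audit log and the db calls.
        cidr: URL-encoded CIDR string taken from the request path.

    Returns:
        A dict with ``status`` and ``message`` keys. ``status`` is 'OK' when
        at least one rule was deleted and 'Failed' when the input is not a
        valid CIDR or nothing is currently blocked for it; ``message``
        explains the outcome to the caller.
    """
    LOG.audit(_('Removing ip block from %s'), cidr, context=context)
    failed = {'status': 'Failed', 'message': ' 0 rules deleted'}
    bad_input = ('Improper input. Please provide a valid cidr: '
                 'e.g. 121.12.10.11/24.')
    # The path segment is URL-encoded; un-quote it before validating.
    # decode() with the default codec rejects bytes outside that codec
    # (e.g. a percent-encoded %FF), which used to escape as an unhandled
    # UnicodeDecodeError instead of the 'Failed' reply promised for
    # improper input below.
    try:
        cidr = urllib.unquote(cidr).decode()
    except UnicodeDecodeError:
        failed['message'] = bad_input + failed['message']
        return failed
    # Validate before touching the db so malformed or malicious input is
    # reported back to the caller rather than raised.
    if not utils.is_valid_cidr(cidr):
        failed['message'] = bad_input + failed['message']
        return failed
    # Normalize, e.g. '20.20.20.11/24' -> '20.20.20.0/24', so the db lookup
    # uses the same value the filters (e.g. iptables) were given.
    cidr = str(netaddr.IPNetwork(cidr).cidr)
    rules = db.provider_fw_rule_get_all_by_cidr(context, cidr)
    if not rules:
        failed['message'] = ('No such CIDR currently blocked.'
                             + failed['message'])
        return failed
    for rule in rules:
        db.provider_fw_rule_destroy(context, rule['id'])
    # The deletion only takes effect once compute rebuilds its provider chain.
    self.compute_api.trigger_provider_fw_rules_refresh(context)
    return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}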
def test_provider_firewall_rules(self, mock_lock):
    """Provider rules land in the 'provider' chain and instances jump to it.

    Walks the life cycle end to end: an empty chain after basic filtering,
    one and then two rules after db inserts plus a refresh, exactly one jump
    from the instance chain into 'provider', and back to one rule after a
    db delete plus refresh.
    """
    mock_lock.return_value = threading.Semaphore()

    def chain_rules(chain):
        # Rules currently attached to *chain* in the IPv4 filter table.
        # Re-read the table each time; a refresh may rebuild it.
        return [r for r in self.fw.iptables.ipv4['filter'].rules
                if r.chain == chain]

    def add_block(ctxt, protocol):
        # Same host block on all ports; only the protocol differs.
        return db.provider_fw_rule_create(ctxt, {'protocol': protocol,
                                                 'cidr': '10.99.99.99/32',
                                                 'from_port': 1,
                                                 'to_port': 65535})

    # setup basic instance data
    instance_ref = self._create_instance_ref()
    # FRAGILE: peeks at how the firewall names chains
    chain_name = 'inst-%s' % instance_ref['id']

    # Basic filtering (as libvirt_conn.spawn does) yields an empty chain.
    network_info = _fake_network_info(self.stubs, 1)
    self.fw.setup_basic_filtering(instance_ref, network_info)
    self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains)
    self.assertEqual(0, len(chain_rules('provider')))

    admin_ctxt = context.get_admin_context()

    # One rule in the db, refresh, one rule in the chain.
    add_block(admin_ctxt, 'tcp')
    self.fw.refresh_provider_fw_rules()
    self.assertEqual(1, len(chain_rules('provider')))

    # A second one, refresh, two rules in the chain.
    provider_fw1 = add_block(admin_ctxt, 'udp')
    self.fw.refresh_provider_fw_rules()
    self.assertEqual(2, len(chain_rules('provider')))

    # The instance filter must carry a single jump into 'provider'.
    self.fw.prepare_instance_filter(instance_ref, network_info)
    self.fw.apply_instance_filter(instance_ref, network_info)
    jump_rules = [r for r in chain_rules(chain_name) if '-j' in r.rule]
    provjump_rules = []
    # IptablesTable doesn't make rules unique internally
    for r in jump_rules:
        if 'provider' in r.rule and r not in provjump_rules:
            provjump_rules.append(r)
    self.assertEqual(1, len(provjump_rules))

    # Drop one rule from the db and refresh; the chain shrinks back to one.
    db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id'])
    self.fw.refresh_provider_fw_rules()
    self.assertEqual(1, len(chain_rules('provider')))
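def remove_external_address_block(self, context, cidr):
    """Delete every provider firewall rule stored for *cidr*.

    Args:
        context: request context, handed to the audit log and the db calls.
        cidr: URL-encoded CIDR string taken from the request path.

    Returns:
        ``{'status': 'OK', 'message': 'Deleted N rules'}``; N may be 0.

    Raises:
        Whatever ``netaddr.IPNetwork`` raises for a string that is not a
        valid network. Invalid input is deliberately not swallowed here.
    """
    LOG.audit(_('Removing ip block from %s'), cidr, context=context)
    cidr = urllib.unquote(cidr).decode()
    # Parse the input (raises if invalid) and normalize it to its network
    # address, e.g. '20.20.20.11/24' -> '20.20.20.0/24'. Looking the raw
    # string up would not match a rule stored under the normalized form,
    # so the block may silently survive the delete.
    cidr = str(netaddr.IPNetwork(cidr).cidr)
    rules = db.provider_fw_rule_get_all_by_cidr(context, cidr)
    for rule in rules:
        db.provider_fw_rule_destroy(context, rule['id'])
    # Only ask compute to rebuild its provider chain when something changed.
    if rules:
        self.compute_api.trigger_provider_fw_rules_refresh(context)
    return {'status': 'OK', 'message': 'Deleted %s rules' % len(rules)}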
def test_provider_firewall_rules(self, mock_lock):
    """Check the provider chain is populated from the db and jumped to.

    Sequence: chain exists but is empty after basic filtering; each db
    insert followed by refresh_provider_fw_rules() adds one rule; the
    instance chain holds exactly one jump into 'provider'; a db delete plus
    refresh removes the rule again.
    """
    mock_lock.return_value = threading.Semaphore()

    def assert_provider_rule_count(expected):
        # Count rules in the 'provider' chain of the (possibly rebuilt)
        # IPv4 filter table and compare with *expected*.
        table = self.fw.iptables.ipv4['filter']
        found = [entry for entry in table.rules if entry.chain == 'provider']
        self.assertEqual(expected, len(found))

    # setup basic instance data
    instance_ref = self._create_instance_ref()
    # FRAGILE: peeks at how the firewall names chains
    chain_name = 'inst-%s' % instance_ref['id']

    # create a firewall via setup_basic_filtering like libvirt_conn.spawn
    # should have a chain with 0 rules
    network_info = _fake_network_info(self.stubs, 1)
    self.fw.setup_basic_filtering(instance_ref, network_info)
    self.assertIn('provider', self.fw.iptables.ipv4['filter'].chains)
    assert_provider_rule_count(0)

    admin_ctxt = context.get_admin_context()
    block = {'cidr': '10.99.99.99/32', 'from_port': 1, 'to_port': 65535}

    # add a rule and send the update message, check for 1 rule
    tcp_rule = dict(block, protocol='tcp')
    db.provider_fw_rule_create(admin_ctxt, tcp_rule)
    self.fw.refresh_provider_fw_rules()
    assert_provider_rule_count(1)

    # Add another, refresh, and make sure number of rules goes to two
    udp_rule = dict(block, protocol='udp')
    provider_fw1 = db.provider_fw_rule_create(admin_ctxt, udp_rule)
    self.fw.refresh_provider_fw_rules()
    assert_provider_rule_count(2)

    # create the instance filter and make sure it has a jump rule
    self.fw.prepare_instance_filter(instance_ref, network_info)
    self.fw.apply_instance_filter(instance_ref, network_info)
    table = self.fw.iptables.ipv4['filter']
    inst_rules = [entry for entry in table.rules if entry.chain == chain_name]
    jump_rules = [entry for entry in inst_rules if '-j' in entry.rule]
    # IptablesTable doesn't make rules unique internally, so dedupe by hand.
    provjump_rules = []
    for entry in jump_rules:
        if 'provider' not in entry.rule or entry in provjump_rules:
            continue
        provjump_rules.append(entry)
    self.assertEqual(1, len(provjump_rules))

    # remove a rule from the db, cast to compute to refresh rule
    db.provider_fw_rule_destroy(admin_ctxt, provider_fw1['id'])
    self.fw.refresh_provider_fw_rules()
    assert_provider_rule_count(1)