def test_slo_fw_update(self): """ Description: Verify security logging for inter-VN inter-Node traffic with firewall policy and rules and verify SLO update Steps: 1. create 2 VNs and connect them using network and firewall policy 2. launch 1 VM in each VN on diff compute node 3. set session export rate to 0 4. start udp traffic and verify the session logs in agent log Pass criteria: step 4 should pass """ created_objs = self._test_slo_with_fw() eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6' proto_str = 'any' sg_rule_id_ingress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id'] sg_rule_id_egress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='egress')[0]['id'] #Remove old slo from VNs for vn in self.vn_fixtures: vn.set_slo_list([]) #Create tenant level SLO with sg_rule_id_egress and add to VNs project_name = self.project.project_name parent_obj = self.vnc_h.project_read( fq_name=[self.connections.domain_name, project_name]) rules_list = [{'uuid': sg_rule_id_egress, 'rate': 1}] slo_fixture = self.create_slo(parent_obj, rate=10, rules_list=rules_list) for vn in self.vn_fixtures: self.add_slo_to_vn(slo_fixture, vn) #With tenant level SLO created above, Client session will match and logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'], exp_srv_session_count=0) #Update SLO with both rules rules_list.append({'uuid': sg_rule_id_ingress, 'rate': 1}) self.update_slo(slo_fixture.obj, rules_list) #Now both client and server sessions should get logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
def test_slo_fw_update(self): """ Description: Verify security logging for inter-VN inter-Node traffic with firewall policy and rules and verify SLO update Steps: 1. create 2 VNs and connect them using network and firewall policy 2. launch 1 VM in each VN on diff compute node 3. set session export rate to 0 4. start udp traffic and verify the session logs in agent log Pass criteria: step 4 should pass """ created_objs = self._test_slo_with_fw() eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6' proto_str = 'any' sg_rule_id_ingress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id'] sg_rule_id_egress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='egress')[0]['id'] #Remove old slo from VNs for vn in self.vn_fixtures: vn.set_slo_list([]) #Create tenant level SLO with sg_rule_id_egress and add to VNs project_name = self.project.project_name parent_obj = self.vnc_h.project_read( fq_name=[self.connections.domain_name, project_name]) rules_list = [{'uuid':sg_rule_id_egress, 'rate':1}] slo_fixture = self.create_slo(parent_obj, rate=10, rules_list=rules_list) for vn in self.vn_fixtures: self.add_slo_to_vn(slo_fixture, vn) #With tenant level SLO created above, Client session will match and logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'], exp_srv_session_count=0) #Update SLO with both rules rules_list.append({'uuid':sg_rule_id_ingress, 'rate':1}) self.update_slo(slo_fixture.obj, rules_list) #Now both client and server sessions should get logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
def verify_flow_to_sg_rule_mapping( self, src_vm_fix, dst_vm_fix, src_vn_fix, dst_vn_fix, secgrp_id, proto, port): ''' this method verifies flow to security group mapping for both forward and reverse flow for the given sec grp id''' if self.option == 'openstack': src_vn_fq_name = src_vn_fix.vn_fq_name dst_vn_fq_name = dst_vn_fix.vn_fq_name else: src_vn_fq_name = ':'.join(src_vn_fix._obj.get_fq_name()) dst_vn_fq_name = ':'.join(dst_vn_fix._obj.get_fq_name()) nh_src = src_vm_fix.tap_intf[src_vn_fq_name]['flow_key_idx'] nh_dst = dst_vm_fix.tap_intf[dst_vn_fq_name]['flow_key_idx'] proto_num = {'udp': '17', 'tcp': '6', 'icmp': '1'} test_result = True rule_uuid = None # get the egress rule uuid rules = list_sg_rules(self.connections, secgrp_id) af = self.inputs.get_af() for rule in rules: if rule['direction'] == 'egress' and \ ((af == 'v4' and (rule['ethertype'] == 'IPv4' or \ rule['remote_ip_prefix'] == '0.0.0.0/0')) or \ (af == 'v6' and (rule['ethertype'] == 'IPv6' or \ rule['remote_ip_prefix'] == '::/0'))) and \ (rule['protocol'] == 'any' or rule['protocol'] == proto): rule_uuid = rule['id'] break assert rule_uuid, "Egress rule id could not be found" # verify forward flow on src compute node if not self.fetch_flow_verify_sg_uuid( nh_src, src_vm_fix, dst_vm_fix, port, port, proto_num[proto], rule_uuid, src_vm_fix.vm_node_ip): test_result = False # verify reverse flow on src compute node if src_vm_fix.vm_node_ip == dst_vm_fix.vm_node_ip: nh = nh_dst else: nh = nh_src if not self.fetch_flow_verify_sg_uuid( nh, dst_vm_fix, src_vm_fix, port, port, proto_num[proto], rule_uuid, src_vm_fix.vm_node_ip): test_result = False if src_vm_fix.vm_node_ip != dst_vm_fix.vm_node_ip: self.logger.info("verify on destination compute too, \ as source and destination computes are different") # get the ingress rule uuid rule_uuid = None rules = list_sg_rules(self.connections, secgrp_id) for rule in rules: if rule['direction'] == 'ingress' and \ ((af == 'v4' and (rule['ethertype'] == 'IPv4' or \ rule['remote_ip_prefix'] == '0.0.0.0/0' or \ rule['remote_group_id'] == secgrp_id)) or \ (af == 'v6' and (rule['ethertype'] == 'IPv6' or \ rule['remote_group_id'] == secgrp_id or \ rule['remote_ip_prefix'] == '::/0'))) and \ (rule['protocol'] == 'any' or rule['protocol'] == proto): rule_uuid = rule['id'] break assert rule_uuid, "Ingress rule id could not be found" # verify forward flow on dst compute node if not self.fetch_flow_verify_sg_uuid( nh_dst, src_vm_fix, dst_vm_fix, port, port, proto_num[proto], rule_uuid, dst_vm_fix.vm_node_ip): test_result = False # verify reverse flow on dst compute node if not self.fetch_flow_verify_sg_uuid( nh_dst, dst_vm_fix, src_vm_fix, port, port, proto_num[proto], rule_uuid, dst_vm_fix.vm_node_ip): test_result = False return test_result
def verify_flow_to_sg_rule_mapping( self, src_vm_fix, dst_vm_fix, src_vn_fix, dst_vn_fix, secgrp_id, proto, port): ''' this method verifies flow to security group mapping for both forward and reverse flow for the given sec grp id''' if self.option == 'openstack': src_vn_fq_name = src_vn_fix.vn_fq_name dst_vn_fq_name = dst_vn_fix.vn_fq_name else: src_vn_fq_name = ':'.join(src_vn_fix._obj.get_fq_name()) dst_vn_fq_name = ':'.join(dst_vn_fix._obj.get_fq_name()) nh_src = src_vm_fix.tap_intf[src_vn_fq_name]['flow_key_idx'] nh_dst = dst_vm_fix.tap_intf[dst_vn_fq_name]['flow_key_idx'] proto_num = {'udp': '17', 'tcp': '6', 'icmp': '1'} test_result = True rule_uuid = None # get the egress rule uuid rules = list_sg_rules(self.connections, secgrp_id) for rule in rules: if rule['direction'] == 'egress' and (rule['ethertype'] == 'IPv4' or \ rule['remote_ip_prefix'] == '0.0.0.0/0') and \ (rule['protocol'] == 'any' or rule['protocol'] == proto): rule_uuid = rule['id'] break assert rule_uuid, "Egress rule id could not be found" # verify forward flow on src compute node if not self.fetch_flow_verify_sg_uuid( nh_src, src_vm_fix, dst_vm_fix, port, port, proto_num[proto], rule_uuid, src_vm_fix.vm_node_ip): test_result = False # verify reverse flow on src compute node if src_vm_fix.vm_node_ip == dst_vm_fix.vm_node_ip: nh = nh_dst else: nh = nh_src if not self.fetch_flow_verify_sg_uuid( nh, dst_vm_fix, src_vm_fix, port, port, proto_num[proto], rule_uuid, src_vm_fix.vm_node_ip): test_result = False if src_vm_fix.vm_node_ip != dst_vm_fix.vm_node_ip: self.logger.info("verify on destination compute too, \ as source and destination computes are different") # get the ingress rule uuid rule_uuid = None rules = list_sg_rules(self.connections, secgrp_id) for rule in rules: if rule['direction'] == 'ingress' and \ (rule['ethertype'] == 'IPv4' or \ rule['remote_group_id'] == secgrp_id or \ rule['remote_ip_prefix'] == '0.0.0.0/0') and \ (rule['protocol'] == 'any' or rule['protocol'] == proto): rule_uuid = rule['id'] break assert rule_uuid, "Ingress rule id could not be found" # verify forward flow on dst compute node if not self.fetch_flow_verify_sg_uuid( nh_dst, src_vm_fix, dst_vm_fix, port, port, proto_num[proto], rule_uuid, dst_vm_fix.vm_node_ip): test_result = False # verify reverse flow on dst compute node if not self.fetch_flow_verify_sg_uuid( nh_dst, dst_vm_fix, src_vm_fix, port, port, proto_num[proto], rule_uuid, dst_vm_fix.vm_node_ip): test_result = False return test_result
def test_slo_global(self): """ Description: Verify global security logging for inter-VN inter-Node traffic with firewall policy and rules Steps: 1. disable/enable global SLO flag and verify logging 2. Create global and tenant level SLO and verify logging 3. Delete global SLO and verify session get logged only matching tenant level SLO Pass criteria: All logging verifications should pass """ self.set_global_slo_flag(enable=False) #Logged session should be 0 when global slo is disabled created_objs = self._test_slo_with_fw(exp_srv_session_count=0, exp_clnt_session_count=0) self.set_global_slo_flag(enable=True) #Logged session should be seen when global slo is enabled self._test_slo_with_fw(create_resources=False, slo_fixture=created_objs['slo_fix'], fw_objs_dict=created_objs['fw_objs']) eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6' proto_str = 'any' sg_rule_id_ingress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id'] sg_rule_id_egress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='egress')[0]['id'] #Create global SLO using sg_rule_id_ingress slo_rate = 10 rules_list = [{'uuid': sg_rule_id_ingress, 'rate': 100}] g_slo_fixture = self.create_slo(rate=slo_rate, rules_list=rules_list) #Remove old slo from VNs for vn in self.vn_fixtures: vn.set_slo_list([]) #Create tenant level SLO with sg_rule_id_egress and add to VNs project_name = self.project.project_name parent_obj = self.vnc_h.project_read( fq_name=[self.connections.domain_name, project_name]) rules_list = [{'uuid': sg_rule_id_egress, 'rate': 1}] slo_fixture = self.create_slo(parent_obj, rate=slo_rate, rules_list=rules_list) for vn in self.vn_fixtures: self.add_slo_to_vn(slo_fixture, vn) #With tenant level SLO created above, Client session will match and logged #With global SLO, server session will match and logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs']) #Disable global slo again self.set_global_slo_flag(enable=False) #Now no logging should happen self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'], exp_srv_session_count=0, exp_clnt_session_count=0) #Enable global slo again self.set_global_slo_flag(enable=True) #Delete global SLO g_slo_fixture.cleanUp() self._remove_fixture_from_cleanup(g_slo_fixture) #Now only Client session should get logged matching tenant level SLO #Server session should be 0 as it will match ingress rule self._test_slo_with_fw(create_resources=False, exp_srv_session_count=0, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])
def start_traffic_validate_slo(self, client_fixture, server_fixture, policy_fixture=None, proto=1, underlay_proto=0, slo_rate=1, sg_uuid=None): ''' Start the traffic for protocol proto and validates the client and server sessions logged matching SLO in agent log. Supported proto is(are) 1, 17 ''' assert self.start_traffic(client_fixture, server_fixture, proto) pkt_count = self.pkt_count pkt_count2 = self.pkt_count2 client_port = self.client_port service_port = self.service_port srv_session_c_port = self.srv_session_c_port srv_session_s_port = self.srv_session_s_port proto = self.proto exp_session_count = pkt_count / slo_rate if proto == 1 else None eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6' proto_str = 'any' if sg_uuid is not None: sg_rule_id_ingress = list_sg_rules(self.connections, sg_uuid, eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id'] sg_rule_id_egress = list_sg_rules(self.connections, sg_uuid, eth_type=eth_type, proto=proto_str, direction='egress')[0]['id'] else: sg_rule_id_ingress = sg_rule_id_egress = UUID_RE tcp_flags = 120 if proto == 6 else 0 project_fqname = ':'.join(self.project.project_fq_name) client_vmi_fqname = project_fqname + ':' +\ client_fixture.vmi_ids[client_fixture.vn_fq_name] is_client_session = 1 if policy_fixture: policy_api_obj = self.vnc_lib.network_policy_read( id=policy_fixture.get_id()) nw_ace_uuid = policy_api_obj.get_network_policy_entries( ).policy_rule[0].rule_uuid else: nw_ace_uuid = UUID_RE expected_client_session = LOGGED_SESSION % ( client_vmi_fqname, client_fixture.vn_fq_name, FIREWALL_RULE_ID_DEFAULT, server_fixture.vn_fq_name, is_client_session, 0, client_fixture.vm_node_ip, client_fixture.vm_ip, service_port, proto, INT_RE, pkt_count2, INT_RE, pkt_count2, server_fixture.vm_ip, client_port, INT_RE, pkt_count2, UUID_RE, tcp_flags, INT_RE, #Fwd flow info 'pass', sg_rule_id_egress, nw_ace_uuid, INT_RE, INT_RE, pkt_count2, UUID_RE, tcp_flags, INT_RE, #Reverse flow info 'pass', sg_rule_id_egress, nw_ace_uuid, INT_RE, client_fixture.vm_id, server_fixture.vm_node_ip, underlay_proto) self.sleep(1) #Verify No. of Client sessions result, output = self.verify_no_of_sessions_in_agent_log( client_fixture.vm_node_ip, expected_client_session, exp_session_count) assert result, ( "Expected no. of client session not found in agent log " "for protocol %s, exp:%s, got:%s" % (proto, exp_session_count, output)) server_vmi_fqname = project_fqname + ':' +\ server_fixture.vmi_ids[server_fixture.vn_fq_name] is_client_session = 0 expected_server_session = LOGGED_SESSION % ( server_vmi_fqname, server_fixture.vn_fq_name, FIREWALL_RULE_ID_DEFAULT, client_fixture.vn_fq_name, is_client_session, 0, server_fixture.vm_node_ip, server_fixture.vm_ip, srv_session_s_port, proto, INT_RE, pkt_count2, INT_RE, pkt_count2, client_fixture.vm_ip, srv_session_c_port, INT_RE, pkt_count2, UUID_RE, tcp_flags, INT_RE, 'pass', sg_rule_id_ingress, nw_ace_uuid, INT_RE, INT_RE, pkt_count2, UUID_RE, tcp_flags, INT_RE, 'pass', sg_rule_id_ingress, nw_ace_uuid, INT_RE, server_fixture.vm_id, client_fixture.vm_node_ip, underlay_proto) #Verify No. of Server sessions result, output = self.verify_no_of_sessions_in_agent_log( server_fixture.vm_node_ip, expected_server_session, exp_session_count) import pdb pdb.set_trace() assert result, ( "Expected no. of server sessions not found in agent log" " for protocol %s, exp:%s, got:%s" % (proto, exp_session_count, output)) self.sleep(1) self.delete_all_flows_on_vms_compute([client_fixture, server_fixture])
def test_slo_global(self): """ Description: Verify global security logging for inter-VN inter-Node traffic with firewall policy and rules Steps: 1. disable/enable global SLO flag and verify logging 2. Create global and tenant level SLO and verify logging 3. Delete global SLO and verify session get logged only matching tenant level SLO Pass criteria: All logging verifications should pass """ self.set_global_slo_flag(enable=False) #Logged session should be 0 when global slo is disabled created_objs = self._test_slo_with_fw(exp_srv_session_count=0,exp_clnt_session_count=0) self.set_global_slo_flag(enable=True) #Logged session should be seen when global slo is enabled self._test_slo_with_fw(create_resources=False, slo_fixture=created_objs['slo_fix'], fw_objs_dict=created_objs['fw_objs']) eth_type = 'IPv4' if (self.inputs.get_af() == 'v4') else 'IPv6' proto_str = 'any' sg_rule_id_ingress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='ingress')[0]['id'] sg_rule_id_egress = list_sg_rules(self.connections, created_objs['sg_obj'].uuid, eth_type=eth_type, proto=proto_str, direction='egress')[0]['id'] #Create global SLO using sg_rule_id_ingress slo_rate = 10 rules_list = [{'uuid':sg_rule_id_ingress, 'rate':100}] g_slo_fixture = self.create_slo(rate=slo_rate, rules_list=rules_list) #Remove old slo from VNs for vn in self.vn_fixtures: vn.set_slo_list([]) #Create tenant level SLO with sg_rule_id_egress and add to VNs project_name = self.project.project_name parent_obj = self.vnc_h.project_read( fq_name=[self.connections.domain_name, project_name]) rules_list = [{'uuid':sg_rule_id_egress, 'rate':1}] slo_fixture = self.create_slo(parent_obj, rate=slo_rate, rules_list=rules_list) for vn in self.vn_fixtures: self.add_slo_to_vn(slo_fixture, vn) #With tenant level SLO created above, Client session will match and logged #With global SLO, server session will match and logged self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs']) #Disable global slo again self.set_global_slo_flag(enable=False) #Now no logging should happen self._test_slo_with_fw(create_resources=False, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'], exp_srv_session_count=0, exp_clnt_session_count=0) #Enable global slo again self.set_global_slo_flag(enable=True) #Delete global SLO g_slo_fixture.cleanUp() self._remove_fixture_from_cleanup(g_slo_fixture) #Now only Client session should get logged matching tenant level SLO #Server session should be 0 as it will match ingress rule self._test_slo_with_fw(create_resources=False, exp_srv_session_count=0, slo_fixture=slo_fixture, fw_objs_dict=created_objs['fw_objs'])