def check(self):
    """Confirm the iptables rule for this checker's port forwarding exists.

    Calls the parent check() first, asks test_lib whether the PF rule is
    present in iptables, logs that the existence test finished, and
    passes the boolean to self.judge(), whose result is returned.
    """
    super(zstack_kvm_pf_rule_exist_checker, self).check()
    port_forwarding = self.test_obj.get_port_forwarding()
    rule_present = test_lib.lib_check_vm_pf_rule_exist_in_iptables(port_forwarding)
    test_util.test_logger(
        'Check result: [Port Forwarding] %s finishes rule existance testing'
        % port_forwarding.uuid)
    return self.judge(rule_present)
def check(self):
    """Confirm the iptables rule for this checker's port forwarding exists.

    Calls the parent check() first, asks test_lib whether the PF rule is
    present in iptables, logs that the existence test finished, and
    passes the boolean to self.judge(), whose result is returned.
    """
    super(zstack_vcenter_pf_rule_exist_checker, self).check()
    port_forwarding = self.test_obj.get_port_forwarding()
    rule_present = test_lib.lib_check_vm_pf_rule_exist_in_iptables(port_forwarding)
    test_util.test_logger(
        'Check result: [Port Forwarding] %s finishes rule existance testing'
        % port_forwarding.uuid)
    return self.judge(rule_present)
def check(self):
    """Verify the port-forwarding (PF) rules attached to this checker's VIP.

    Flow as written below:
      * the VIP must still be resolvable and must have at least one PF,
        otherwise the check is judged False right away;
      * with no PF on a running VM, every PF on stopped and detached VMs
        must be denied (check_denied_pf);
      * otherwise TCP PFs are grouped by allowed CIDR and probed from the
        allowed virtual router and from the not-allowed one, and UDP PFs
        are only checked for existence in iptables.

    Any intermediate result that differs from self.exp_result is handed to
    self.judge() immediately; the return value is whatever judge() returns.

    NOTE(review): the original indentation of this method was lost in the
    paste it was taken from; the nesting below is a reconstruction and
    should be confirmed against the source file.
    """
    super(pf_checker, self).check()
    test_result = True
    try:
        # Only the success of the lookup matters; test_vip is never read.
        test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
    except:
        # Bare except: every failure, including BaseException subclasses
        # such as KeyboardInterrupt, is reported as "vip does not exist".
        test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
        self.test_obj.update()
        return self.judge(False)

    if not self.test_obj.get_pf_list():
        test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
        self.test_obj.update()
        return self.judge(False)

    vip = self.test_obj.get_vip()
    vipIp = vip.ip
    all_ports = port_header.all_ports
    pf_running_list = self.test_obj.get_pf_list_for_running_vm()
    pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
    pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
    pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
    pf_detached_list = self.test_obj.get_detached_pf_list()
    # Assigned but not read anywhere below.
    vip_l3 = self.test_obj.get_vip().l3NetworkUuid

    if not pf_running_list:
        # all ports should be denied, since no living vm.
        for pf in pf_stopped_list:
            test_result = self.check_denied_pf(pf)
            if test_result != self.exp_result:
                return self.judge(test_result)
        for pf in pf_detached_list:
            test_result = self.check_denied_pf(pf)
            if test_result != self.exp_result:
                return self.judge(test_result)
    else:
        #open TCP ports for living vms
        for pf in pf_tcp_list:
            target_vm = pf.get_target_vm().vm
            vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)

        #calc allowed ports, per allowed_cidr
        for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
            allowed_ports = []
            # denied_ports aliases port_header.all_ports rather than copying
            # it; if count_pf_allowed_denied_ports mutates its argument the
            # shared list would change -- TODO confirm it does not.
            denied_ports = all_ports
            #find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
            allowed_ports, denied_ports = \
                    self.count_pf_allowed_denied_ports(
                            pf_dict_list, allowed_ports, denied_ports)
            #although the target_vm might be different, but the denied_vr_vm should be same.
            target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
            allowed_vr_vm, denied_vr_vm = \
                    self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
            denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
            try:
                # NOTE(review): target_vm is not reassigned in this loop; it is
                # the value left by the last iteration of the "open TCP ports"
                # loop above -- confirm that is the intended VM for every CIDR.
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
            except:
                # Best-effort: the probe failure is logged with its traceback
                # and recorded as a failed result instead of propagating.
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
                        (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)

            if test_result != self.exp_result:
                return self.judge(test_result)
            test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
                    (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))

            #check denied vr access.
            allowed_ports = []
            denied_ports = all_ports
            #the denied vr might be in other pf rule.
            if denied_vr_ip in pf_tcp_dict.keys():
                allowed_ports, denied_ports = \
                        self.count_pf_allowed_denied_ports(
                                pf_tcp_dict[denied_vr_ip], allowed_ports, denied_ports)
            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
            if test_result != self.exp_result:
                return self.judge(test_result)

        #check pf_udp rule existance.
        for pf in pf_udp_list:
            test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
            test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
            # NOTE(review): with the return inside the loop only the first
            # UDP rule is ever checked; the source text has no exp_result
            # comparison here. Confirm the intended placement of this return.
            return self.judge(test_result)

    test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
    return self.judge(test_result)
def check(self):
    """Verify the port-forwarding (PF) rules attached to this checker's VIP.

    Flow as written below:
      * the VIP must still be resolvable and must have at least one PF,
        otherwise the check is judged False right away;
      * with no PF on a running VM, every PF on stopped and detached VMs
        must be denied (check_denied_pf);
      * otherwise TCP PFs are grouped by allowed CIDR and probed from the
        allowed virtual router and from the not-allowed one, and UDP PFs
        are only checked for existence in iptables.

    Any intermediate result that differs from self.exp_result is handed to
    self.judge() immediately; the return value is whatever judge() returns.

    NOTE(review): the original indentation of this method was lost in the
    paste it was taken from; the nesting below is a reconstruction and
    should be confirmed against the source file.
    """
    super(pf_checker, self).check()
    test_result = True
    try:
        # Only the success of the lookup matters; test_vip is never read.
        test_vip = test_lib.lib_get_vip_by_uuid(self.test_obj.get_vip().uuid)
    except:
        # Bare except: every failure, including BaseException subclasses
        # such as KeyboardInterrupt, is reported as "vip does not exist".
        test_util.test_logger('Check Result: [vip:] %s is not exist' % self.test_obj.get_vip().uuid)
        self.test_obj.update()
        return self.judge(False)

    if not self.test_obj.get_pf_list():
        test_util.test_logger('Check Result: [vip:] %s is not attached to any pf.' % self.test_obj.get_vip().uuid)
        self.test_obj.update()
        return self.judge(False)

    vip = self.test_obj.get_vip()
    vipIp = vip.ip
    all_ports = port_header.all_ports
    pf_running_list = self.test_obj.get_pf_list_for_running_vm()
    pf_tcp_list, pf_udp_list = self.separate_tcp_udp_list(pf_running_list)
    pf_tcp_dict = self.gen_tcp_dict_by_allowed_cidr(pf_tcp_list)
    pf_stopped_list = self.test_obj.get_pf_list_for_stopped_vm()
    pf_detached_list = self.test_obj.get_detached_pf_list()
    # Assigned but not read anywhere below.
    vip_l3 = self.test_obj.get_vip().l3NetworkUuid

    if not pf_running_list:
        # all ports should be denied, since no living vm.
        for pf in pf_stopped_list:
            test_result = self.check_denied_pf(pf)
            if test_result != self.exp_result:
                return self.judge(test_result)
        for pf in pf_detached_list:
            test_result = self.check_denied_pf(pf)
            if test_result != self.exp_result:
                return self.judge(test_result)
    else:
        #open TCP ports for living vms
        for pf in pf_tcp_list:
            target_vm = pf.get_target_vm().vm
            vm_l3 = test_lib.lib_get_nic_by_uuid(pf.get_port_forwarding().vmNicUuid).l3NetworkUuid
            test_lib.lib_open_vm_listen_ports(target_vm, all_ports, vm_l3)

        #calc allowed ports, per allowed_cidr
        for allowed_vr_ip, pf_dict_list in pf_tcp_dict.iteritems():
            allowed_ports = []
            # denied_ports aliases port_header.all_ports rather than copying
            # it; if count_pf_allowed_denied_ports mutates its argument the
            # shared list would change -- TODO confirm it does not.
            denied_ports = all_ports
            #find all pf rules on running vm. These rules are supposed to be connectable, unless they are blocked by target vm's sg.
            allowed_ports, denied_ports = \
                    self.count_pf_allowed_denied_ports(
                            pf_dict_list, allowed_ports, denied_ports)
            #although the target_vm might be different, but the denied_vr_vm should be same.
            target_vm_nic_uuid = pf_dict_list[0].get_port_forwarding().vmNicUuid
            allowed_vr_vm, denied_vr_vm = \
                    self.get_allowed_denied_vr_vm(allowed_vr_ip, target_vm_nic_uuid)
            denied_vr_ip = test_lib.lib_find_vr_pub_ip(denied_vr_vm)
            try:
                # NOTE(review): target_vm is not reassigned in this loop; it is
                # the value left by the last iteration of the "open TCP ports"
                # loop above -- confirm that is the intended VM for every CIDR.
                test_lib.lib_check_ports_in_a_command(allowed_vr_vm, allowed_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
            except:
                # Best-effort: the probe failure is logged with its traceback
                # and recorded as a failed result instead of propagating.
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCP [rules] for allowed Cidr: %s from [vm:] %s . " % \
                        (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)

            if test_result != self.exp_result:
                return self.judge(test_result)
            test_util.test_logger("Checking pass for [vip:] %s Port Forwardings TCP rules for allowed Cidr: %s from [vm:] %s " % \
                    (vip.uuid, allowed_vr_ip, allowed_vr_vm.uuid))

            #check denied vr access.
            allowed_ports = []
            denied_ports = all_ports
            #the denied vr might be in other pf rule.
            if denied_vr_ip in pf_tcp_dict.keys():
                allowed_ports, denied_ports = \
                        self.count_pf_allowed_denied_ports(
                                pf_tcp_dict[denied_vr_ip], allowed_ports, denied_ports)
            try:
                test_lib.lib_check_ports_in_a_command(denied_vr_vm, denied_vr_ip, vipIp, allowed_ports, denied_ports, target_vm)
            except:
                traceback.print_exc(file=sys.stdout)
                test_util.test_logger("Catch failure when checking [vip:] %s Port Forwarding TCPs for not allowed Cidr from [vm:] %s" % (vip.uuid, allowed_vr_vm.uuid))
                test_result = False
                if test_result != self.exp_result:
                    return self.judge(test_result)
            test_util.test_logger("Checking pass for Port Forwarding TCP [rule:] %s for not allowed Cidr from [vm:] %s . All ports should be blocked. " % (vip.uuid, allowed_vr_vm.uuid))
            if test_result != self.exp_result:
                return self.judge(test_result)

        #check pf_udp rule existance.
        for pf in pf_udp_list:
            test_result = test_lib.lib_check_vm_pf_rule_exist_in_iptables(pf.get_port_forwarding())
            test_util.test_logger('Check result: [Port Forwarding] %s finishes UDP rule existance testing' % pf.get_port_forwarding().uuid)
            # NOTE(review): with the return inside the loop only the first
            # UDP rule is ever checked; the source text has no exp_result
            # comparison here. Confirm the intended placement of this return.
            return self.judge(test_result)

    test_util.test_logger('Check result: [Port Forwarding] finishes [vip:] %s TCP testing.' % vip.uuid)
    return self.judge(test_result)