def _setup_firewall(self, ri, fw):
client = self._get_vyatta_client(ri.router)
fw_cmd_list = []
# Create firewall
fw_name = vyatta_utils.get_firewall_name(ri, fw)
fw_cmd_list.append(
vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(fw_name))))
if fw.get('description'):
fw_cmd_list.append(
vyatta_client.SetCmd(
FW_DESCRIPTION.format(parse.quote_plus(fw_name),
parse.quote_plus(
fw['description']))))
# Set firewall state policy
fw_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
fw_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))
# Create firewall rules
rule_num = 0
for rule in fw['firewall_rule_list']:
if not rule['enabled']:
continue
if rule['ip_version'] == 4:
rule_num += 1
fw_cmd_list += self._set_firewall_rule(fw_name, rule_num, rule)
else:
LOG.warning(_LW("IPv6 rules are not supported."))
# Configure router zones
zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, fw_name)
client.exec_cmd_batch(fw_cmd_list + zone_cmd_list)
def test_update_static_routes(self):
cmd_batch_mock = mock.Mock()
mock_object(vyatta_client.VRouterRestAPIClient, 'exec_cmd_batch',
cmd_batch_mock)
RouteRule = vyatta_utils.RouteRule
routes_to_add = tuple((
RouteRule(dest_cidr='10.1.0.0/24', next_hop='192.168.1.1'),
RouteRule(dest_cidr='10.2.0.0/24', next_hop='192.168.1.1'),
))
routes_to_del = tuple((RouteRule(dest_cidr='10.3.0.0/24',
next_hop='192.168.1.1'), ))
client = self._create_client()
client.update_static_routes(routes_to_add, routes_to_del)
expected_batch = list()
for rule in routes_to_add:
cmd = vyatta_client.SetCmd(
('protocols/static/route/{0}/next-hop/{1}').format(
urllib.quote_plus(rule.dest_cidr),
urllib.quote_plus(rule.next_hop)))
expected_batch.append(cmd)
for rule in routes_to_del:
cmd = vyatta_client.DeleteCmd('protocols/static/route/{0}'.format(
urllib.quote_plus(rule.dest_cidr)))
expected_batch.append(cmd)
cmd_batch_mock.assert_called_once_with(expected_batch)
def test_get_zone_cmds(self):
firewall_name = 'fake_firewall0'
eth_iface = 'eth0'
fake_api = mock.NonCallableMock()
fake_api.get_ethernet_if_id.return_value = eth_iface
mac_address = '00:00:00:00:00:00'
fake_apply_rule = mock.NonCallableMock()
fake_apply_rule.router = {
'gw_port': {
'mac_address': mac_address
},
l3_constants.INTERFACE_KEY: [{
'mac_address': mac_address
}]
}
trusted_zone_name = vyatta_utils.get_trusted_zone_name(fake_apply_rule)
untrusted_zone_name = vyatta_utils.get_untrusted_zone_name(
fake_apply_rule)
cmds_actual = vyatta_utils.get_zone_cmds(fake_api, fake_apply_rule,
firewall_name)
cmds_expect = [
vyatta_client.DeleteCmd('zone-policy'),
vyatta_client.SetCmd(
vyatta_utils.ZONE_INTERFACE_CMD.format(trusted_zone_name,
eth_iface)),
vyatta_client.SetCmd(
vyatta_utils.ZONE_INTERFACE_CMD.format(untrusted_zone_name,
eth_iface)),
vyatta_client.SetCmd(
vyatta_utils.ZONE_FIREWALL_CMD.format(
trusted_zone_name, untrusted_zone_name,
parse.quote_plus(firewall_name))),
vyatta_client.SetCmd(
vyatta_utils.ZONE_FIREWALL_CMD.format(
untrusted_zone_name, trusted_zone_name,
parse.quote_plus(firewall_name))),
]
self.assertEqual(cmds_expect, cmds_actual)
fake_api.get_ethernet_if_id.assert_has_calls([
mock.call(mac_address),
mock.call(mac_address),
])
def get_zone_cmds(rest_api, ri, opt_name):
"""Return zone update commands for Vyatta vRouter.
Commands chain drops all zone-policy zones and create new zones
based on internal interfaces and external gateway.
"""
cmd_list = []
# Delete the zone policies
cmd_list.append(vyatta_client.DeleteCmd("zone-policy"))
# Configure trusted zone
trusted_zone_name = None
# Add internal ports to trusted zone
if l3_constants.INTERFACE_KEY in ri.router:
trusted_zone_name = parse.quote_plus(get_trusted_zone_name(ri))
for port in ri.router[l3_constants.INTERFACE_KEY]:
eth_if_id = rest_api.get_ethernet_if_id(port['mac_address'])
cmd_list.append(
vyatta_client.SetCmd(
ZONE_INTERFACE_CMD.format(trusted_zone_name, eth_if_id)))
# Configure untrusted zone
untrusted_zone_name = get_untrusted_zone_name(ri)
if untrusted_zone_name is not None:
# Add external ports to untrusted zone
if 'gw_port' in ri.router:
gw_port = ri.router['gw_port']
eth_if_id = rest_api.get_ethernet_if_id(gw_port['mac_address'])
cmd_list.append(
vyatta_client.SetCmd(
ZONE_INTERFACE_CMD.format(untrusted_zone_name, eth_if_id)))
if trusted_zone_name is not None:
# Associate optimizer to zone
cmd_list.append(
vyatta_client.SetCmd(
ZONE_OPTIMIZER_CMD.format(trusted_zone_name,
untrusted_zone_name,
parse.quote_plus(opt_name))))
cmd_list.append(
vyatta_client.SetCmd(
ZONE_OPTIMIZER_CMD.format(untrusted_zone_name,
trusted_zone_name,
parse.quote_plus(opt_name))))
return cmd_list
def test_set_optimizer_rule_internal(self):
fake_rule = self._make_fake_opt_rule()
fake_optimizer_name = 'fake-opt-name'
fake_rule.update({
'description': 'rule description',
'source_port': '2080',
'destination_ip_address': '172.16.1.1'
})
action_map = {
'allow': 'accept',
}
cmds_actual = self.oaas_driver._set_optimizer_rule(
fake_optimizer_name, 1, fake_rule)
cmds_expect = [
vyatta_client.SetCmd(
vyatta_oaas.FW_RULE_DESCRIPTION.format(
parse.quote_plus(fake_optimizer_name), 1,
parse.quote_plus(fake_rule['description'])))
]
rules = [
('protocol', vyatta_oaas.FW_RULE_PROTOCOL),
('source_port', vyatta_oaas.FW_RULE_SRC_PORT),
('destination_port', vyatta_oaas.FW_RULE_DEST_PORT),
('source_ip_address', vyatta_oaas.FW_RULE_SRC_ADDR),
('destination_ip_address', vyatta_oaas.FW_RULE_DEST_ADDR),
]
for key, url in rules:
cmds_expect.append(
vyatta_client.SetCmd(
url.format(parse.quote_plus(fake_optimizer_name), 1,
parse.quote_plus(fake_rule[key]))))
cmds_expect.append(
vyatta_client.SetCmd(
vyatta_oaas.FW_RULE_ACTION.format(
parse.quote_plus(fake_optimizer_name), 1,
action_map.get(fake_rule['action'], 'drop'))))
self.assertEqual(cmds_expect, cmds_actual)
def test_configure_cmd_batch(self):
client = self._create_client()
cmd_list = [
vyatta_client.SetCmd('cmd1'),
vyatta_client.DeleteCmd('cmd2')
]
client.exec_cmd_batch(cmd_list)
self.assertEqual(self._rest_mock.call_count, len(cmd_list) + 4)
def _set_firewall_rule(self, fw_name, rule_num, rule):
cmd_list = []
if 'description' in rule and len(rule['description']) > 0:
cmd_list.append(
vyatta_client.SetCmd(
FW_RULE_DESCRIPTION.format(
parse.quote_plus(fw_name), rule_num,
parse.quote_plus(rule['description']))))
rules = [
('protocol', FW_RULE_PROTOCOL),
('source_port', FW_RULE_SRC_PORT),
('destination_port', FW_RULE_DEST_PORT),
('source_ip_address', FW_RULE_SRC_ADDR),
('destination_ip_address', FW_RULE_DEST_ADDR),
]
for key, url in rules:
field = rule.get(key)
if field is None:
continue
# For safety and extensibility we need to use quote_plus
# for all data retrieved from external sources.
cmd_list.append(
vyatta_client.SetCmd(
url.format(parse.quote_plus(fw_name), rule_num,
parse.quote_plus(field))))
if 'action' in rule:
if rule['action'] == 'allow':
action = 'accept'
else:
action = 'drop'
cmd_list.append(
vyatta_client.SetCmd(
FW_RULE_ACTION.format(parse.quote_plus(fw_name), rule_num,
action)))
return cmd_list
def test_setup_firewall_internal(self):
fake_rule = self._make_fake_fw_rule()
fake_router_info = self._make_fake_router_info()
fake_rule_cmd = 'fake-fw-rule0'
fake_zone_configure_rules = ['fake-config-rule0']
mock_api = mock.Mock()
mock_api_gen = mock.Mock(return_value=mock_api)
mock_get_firewall_rule = mock.Mock(return_value=[fake_rule_cmd])
mock_get_zone_cmds = mock.Mock(return_value=fake_zone_configure_rules)
with mock.patch.object(self.fwaas_driver, '_get_vyatta_client',
mock_api_gen), \
mock.patch.object(vyatta_fwaas.vyatta_utils, 'get_zone_cmds',
mock_get_zone_cmds), \
mock.patch.object(self.fwaas_driver, '_set_firewall_rule',
mock_get_firewall_rule):
self.fwaas_driver._setup_firewall(fake_router_info,
self.fake_firewall)
mock_api_gen.assert_called_once_with(fake_router_info.router)
mock_get_firewall_rule.assert_called_once_with(
self.fake_firewall_name, 1, fake_rule)
mock_get_zone_cmds.assert_called_once_with(mock_api,
fake_router_info,
self.fake_firewall_name)
cmds = [
vyatta_client.SetCmd(
vyatta_fwaas.FW_NAME.format(self.fake_firewall_name)),
vyatta_client.SetCmd(
vyatta_fwaas.FW_DESCRIPTION.format(
self.fake_firewall_name,
parse.quote_plus(self.fake_firewall['description']))),
vyatta_client.SetCmd(vyatta_fwaas.FW_ESTABLISHED_ACCEPT),
vyatta_client.SetCmd(vyatta_fwaas.FW_RELATED_ACCEPT),
fake_rule_cmd,
] + fake_zone_configure_rules
mock_api.exec_cmd_batch.assert_called_once_with(cmds)
def _setup_optimizer(self, ri, opt):
client = self._get_vyatta_client(ri.router)
opt_cmd_list = []
# Create optimizer
opt_name = vyatta_utils.get_optimizer_name(ri, opt)
opt_cmd_list.append(
vyatta_client.SetCmd(FW_NAME.format(parse.quote_plus(opt_name))))
if opt.get('description'):
opt_cmd_list.append(
vyatta_client.SetCmd(
FW_DESCRIPTION.format(parse.quote_plus(opt_name),
parse.quote_plus(
opt['description']))))
# Set optimizer state policy
opt_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
opt_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))
# Create optimizer rules
rule_num = 0
for rule in opt['optimizer_rule_list']:
if not rule['enabled']:
continue
if rule['ip_version'] == 4:
rule_num += 1
opt_cmd_list += self._set_optimizer_rule(
opt_name, rule_num, rule)
else:
LOG.warn(_LW("IPv6 rules are not supported."))
# Configure router zones
zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, opt_name)
client.exec_cmd_batch(opt_cmd_list + zone_cmd_list)
