def test_add_acls_with_sec_group(self): expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port( self.fake_port_sg) expected_acls += ovn_acl.add_acl_dhcp( self.fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( self.fake_port_sg, self.fake_sg_rule, 'outport == "' + self.fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), self.fake_port_sg, self.sg_cache, self.sg_ports_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), self.fake_port_sg, {}, {}, {}) self.assertEqual(expected_acls, acls)
def _add_acls(self, admin_context, port, sg_cache, sg_ports_cache, subnet_cache): acl_list = [] sec_groups = port.get('security_groups', []) if not sec_groups: return acl_list # Drop all IP traffic to and from the logical port by default. acl_list += ovn_acl.drop_all_ip_traffic_for_port(port) for ip in port['fixed_ips']: subnet = ovn_acl._get_subnet_from_cache(self._plugin, admin_context, subnet_cache, ip['subnet_id']) if subnet['ip_version'] != 4: continue acl_list += ovn_acl.add_acl_dhcp(port, subnet) # We create an ACL entry for each rule on each security group applied # to this port. for sg_id in sec_groups: sg = ovn_acl._get_sg_from_cache(self._plugin, admin_context, sg_cache, sg_id) for r in sg['security_group_rules']: acl = self._add_sg_rule_acl_for_port(admin_context, port, r, sg_ports_cache, subnet_cache) if acl and acl not in acl_list: acl_list.append(acl) return acl_list
def test_drop_all_ip_traffic_for_port(self): acls = ovn_acl.drop_all_ip_traffic_for_port(self.fake_port) acl_to_lport = { 'action': 'drop', 'direction': 'to-lport', 'external_ids': { 'neutron:lport': self.fake_port['id'] }, 'log': False, 'lport': self.fake_port['id'], 'lswitch': 'neutron-network_id1', 'match': 'outport == "fake_port_id1" && ip', 'priority': 1001 } acl_from_lport = { 'action': 'drop', 'direction': 'from-lport', 'external_ids': { 'neutron:lport': self.fake_port['id'] }, 'log': False, 'lport': self.fake_port['id'], 'lswitch': 'neutron-network_id1', 'match': 'inport == "fake_port_id1" && ip', 'priority': 1001 } for acl in acls: if 'to-lport' in acl.values(): self.assertEqual(acl_to_lport, acl) if 'from-lport' in acl.values(): self.assertEqual(acl_from_lport, acl)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={ 'security_groups': [self.fake_sg['id']], 'fixed_ips': [{ 'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.20' }] }).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch('networking_ovn.common.acl.is_sg_enabled', return_value=False): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg['fixed_ips'].append({ 'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.21' }) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={ "security_groups": [self.fake_sg["id"]], "fixed_ips": [{"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.20"}], } ).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg["id"] + '" ' + "&& ip4 && ip4.src == 0.0.0.0/0 " + "&& tcp && tcp.dst == 22", ) expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch( "neutron.db.db_base_plugin_v2." "NeutronDbPluginV2.get_subnet", return_value=self.fake_subnet ), mock.patch( "neutron.db.securitygroups_db." "SecurityGroupDbMixin.get_security_group", return_value=self.fake_sg ): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch("networking_ovn.common.acl.is_sg_enabled", return_value=False): acls = ovn_acl.add_acls( self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache ) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg["fixed_ips"].append({"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.21"}) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)
def test_drop_all_ip_traffic_for_port(self): acls = ovn_acl.drop_all_ip_traffic_for_port(self.fake_port) acl_to_lport = {'action': 'drop', 'direction': 'to-lport', 'external_ids': {'neutron:lport': self.fake_port['id']}, 'log': False, 'lport': self.fake_port['id'], 'lswitch': 'neutron-network_id1', 'match': 'outport == "fake_port_id1" && ip', 'priority': 1001} acl_from_lport = {'action': 'drop', 'direction': 'from-lport', 'external_ids': {'neutron:lport': self.fake_port['id']}, 'log': False, 'lport': self.fake_port['id'], 'lswitch': 'neutron-network_id1', 'match': 'inport == "fake_port_id1" && ip', 'priority': 1001} for acl in acls: if 'to-lport' in acl.values(): self.assertEqual(acl_to_lport, acl) if 'from-lport' in acl.values(): self.assertEqual(acl_from_lport, acl)
def _add_acls(self, admin_context, port, sg_cache, sg_ports_cache, subnet_cache): acl_list = [] sec_groups = port.get('security_groups', []) if not sec_groups: return acl_list # Drop all IP traffic to and from the logical port by default. acl_list += ovn_acl.drop_all_ip_traffic_for_port(port) for ip in port['fixed_ips']: subnet = ovn_acl._get_subnet_from_cache(self._plugin, admin_context, subnet_cache, ip['subnet_id']) if subnet['ip_version'] != 4: continue acl_list += ovn_acl.add_acl_dhcp(port, subnet) # We create an ACL entry for each rule on each security group applied # to this port. for sg_id in sec_groups: sg = ovn_acl._get_sg_from_cache(self._plugin, admin_context, sg_cache, sg_id) for r in sg['security_group_rules']: acl = self._add_sg_rule_acl_for_port(admin_context, port, r, sg_ports_cache, subnet_cache) if acl and acl not in acl_list: acl_list.append(acl) return acl_list
def _test_add_acls_with_sec_group_helper(self, native_dhcp=True): fake_port_sg = fakes.FakePort.create_one_port( attrs={'security_groups': [self.fake_sg['id']], 'fixed_ips': [{'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.20'}]} ).info() expected_acls = [] expected_acls += ovn_acl.drop_all_ip_traffic_for_port( fake_port_sg) if not native_dhcp: expected_acls += ovn_acl.add_acl_dhcp( fake_port_sg, self.fake_subnet) sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port( fake_port_sg, self.fake_sg_rule, 'outport == "' + fake_port_sg['id'] + '" ' + '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22') expected_acls.append(sg_rule_acl) # Test with caches acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls) # Test without caches with mock.patch('neutron.db.db_base_plugin_v2.' 'NeutronDbPluginV2.get_subnet', return_value=self.fake_subnet), \ mock.patch('neutron.db.securitygroups_db.' 'SecurityGroupDbMixin.get_security_group', return_value=self.fake_sg): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {}) self.assertEqual(expected_acls, acls) # Test with security groups disabled with mock.patch('networking_ovn.common.acl.is_sg_enabled', return_value=False): acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual([], acls) # Test with multiple fixed IPs on the same subnet. fake_port_sg['fixed_ips'].append({'subnet_id': self.fake_subnet['id'], 'ip_address': '10.10.10.21'}) acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache) self.assertEqual(expected_acls, acls)