def _test_assert_pings_during_br_phys_setup_not_lost(self, provider_net):
# Separate namespace is needed when pinging from one port to another,
# otherwise Linux ping uses loopback instead for sending and receiving
# ping, hence ignoring flow setup.
ns_phys = self.useFixture(net_helpers.NamespaceFixture()).name
ports = self.create_test_ports(amount=2)
port_int = ports[0]
port_phys = ports[1]
ip_int = port_int['fixed_ips'][0]['ip_address']
ip_phys = port_phys['fixed_ips'][0]['ip_address']
self.setup_agent_and_ports(port_dicts=[port_int], create_tunnels=False,
network=provider_net)
self.plug_ports_to_phys_br(provider_net, [port_phys],
namespace=ns_phys)
# The OVS agent doesn't monitor the physical bridges, no notification
# is sent when a port is up on a physical bridge, hence waiting only
# for the ports connected to br-int
self.wait_until_ports_state([port_int], up=True)
# sanity pings before we start
net_helpers.assert_ping(ns_phys, ip_int)
net_helpers.assert_ping(self.namespace, ip_phys)
with net_helpers.async_ping(ns_phys, [ip_int]) as done:
while not done():
self.agent.setup_physical_bridges(self.agent.bridge_mappings)
time.sleep(0.25)
with net_helpers.async_ping(self.namespace, [ip_phys]) as done:
while not done():
self.agent.setup_physical_bridges(self.agent.bridge_mappings)
time.sleep(0.25)
def test_fip_connection_for_address_scope(self):
self.agent.conf.agent_mode = 'dvr_snat'
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
router.router[l3_constants.FLOATINGIP_KEY] = []
fip_same_scope = '19.4.4.10'
self._add_fip(router, fip_same_scope,
fixed_address=machine_same_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope1')
fip_diff_scope = '19.4.4.11'
self._add_fip(router, fip_diff_scope,
fixed_address=machine_diff_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope2')
router.process(self.agent)
br_ex = framework.get_ovs_bridge(
self.agent.conf.external_network_bridge)
src_machine = self.useFixture(
machine_fixtures.FakeMachine(br_ex, '19.4.4.12/24'))
# Floating ip should work no matter of address scope
net_helpers.assert_ping(src_machine.namespace, fip_same_scope, 5)
net_helpers.assert_ping(src_machine.namespace, fip_diff_scope, 5)
def test_connection_from_same_address_scope(self):
test_machine1, test_machine2, _ = self._setup_address_scope(
'scope1', 'scope1')
# Internal networks that are in the same address scope can connected
# each other
net_helpers.assert_ping(test_machine1.namespace, test_machine2.ip)
net_helpers.assert_ping(test_machine2.namespace, test_machine1.ip)
def check_ping(self, from_site, to_site, instance=0, success=True):
if success:
net_helpers.assert_ping(from_site.vm[instance].namespace, to_site.vm[instance].port_ip, timeout=8, count=4)
else:
net_helpers.assert_no_ping(
from_site.vm[instance].namespace, to_site.vm[instance].port_ip, timeout=8, count=4
)
def test_connection_from_same_address_scope(self):
self.agent.conf.agent_mode = "dvr_snat"
test_machine1, test_machine2, _ = self._setup_address_scope("scope1", "scope1")
# Internal networks that are in the same address scope can connected
# each other
net_helpers.assert_ping(test_machine1.namespace, test_machine2.ip, 5)
net_helpers.assert_ping(test_machine2.namespace, test_machine1.ip, 5)
def test_fip_connection_for_address_scope(self):
self.agent.conf.agent_mode = 'dvr_snat'
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
router.router[l3_constants.FLOATINGIP_KEY] = []
fip_same_scope = '19.4.4.10'
self._add_fip(router,
fip_same_scope,
fixed_address=machine_same_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope1')
fip_diff_scope = '19.4.4.11'
self._add_fip(router,
fip_diff_scope,
fixed_address=machine_diff_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope2')
router.process(self.agent)
br_ex = framework.get_ovs_bridge(
self.agent.conf.external_network_bridge)
src_machine = self.useFixture(
machine_fixtures.FakeMachine(br_ex, '19.4.4.12/24'))
# Floating ip should work no matter of address scope
net_helpers.assert_ping(src_machine.namespace, fip_same_scope, 5)
net_helpers.assert_ping(src_machine.namespace, fip_diff_scope, 5)
def test_connection_from_same_address_scope(self):
test_machine1, test_machine2, _ = self._setup_address_scope(
'scope1', 'scope1')
# Internal networks that are in the same address scope can connected
# each other
net_helpers.assert_ping(test_machine1.namespace, test_machine2.ip)
net_helpers.assert_ping(test_machine2.namespace, test_machine1.ip)
def _test_assert_pings_during_br_phys_setup_not_lost(self, provider_net):
# Separate namespace is needed when pinging from one port to another,
# otherwise Linux ping uses loopback instead for sending and receiving
# ping, hence ignoring flow setup.
ns_phys = self.useFixture(net_helpers.NamespaceFixture()).name
ports = self.create_test_ports(amount=2)
port_int = ports[0]
port_phys = ports[1]
ip_int = port_int['fixed_ips'][0]['ip_address']
ip_phys = port_phys['fixed_ips'][0]['ip_address']
self.setup_agent_and_ports(port_dicts=[port_int], create_tunnels=False,
network=provider_net)
self.plug_ports_to_phys_br(provider_net, [port_phys],
namespace=ns_phys)
# The OVS agent doesn't monitor the physical bridges, no notification
# is sent when a port is up on a physical bridge, hence waiting only
# for the ports connected to br-int
self.wait_until_ports_state([port_int], up=True)
# sanity pings before we start
net_helpers.assert_ping(ns_phys, ip_int)
net_helpers.assert_ping(self.namespace, ip_phys)
with net_helpers.async_ping(ns_phys, [ip_int]) as done:
while not done():
self.agent.setup_physical_bridges(self.agent.bridge_mappings)
time.sleep(0.25)
with net_helpers.async_ping(self.namespace, [ip_phys]) as done:
while not done():
self.agent.setup_physical_bridges(self.agent.bridge_mappings)
time.sleep(0.25)
def test_arp_spoof_disable_network_port(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ["192.168.0.3"])
self._setup_arp_spoof_for_port(self.dst_p.name, ["192.168.0.3"], device_owner=n_const.DEVICE_OWNER_ROUTER_GW)
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def _test_icmp_connectivity(self, direction, protocol, src_port, dst_port):
src_namespace, ip_address = self._get_namespace_and_address(direction)
try:
net_helpers.assert_ping(src_namespace, ip_address)
except RuntimeError:
raise ConnectionTesterException(
"ICMP packets can't get from %s namespace to %s address" % (
src_namespace, ip_address))
def test_arp_spoof_disable_port_security(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ["192.168.0.3"])
self._setup_arp_spoof_for_port(self.dst_p.name, ["192.168.0.3"], psec=False)
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def _test_icmp_connectivity(self, direction, protocol, src_port, dst_port):
src_namespace, ip_address = self._get_namespace_and_address(direction)
try:
net_helpers.assert_ping(src_namespace, ip_address)
except RuntimeError:
raise ConnectionTesterException(
"ICMP packets can't get from %s namespace to %s address" %
(src_namespace, ip_address))
def test_mac_spoof_blocks_wrong_mac(self):
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
# changing the allowed mac should stop the port from working
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr], mac="00:11:22:33:44:55")
net_helpers.assert_no_ping(self.src_namespace, self.dst_addr)
def check_ping(self, from_site, to_site, instance=0, success=True):
if success:
net_helpers.assert_ping(from_site.vm[instance].namespace,
to_site.vm[instance].port_ip,
timeout=8, count=4)
else:
net_helpers.assert_no_ping(from_site.vm[instance].namespace,
to_site.vm[instance].port_ip,
timeout=8, count=4)
def test_arp_spoof_disable_network_port(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'],
device_owner='network:router_gateway')
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_arp_spoof_disable_network_port(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'],
device_owner='network:router_gateway')
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_arp_spoof_disable_port_security(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'],
psec=False)
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def _test_icmp_connectivity(self, direction, protocol, src_port, dst_port):
src_namespace, ip_address = self._get_namespace_and_address(direction)
ip_version = ip_lib.get_ip_version(ip_address)
icmp_timeout = ICMP_VERSION_TIMEOUTS[ip_version]
try:
net_helpers.assert_ping(src_namespace, ip_address, timeout=icmp_timeout)
except RuntimeError:
raise ConnectionTesterException(
"ICMP packets can't get from %s namespace to %s address" % (src_namespace, ip_address)
)
def test_mac_spoof_blocks_wrong_mac(self):
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
# changing the allowed mac should stop the port from working
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr],
mac='00:11:22:33:44:55')
net_helpers.assert_no_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_icmpv6_neigh_advt_allowed_address_pairs(self):
self.src_addr = "2000::1"
self.dst_addr = "2000::2"
self._setup_arp_spoof_for_port(self.dst_p.name, ["2000::3", self.dst_addr])
self.src_p.addr.add("%s/64" % self.src_addr)
self.dst_p.addr.add("%s/64" % self.dst_addr)
# make sure the IPv6 addresses are ready before pinging
self.src_p.addr.wait_until_address_ready(self.src_addr)
self.dst_p.addr.wait_until_address_ready(self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_disable_network_port(self):
# block first and then disable port security to make sure old rules
# are cleared
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
self._setup_arp_spoof_for_port(
self.dst_p.name, ['192.168.0.3'],
device_owner=n_const.DEVICE_OWNER_ROUTER_GW)
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_icmpv6_neigh_advt_allowed_address_pairs(self):
self.src_addr = '2000::1'
self.dst_addr = '2000::2'
self._setup_arp_spoof_for_port(self.dst_p.name, ['2000::3',
self.dst_addr])
self.src_p.addr.add('%s/64' % self.src_addr)
self.dst_p.addr.add('%s/64' % self.dst_addr)
# make sure the IPv6 addresses are ready before pinging
self.src_p.addr.wait_until_address_ready(self.src_addr)
self.dst_p.addr.wait_until_address_ready(self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def _test_icmp_connectivity(self, direction, protocol, src_port, dst_port):
src_namespace, ip_address = self._get_namespace_and_address(direction)
ip_version = ip_lib.get_ip_version(ip_address)
icmp_timeout = ICMP_VERSION_TIMEOUTS[ip_version]
try:
net_helpers.assert_ping(src_namespace, ip_address,
timeout=icmp_timeout)
except RuntimeError:
raise ConnectionTesterException(
"ICMP packets can't get from %s namespace to %s address" % (
src_namespace, ip_address))
def test_arp_spoof_doesnt_block_ipv6(self):
self.src_addr = '2000::1'
self.dst_addr = '2000::2'
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add('%s/64' % self.src_addr)
self.dst_p.addr.add('%s/64' % self.dst_addr)
# make sure the IPv6 addresses are ready before pinging
self.src_p.addr.wait_until_address_ready(self.src_addr)
self.dst_p.addr.wait_until_address_ready(self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_doesnt_block_ipv6(self):
self.src_addr = "2000::1"
self.dst_addr = "2000::2"
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add("%s/64" % self.src_addr)
self.dst_p.addr.add("%s/64" % self.dst_addr)
# make sure the IPv6 addresses are ready before pinging
self.src_p.addr.wait_until_address_ready(self.src_addr)
self.dst_p.addr.wait_until_address_ready(self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_connection_from_diff_address_scope_with_fip(self):
(machine_same_scope, machine_diff_scope, router) = self._setup_address_scope("scope1", "scope2", "scope1")
router.router[l3_constants.FLOATINGIP_KEY] = []
fip = "19.4.4.11"
self._add_fip(router, fip, fixed_address=machine_diff_scope.ip, fixed_ip_address_scope="scope2")
router.process(self.agent)
# For the internal networks that are in the same address scope as
# external network, they should be able to reach the floating ip
net_helpers.assert_ping(machine_same_scope.namespace, fip, 5)
# For the port with fip, it should be able to reach the internal
# networks that are in the same address scope as external network
net_helpers.assert_ping(machine_diff_scope.namespace, machine_same_scope.ip, 5)
def test_fip_connection_for_address_scope(self):
(machine_same_scope, machine_diff_scope, router) = self._setup_address_scope("scope1", "scope2", "scope1")
router.router[l3_constants.FLOATINGIP_KEY] = []
fip_same_scope = "19.4.4.10"
self._add_fip(router, fip_same_scope, fixed_address=machine_same_scope.ip, fixed_ip_address_scope="scope1")
fip_diff_scope = "19.4.4.11"
self._add_fip(router, fip_diff_scope, fixed_address=machine_diff_scope.ip, fixed_ip_address_scope="scope2")
router.process(self.agent)
br_ex = framework.get_ovs_bridge(self.agent.conf.external_network_bridge)
src_machine = self.useFixture(machine_fixtures.FakeMachine(br_ex, "19.4.4.12/24"))
# Floating ip should work no matter of address scope
net_helpers.assert_ping(src_machine.namespace, fip_same_scope, 5)
net_helpers.assert_ping(src_machine.namespace, fip_diff_scope, 5)
def test_direct_route_for_address_scope(self):
(machine_same_scope, machine_diff_scope, router) = self._setup_address_scope("scope1", "scope2", "scope1")
gw_port = router.get_ex_gw_port()
gw_ip = self._port_first_ip_cidr(gw_port).partition("/")[0]
br_ex = framework.get_ovs_bridge(self.agent.conf.external_network_bridge)
src_machine = self.useFixture(machine_fixtures.FakeMachine(br_ex, "19.4.4.12/24", gw_ip))
# For the internal networks that are in the same address scope as
# external network, they can directly route to external network
net_helpers.assert_ping(src_machine.namespace, machine_same_scope.ip, 5)
# For the internal networks that are not in the same address scope as
# external networks. SNAT will be used. Direct route will not work
# here.
src_machine.assert_no_ping(machine_diff_scope.ip)
def test_connection_from_diff_address_scope_with_fip(self):
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
fip = '19.4.4.11'
self._add_fip(router, fip,
fixed_address=machine_diff_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope2')
router.process(self.agent)
# For the internal networks that are in the same address scope as
# external network, they should be able to reach the floating ip
net_helpers.assert_ping(machine_same_scope.namespace, fip, 5)
# For the port with fip, it should be able to reach the internal
# networks that are in the same address scope as external network
net_helpers.assert_ping(machine_diff_scope.namespace,
machine_same_scope.ip, 5)
def test_connection_from_diff_address_scope_with_fip(self):
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
fip = '19.4.4.11'
self._add_fip(router, fip,
fixed_address=machine_diff_scope.ip,
host=self.agent.conf.host,
fixed_ip_address_scope='scope2')
router.process(self.agent)
# For the internal networks that are in the same address scope as
# external network, they should be able to reach the floating ip
net_helpers.assert_ping(machine_same_scope.namespace, fip, 5)
# For the port with fip, it should be able to reach the internal
# networks that are in the same address scope as external network
net_helpers.assert_ping(machine_diff_scope.namespace,
machine_same_scope.ip, 5)
def test_ipsec_site_connections(self):
site1, site2 = self._create_ipsec_site_connection()
net_helpers.assert_no_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_no_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
self.driver.sync(mock.Mock(), [{'id': site1['router'].router_id},
{'id': site2['router'].router_id}])
self.addCleanup(
self.driver._delete_vpn_processes,
[site1['router'].router_id, site2['router'].router_id], [])
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
def test_direct_route_for_address_scope(self):
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
gw_port = router.get_ex_gw_port()
gw_ip = self._port_first_ip_cidr(gw_port).partition('/')[0]
br_int = framework.get_ovs_bridge(
self.agent.conf.OVS.integration_bridge)
src_machine = self.useFixture(
machine_fixtures.FakeMachine(br_int, '19.4.4.12/24', gw_ip))
# For the internal networks that are in the same address scope as
# external network, they can directly route to external network
net_helpers.assert_ping(src_machine.namespace, machine_same_scope.ip)
# For the internal networks that are not in the same address scope as
# external networks. SNAT will be used. Direct route will not work
# here.
src_machine.assert_no_ping(machine_diff_scope.ip)
def test_ipsec_site_connections(self):
device = self.vpn_agent.device_drivers[0]
# Mock the method below because it causes Exception:
# RuntimeError: Second simultaneous read on fileno 5 detected.
# Unless you really know what you're doing, make sure that only
# one greenthread can read any particular socket. Consider using
# a pools.Pool. If you do know what you're doing and want to disable
# this error, call eventlet.debug.hub_prevent_multiple_readers(False)
# Can reproduce the exception in the test only
ip_lib.send_ip_addr_adv_notif = mock.Mock()
# There are no vpn services yet. get_vpn_services_on_host returns
# empty list
device.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[])
# instantiate network resources "router", "private network"
private_nets = list(PRIVATE_NET.subnet(24))
site1 = self.site_setup(PUBLIC_NET[4], private_nets[1])
site2 = self.site_setup(PUBLIC_NET[5], private_nets[2])
# build vpn resources
self.prepare_ipsec_conn_info(site1['vpn_service'],
site2['vpn_service'])
self.prepare_ipsec_conn_info(site2['vpn_service'],
site1['vpn_service'])
device.report_status = mock.Mock()
device.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[site1['vpn_service'],
site2['vpn_service']])
net_helpers.assert_no_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_no_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
device.sync(mock.Mock(), [{'id': site1['router'].router_id},
{'id': site2['router'].router_id}])
self.addCleanup(
device._delete_vpn_processes,
[site1['router'].router_id, site2['router'].router_id], [])
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
def test_fip_connection_for_address_scope(self):
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
router.router[lib_constants.FLOATINGIP_KEY] = []
fip_same_scope = '19.4.4.10'
self._add_fip(router, fip_same_scope,
fixed_address=machine_same_scope.ip,
fixed_ip_address_scope='scope1')
fip_diff_scope = '19.4.4.11'
self._add_fip(router, fip_diff_scope,
fixed_address=machine_diff_scope.ip,
fixed_ip_address_scope='scope2')
router.process()
br_int = framework.get_ovs_bridge(
self.agent.conf.ovs_integration_bridge)
src_machine = self.useFixture(
machine_fixtures.FakeMachine(br_int, '19.4.4.12/24'))
# Floating ip should work no matter of address scope
net_helpers.assert_ping(src_machine.namespace, fip_same_scope)
net_helpers.assert_ping(src_machine.namespace, fip_diff_scope)
def test_fip_connection_for_address_scope(self):
(machine_same_scope, machine_diff_scope,
router) = self._setup_address_scope('scope1', 'scope2', 'scope1')
router.router[lib_constants.FLOATINGIP_KEY] = []
fip_same_scope = '19.4.4.10'
self._add_fip(router, fip_same_scope,
fixed_address=machine_same_scope.ip,
fixed_ip_address_scope='scope1')
fip_diff_scope = '19.4.4.11'
self._add_fip(router, fip_diff_scope,
fixed_address=machine_diff_scope.ip,
fixed_ip_address_scope='scope2')
router.process()
br_int = framework.get_ovs_bridge(
self.agent.conf.ovs_integration_bridge)
src_machine = self.useFixture(
machine_fixtures.FakeMachine(br_int, '19.4.4.12/24'))
# Floating ip should work no matter of address scope
net_helpers.assert_ping(src_machine.namespace, fip_same_scope)
net_helpers.assert_ping(src_machine.namespace, fip_diff_scope)
def test_list_tc_policy_class_retrieve_statistics(self):
statistics = {
'bytes', 'packets', 'drop', 'overlimits', 'bps', 'pps', 'qlen',
'backlog'
}
self._create_two_namespaces()
tc_lib.add_tc_qdisc(self.device[0],
'htb',
parent='root',
handle='1:',
namespace=self.ns[0])
tc_lib.add_tc_policy_class(self.device[0],
'1:',
'1:10',
max_kbps=1000,
burst_kb=900,
min_kbps=500,
namespace=self.ns[0])
tc_lib.add_tc_filter_match_mac(self.device[0],
'1:',
'1:10',
self.mac[1],
namespace=self.ns[0])
tc_classes = tc_lib.list_tc_policy_class(self.device[0],
namespace=self.ns[0])
self.assertEqual(1, len(tc_classes))
self.assertEqual(statistics, set(tc_classes[0]['stats']))
bytes = tc_classes[0]['stats']['bytes']
packets = tc_classes[0]['stats']['packets']
net_helpers.assert_ping(self.ns[1],
str(netaddr.IPNetwork(self.ip[0]).ip),
count=1)
tc_classes = tc_lib.list_tc_policy_class(self.device[0],
namespace=self.ns[0])
self.assertGreater(tc_classes[0]['stats']['bytes'], bytes)
self.assertGreater(tc_classes[0]['stats']['packets'], packets)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
'1.2.3.4'])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_allowed_address_pairs(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3',
self.dst_addr])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
'1.2.3.4'])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. test other protocol functionality by using SCTP protocol
"""
index_to_sg = [0, 0, 1]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 3
else:
index_to_host = [0, 1, 1]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(
tenant_uuid, network['id'], '20.0.0.0/24')
sgs = [self.safe_client.create_security_group(tenant_uuid)
for i in range(2)]
ports = [
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[host].hostname,
security_groups=[],
port_security_enabled=False)
for host in index_to_host]
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333, port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port],
use_dhcp=True))
for port, host in enumerate(index_to_host)]
for vm in vms:
vm.block_until_boot()
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
net_helpers.assert_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={'port': {'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]}})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host.")
)
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344, port_range_max=3344)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[1]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355, port_range_max=3355)
self.assert_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[
index_to_host[3]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[3]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[3],
use_dhcp=True)))
vms[3].block_until_boot()
netcat = net_helpers.NetcatTester(vms[3].namespace,
vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check SCTP is supported by security group
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366, port_range_max=3366)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
def test_arp_spoof_doesnt_block_normal_traffic(self):
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr)
def test_ipsec_site_connections_with_l3ha_routers(self):
"""Test ipsec site connection with HA routers.
This test creates two agents. First agent will have Legacy and HA
routers. Second agent will host only HA router. We setup ipsec
connection between legacy and HA router.
When HA router is created, agent1 will have master router and
agent2 will have backup router. Ipsec connection will be established
between legacy router and agent1's master HA router.
Then we fail the agent1's master HA router. Agent1's HA router will
transition to backup and agent2's HA router will become master.
Now ipsec connection will be established between legacy router and
agent2's master HA router
"""
self.failover_agent = self._configure_agent('agent2')
self.connect_agents(self.vpn_agent, self.failover_agent)
vpn_agent_driver = self.vpn_agent.device_drivers[0]
self.failover_agent_driver = self.failover_agent.device_drivers[0]
site1, site2 = self._create_ipsec_site_connection(l3ha=True)
router = site1['router']
router1 = site2['router1']
router2 = site2['router2']
# No ipsec connection between legacy router and HA routers
net_helpers.assert_no_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_no_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
# sync the routers
vpn_agent_driver.sync(mock.Mock(), [{'id': router.router_id},
{'id': router1.router_id}])
self.failover_agent_driver.sync(mock.Mock(),
[{'id': router1.router_id}])
self.addCleanup(
vpn_agent_driver._delete_vpn_processes,
[router.router_id, router1.router_id], [])
# Test ipsec connection between legacy router and agent2's HA router
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
# Fail the agent1's HA router. Agent1's HA router will transition
# to backup and agent2's HA router will become master.
self._fail_ha_router(router1)
linux_utils.wait_until_true(lambda: router2.ha_state == 'master')
linux_utils.wait_until_true(lambda: router1.ha_state == 'backup')
# wait until ipsec process running in failover agent's HA router
# check for both strongswan and openswan processes
path = self.failover_agent_driver.processes[
router2.router_id].config_dir
pid_files = ['%s/var/run/charon.pid' % path,
'%s/var/run/pluto.pid' % path]
linux_utils.wait_until_true(
lambda: self._ipsec_process_exists(
self.failover_agent.conf, router2, pid_files))
# Test ipsec connection between legacy router and agent2's HA router
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ["9.9.9.9/0", "1.2.3.4"])
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_arp_spoof_allowed_address_pairs(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ["192.168.0.3", self.dst_addr])
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_add_tc_filter_vxlan(self):
# The traffic control is applied on the veth pair device of the first
# namespace (self.ns[0]). The traffic created from the VXLAN interface
# when replying to the ping (sent from the other namespace), is
# encapsulated in a VXLAN frame and goes through the veth pair
# interface.
self._create_two_namespaces_connected_using_vxlan()
tc_lib.add_tc_qdisc(self.device[0],
'htb',
parent='root',
handle='1:',
namespace=self.ns[0])
classes = tc_lib.list_tc_policy_class(self.device[0],
namespace=self.ns[0])
self.assertEqual(0, len(classes))
class_ids = []
for i in range(1, 10):
class_id = '1:%s' % i
class_ids.append(class_id)
tc_lib.add_tc_policy_class(self.device[0],
'1:',
class_id,
namespace=self.ns[0],
min_kbps=1000,
max_kbps=2000,
burst_kb=1600)
# Add a filter for a randomly chosen created class, in the first
# namespace veth pair device, with the VXLAN MAC address. The traffic
# from the VXLAN device must go through this chosen class.
chosen_class_id = random.choice(class_ids)
tc_lib.add_tc_filter_vxlan(self.device[0],
'1:',
chosen_class_id,
self.mac_vxlan[0],
self.vxlan_id,
namespace=self.ns[0])
tc_classes = tc_lib.list_tc_policy_class(self.device[0],
namespace=self.ns[0])
for tc_class in (c for c in tc_classes
if c['classid'] == chosen_class_id):
bytes = tc_class['stats']['bytes']
packets = tc_class['stats']['packets']
break
else:
self.fail('TC class %(class_id)s is not present in the device '
'%(device)s' % {
'class_id': chosen_class_id,
'device': self.device[0]
})
net_helpers.assert_ping(self.ns[1],
str(netaddr.IPNetwork(self.ip_vxlan[0]).ip),
count=1)
tc_classes = tc_lib.list_tc_policy_class(self.device[0],
namespace=self.ns[0])
for tc_class in tc_classes:
if tc_class['classid'] == chosen_class_id:
self.assertGreater(tc_class['stats']['bytes'], bytes)
self.assertGreater(tc_class['stats']['packets'], packets)
else:
self.assertEqual(0, tc_class['stats']['bytes'])
self.assertEqual(0, tc_class['stats']['packets'])
def test_arp_spoof_doesnt_block_normal_traffic(self):
self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
self.src_p.addr.add("%s/24" % self.src_addr)
self.dst_p.addr.add("%s/24" % self.dst_addr)
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. multiple overlapping remote rules work,
8. test other protocol functionality by using SCTP protocol
9. test two vms with same mac on the same host in different
networks
"""
index_to_sg = [0, 0, 1, 2]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 4
else:
index_to_host = [0, 1, 1, 0]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
'20.0.0.0/24')
sgs = [
self.safe_client.create_security_group(tenant_uuid)
for i in range(3)
]
ports = [
self.safe_client.create_port(tenant_uuid,
network['id'],
self.environment.hosts[host].hostname,
security_groups=[],
port_security_enabled=False)
for host in index_to_host
]
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port],
use_dhcp=True))
for port, host in enumerate(index_to_host)
]
for vm in vms:
vm.block_until_boot()
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
net_helpers.assert_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host."))
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355,
port_range_max=3355)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3355, net_helpers.NetcatTester.TCP)
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(
tenant_uuid,
network['id'],
self.environment.hosts[index_to_host[-1]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[-1]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[-1],
use_dhcp=True)))
self.assertEqual(5, len(vms))
vms[4].block_until_boot()
netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace,
vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check if multiple overlapping remote rules work
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[2]['id'],
direction='ingress',
ethertype=constants.IPv4)
for i in range(2):
self.assert_connection(vms[0].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[3].namespace, vms[0].namespace,
vms[0].ip, 8080,
net_helpers.NetcatTester.TCP)
# 8. check SCTP is supported by security group
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366,
port_range_max=3366)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.SCTP)
# 9. test two vms with same mac on the same host in different networks
self._test_overlapping_mac_addresses()
def assert_ping(self, dst_ip):
net_helpers.assert_ping(self.namespace, dst_ip)
def test_ipsec_site_connections_with_l3ha_routers(self):
"""Test ipsec site connection with HA routers.
This test creates two agents. First agent will have Legacy and HA
routers. Second agent will host only HA router. We setup ipsec
connection between legacy and HA router.
When HA router is created, agent1 will have master router and
agent2 will have backup router. Ipsec connection will be established
between legacy router and agent1's master HA router.
Then we fail the agent1's master HA router. Agent1's HA router will
transition to backup and agent2's HA router will become master.
Now ipsec connection will be established between legacy router and
agent2's master HA router
"""
self.failover_agent = self._configure_agent('agent2')
self.connect_agents(self.vpn_agent, self.failover_agent)
vpn_agent_driver = self.vpn_agent.device_drivers[0]
failover_agent_driver = self.failover_agent.device_drivers[0]
ip_lib.send_ip_addr_adv_notif = mock.Mock()
# There are no vpn services yet. get_vpn_services_on_host returns
# empty list
vpn_agent_driver.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[])
failover_agent_driver.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[])
# instantiate network resources "router", "private network"
private_nets = list(PRIVATE_NET.subnet(24))
site1 = self.site_setup(PUBLIC_NET[4], private_nets[1])
site2 = self.setup_ha_routers(PUBLIC_NET[5], private_nets[2])
router = site1['router']
router1 = site2['router1']
router2 = site2['router2']
# build vpn resources
self.prepare_ipsec_conn_info(site1['vpn_service'],
site2['vpn_service'])
self.prepare_ipsec_conn_info(site2['vpn_service'],
site1['vpn_service'])
vpn_agent_driver.report_status = mock.Mock()
failover_agent_driver.report_status = mock.Mock()
vpn_agent_driver.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[site1['vpn_service'],
site2['vpn_service']])
failover_agent_driver.agent_rpc.get_vpn_services_on_host = mock.Mock(
return_value=[site2['vpn_service']])
# No ipsec connection between legacy router and HA routers
net_helpers.assert_no_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_no_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
# sync the routers
vpn_agent_driver.sync(mock.Mock(), [{'id': router.router_id},
{'id': router1.router_id}])
failover_agent_driver.sync(mock.Mock(), [{'id': router1.router_id}])
self.addCleanup(
vpn_agent_driver._delete_vpn_processes,
[router.router_id, router1.router_id], [])
# Test ipsec connection between legacy router and agent2's HA router
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
# Fail the agent1's HA router. Agent1's HA router will transition
# to backup and agent2's HA router will become master.
self._fail_ha_router(router1)
linux_utils.wait_until_true(lambda: router2.ha_state == 'master')
linux_utils.wait_until_true(lambda: router1.ha_state == 'backup')
# wait until ipsec process running in failover agent's HA router
# check for both strongswan and openswan processes
path = failover_agent_driver.processes[router2.router_id].config_dir
pid_files = ['%s/var/run/charon.pid' % path,
'%s/var/run/pluto.pid' % path]
linux_utils.wait_until_true(
lambda: self._ipsec_process_exists(
self.failover_agent.conf, router2, pid_files))
# Test ipsec connection between legacy router and agent2's HA router
net_helpers.assert_ping(site1['port_namespace'], site2['port_ip'],
timeout=8, count=4)
net_helpers.assert_ping(site2['port_namespace'], site1['port_ip'],
timeout=8, count=4)
def _test_using_multiple_security_groups(self):
"""Test using multiple security groups.
This test will do following things:
1. Create three vms with two security groups. vm0, vm1 in sg0;
vm2 in sg1.
2. Add SSH and ICMP rules in sg0. vm0 and vm1 can ping and ssh
for each other, but can not access between vm0 and vm2.
3. Using multiple security groups(sg0, sg1) for vm0, and sg1
have rules allowed sg0 access(ICMP), so vm0 and vm1 can
ping vm2.
4. Then remove sg0 from vm0, we removed ICMP and SSH rules.
vm0 and vm1 can not ping and ssh for each other.
"""
tenant_uuid = uuidutils.generate_uuid()
subnet_cidr = '30.0.0.0/24'
vms, ports, sgs, _, _ = self._create_resources(tenant_uuid,
subnet_cidr)
# Apply security groups to the ports
for port, sg in zip(ports, self.index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# Traffic not explicitly allowed (eg. SSH, ICMP) is blocked
self.verify_no_connectivity_between_vms(vms[1], vms[0],
net_helpers.NetcatTester.TCP,
22)
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# Add SSH and ICMP allowed in the same security group
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=22,
port_range_max=22)
self.verify_connectivity_between_vms(vms[1], vms[0],
net_helpers.NetcatTester.TCP, 22)
self.verify_no_connectivity_between_vms(vms[2], vms[0],
net_helpers.NetcatTester.TCP,
22)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_ICMP)
net_helpers.assert_ping(vms[1].namespace, vms[0].ip)
net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
# Update vm0 to use two security groups
# Add security group rules(ICMP) in another security group
self.safe_client.client.update_port(
ports[0]['id'],
body={'port': {
'security_groups': [sgs[0]['id'], sgs[1]['id']]
}})
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[1]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_ICMP)
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
net_helpers.assert_no_ping(vms[2].namespace, vms[1].ip)
self.verify_connectivity_between_vms(vms[1], vms[0],
net_helpers.NetcatTester.TCP, 22)
self.verify_no_connectivity_between_vms(vms[2], vms[0],
net_helpers.NetcatTester.TCP,
22)
# Remove first security group from port
self.safe_client.client.update_port(
ports[0]['id'], body={'port': {
'security_groups': [sgs[1]['id']]
}})
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[2].namespace, vms[0].ip)
net_helpers.assert_no_ping(vms[2].namespace, vms[1].ip)
self.verify_no_connectivity_between_vms(vms[1], vms[0],
net_helpers.NetcatTester.TCP,
22)
def assert_ping(self, dst_ip):
net_helpers.assert_ping(self.namespace, dst_ip)
