def _cli_create_os_l3_vsd_managed_subnet(self, vsd_l3_subnet):
network = self.create_network_with_args(
data_utils.rand_name('cli-osl3network'))
subnet_name = data_utils.rand_name('cli-subnet')
prefixlen = mask_to_prefix(vsd_l3_subnet.netmask)
cidr4 = "%s/%d" % (vsd_l3_subnet.address, prefixlen)
subnet4 = self.create_subnet_with_args(
network['name'], cidr4, "--name",
data_utils.rand_name('cli-osl3subnet'), "--net-partition ",
Topology.def_netpartition, "--nuagenet ", vsd_l3_subnet.id)
cidr6 = vsd_l3_subnet.ipv6_address
subnet6 = None
if cidr6:
if Topology.up_to_openstack('train'):
set_gateway = '' # rely on OpenStack's default ::1 gateway
else:
# set gw explicitly to ::1, as Ussuri++ defaults to ::0
set_gateway = '--gateway {}'.format(IPNetwork(cidr6)[1])
subnet6 = self.create_subnet_with_args(
network['name'], cidr6, "--name ", subnet_name + "-6",
"--ip-version 6", set_gateway, "--disable-dhcp",
"--net-partition", Topology.def_netpartition, "--nuagenet",
vsd_l3_subnet.id)
self.addCleanup(self._delete_subnet, subnet6['id'])
self.subnets.remove(subnet6)
return network, subnet4, subnet6
def _test_create_show_delete_security_group_rule(self, ipv6=False):
group_create_body, _ = self._create_security_group()
security_group_id = group_create_body['security_group']['id']
# create a nuage port to create sg on VSD.
self._create_nuage_port_with_security_group([security_group_id],
self.network)
if ipv6:
if Topology.up_to_openstack('stein'):
protocols = (n_constants.IPV6_PROTO_NAME +
[n_constants.IPV6_PROTO_NAME_LEGACY])
else:
# Train onwards, legacy is canonicalized
# https://review.opendev.org/#/c/453346/14
protocols = n_constants.IPV6_PROTO_NAME
else:
protocols = n_constants.IPV4_PROTO_NAME
# Create rules for each protocol
for protocol in protocols:
rule_create_body = (
self.security_group_rules_client.create_security_group_rule(
security_group_id=security_group_id,
protocol=protocol,
direction='ingress',
ethertype=self.ethertype))
# Show details of the created security rule
show_rule_body = (
self.security_group_rules_client.show_security_group_rule(
rule_create_body['security_group_rule']['id']))
create_dict = rule_create_body['security_group_rule']
for key, value in iteritems(create_dict):
self.assertEqual(value,
show_rule_body['security_group_rule'][key],
"%s does not match." % key)
self._verify_nuage_acl(rule_create_body['security_group_rule'],
expected_stateful='icmp' not in protocol)
# List rules and verify created rule is in response
rule_list_body = (
self.security_group_rules_client.list_security_group_rules())
rule_list = [
rule['id'] for rule in rule_list_body['security_group_rules']
]
self.assertIn(rule_create_body['security_group_rule']['id'],
rule_list)
def test_create_update_delete_sg(self):
sg = self.create_security_group()
sg2 = self.create_security_group()
# Create for ipversions:
# - normal rule, for all applicable protocols
# - normal rule, TCP protocol, port 80
# - normal rule, UDP protocol, port 80, egress
# - networkmacro rule for 90.0.0.0/24
# - remote group id rule for SG2
for ip_version in self.ip_versions:
ethertype = 'IPv' + str(ip_version)
# - normal rule, for all applicable protocols
if ip_version == 6:
if Topology.up_to_openstack('stein'):
protocols = (n_constants.IPV6_PROTO_NAME +
[n_constants.IPV6_PROTO_NAME_LEGACY])
else:
# Train onwards, legacy is canonicalized
# https://review.opendev.org/#/c/453346/14
protocols = n_constants.IPV6_PROTO_NAME
else:
protocols = n_constants.IPV4_PROTO_NAME
for protocol in protocols:
self.create_security_group_rule_with_manager(
sg,
protocol=protocol,
direction='ingress',
ethertype=ethertype)
# - normal rule, TCP protocol, port 80
self.create_security_group_rule_with_manager(sg,
protocol='tcp',
direction='ingress',
ethertype=ethertype,
port_range_min=80,
port_range_max=80)
# - normal rule, UDP protocol, port 80, egress
self.create_security_group_rule_with_manager(sg,
protocol='udp',
direction='egress',
ethertype=ethertype,
port_range_min=80,
port_range_max=80)
# - networkmacro rule for 90.0.0.0/24 or cafe:babe::/64
remote_ip_prefix = ('90.0.0.0/24'
if ip_version == 4 else 'cafe:babe::/64')
self.create_security_group_rule_with_manager(
sg,
direction='egress',
ethertype=ethertype,
remote_ip_prefix=remote_ip_prefix)
# - remote group id rule for SG2
self.create_security_group_rule_with_manager(
sg,
direction='egress',
ethertype=ethertype,
remote_group_id=sg2['id'])
port = self.create_port(self.network, security_groups=[sg['id']])
# Verify VSD
# Get updated SG with SGRules
sg = self.get_security_group(sg['id'])
self._verify_sg(sg, ports=[port])
# Update Security group name
name = "updated SG name"
sg = self.update_security_group(sg, name=name)
self._verify_sg(sg, ports=[port])
# Delete port from SG
self.delete_port(port)
# cleanup happens before 20.10, not after.
pg_expected = Topology.from_nuage('20.10')
self._verify_sg(sg, ports=[], pg_expected_without_port=pg_expected)
