Пример #1
    def _test__iptables_args(self, expected_port):
        """Compare the rule sequence of a plain sync with the expected one.

        A fresh driver is created with ``_iptables`` mocked and DHCP
        enabled, ``sync`` is run once, and the positional arguments of
        each recorded ``_iptables`` call are compared, in order, with the
        expected tuples.

        :param expected_port: value expected after ``--dport`` in the
            INPUT rules.
        """
        self.driver = iptables.IptablesFilter()
        patcher = fixtures.MockPatchObject(self.driver, '_iptables')
        self.mock_iptables = self.useFixture(patcher).mock
        self.mock_should_enable_dhcp.return_value = True

        staging = self.driver.new_chain
        live = self.driver.chain
        # Shared middle part of every INPUT rule touched by the driver.
        input_match = ('INPUT', '-i', 'br-ctlplane', '-p', 'udp',
                       '--dport', expected_port, '-j')

        _iptables_expected_args = [
            # drop any leftover staging chain, then recreate it
            ('-D',) + input_match + (staging,),
            ('-F', staging),
            ('-X', staging),
            ('-N', staging),
            # no inactive MACs in this scenario: the only rule is ACCEPT
            ('-A', staging, '-j', 'ACCEPT'),
            # route matching traffic to the staging chain
            ('-I',) + input_match + (staging,),
            # retire the old live chain and rename staging into its place
            ('-D',) + input_match + (live,),
            ('-F', live),
            ('-X', live),
            ('-E', staging, live),
        ]

        self.driver.sync(self.mock_ironic)
        recorded = self.mock_iptables.call_args_list

        # NOTE(review): zip() stops at the shorter sequence, so this loop
        # passes vacuously if sync() issues fewer _iptables calls than
        # expected; asserting the call count as well would close the gap.
        for wanted, actual in zip(_iptables_expected_args, recorded):
            self.assertEqual(wanted, actual[0])
        self.mock_get_inactive_macs.assert_called_once_with(self.mock_ironic)
        self.check_fsm([pxe_filter.Events.sync])
Пример #2
    def _test__iptables_clean_cache_on_error(self, expected_port):
        """Check that a failed sync is followed by a full rule rebuild.

        The third mocked ``_iptables`` call raises ``RuntimeError``, which
        ``sync`` is expected to propagate while the FSM sees ``sync``
        followed by ``reset``. A second ``sync`` with the same inactive
        MAC must then issue the complete rule sequence again.

        :param expected_port: value expected after ``--dport`` in the
            INPUT rules.
        """
        self.driver = iptables.IptablesFilter()
        patcher = fixtures.MockPatchObject(self.driver, '_iptables')
        self.mock_iptables = self.useFixture(patcher).mock
        self.mock_get_inactive_macs.return_value = ['AA:BB:CC:DD:EE:FF']
        self.mock_should_enable_dhcp.return_value = True

        # Two successful calls, a failure on the third, then successes.
        self.mock_iptables.side_effect = (
            [None, None, RuntimeError('Oops!')] + [None] * 6)
        self.assertRaises(RuntimeError, self.driver.sync, self.mock_ironic)
        self.check_fsm([pxe_filter.Events.sync, pxe_filter.Events.reset])
        self.mock_get_inactive_macs.assert_called_once_with(self.mock_ironic)

        # check caching
        staging = self.driver.new_chain
        live = self.driver.chain
        denied_mac = self.mock_get_inactive_macs.return_value[0]
        input_match = ('INPUT', '-i', 'br-ctlplane', '-p', 'udp',
                       '--dport', expected_port, '-j')
        syncs_expected_args = [
            # driver reset
            ('-D',) + input_match + (staging,),
            ('-F', staging),
            ('-X', staging),
            ('-N', staging),
            # deny the inactive MAC, accept everything else
            ('-A', staging, '-m', 'mac', '--mac-source', denied_mac,
             '-j', 'DROP'),
            ('-A', staging, '-j', 'ACCEPT'),
            ('-I',) + input_match + (staging,),
            ('-D',) + input_match + (live,),
            ('-F', live),
            ('-X', live),
            ('-E', staging, live),
        ]

        # Start from clean mocks so only the second sync is inspected.
        self.mock_iptables.reset_mock()
        self.mock_iptables.side_effect = None
        self.mock_get_inactive_macs.reset_mock()
        self.mock_fsm.reset_mock()
        self.driver.sync(self.mock_ironic)
        self.check_fsm([pxe_filter.Events.sync])
        recorded = self.mock_iptables.call_args_list

        # NOTE(review): zip() stops at the shorter sequence, so a second
        # sync that issued no _iptables calls at all would still pass
        # here; asserting the call count as well would close the gap.
        for idx, (wanted, actual) in enumerate(
                zip(syncs_expected_args, recorded)):
            self.assertEqual(wanted, actual[0], 'idx: %s' % idx)
        self.mock_get_inactive_macs.assert_called_once_with(self.mock_ironic)
Пример #3
 def setUp(self):
     """Create the driver under test with its collaborators mocked.

     ``subprocess.check_call`` as seen by the ``iptables`` module and the
     driver's ``_iptables`` method are both replaced by mocks, and the
     blacklist lookup is stubbed to return an empty list.
     """
     super(TestIptablesDriver, self).setUp()
     CONF.set_override('rootwrap_config', '/some/fake/path')

     def install_mock(target, attribute):
         # Patch for the duration of the test and return the mock object.
         return self.useFixture(
             fixtures.MockPatchObject(target, attribute)).mock

     # NOTE(milan) state checking is mocked out so that tests do not have
     # to call e.g. self.driver.init_filter() to reach a valid state
     self.mock_fsm = install_mock(iptables.IptablesFilter, 'fsm')
     self.mock_call = install_mock(iptables.subprocess, 'check_call')
     self.driver = iptables.IptablesFilter()
     self.mock_iptables = install_mock(self.driver, '_iptables')
     self.mock_should_enable_dhcp = install_mock(
         iptables, '_should_enable_dhcp')
     self.mock__get_blacklist = install_mock(iptables, '_get_blacklist')
     self.mock__get_blacklist.return_value = []
     self.mock_ironic = mock.Mock()
Пример #4
    def _test_sync_with_allowlist(self, expected_port):
        """Check the rules built when ``deny_unknown_macs`` is enabled.

        With the option set, the expected chain accepts the active MAC
        and ends with an unconditional DROP. A second ``sync`` with the
        same MACs must not call ``_iptables`` at all.

        :param expected_port: value expected after ``--dport`` in the
            INPUT rules.
        """
        CONF.set_override('deny_unknown_macs', True, 'pxe_filter')
        self.driver = iptables.IptablesFilter()
        patcher = fixtures.MockPatchObject(self.driver, '_iptables')
        self.mock_iptables = self.useFixture(patcher).mock
        self.mock_get_active_macs.return_value = ['AA:BB:CC:DD:EE:FF']
        self.mock_get_inactive_macs.return_value = ['FF:EE:DD:CC:BB:AA']
        self.mock_should_enable_dhcp.return_value = True

        staging = self.driver.new_chain
        live = self.driver.chain
        allowed_mac = self.mock_get_active_macs.return_value[0]
        input_match = ('INPUT', '-i', 'br-ctlplane', '-p', 'udp',
                       '--dport', expected_port, '-j')

        _iptables_expected_args = [
            ('-D',) + input_match + (staging,),
            ('-F', staging),
            ('-X', staging),
            ('-N', staging),
            # allow the active MAC, drop everything else
            ('-A', staging, '-m', 'mac', '--mac-source', allowed_mac,
             '-j', 'ACCEPT'),
            ('-A', staging, '-j', 'DROP'),
            ('-I',) + input_match + (staging,),
            ('-D',) + input_match + (live,),
            ('-F', live),
            ('-X', live),
            ('-E', staging, live),
        ]

        self.driver.sync(self.mock_ironic)
        self.check_fsm([pxe_filter.Events.sync])
        recorded = self.mock_iptables.call_args_list

        # NOTE(review): zip() stops at the shorter sequence, so a missing
        # trailing call (or no calls at all) is not detected here;
        # asserting the call count as well would close the gap.
        for wanted, actual in zip(_iptables_expected_args, recorded):
            self.assertEqual(wanted, actual[0])
        self.mock_get_active_macs.assert_called_once_with(self.mock_ironic)

        # check caching: an unchanged MAC list must not touch iptables

        self.mock_iptables.reset_mock()
        self.mock_get_active_macs.reset_mock()
        self.driver.sync(self.mock_ironic)
        self.mock_get_active_macs.assert_called_once_with(self.mock_ironic)
        self.assertFalse(self.mock_iptables.called)
Пример #5
 def setUp(self):
     """Create the driver under test with its collaborators mocked.

     ``processutils.execute`` as seen by the ``iptables`` module and the
     driver's ``_iptables`` method are both replaced by mocks. The active
     and inactive MAC lookups return empty sets, and the mocked ironic
     client reports no ports.
     """
     super(TestIptablesDriver, self).setUp()
     CONF.set_override('rootwrap_config', '/some/fake/path')

     def install_mock(target, attribute):
         # Patch for the duration of the test and return the mock object.
         return self.useFixture(
             fixtures.MockPatchObject(target, attribute)).mock

     # NOTE(milan) state checking is mocked out so that tests do not have
     # to call e.g. self.driver.init_filter() to reach a valid state
     self.mock_fsm = install_mock(iptables.IptablesFilter, 'fsm')
     self.mock_call = install_mock(iptables.processutils, 'execute')
     self.driver = iptables.IptablesFilter()
     self.mock_iptables = install_mock(self.driver, '_iptables')
     self.mock_should_enable_dhcp = install_mock(
         iptables, '_should_enable_dhcp')

     self.mock_get_inactive_macs = install_mock(
         pxe_filter, 'get_inactive_macs')
     self.mock_get_inactive_macs.return_value = set()
     self.mock_get_active_macs = install_mock(
         pxe_filter, 'get_active_macs')
     self.mock_get_active_macs.return_value = set()

     self.mock_ironic = mock.Mock()
     self.mock_ironic.ports.return_value = []
Пример #6
 def test_iptables_command_ipv6(self):
     """Check that ``ip_version`` '6' selects the ``ip6tables`` command."""
     CONF.set_override('ip_version', '6', 'iptables')
     # The driver is built after the override so it sees the new value.
     ipv6_driver = iptables.IptablesFilter()
     self.assertEqual(ipv6_driver._cmd_iptables, 'ip6tables')