def _create_port_policies(self, disable_rule=True): ignore_action = app_testing_objects.IgnoreAction() key1 = (self.subnet1.subnet_id, self.port1.port_id) actions = [ app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, self._create_dhcp_request) ] if disable_rule: actions.append(app_testing_objects.DisableRuleAction()) rules1 = [ app_testing_objects.PortPolicyRule( # Detect dhcp offer app_testing_objects.RyuDHCPOfferFilter(), actions), app_testing_objects.PortPolicyRule( # Detect dhcp acknowledge app_testing_objects.RyuDHCPAckFilter(), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.WaitAction(5), app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, self._create_dhcp_renewal_request), ]), app_testing_objects.PortPolicyRule( # Detect dhcp acknowledge app_testing_objects.RyuDHCPAckFilter(), actions=[ app_testing_objects.StopSimulationAction(), app_testing_objects.DisableRuleAction() ]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet1.subnet_id, self.port2.port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.RyuDHCPFilter(), actions=[ app_testing_objects.RaiseAction("Received DHCP packet") ]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) return { key1: policy1, key2: policy2, }
def _create_port_policies(self): ignore_action = app_testing_objects.IgnoreAction() key1 = (self.subnet1.subnet_id, self.port1.port_id) rules1 = [ app_testing_objects.PortPolicyRule( # Detect pong, end simulation app_testing_objects.RyuICMPPongFilter(self._get_ping), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction(), ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet2.subnet_id, self.port2.port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect ping, reply with pong app_testing_objects.RyuICMPPingFilter(), actions=[ app_testing_objects.SendAction(self.subnet2.subnet_id, self.port2.port_id, self._create_pong_packet), app_testing_objects.DisableRuleAction(), ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) return { key1: policy1, key2: policy2, }
def _create_extra_route_policies(self, nexthop_port): ignore_action = app_testing_objects.IgnoreAction() raise_action = app_testing_objects.RaiseAction("Unexpected packet") rules = [ app_testing_objects.PortPolicyRule( # The nexthop lport should get the icmp echo request whose # destination is the cidr of extra route. app_testing_objects.RyuICMPPingFilter(self._get_ping), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction() ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] policy = app_testing_objects.PortPolicy(rules=rules, default_action=raise_action) key = (self.subnet1.subnet_id, nexthop_port.port_id) return {key: policy}
def _create_rate_limit_port_policies(self, rate, icmp_filter): ignore_action = app_testing_objects.IgnoreAction() raise_action = app_testing_objects.RaiseAction("Unexpected packet") # Disable port policy rule, so that any further packets will hit the # default action, which is raise_action in this case. count_action = app_testing_objects.CountAction( rate, app_testing_objects.DisableRuleAction()) key = (self.subnet1.subnet_id, self.port1.port_id) rules = [ app_testing_objects.PortPolicyRule( # Detect ICMP, end simulation icmp_filter(self._get_ip), actions=[count_action]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] policy = app_testing_objects.PortPolicy(rules=rules, default_action=raise_action) return {key: policy}
def _create_icmp_test_port_policies(self, icmp_filter): ignore_action = app_testing_objects.IgnoreAction() raise_action = app_testing_objects.RaiseAction("Unexpected packet") key = (self.subnet.subnet_id, self.port.port_id) rules = [ app_testing_objects.PortPolicyRule( # Detect ICMP, end simulation icmp_filter(self._get_ip), actions=[app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction()] ), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ ignore_action ] ), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ ignore_action ] ), ] policy = app_testing_objects.PortPolicy( rules=rules, default_action=raise_action ) return {key: policy}
def setUp(self): super(TestArpResponder, self).setUp() self.topology = None self.policy = None try: self.topology = app_testing_objects.Topology( self.neutron, self.nb_api) subnet1 = self.topology.create_subnet(cidr='192.168.10.0/24') port1 = subnet1.create_port() port2 = subnet1.create_port() time.sleep(test_utils.DEFAULT_CMD_TIMEOUT) # Create policy arp_packet = self._create_arp_request( src_port=port1.port.get_logical_port(), dst_port=port2.port.get_logical_port(), ) send_arp_request = app_testing_objects.SendAction( subnet1.subnet_id, port1.port_id, str(arp_packet), ) ignore_action = app_testing_objects.IgnoreAction() log_action = app_testing_objects.LogAction() key1 = (subnet1.subnet_id, port1.port_id) port_policies = { key1: app_testing_objects.PortPolicy( rules=[ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.RyuARPReplyFilter(), actions=[ log_action, app_testing_objects.StopSimulationAction() ] ), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ ignore_action ] ), ], default_action=app_testing_objects.RaiseAction( "Unexpected packet" ) ), } self.policy = app_testing_objects.Policy( initial_actions=[send_arp_request], port_policies=port_policies, unknown_port_action=ignore_action ) except Exception: if self.topology: self.topology.close() raise self.store(self.topology) self.store(self.policy)
def _get_filtering_rules(self): ignore_action = app_testing_objects.IgnoreAction() rules = [ app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]) ] return rules
def _create_port_policies(self): ignore_action = app_testing_objects.IgnoreAction() key = (self.subnet.subnet_id, self.port2.port_id) # when port2 receive both two packets (one using vm fixed ip and mac, # another using one of the allowed address pairs), # stop this simulation. count_action = app_testing_objects.CountAction( 2, app_testing_objects.StopSimulationAction()) rules = [ app_testing_objects.PortPolicyRule( app_testing_objects.RyuICMPPingFilter( self._get_ping_using_vm_ip_mac), actions=[ count_action, app_testing_objects.DisableRuleAction(), ]), app_testing_objects.PortPolicyRule( app_testing_objects.RyuICMPPingFilter( self._get_ping_using_allowed_address_pair_ip_mac), actions=[ count_action, app_testing_objects.DisableRuleAction(), ]), app_testing_objects.PortPolicyRule( app_testing_objects.RyuICMPPingFilter( self._get_ping_using_fake_ip), actions=[ app_testing_objects.RaiseAction("a packet with a fake " "ip passed") ]), app_testing_objects.PortPolicyRule( app_testing_objects.RyuICMPPingFilter( self._get_ping_using_fake_mac), actions=[ app_testing_objects.RaiseAction("a packet with a fake " "mac passed") ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy = app_testing_objects.PortPolicy(rules=rules, default_action=raise_action) return {key: policy}
def _test_disable_dhcp(self): dhcp_packet = self._create_dhcp_discover() send_dhcp_offer = app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, dhcp_packet, ) key = (self.subnet1.subnet_id, self.port1.port_id) rules = [ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.RyuDHCPFilter(), actions=[ app_testing_objects.RaiseAction("Received DHCP packet") ]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[app_testing_objects.IgnoreAction()]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") port_policy = app_testing_objects.PortPolicy( rules=rules, default_action=raise_action) policy = app_testing_objects.Policy( initial_actions=[send_dhcp_offer], port_policies={key: port_policy}, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) policy.start(self.topology) # Since there is no dhcp response, we are expecting timeout # exception here. self.assertRaises(app_testing_objects.TimeoutException, policy.wait, const.DEFAULT_RESOURCE_READY_TIMEOUT) policy.stop() if len(policy.exceptions) > 0: raise policy.exceptions[0]
def _create_port_policies(self, disable_rule=True): ignore_action = app_testing_objects.IgnoreAction() key1 = (self.subnet1.subnet_id, self.port1.port_id) actions = [ app_testing_objects.SendAction(self.subnet1.subnet_id, self.port1.port_id, self._create_dhcp_request) ] if disable_rule: actions.append(app_testing_objects.DisableRuleAction()) testclass = self class DHCPAckFilterVerifiesMTU(app_testing_objects.RyuDHCPAckFilter): def __init__(self, expected_mtu): super(DHCPAckFilterVerifiesMTU, self).__init__() self.expected_mtu = expected_mtu def __call__(self, buf): result = super(DHCPAckFilterVerifiesMTU, self).__call__(buf) if not result: return result pkt = ryu.lib.packet.packet.Packet(buf) pkt_dhcp_protocol = pkt.get_protocol(dhcp.dhcp) for option in pkt_dhcp_protocol.options.option_list: if option.tag == dhcp.DHCP_INTERFACE_MTU_OPT: mtu = struct.unpack('!H', option.value) testclass.assertEqual((self.expected_mtu, ), mtu) return result lport1 = self.port1.port.get_logical_port() lswitch_ref = lport1.lswitch lswitch = self.nb_api.get(lswitch_ref) expected_mtu = lswitch.mtu rules1 = [ app_testing_objects.PortPolicyRule( # Detect dhcp offer app_testing_objects.RyuDHCPOfferFilter(), actions), app_testing_objects.PortPolicyRule( # Detect dhcp acknowledge DHCPAckFilterVerifiesMTU(expected_mtu), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.WaitAction(5), app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, self._create_dhcp_renewal_request), ]), app_testing_objects.PortPolicyRule( # Detect dhcp acknowledge DHCPAckFilterVerifiesMTU(expected_mtu), actions=[ app_testing_objects.StopSimulationAction(), app_testing_objects.DisableRuleAction() ]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet1.subnet_id, self.port2.port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect arp replies app_testing_objects.RyuDHCPFilter(), actions=[ app_testing_objects.RaiseAction("Received DHCP packet") ]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) return { key1: policy1, key2: policy2, }
def _create_port_policies(self, connected=True): ignore_action = app_testing_objects.IgnoreAction() raise_action = app_testing_objects.RaiseAction("Unexpected packet") key1 = (self.subnet1.subnet_id, self.port1.port_id) if connected: actions = [ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction() ] else: actions = [raise_action] rules1 = [ app_testing_objects.PortPolicyRule( # Detect pong, end simulation app_testing_objects.RyuICMPPongFilter(self._get_ping), actions=actions), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet2.subnet_id, self.port2.port_id) if connected: actions = [ app_testing_objects.SendAction(self.subnet2.subnet_id, self.port2.port_id, self._create_pong_packet), app_testing_objects.DisableRuleAction() ] else: actions = [raise_action] rules2 = [ app_testing_objects.PortPolicyRule( # Detect ping, reply with pong app_testing_objects.RyuICMPPingFilter(), actions=actions), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore ARP requests from active port detection app for # ports with allowed_address_pairs app_testing_objects.RyuARPRequestFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) return { key1: policy1, key2: policy2, }
def _create_port_policies(self): ignore_action = app_testing_objects.IgnoreAction() raise_action = app_testing_objects.RaiseAction("Unexpected packet") key1 = (self.subnet.subnet_id, self.permit_port_id) rules1 = [ app_testing_objects.PortPolicyRule( # Detect pong, end simulation app_testing_objects.RyuICMPPongFilter(self.permit_icmp_request ), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction(), ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet.subnet_id, self.no_permit_port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect pong, raise unexpected packet exception app_testing_objects.RyuICMPPongFilter( self.no_permit_icmp_request), actions=[raise_action]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key3 = (self.subnet.subnet_id, self.port3.port_id) rules3 = [ app_testing_objects.PortPolicyRule( # Detect ping from port1, reply with pong app_testing_objects.RyuICMPPingFilter(self.permit_icmp_request ), actions=[ app_testing_objects.SendAction(self.subnet.subnet_id, self.port3.port_id, self._create_pong_packet), app_testing_objects.DisableRuleAction(), ]), app_testing_objects.PortPolicyRule( # Detect ping from port2, raise unexpected packet exception app_testing_objects.RyuICMPPingFilter( self.no_permit_icmp_request), actions=[raise_action]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) policy3 = app_testing_objects.PortPolicy(rules=rules3, default_action=raise_action) return {key1: policy1, key2: policy2, key3: policy3}
def test_icmp_ping_pong(self): # Setup base components - two ports on 1 network self.topology = app_testing_objects.Topology(self.neutron, self.nb_api) self.addCleanup(self.topology.close) self.subnet1 = self.topology.create_subnet(cidr='192.168.12.0/24') self.port1 = self.subnet1.create_port() self.port2 = self.subnet1.create_port() time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Setup VLAN ports self.network = objects.NetworkTestObj(self.neutron, self.nb_api) self.addCleanup(self.network.close) self.network.create() self.subnet = objects.SubnetTestObj(self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.subnet.close) self.subnet.create() self.vlan_port1 = objects.PortTestObj( self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.vlan_port1.close) self.vlan_port1.create() self.vlan_port2 = objects.PortTestObj( self.neutron, self.nb_api, network_id=self.network.network_id) self.addCleanup(self.vlan_port2.close) self.vlan_port2.create() self.cps1 = objects.ChildPortSegmentationTestObj( self.neutron, self.nb_api) self.addCleanup(self.cps1.close) self.cps1.create(self.port1.port.port_id, self.vlan_port1.port_id, 'vlan', 7) self.addCleanup(self.port1.unbind) self.cps2 = objects.ChildPortSegmentationTestObj( self.neutron, self.nb_api) self.addCleanup(self.cps2.close) self.cps2.create(self.port2.port.port_id, self.vlan_port2.port_id, 'vlan', 8) self.addCleanup(self.port2.unbind) # Setup policy ignore_action = app_testing_objects.IgnoreAction() key1 = (self.subnet1.subnet_id, self.port1.port_id) rules1 = [ app_testing_objects.PortPolicyRule( # Detect pong, end simulation app_testing_objects.AndingFilter( app_testing_objects.RyuVLANTagFilter(7), app_testing_objects.RyuICMPPongFilter(self._get_ping)), actions=[ app_testing_objects.DisableRuleAction(), app_testing_objects.StopSimulationAction() ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] key2 = (self.subnet1.subnet_id, self.port2.port_id) rules2 = [ app_testing_objects.PortPolicyRule( # Detect ping, reply with pong app_testing_objects.AndingFilter( app_testing_objects.RyuVLANTagFilter(8), app_testing_objects.RyuICMPPingFilter()), actions=[ app_testing_objects.SendAction(self.subnet1.subnet_id, self.port2.port_id, self._create_pong_packet), app_testing_objects.DisableRuleAction() ]), app_testing_objects.PortPolicyRule( # Ignore gratuitous ARP packets app_testing_objects.RyuARPGratuitousFilter(), actions=[ignore_action]), app_testing_objects.PortPolicyRule( # Ignore IPv6 packets app_testing_objects.RyuIPv6Filter(), actions=[ignore_action]), ] raise_action = app_testing_objects.RaiseAction("Unexpected packet") policy1 = app_testing_objects.PortPolicy(rules=rules1, default_action=raise_action) policy2 = app_testing_objects.PortPolicy(rules=rules2, default_action=raise_action) port_policies = {key1: policy1, key2: policy2} initial_packet = self._create_ping_packet() policy = app_testing_objects.Policy( initial_actions=[ app_testing_objects.SendAction( self.subnet1.subnet_id, self.port1.port_id, initial_packet, ), ], port_policies=port_policies, unknown_port_action=app_testing_objects.IgnoreAction()) self.addCleanup(policy.close) time.sleep(const.DEFAULT_RESOURCE_READY_TIMEOUT) # Verify port is up neutron_vlan_port1 = objects.get_port_by_id(self.neutron, self.vlan_port1.port_id) self.assertEqual(n_const.PORT_STATUS_ACTIVE, neutron_vlan_port1['status']) neutron_vlan_port2 = objects.get_port_by_id(self.neutron, self.vlan_port2.port_id) self.assertEqual(n_const.PORT_STATUS_ACTIVE, neutron_vlan_port2['status']) # Verify connectivity apps.start_policy(policy, self.topology, const.DEFAULT_RESOURCE_READY_TIMEOUT)