def test_add_acls_with_sec_group(self):
        expected_acls = []
        expected_acls += ovn_acl.drop_all_ip_traffic_for_port(
            self.fake_port_sg)
        expected_acls += ovn_acl.add_acl_dhcp(
            self.fake_port_sg, self.fake_subnet)
        sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
            self.fake_port_sg, self.fake_sg_rule,
            'outport == "' + self.fake_port_sg['id'] + '" ' +
            '&& ip4 && ip4.src == 0.0.0.0/0 ' +
            '&& tcp && tcp.dst == 22')
        expected_acls.append(sg_rule_acl)

        # Test with caches
        acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                mock.Mock(),
                                self.fake_port_sg,
                                self.sg_cache,
                                self.sg_ports_cache,
                                self.subnet_cache)
        self.assertEqual(expected_acls, acls)

        # Test without caches
        with mock.patch('neutron.db.db_base_plugin_v2.'
                        'NeutronDbPluginV2.get_subnet',
                        return_value=self.fake_subnet), \
            mock.patch('neutron.db.securitygroups_db.'
                       'SecurityGroupDbMixin.get_security_group',
                       return_value=self.fake_sg):

            acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                    mock.Mock(),
                                    self.fake_port_sg,
                                    {}, {}, {})
            self.assertEqual(expected_acls, acls)
示例#2
0
    def _add_sg_rule_acl_for_port(self, admin_context, port, r, sg_ports_cache,
                                  subnet_cache):
        # Update the match based on which direction this rule is for (ingress
        # or egress).
        match, remote_portdir = ovn_acl.acl_direction(r, port)

        # Update the match for IPv4 vs IPv6.
        ip_match, ip_version, icmp = ovn_acl.acl_ethertype(r)
        match += ip_match

        # Update the match if an IPv4 or IPv6 prefix was specified.
        match += ovn_acl.acl_remote_ip_prefix(r, ip_version)

        group_match, empty_match = self._acl_remote_group_id(
            admin_context, r, sg_ports_cache, subnet_cache, port,
            remote_portdir, ip_version)
        if empty_match:
            # If there are no other ports on this security group, then this
            # rule can never match, so no ACL row will be created for this
            # rule.
            return None
        match += group_match

        # Update the match for the protocol (tcp, udp, icmp) and port/type
        # range if specified.
        match += ovn_acl.acl_protocol_and_ports(r, icmp)

        # Finally, create the ACL entry for the direction specified.
        return ovn_acl.add_sg_rule_acl_for_port(port, r, match)
    def _add_sg_rule_acl_for_port(self, admin_context, port, r,
                                  sg_ports_cache, subnet_cache):
        # Update the match based on which direction this rule is for (ingress
        # or egress).
        match, remote_portdir = ovn_acl.acl_direction(r, port)

        # Update the match for IPv4 vs IPv6.
        ip_match, ip_version, icmp = ovn_acl.acl_ethertype(r)
        match += ip_match

        # Update the match if an IPv4 or IPv6 prefix was specified.
        match += ovn_acl.acl_remote_ip_prefix(r, ip_version)

        group_match, empty_match = self._acl_remote_group_id(admin_context, r,
                                                             sg_ports_cache,
                                                             subnet_cache,
                                                             port,
                                                             remote_portdir,
                                                             ip_version)
        if empty_match:
            # If there are no other ports on this security group, then this
            # rule can never match, so no ACL row will be created for this
            # rule.
            return None
        match += group_match

        # Update the match for the protocol (tcp, udp, icmp) and port/type
        # range if specified.
        match += ovn_acl.acl_protocol_and_ports(r, icmp)

        # Finally, create the ACL entry for the direction specified.
        return ovn_acl.add_sg_rule_acl_for_port(port, r, match)
 def test_acl_update_compare_acls(self):
     fake_sg_rule = \
         fakes.FakeSecurityGroupRule.create_one_security_group_rule().info()
     fake_port = fakes.FakePort.create_one_port().info()
     fake_add_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row(
         attrs={'match': 'add_acl'})
     fake_del_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row(
         attrs={'match': 'del_acl'})
     fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row(
         attrs={'name': ovn_utils.ovn_name(fake_port['network_id']),
                'acls': []})
     add_acl = ovn_acl.add_sg_rule_acl_for_port(
         fake_port, fake_sg_rule, 'add_acl')
     self.ovn_api.get_acls_for_lswitches.return_value = (
         {fake_port['id']: [fake_del_acl.match]},
         {fake_del_acl.match: fake_del_acl},
         {fake_lswitch.name.replace('neutron-', ''): fake_lswitch})
     cmd = commands.UpdateACLsCommand(
         self.ovn_api, [fake_port['network_id']],
         [fake_port], {fake_port['id']: [add_acl]},
         need_compare=True)
     self.transaction.insert.return_value = fake_add_acl
     cmd.run_idl(self.transaction)
     self.transaction.insert.assert_called_once_with(
         self.ovn_api.acl_table)
     fake_lswitch.verify.assert_called_with('acls')
     self.assertEqual([fake_add_acl.uuid], fake_lswitch.acls)
示例#5
0
    def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
        fake_port_sg = fakes.FakePort.create_one_port(
            attrs={
                'security_groups': [self.fake_sg['id']],
                'fixed_ips': [{
                    'subnet_id': self.fake_subnet['id'],
                    'ip_address': '10.10.10.20'
                }]
            }).info()

        expected_acls = []
        expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg)
        if not native_dhcp:
            expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg,
                                                  self.fake_subnet)
        sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
            fake_port_sg, self.fake_sg_rule,
            'outport == "' + fake_port_sg['id'] + '" ' +
            '&& ip4 && ip4.src == 0.0.0.0/0 ' + '&& tcp && tcp.dst == 22')
        expected_acls.append(sg_rule_acl)

        # Test with caches
        acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
                                fake_port_sg, self.sg_cache, self.subnet_cache)
        self.assertEqual(expected_acls, acls)

        # Test without caches
        with mock.patch('neutron.db.db_base_plugin_v2.'
                        'NeutronDbPluginV2.get_subnet',
                        return_value=self.fake_subnet), \
            mock.patch('neutron.db.securitygroups_db.'
                       'SecurityGroupDbMixin.get_security_group',
                       return_value=self.fake_sg):

            acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
                                    fake_port_sg, {}, {})
            self.assertEqual(expected_acls, acls)

        # Test with security groups disabled
        with mock.patch('networking_ovn.common.acl.is_sg_enabled',
                        return_value=False):
            acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
                                    fake_port_sg, self.sg_cache,
                                    self.subnet_cache)
            self.assertEqual([], acls)

        # Test with multiple fixed IPs on the same subnet.
        fake_port_sg['fixed_ips'].append({
            'subnet_id': self.fake_subnet['id'],
            'ip_address': '10.10.10.21'
        })
        acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(),
                                fake_port_sg, self.sg_cache, self.subnet_cache)
        self.assertEqual(expected_acls, acls)
示例#6
0
 def _test_add_sg_rule_acl_for_port(self, sg_rule, direction, match):
     port = {'id': 'port-id',
             'network_id': 'network-id'}
     acl = ovn_acl.add_sg_rule_acl_for_port(port, sg_rule, match)
     self.assertEqual(acl, {'lswitch': 'neutron-network-id',
                            'lport': 'port-id',
                            'priority': ovn_const.ACL_PRIORITY_ALLOW,
                            'action': ovn_const.ACL_ACTION_ALLOW_RELATED,
                            'log': False,
                            'direction': direction,
                            'match': match,
                            'external_ids': {'neutron:lport': 'port-id'}})
示例#7
0
 def _test_add_sg_rule_acl_for_port(self, sg_rule, direction, match):
     port = {'id': 'port-id',
             'network_id': 'network-id'}
     acl = ovn_acl.add_sg_rule_acl_for_port(port, sg_rule, match)
     self.assertEqual({'lswitch': 'neutron-network-id',
                       'lport': 'port-id',
                       'priority': ovn_const.ACL_PRIORITY_ALLOW,
                       'action': ovn_const.ACL_ACTION_ALLOW_RELATED,
                       'log': False,
                       'direction': direction,
                       'match': match,
                       'external_ids': {'neutron:lport': 'port-id'}},
                      acl)
    def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
        fake_port_sg = fakes.FakePort.create_one_port(
            attrs={
                "security_groups": [self.fake_sg["id"]],
                "fixed_ips": [{"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.20"}],
            }
        ).info()

        expected_acls = []
        expected_acls += ovn_acl.drop_all_ip_traffic_for_port(fake_port_sg)
        if not native_dhcp:
            expected_acls += ovn_acl.add_acl_dhcp(fake_port_sg, self.fake_subnet)
        sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
            fake_port_sg,
            self.fake_sg_rule,
            'outport == "' + fake_port_sg["id"] + '" ' + "&& ip4 && ip4.src == 0.0.0.0/0 " + "&& tcp && tcp.dst == 22",
        )
        expected_acls.append(sg_rule_acl)

        # Test with caches
        acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache)
        self.assertEqual(expected_acls, acls)

        # Test without caches
        with mock.patch(
            "neutron.db.db_base_plugin_v2." "NeutronDbPluginV2.get_subnet", return_value=self.fake_subnet
        ), mock.patch(
            "neutron.db.securitygroups_db." "SecurityGroupDbMixin.get_security_group", return_value=self.fake_sg
        ):

            acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, {}, {})
            self.assertEqual(expected_acls, acls)

        # Test with security groups disabled
        with mock.patch("networking_ovn.common.acl.is_sg_enabled", return_value=False):
            acls = ovn_acl.add_acls(
                self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache
            )
            self.assertEqual([], acls)

        # Test with multiple fixed IPs on the same subnet.
        fake_port_sg["fixed_ips"].append({"subnet_id": self.fake_subnet["id"], "ip_address": "10.10.10.21"})
        acls = ovn_acl.add_acls(self.mech_driver._plugin, mock.Mock(), fake_port_sg, self.sg_cache, self.subnet_cache)
        self.assertEqual(expected_acls, acls)
 def test_acl_update_no_compare_del_acls(self):
     fake_sg_rule = \
         fakes.FakeSecurityGroupRule.create_one_security_group_rule().info()
     fake_port = fakes.FakePort.create_one_port().info()
     fake_acl = fakes.FakeOvsdbRow.create_one_ovsdb_row(
         attrs={'match': '*'})
     fake_lswitch = fakes.FakeOvsdbRow.create_one_ovsdb_row(
         attrs={'name': ovn_utils.ovn_name(fake_port['network_id']),
                'acls': [fake_acl]})
     del_acl = ovn_acl.add_sg_rule_acl_for_port(
         fake_port, fake_sg_rule, '*')
     with mock.patch.object(idlutils, 'row_by_value',
                            return_value=fake_lswitch):
         cmd = commands.UpdateACLsCommand(
             self.ovn_api, [fake_port['network_id']],
             [fake_port], {fake_port['id']: del_acl},
             need_compare=False,
             is_add_acl=False)
         cmd.run_idl(self.transaction)
         self.transaction.insert.assert_not_called()
         fake_lswitch.verify.assert_called_with('acls')
         self.assertEqual([], fake_lswitch.acls)
    def _test_add_acls_with_sec_group_helper(self, native_dhcp=True):
        fake_port_sg = fakes.FakePort.create_one_port(
            attrs={'security_groups': [self.fake_sg['id']],
                   'fixed_ips': [{'subnet_id': self.fake_subnet['id'],
                                  'ip_address': '10.10.10.20'}]}
        ).info()

        expected_acls = []
        expected_acls += ovn_acl.drop_all_ip_traffic_for_port(
            fake_port_sg)
        if not native_dhcp:
            expected_acls += ovn_acl.add_acl_dhcp(
                fake_port_sg, self.fake_subnet)
        sg_rule_acl = ovn_acl.add_sg_rule_acl_for_port(
            fake_port_sg, self.fake_sg_rule,
            'outport == "' + fake_port_sg['id'] + '" ' +
            '&& ip4 && ip4.src == 0.0.0.0/0 ' +
            '&& tcp && tcp.dst == 22')
        expected_acls.append(sg_rule_acl)

        # Test with caches
        acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                mock.Mock(),
                                fake_port_sg,
                                self.sg_cache,
                                self.subnet_cache)
        self.assertEqual(expected_acls, acls)

        # Test without caches
        with mock.patch('neutron.db.db_base_plugin_v2.'
                        'NeutronDbPluginV2.get_subnet',
                        return_value=self.fake_subnet), \
            mock.patch('neutron.db.securitygroups_db.'
                       'SecurityGroupDbMixin.get_security_group',
                       return_value=self.fake_sg):

            acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                    mock.Mock(),
                                    fake_port_sg,
                                    {}, {})
            self.assertEqual(expected_acls, acls)

        # Test with security groups disabled
        with mock.patch('networking_ovn.common.acl.is_sg_enabled',
                        return_value=False):
            acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                    mock.Mock(),
                                    fake_port_sg,
                                    self.sg_cache,
                                    self.subnet_cache)
            self.assertEqual([], acls)

        # Test with multiple fixed IPs on the same subnet.
        fake_port_sg['fixed_ips'].append({'subnet_id': self.fake_subnet['id'],
                                          'ip_address': '10.10.10.21'})
        acls = ovn_acl.add_acls(self.mech_driver._plugin,
                                mock.Mock(),
                                fake_port_sg,
                                self.sg_cache,
                                self.subnet_cache)
        self.assertEqual(expected_acls, acls)