def assert_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
def test_connectivity():
try:
return netcat.test_connectivity()
except RuntimeError:
return False
try:
common_utils.wait_until_true(test_connectivity)
finally:
netcat.stop_processes()
def _test_with_nc(self, fw_manager, direction, port, protocol):
netcat = net_helpers.NetcatTester(self.client.namespace,
self.server.namespace,
self.server.ip, self.port, protocol)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.filter_add_rule(fw_manager, self.server.ip, direction, protocol,
port)
with testtools.ExpectedException(RuntimeError):
netcat.test_connectivity()
self.filter_remove_rule(fw_manager, self.server.ip, direction,
protocol, port)
self.assertTrue(netcat.test_connectivity(True))
def _test_conntrack_disassociate_fip(self, ha):
'''Test that conntrack immediately drops stateful connection
that uses floating IP once it's disassociated.
'''
router_info = self.generate_router_info(enable_ha=ha)
router = self.manage_router(self.agent, router_info)
port = net_helpers.get_free_namespace_port(constants.PROTO_NAME_TCP,
router.ns_name)
client_address = '19.4.4.3'
server_address = '35.4.0.4'
def clean_fips(router):
router.router[constants.FLOATINGIP_KEY] = []
clean_fips(router)
self._add_fip(router, client_address, fixed_address=server_address)
router.process()
router_ns = ip_lib.IPWrapper(namespace=router.ns_name)
netcat = net_helpers.NetcatTester(
router.ns_name,
router.ns_name,
client_address,
port,
protocol=net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
def assert_num_of_conntrack_rules(n):
out = router_ns.netns.execute(
["conntrack", "-L", "--orig-src", client_address],
privsep_exec=True)
self.assertEqual(
n, len([line for line in out.strip().split('\n') if line]))
if ha:
common_utils.wait_until_true(lambda: router.ha_state == 'primary')
with self.assert_max_execution_time(100):
assert_num_of_conntrack_rules(0)
self.assertTrue(netcat.test_connectivity())
assert_num_of_conntrack_rules(1)
clean_fips(router)
router.process()
assert_num_of_conntrack_rules(0)
with testtools.ExpectedException(RuntimeError):
netcat.test_connectivity()
def test_find_listen_pids_namespace(self):
ns = self.useFixture(net_helpers.NamespaceFixture()).name
ip_wrapper = ip_lib.IPWrapper(namespace=ns)
ip_wrapper.add_dummy('device')
device = ip_lib.IPDevice('device', namespace=ns)
device.addr.add('10.20.30.40/24')
device.link.set_up()
self.assertEqual(tuple(), priv_utils.find_listen_pids_namespace(ns))
netcat = net_helpers.NetcatTester(ns, ns, '10.20.30.40', 12345, 'udp')
proc = netcat.server_process
self.assertEqual((str(proc.child_pid), ),
priv_utils.find_listen_pids_namespace(ns))
netcat.stop_processes()
self.assertEqual(tuple(), priv_utils.find_listen_pids_namespace(ns))
def test_fip_connection_from_same_subnet(self):
'''Test connection to floatingip which is associated with
fixed_ip on the same subnet of the source fixed_ip.
In other words it confirms that return packets surely
go through the router.
'''
src_machine, dst_machine, dst_fip = (
self._setup_fip_with_fixed_ip_from_same_subnet(enable_snat=True))
protocol_port = net_helpers.get_free_namespace_port(
lib_constants.PROTO_NAME_TCP, dst_machine.namespace)
# client sends to fip
netcat = net_helpers.NetcatTester(
src_machine.namespace, dst_machine.namespace,
dst_fip, protocol_port,
protocol=net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
def _test_with_nc(self, fw_manager, direction, port, protocol):
netcat = net_helpers.NetcatTester(self.client.namespace,
self.server.namespace,
self.server.ip, self.port, protocol)
self.addCleanup(netcat.stop_processes)
filter_params = 'direction %s, port %s and protocol %s' % (
direction, port, protocol)
self.assertTrue(
netcat.test_connectivity(),
'Failed connectivity check before applying a filter '
'with %s' % filter_params)
self.filter_add_rule(fw_manager, self.server.ip, direction, protocol,
port)
with testtools.ExpectedException(
RuntimeError,
msg='Wrongfully passed a connectivity check after applying '
'a filter with %s' % filter_params):
netcat.test_connectivity()
self.filter_remove_rule(fw_manager, self.server.ip, direction,
protocol, port)
self.assertTrue(
netcat.test_connectivity(True),
'Failed connectivity check after removing a filter '
'with %s' % filter_params)
def assert_no_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
try:
self.assertRaises(RuntimeError, netcat.test_connectivity)
finally:
netcat.stop_processes()
def assert_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
try:
self.assertTrue(netcat.test_connectivity())
finally:
netcat.stop_processes()
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. multiple overlapping remote rules work,
8. test other protocol functionality by using SCTP protocol
9. test two vms with same mac on the same host in different
networks
"""
index_to_sg = [0, 0, 1, 2]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 4
else:
index_to_host = [0, 1, 1, 0]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(tenant_uuid, network['id'],
'20.0.0.0/24')
sgs = [
self.safe_client.create_security_group(tenant_uuid)
for i in range(3)
]
ports = [
self.safe_client.create_port(tenant_uuid,
network['id'],
self.environment.hosts[host].hostname,
security_groups=[],
port_security_enabled=False)
for host in index_to_host
]
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port],
use_dhcp=True))
for port, host in enumerate(index_to_host)
]
for vm in vms:
vm.block_until_boot()
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
net_helpers.assert_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_ping(vms[1].namespace, vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host."))
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355,
port_range_max=3355)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3355, net_helpers.NetcatTester.TCP)
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(
tenant_uuid,
network['id'],
self.environment.hosts[index_to_host[-1]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[-1]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[-1],
use_dhcp=True)))
self.assertEqual(5, len(vms))
vms[4].block_until_boot()
netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace,
vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check if multiple overlapping remote rules work
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[2]['id'],
direction='ingress',
ethertype=constants.IPv4)
for i in range(2):
self.assert_connection(vms[0].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[3].namespace, vms[0].namespace,
vms[0].ip, 8080,
net_helpers.NetcatTester.TCP)
# 8. check SCTP is supported by security group
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366,
port_range_max=3366)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.SCTP)
# 9. test two vms with same mac on the same host in different networks
self._test_overlapping_mac_addresses()
def assert_no_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
try:
utils.wait_until_true(netcat.test_no_connectivity)
finally:
netcat.stop_processes()
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 0. traffic is allowed when port security is disabled,
1. connection from outside of allowed security group is blocked
2. connection from allowed security group is permitted
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a security group update for entire port range works
6. a remote security group member addition works, and
7. an established connection stops by deleting a SG rule.
8. multiple overlapping remote rules work,
9. test other protocol functionality by using SCTP protocol
10. test two vms with same mac on the same host in different
networks
11. test using multiple security groups
12. test stateless security groups when firewall driver is
iptables or iptables_hybrid.
"""
tenant_uuid = uuidutils.generate_uuid()
subnet_cidr = '20.0.0.0/24'
vms, ports, sgs, network, index_to_host = self._create_resources(
tenant_uuid, subnet_cidr)
# 0. check that traffic is allowed when port security is disabled
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
vms[0].block_until_ping(vms[1].ip)
vms[0].block_until_ping(vms[2].ip)
vms[1].block_until_ping(vms[2].ip)
# Apply security groups to the ports
for port, sg in zip(ports, self.index_to_sg):
self.safe_client.client.update_port(
port['id'],
body={
'port': {
'port_security_enabled': True,
'security_groups': [sgs[sg]['id']]
}
})
# 1. connection from outside of allowed security group is blocked
netcat = net_helpers.NetcatTester(vms[2].namespace, vms[0].namespace,
vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# Wait until port update takes effect on the ports
common_utils.wait_until_true(
netcat.test_no_connectivity,
exception=AssertionError(
"Still can connect to the VM from different host."))
netcat.stop_processes()
# 2. check if connection from allowed security group is permitted
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3333, net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
vms[0].block_until_no_ping(vms[1].ip)
vms[0].block_until_no_ping(vms[2].ip)
vms[1].block_until_no_ping(vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
rule1 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344,
port_range_max=3344)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
# 5. check if a security group update for entire port range works
self.client.delete_security_group_rule(rule1['id'])
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.TCP)
rule1 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=1,
port_range_max=65535)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3344, net_helpers.NetcatTester.TCP)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.TCP)
self.client.delete_security_group_rule(rule1['id'])
# 6. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355,
port_range_max=3355)
self.assert_connection(vms[2].namespace, vms[0].namespace, vms[0].ip,
3355, net_helpers.NetcatTester.TCP)
# 7. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
self.index_to_sg.append(1)
ports.append(
self.safe_client.create_port(
tenant_uuid,
network['id'],
self.environment.hosts[index_to_host[-1]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[-1]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[-1],
use_dhcp=True)))
self.assertEqual(5, len(vms))
vms[4].block_until_boot()
netcat = net_helpers.NetcatTester(vms[4].namespace, vms[0].namespace,
vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 8. check if multiple overlapping remote rules work
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[1]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333,
port_range_max=3333)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[2]['id'],
direction='ingress',
ethertype=constants.IPv4)
for i in range(2):
self.assert_connection(vms[0].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[2].namespace, vms[1].namespace,
vms[1].ip, 3333,
net_helpers.NetcatTester.TCP)
self.assert_connection(vms[3].namespace, vms[0].namespace,
vms[0].ip, 8080,
net_helpers.NetcatTester.TCP)
# 9. check SCTP is supported by security group
self.assert_no_connection(vms[1].namespace, vms[0].namespace,
vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid,
sgs[0]['id'],
remote_group_id=sgs[0]['id'],
direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366,
port_range_max=3366)
self.assert_connection(vms[1].namespace, vms[0].namespace, vms[0].ip,
3366, net_helpers.NetcatTester.SCTP)
# 10. test two vms with same mac on the same host in different networks
self._test_overlapping_mac_addresses()
# 11. Check using multiple security groups
self._test_using_multiple_security_groups()
# 12. test stateless security groups when firewall driver is iptables
# or iptables_hybrid.
# TODO(njohnston): Re-add the iptables here once it is stable
if self.firewall_driver == 'iptables_hybrid':
self._test_stateless_security_groups()
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 1. connection from allowed security group is allowed,
2. connection from elsewhere is blocked,
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. test other protocol functionality by using SCTP protocol
"""
index_to_sg = [0, 0, 1]
if self.firewall_driver == 'iptables_hybrid':
# The iptables_hybrid driver lacks isolation between agents
index_to_host = [0] * 3
else:
index_to_host = [0, 1, 1]
tenant_uuid = uuidutils.generate_uuid()
network = self.safe_client.create_network(tenant_uuid)
self.safe_client.create_subnet(
tenant_uuid, network['id'], '20.0.0.0/24')
sgs = [self.safe_client.create_security_group(tenant_uuid)
for i in range(2)]
ports = [
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[host].hostname,
security_groups=[sgs[sg]['id']])
for host, sg in zip(index_to_host, index_to_sg)]
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3333, port_range_max=3333)
vms = [
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[host],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[port]))
for port, host in enumerate(index_to_host)]
for vm in vms:
vm.block_until_boot()
# 1. check if connection from allowed security group is allowed
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 2. check if connection from elsewhere is blocked
self.assert_no_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3333,
net_helpers.NetcatTester.TCP)
# 3. check if traffic not explicitly allowed (eg. ICMP) is blocked
net_helpers.assert_no_ping(vms[0].namespace, vms[1].ip)
net_helpers.assert_no_ping(vms[0].namespace, vms[2].ip)
net_helpers.assert_no_ping(vms[1].namespace, vms[2].ip)
# 4. check if a security group update takes effect
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3344, port_range_max=3344)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3344,
net_helpers.NetcatTester.TCP)
# 5. check if a remote security group member addition works
rule2 = self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[1]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NAME_TCP,
port_range_min=3355, port_range_max=3355)
self.assert_connection(
vms[2].namespace, vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
# NOTE(slaweq) iptables driver currently contains a bug
# https://bugs.launchpad.net/neutron/+bug/1657260
# where established connections are not dropped after security group
# rule is removed. Remove this workaround once bug #1657260 is fixed.
if self.firewall_driver != 'iptables':
# 6. check if an established connection stops by deleting
# the supporting SG rule.
index_to_host.append(index_to_host[2])
index_to_sg.append(1)
ports.append(
self.safe_client.create_port(tenant_uuid, network['id'],
self.environment.hosts[
index_to_host[3]].hostname,
security_groups=[sgs[1]['id']]))
vms.append(
self.useFixture(
machine.FakeFullstackMachine(
self.environment.hosts[index_to_host[3]],
network['id'],
tenant_uuid,
self.safe_client,
neutron_port=ports[3])))
vms[3].block_until_boot()
netcat = net_helpers.NetcatTester(vms[3].namespace,
vms[0].namespace, vms[0].ip, 3355,
net_helpers.NetcatTester.TCP)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
self.client.delete_security_group_rule(rule2['id'])
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check SCTP is supported by security group
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366, port_range_max=3366)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
def assert_no_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
self.addCleanup(netcat.stop_processes)
self.assertRaises(RuntimeError, netcat.test_connectivity)
netcat.stop_processes()
def assert_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
netcat.stop_processes()
