def setup_security_group(self, context): group_name = '%s%s' % (context.project_id, CONF.vpn_key_suffix) group = {'user_id': context.user_id, 'project_id': context.project_id, 'name': group_name, 'description': 'Group for vpn'} try: group_ref = db.security_group_create(context, group) except exception.SecurityGroupExists: return group_name rule = {'parent_group_id': group_ref['id'], 'cidr': '0.0.0.0/0', 'protocol': 'udp', 'from_port': 1194, 'to_port': 1194} db.security_group_rule_create(context, rule) rule = {'parent_group_id': group_ref['id'], 'cidr': '0.0.0.0/0', 'protocol': 'icmp', 'from_port': -1, 'to_port': -1} db.security_group_rule_create(context, rule) # NOTE(vish): No need to trigger the group since the instance # has not been run yet. return group_name
def setup_security_group(self, context): group_name = "%s%s" % (context.project_id, CONF.vpn_key_suffix) group = { "user_id": context.user_id, "project_id": context.project_id, "name": group_name, "description": "Group for vpn", } try: group_ref = db.security_group_create(context, group) except exception.SecurityGroupExists: return group_name rule = { "parent_group_id": group_ref["id"], "cidr": "0.0.0.0/0", "protocol": "udp", "from_port": 1194, "to_port": 1194, } db.security_group_rule_create(context, rule) rule = { "parent_group_id": group_ref["id"], "cidr": "0.0.0.0/0", "protocol": "icmp", "from_port": -1, "to_port": -1, } db.security_group_rule_create(context, rule) # NOTE(vish): No need to trigger the group since the instance # has not been run yet. return group_name
def setup_security_group(self, context): group_name = '%s%s' % (context.project_id, CONF.vpn_key_suffix) if db.security_group_exists(context, context.project_id, group_name): return group_name group = { 'user_id': context.user_id, 'project_id': context.project_id, 'name': group_name, 'description': 'Group for vpn' } group_ref = db.security_group_create(context, group) rule = { 'parent_group_id': group_ref['id'], 'cidr': '0.0.0.0/0', 'protocol': 'udp', 'from_port': 1194, 'to_port': 1194 } db.security_group_rule_create(context, rule) rule = { 'parent_group_id': group_ref['id'], 'cidr': '0.0.0.0/0', 'protocol': 'icmp', 'from_port': -1, 'to_port': -1 } db.security_group_rule_create(context, rule) # NOTE(vish): No need to trigger the group since the instance # has not been run yet. return group_name
def create_rule(rule, context): """ Create a security rule. rule -- The rule. context -- The os context. """ # TODO: check exception handling! db.security_group_rule_create(context, rule)
def create_rule(rule, context): """ Create a security rule. rule -- The rule. context -- The os context. """ try: db.security_group_rule_create(context, rule) except Exception as err: raise AttributeError('Unable to create rule: ' + str(err))
def authorize_security_group_ingress(self, context, group_name, **kwargs): LOG.audit(_("Authorize security group ingress %s"), group_name, context=context) self.compute_api.ensure_default_security_group(context) security_group = db.security_group_get_by_name(context, context.project_id, group_name) values = self._revoke_rule_args_to_dict(context, **kwargs) if values is None: raise exception.ApiError( _("Not enough parameters to build a " "valid rule.")) values['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values): raise exception.ApiError( _('This rule already exists in group %s') % group_name) security_group_rule = db.security_group_rule_create(context, values) self.compute_api.trigger_security_group_rules_refresh( context, security_group['id']) return True
def create(self, req, body): context = req.environ['nova.context'] group_id = body['security_group_rule']['parent_group_id'] self.compute_api.ensure_default_security_group(context) security_group = db.security_group_get(context, group_id) if not security_group: raise exception.SecurityGroupNotFound(security_group_id=group_id) msg = "Authorize security group ingress %s" LOG.audit(_(msg), security_group['name'], context=context) values = self._revoke_rule_args_to_dict(context, **body['security_group_rule']) if values is None: raise exception.ApiError(_("Not enough parameters to build a " "valid rule.")) values['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values): raise exception.ApiError(_('This rule already exists in group %s') % group_id) security_group_rule = db.security_group_rule_create(context, values) self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=security_group['id']) return {'security_group_rule': self._format_security_group_rule( context, security_group_rule)}
def create(self, req, body): context = req.environ['nova.context'] authorize(context) if not body: raise exc.HTTPUnprocessableEntity() if not 'security_group_rule' in body: raise exc.HTTPUnprocessableEntity() self.compute_api.ensure_default_security_group(context) sg_rule = body['security_group_rule'] parent_group_id = sg_rule.get('parent_group_id', None) try: parent_group_id = int(parent_group_id) security_group = db.security_group_get(context, parent_group_id) except ValueError: msg = _("Parent group id is not integer") raise exc.HTTPBadRequest(explanation=msg) except exception.NotFound as exp: msg = _("Security group (%s) not found") % parent_group_id raise exc.HTTPNotFound(explanation=msg) msg = _("Authorize security group ingress %s") LOG.audit(msg, security_group['name'], context=context) try: values = self._rule_args_to_dict( context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), parent_group_id=sg_rule.get('parent_group_id'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if values is None: msg = _("Not enough parameters to build a " "valid rule.") raise exc.HTTPBadRequest(explanation=msg) values['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values): msg = _('This rule already exists in group %s') % parent_group_id raise exc.HTTPBadRequest(explanation=msg) security_group_rule = db.security_group_rule_create(context, values) self.sgh.trigger_security_group_rule_create_refresh( context, [security_group_rule['id']]) self.compute_api.trigger_security_group_rules_refresh( context, security_group_id=security_group['id']) return { "security_group_rule": self._format_security_group_rule(context, security_group_rule) }
def create(self, req, body): context = req.environ['nova.context'] authorize(context) if not body: raise exc.HTTPUnprocessableEntity() if not 'security_group_rule' in body: raise exc.HTTPUnprocessableEntity() self.compute_api.ensure_default_security_group(context) sg_rule = body['security_group_rule'] parent_group_id = sg_rule.get('parent_group_id', None) try: parent_group_id = int(parent_group_id) security_group = db.security_group_get(context, parent_group_id) except ValueError: msg = _("Parent group id is not integer") raise exc.HTTPBadRequest(explanation=msg) except exception.NotFound as exp: msg = _("Security group (%s) not found") % parent_group_id raise exc.HTTPNotFound(explanation=msg) msg = _("Authorize security group ingress %s") LOG.audit(msg, security_group['name'], context=context) try: values = self._rule_args_to_dict(context, to_port=sg_rule.get('to_port'), from_port=sg_rule.get('from_port'), parent_group_id=sg_rule.get('parent_group_id'), ip_protocol=sg_rule.get('ip_protocol'), cidr=sg_rule.get('cidr'), group_id=sg_rule.get('group_id')) except Exception as exp: raise exc.HTTPBadRequest(explanation=unicode(exp)) if values is None: msg = _("Not enough parameters to build a " "valid rule.") raise exc.HTTPBadRequest(explanation=msg) values['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values): msg = _('This rule already exists in group %s') % parent_group_id raise exc.HTTPBadRequest(explanation=msg) security_group_rule = db.security_group_rule_create(context, values) self.sgh.trigger_security_group_rule_create_refresh( context, [security_group_rule['id']]) self.compute_api.trigger_security_group_rules_refresh(context, security_group_id=security_group['id']) return {"security_group_rule": self._format_security_group_rule( context, security_group_rule)}
def create(self): if self.obj_attr_is_set('id'): raise exception.ObjectActionError(action='create', reason='already created') updates = self.obj_get_changes() parent_group = updates.pop('parent_group', None) if parent_group: updates['parent_group_id'] = parent_group.id grantee_group = updates.pop('grantee_group', None) if grantee_group: updates['group_id'] = grantee_group.id db_rule = db.security_group_rule_create(self._context, updates) self._from_db_object(self._context, self, db_rule)
def authorize_security_group_ingress(self, context, group_name, **kwargs): LOG.audit(_("Authorize security group ingress %s"), group_name, context=context) self.compute_api.ensure_default_security_group(context) security_group = db.security_group_get_by_name(context, context.project_id, group_name) values = self._revoke_rule_args_to_dict(context, **kwargs) if values is None: raise exception.ApiError(_("Not enough parameters to build a " "valid rule.")) values['parent_group_id'] = security_group.id if self._security_group_rule_exists(security_group, values): raise exception.ApiError(_('This rule already exists in group %s') % group_name) security_group_rule = db.security_group_rule_create(context, values) self.compute_api.trigger_security_group_rules_refresh(context, security_group['id']) return True
def test_static_filters(self): instance_ref = self._create_instance_ref() ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {'allocated': True, 'instance_id': instance_ref['id']}) secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24'}) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'): return '\n'.join(self.in6_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'filter'): return '\n'.join(self.in_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'nat'): return '\n'.join(self.in_nat_rules), None if cmd == ('sudo', 'iptables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('sudo', 'ip6tables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' print cmd, kwargs from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_filter_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp ' '--icmp-type 8 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_static_filters(self, mock_lock): mock_lock.return_value = threading.Semaphore() instance_ref = self._create_instance_ref() src_instance_ref = self._create_instance_ref() admin_ctxt = context.get_admin_context() secgroup = db.security_group_create( admin_ctxt, { 'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group' }) src_secgroup = db.security_group_create( admin_ctxt, { 'user_id': 'fake', 'project_id': 'fake', 'name': 'testsourcegroup', 'description': 'src group' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'group_id': src_secgroup['id'] }) db.security_group_rule_create(admin_ctxt, { 'parent_group_id': secgroup['id'], 'group_id': src_secgroup['id'] }) db.instance_add_security_group(admin_ctxt, instance_ref['uuid'], secgroup['id']) db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'], src_secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id']) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('ip6tables-save', '-c'): return '\n'.join(self.in6_filter_rules), None if cmd == ('iptables-save', '-c'): return '\n'.join(self.in_rules), None if cmd == ('iptables-restore', '-c'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ( 'ip6tables-restore', '-c', ): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' network_model = _fake_network_info(self.stubs, 1) linux_net.iptables_manager.execute = fake_iptables_execute self.stubs.Set(compute_utils, 'get_nw_info_for_instance', lambda instance: network_model) self.fw.prepare_instance_filter(instance_ref, network_model) self.fw.apply_instance_filter(instance_ref, network_model) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if 'nova' not in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now # last two octets change if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule): instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp ' '-s 192.168.11.0/24') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp ' '--icmp-type 8 -s 192.168.11.0/24') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") for ip in network_model.fixed_ips(): if ip['version'] != 4: continue regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport ' '--dports 80:81 -s %s' % ip['address']) self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s ' '%s' % ip['address']) self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "Protocol/port-less acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp ' '-m multiport --dports 80:81 -s 192.168.10.0/24') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['uuid'])
def test_static_filters(self): instance_ref = db.instance_create(self.context, {'user_id': 'fake', 'project_id': 'fake', 'mac_address': '56:12:12:12:12:12'}) ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {'allocated': True, 'instance_id': instance_ref['id']}) secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24'}) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(cmd, process_input=None): if cmd == 'sudo ip6tables-save -t filter': return '\n'.join(self.in6_rules), None if cmd == 'sudo iptables-save -t filter': return '\n'.join(self.in_rules), None if cmd == 'sudo iptables-restore': self.out_rules = process_input.split('\n') return '', '' if cmd == 'sudo ip6tables-restore': self.out6_rules = process_input.split('\n') return '', '' self.fw.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \ security_group_chain in self.out_rules, "ICMP acceptance rule wasn't added") self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type ' '8 -j ACCEPT' % security_group_chain in self.out_rules, "ICMP Echo Request acceptance rule wasn't added") self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT' % security_group_chain \ in self.out_rules, "TCP port 80/81 acceptance rule wasn't added")
def test_static_filters(self): instance_ref = db.instance_create( self.context, { 'user_id': 'fake', 'project_id': 'fake', 'mac_address': '56:12:12:12:12:12' }) ip = '10.11.12.13' network_ref = db.project_get_network(self.context, 'fake') fixed_ip = {'address': ip, 'network_id': network_ref['id']} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, { 'allocated': True, 'instance_id': instance_ref['id'] }) secgroup = db.security_group_create( admin_ctxt, { 'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24' }) db.security_group_rule_create( admin_ctxt, { 'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24' }) db.instance_add_security_group(admin_ctxt, instance_ref['id'], secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) # self.fw.add_instance(instance_ref) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('sudo', 'ip6tables-save', '-t', 'filter'): return '\n'.join(self.in6_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'filter'): return '\n'.join(self.in_filter_rules), None if cmd == ('sudo', 'iptables-save', '-t', 'nat'): return '\n'.join(self.in_nat_rules), None if cmd == ('sudo', 'iptables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('sudo', 'ip6tables-restore'): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' print cmd, kwargs from nova.network import linux_net linux_net.iptables_manager.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith('#'), self.in_filter_rules) for rule in in_rules: if not 'nova' in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-d 10.11.12.13 -j' in rule: instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('-A .* -p icmp -s 192.168.11.0/24 -m icmp ' '--icmp-type 8 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") regex = re.compile('-A .* -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT') self.assertTrue( len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['id'])
def test_static_filters(self, mock_lock): mock_lock.return_value = threading.Semaphore() instance_ref = self._create_instance_ref() src_instance_ref = self._create_instance_ref() admin_ctxt = context.get_admin_context() secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testgroup', 'description': 'test group'}) src_secgroup = db.security_group_create(admin_ctxt, {'user_id': 'fake', 'project_id': 'fake', 'name': 'testsourcegroup', 'description': 'src group'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': -1, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'icmp', 'from_port': 8, 'to_port': -1, 'cidr': '192.168.11.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'cidr': '192.168.10.0/24'}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'protocol': 'tcp', 'from_port': 80, 'to_port': 81, 'group_id': src_secgroup['id']}) db.security_group_rule_create(admin_ctxt, {'parent_group_id': secgroup['id'], 'group_id': src_secgroup['id']}) db.instance_add_security_group(admin_ctxt, instance_ref['uuid'], secgroup['id']) db.instance_add_security_group(admin_ctxt, src_instance_ref['uuid'], src_secgroup['id']) instance_ref = db.instance_get(admin_ctxt, instance_ref['id']) src_instance_ref = db.instance_get(admin_ctxt, src_instance_ref['id']) def fake_iptables_execute(*cmd, **kwargs): process_input = kwargs.get('process_input', None) if cmd == ('ip6tables-save', '-c'): return '\n'.join(self.in6_filter_rules), None if cmd == ('iptables-save', '-c'): return '\n'.join(self.in_rules), None if cmd == ('iptables-restore', '-c'): lines = process_input.split('\n') if '*filter' in lines: self.out_rules = lines return '', '' if cmd == ('ip6tables-restore', '-c',): lines = process_input.split('\n') if '*filter' in lines: self.out6_rules = lines return '', '' network_model = _fake_network_info(self.stubs, 1) linux_net.iptables_manager.execute = fake_iptables_execute self.stubs.Set(compute_utils, 'get_nw_info_for_instance', lambda instance: network_model) self.fw.prepare_instance_filter(instance_ref, network_model) self.fw.apply_instance_filter(instance_ref, network_model) in_rules = filter(lambda l: not l.startswith('#'), self.in_rules) for rule in in_rules: if 'nova' not in rule: self.assertTrue(rule in self.out_rules, 'Rule went missing: %s' % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now # last two octets change if re.search('-d 192.168.[0-9]{1,3}.[0-9]{1,3} -j', rule): instance_chain = rule.split(' ')[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if '-A %s -j' % instance_chain in rule: security_group_chain = rule.split(' ')[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp ' '-s 192.168.11.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p icmp -m icmp ' '--icmp-type 8 -s 192.168.11.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "ICMP Echo Request acceptance rule wasn't added") for ip in network_model.fixed_ips(): if ip['version'] != 4: continue regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp -m multiport ' '--dports 80:81 -s %s' % ip['address']) self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -s ' '%s' % ip['address']) self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "Protocol/port-less acceptance rule wasn't added") regex = re.compile('\[0\:0\] -A .* -j ACCEPT -p tcp ' '-m multiport --dports 80:81 -s 192.168.10.0/24') self.assertTrue(len(filter(regex.match, self.out_rules)) > 0, "TCP port 80/81 acceptance rule wasn't added") db.instance_destroy(admin_ctxt, instance_ref['uuid'])
def test_static_filters(self): instance_ref = db.instance_create( self.context, {"user_id": "fake", "project_id": "fake", "mac_address": "56:12:12:12:12:12"} ) ip = "10.11.12.13" network_ref = db.project_get_network(self.context, "fake") fixed_ip = {"address": ip, "network_id": network_ref["id"]} admin_ctxt = context.get_admin_context() db.fixed_ip_create(admin_ctxt, fixed_ip) db.fixed_ip_update(admin_ctxt, ip, {"allocated": True, "instance_id": instance_ref["id"]}) secgroup = db.security_group_create( admin_ctxt, {"user_id": "fake", "project_id": "fake", "name": "testgroup", "description": "test group"} ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "icmp", "from_port": -1, "to_port": -1, "cidr": "192.168.11.0/24", }, ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "icmp", "from_port": 8, "to_port": -1, "cidr": "192.168.11.0/24", }, ) db.security_group_rule_create( admin_ctxt, { "parent_group_id": secgroup["id"], "protocol": "tcp", "from_port": 80, "to_port": 81, "cidr": "192.168.10.0/24", }, ) db.instance_add_security_group(admin_ctxt, instance_ref["id"], secgroup["id"]) instance_ref = db.instance_get(admin_ctxt, instance_ref["id"]) # self.fw.add_instance(instance_ref) def fake_iptables_execute(cmd, process_input=None): if cmd == "sudo ip6tables-save -t filter": return "\n".join(self.in6_rules), None if cmd == "sudo iptables-save -t filter": return "\n".join(self.in_rules), None if cmd == "sudo iptables-restore": self.out_rules = process_input.split("\n") return "", "" if cmd == "sudo ip6tables-restore": self.out6_rules = process_input.split("\n") return "", "" self.fw.execute = fake_iptables_execute self.fw.prepare_instance_filter(instance_ref) self.fw.apply_instance_filter(instance_ref) in_rules = filter(lambda l: not l.startswith("#"), self.in_rules) for rule in in_rules: if not "nova" in rule: self.assertTrue(rule in self.out_rules, "Rule went missing: %s" % rule) instance_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if "-d 10.11.12.13 -j" in rule: instance_chain = rule.split(" ")[-1] break self.assertTrue(instance_chain, "The instance chain wasn't added") security_group_chain = None for rule in self.out_rules: # This is pretty crude, but it'll do for now if "-A %s -j" % instance_chain in rule: security_group_chain = rule.split(" ")[-1] break self.assertTrue(security_group_chain, "The security group chain wasn't added") self.assertTrue( "-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT" % security_group_chain in self.out_rules, "ICMP acceptance rule wasn't added", ) self.assertTrue( "-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type " "8 -j ACCEPT" % security_group_chain in self.out_rules, "ICMP Echo Request acceptance rule wasn't added", ) self.assertTrue( "-A %s -p tcp -s 192.168.10.0/24 -m multiport " "--dports 80:81 -j ACCEPT" % security_group_chain in self.out_rules, "TCP port 80/81 acceptance rule wasn't added", ) db.instance_destroy(admin_ctxt, instance_ref["id"])