def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter')
def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter')
def _get_instance_filter_parameters(self, network, mapping): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) for address in mapping['ips']: parameters.append(format_parameter('IP', address['ip'])) if mapping['dhcp_server']: parameters.append(format_parameter('DHCPSERVER', mapping['dhcp_server'])) if CONF.use_ipv6: ra_server = mapping.get('gateway_v6') + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: ipv4_cidr = network['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: ipv6_cidr = network['cidr_v6'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def get_config(self, instance, network, mapping): """Get VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = super(LibvirtBridgeDriver, self).get_config(instance, network, mapping) conf.net_type = "bridge" conf.source_dev = network['bridge'] conf.script = "" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) if mapping['dhcp_server']: conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if CONF.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if CONF.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if CONF.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def _get_configurations(self, instance, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = config.LibvirtConfigGuestInterface() conf.net_type = "bridge" conf.mac_addr = mapping['mac'] conf.source_dev = network['bridge'] conf.script = "" if FLAGS.libvirt_use_virtio_for_bridges: conf.model = "virtio" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if FLAGS.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if FLAGS.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def _get_configurations(self, instance, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = config.LibvirtConfigGuestInterface() conf.net_type = "bridge" conf.mac_addr = mapping['mac'] conf.source_dev = network['bridge'] conf.script = "" if FLAGS.libvirt_use_virtio_for_bridges: conf.model = "virtio" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) if mapping['dhcp_server']: conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if FLAGS.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if FLAGS.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def _get_configurations(self, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" # Assume that the gateway also acts as the dhcp server. gateway_v6 = mapping.get('gateway_v6') mac_id = mapping['mac'].replace(':', '') if FLAGS.allow_same_net_traffic: template = "<parameter name=\"%s\" value=\"%s\" />\n" net, mask = netutils.get_net_and_mask(network['cidr']) values = [("PROJNET", net), ("PROJMASK", mask)] if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) values.extend([("PROJNETV6", net_v6), ("PROJMASKV6", prefixlen_v6)]) extra_params = "".join([template % value for value in values]) else: extra_params = "\n" result = { 'id': mac_id, 'bridge_name': network['bridge'], 'mac_address': mapping['mac'], 'ip_address': mapping['ips'][0]['ip'], 'dhcp_server': mapping['dhcp_server'], 'extra_params': extra_params, } if gateway_v6: result['gateway_v6'] = gateway_v6 + "/128" return result
def _get_configurations(self, network, mapping): """Get a dictionary of VIF configurations for bridge type.""" # Assume that the gateway also acts as the dhcp server. gateway_v6 = mapping.get('gateway_v6') mac_id = mapping['mac'].replace(':', '') if FLAGS.allow_same_net_traffic: template = "<parameter name=\"%s\" value=\"%s\" />\n" net, mask = netutils.get_net_and_mask(network['cidr']) values = [("PROJNET", net), ("PROJMASK", mask)] if FLAGS.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) values.extend([("PROJNETV6", net_v6), ("PROJMASKV6", prefixlen_v6)]) extra_params = "".join([template % value for value in values]) else: extra_params = "\n" result = { 'id': mac_id, 'bridge_name': network['bridge'], 'mac_address': mapping['mac'], 'ip_address': mapping['ips'][0]['ip'], 'dhcp_server': mapping['dhcp_server'], 'extra_params': extra_params, } if gateway_v6: result['gateway_v6'] = gateway_v6 + "/128" return result
def get_config(self, instance, network, mapping): """Get VIF configurations for bridge type.""" mac_id = mapping['mac'].replace(':', '') conf = super(LibvirtBridgeDriver, self).get_config(instance, network, mapping) conf.net_type = "bridge" conf.source_dev = network['bridge'] conf.script = "" conf.filtername = "nova-instance-" + instance['name'] + "-" + mac_id conf.add_filter_param("IP", mapping['ips'][0]['ip']) if mapping['dhcp_server']: conf.add_filter_param("DHCPSERVER", mapping['dhcp_server']) if CONF.use_ipv6: conf.add_filter_param("RASERVER", mapping.get('gateway_v6') + "/128") if CONF.allow_same_net_traffic: net, mask = netutils.get_net_and_mask(network['cidr']) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if CONF.use_ipv6: net_v6, prefixlen_v6 = netutils.get_net_and_prefixlen( network['cidr_v6']) conf.add_filter_param("PROJNET6", net_v6) conf.add_filter_param("PROJMASK6", prefixlen_v6) return conf
def _get_instance_filter_parameters(self, network, mapping): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) for address in mapping['ips']: parameters.append(format_parameter('IP', address['ip'])) if mapping['dhcp_server']: parameters.append(format_parameter('DHCPSERVER', mapping['dhcp_server'])) if CONF.use_ipv6: ra_server = mapping.get('gateway_v6') + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: ipv4_cidr = network['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: ipv6_cidr = network['cidr_v6'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def set_vif_host_backend_filter_config(conf, name, primary_addr, dhcp_server=None, ra_server=None, allow_same_net=False, ipv4_cidr=None, ipv6_cidr=None): """Populate a LibvirtConfigGuestInterface instance with host backend details for traffic filtering""" conf.filtername = name conf.add_filter_param("IP", primary_addr) if dhcp_server: conf.add_filter_param("DHCPSERVER", dhcp_server) if ra_server: conf.add_filter_param("RASERVER", ra_server) if allow_same_net: if ipv4_cidr: net, mask = netutils.get_net_and_mask(ipv4_cidr) conf.add_filter_param("PROJNET", net) conf.add_filter_param("PROJMASK", mask) if ipv6_cidr: net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) conf.add_filter_param("PROJNET6", net) conf.add_filter_param("PROJMASK6", prefix)
def test_nwfilter_parameters(self, mock_define, mock_lookup): fakefilter = NWFilterFakes() mock_lookup.side_effect = fakefilter.nwfilterLookupByName mock_define.side_effect = fakefilter.filterDefineXMLMock instance_ref = self._create_instance() self._create_security_group(instance_ref) network_info = _fake_network_info(self, 1) self.fw.setup_basic_filtering(instance_ref, network_info) vif = network_info[0] nic_id = vif["address"].replace(":", "") instance_filter_name = self.fw._instance_filter_name(instance_ref, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall("filterref"): parameters = fref.findall("./parameter") for parameter in parameters: subnet_v4, subnet_v6 = vif["network"]["subnets"] if parameter.get("name") == "IP": self.assertTrue(_ipv4_like(parameter.get("value"), "192.168")) elif parameter.get("name") == "DHCPSERVER": dhcp_server = subnet_v4.get("dhcp_server") self.assertEqual(parameter.get("value"), dhcp_server) elif parameter.get("name") == "RASERVER": ra_server = subnet_v6["gateway"]["address"] + "/128" self.assertEqual(parameter.get("value"), ra_server) elif parameter.get("name") == "PROJNET": ipv4_cidr = subnet_v4["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get("value"), net) elif parameter.get("name") == "PROJMASK": ipv4_cidr = subnet_v4["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get("value"), mask) elif parameter.get("name") == "PROJNET6": ipv6_cidr = subnet_v6["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get("value"), net) elif parameter.get("name") == "PROJMASK6": ipv6_cidr = subnet_v6["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get("value"), prefix) else: raise exception.InvalidParameterValue("unknown parameter " "in filter")
def _get_instance_filter_parameters(self, vif): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) network = vif['network'] if not vif['network'] or not vif['network']['subnets']: return parameters v4_subnets = [s for s in network['subnets'] if s['version'] == 4] v6_subnets = [s for s in network['subnets'] if s['version'] == 6] for subnet in v4_subnets: for ip in subnet['ips']: parameters.append(format_parameter('IP', ip['address'])) dhcp_server = subnet.get_meta('dhcp_server') if dhcp_server: parameters.append(format_parameter('DHCPSERVER', dhcp_server)) if CONF.use_ipv6: for subnet in v6_subnets: gateway = subnet.get('gateway') if gateway: ra_server = gateway['address'] + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: for subnet in v4_subnets: ipv4_cidr = subnet['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: for subnet in v6_subnets: ipv6_cidr = subnet['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def _get_instance_filter_parameters(self, vif): parameters = [] def format_parameter(parameter, value): return ("<parameter name='%s' value='%s'/>" % (parameter, value)) network = vif['network'] if not vif['network'] or not vif['network']['subnets']: return parameters v4_subnets = [s for s in network['subnets'] if s['version'] == 4] v6_subnets = [s for s in network['subnets'] if s['version'] == 6] for subnet in v4_subnets: for ip in subnet['ips']: parameters.append(format_parameter('IP', ip['address'])) dhcp_server = subnet.get_meta('dhcp_server') if dhcp_server: parameters.append(format_parameter('DHCPSERVER', dhcp_server)) if CONF.use_ipv6: for subnet in v6_subnets: gateway = subnet.get('gateway') if gateway: ra_server = gateway['address'] + "/128" parameters.append(format_parameter('RASERVER', ra_server)) if CONF.allow_same_net_traffic: for subnet in v4_subnets: ipv4_cidr = subnet['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter('PROJNET', net)) parameters.append(format_parameter('PROJMASK', mask)) if CONF.use_ipv6: for subnet in v6_subnets: ipv6_cidr = subnet['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter('PROJNET6', net)) parameters.append(format_parameter('PROJMASK6', prefix)) return parameters
def _get_instance_filter_parameters(self, vif): parameters = [] def format_parameter(parameter, value): return "<parameter name='%s' value='%s'/>" % (parameter, value) network = vif["network"] if not vif["network"] or not vif["network"]["subnets"]: return parameters v4_subnets = [s for s in network["subnets"] if s["version"] == 4] v6_subnets = [s for s in network["subnets"] if s["version"] == 6] for subnet in v4_subnets: for ip in subnet["ips"]: parameters.append(format_parameter("IP", ip["address"])) dhcp_server = subnet.get_meta("dhcp_server") if dhcp_server: parameters.append(format_parameter("DHCPSERVER", dhcp_server)) if CONF.use_ipv6: for subnet in v6_subnets: gateway = subnet.get("gateway") if gateway: ra_server = gateway["address"] + "/128" parameters.append(format_parameter("RASERVER", ra_server)) if CONF.allow_same_net_traffic: for subnet in v4_subnets: ipv4_cidr = subnet["cidr"] net, mask = netutils.get_net_and_mask(ipv4_cidr) parameters.append(format_parameter("PROJNET", net)) parameters.append(format_parameter("PROJMASK", mask)) if CONF.use_ipv6: for subnet in v6_subnets: ipv6_cidr = subnet["cidr"] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) parameters.append(format_parameter("PROJNET6", net)) parameters.append(format_parameter("PROJMASK6", prefix)) return parameters
def security_group_to_nwfilter_xml(security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "<rule action='accept' direction='in' priority='300'>" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if (FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info( 'rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-secgroup-%s' " % security_group_id if (FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def provider_fw_to_nwfilter_xml(): """Compose a filter of drop rules from specified cidrs.""" rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} rules = db.provider_fw_rule_get_all(context.get_admin_context()) for rule in rules: rule_xml += "<rule action='block' direction='in' priority='150'>" version = netutils.get_ip_version(rule.cidr) if (FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info( 'rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-provider-rules' " if (FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def security_group_to_nwfilter_xml(security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "<rule action='accept' direction='in' priority='300'>" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-secgroup-%s' " % security_group_id if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def provider_fw_to_nwfilter_xml(): """Compose a filter of drop rules from specified cidrs.""" rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} rules = db.provider_fw_rule_get_all(context.get_admin_context()) for rule in rules: rule_xml += "<rule action='block' direction='in' priority='150'>" version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-provider-rules' " if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def test_nwfilter_parameters(self): admin_ctxt = context.get_admin_context() fakefilter = NWFilterFakes() self.fw._conn.nwfilterDefineXML = fakefilter.filterDefineXMLMock self.fw._conn.nwfilterLookupByName = fakefilter.nwfilterLookupByName instance_ref = self._create_instance() inst_id = instance_ref['id'] inst_uuid = instance_ref['uuid'] self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_uuid, self.security_group['id']) instance = db.instance_get(self.context, inst_id) network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue(_ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter') db.instance_destroy(admin_ctxt, instance_ref['uuid'])
def test_nwfilter_parameters(self): admin_ctxt = context.get_admin_context() fakefilter = NWFilterFakes() self.fw._conn.nwfilterDefineXML = fakefilter.filterDefineXMLMock self.fw._conn.nwfilterLookupByName = fakefilter.nwfilterLookupByName instance_ref = self._create_instance() inst_id = instance_ref['id'] inst_uuid = instance_ref['uuid'] self.security_group = self.setup_and_return_security_group() db.instance_add_security_group(self.context, inst_uuid, self.security_group['id']) instance = db.instance_get(self.context, inst_id) network_info = _fake_network_info(self.stubs, 1) self.fw.setup_basic_filtering(instance, network_info) vif = network_info[0] nic_id = vif['address'].replace(':', '') instance_filter_name = self.fw._instance_filter_name(instance, nic_id) f = fakefilter.nwfilterLookupByName(instance_filter_name) tree = etree.fromstring(f.xml) for fref in tree.findall('filterref'): parameters = fref.findall('./parameter') for parameter in parameters: subnet_v4, subnet_v6 = vif['network']['subnets'] if parameter.get('name') == 'IP': self.assertTrue( _ipv4_like(parameter.get('value'), '192.168')) elif parameter.get('name') == 'DHCPSERVER': dhcp_server = subnet_v4.get('dhcp_server') self.assertEqual(parameter.get('value'), dhcp_server) elif parameter.get('name') == 'RASERVER': ra_server = subnet_v6['gateway']['address'] + "/128" self.assertEqual(parameter.get('value'), ra_server) elif parameter.get('name') == 'PROJNET': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK': ipv4_cidr = subnet_v4['cidr'] net, mask = netutils.get_net_and_mask(ipv4_cidr) self.assertEqual(parameter.get('value'), mask) elif parameter.get('name') == 'PROJNET6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), net) elif parameter.get('name') == 'PROJMASK6': ipv6_cidr = subnet_v6['cidr'] net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr) self.assertEqual(parameter.get('value'), prefix) else: raise exception.InvalidParameterValue('unknown parameter ' 'in filter') db.instance_destroy(admin_ctxt, instance_ref['uuid'])