avoid changing the rule's own action
fixes Bug #1240812 When iterating through the rule list, we should not change the rule itself. So that we can use the rule data for the second router. Change-Id: I613438507949007bec41416e7f8530693e4d5129
This commit is contained in:
parent
85e798deca
commit
c8b07d5293
@ -233,11 +233,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||||||
self._add_rules_to_chain(ipt_mgr, IPV6, 'FORWARD', jump_rule)
|
self._add_rules_to_chain(ipt_mgr, IPV6, 'FORWARD', jump_rule)
|
||||||
|
|
||||||
def _convert_fwaas_to_iptables_rule(self, rule):
|
def _convert_fwaas_to_iptables_rule(self, rule):
|
||||||
if rule.get('action') == 'allow':
|
action = rule.get('action') == 'allow' and 'ACCEPT' or 'DROP'
|
||||||
rule['action'] = 'ACCEPT'
|
|
||||||
else:
|
|
||||||
rule['action'] = 'DROP'
|
|
||||||
|
|
||||||
args = [self._protocol_arg(rule.get('protocol')),
|
args = [self._protocol_arg(rule.get('protocol')),
|
||||||
self._port_arg('dport',
|
self._port_arg('dport',
|
||||||
rule.get('protocol'),
|
rule.get('protocol'),
|
||||||
@ -247,7 +243,7 @@ class IptablesFwaasDriver(fwaas_base.FwaasDriverBase):
|
|||||||
rule.get('source_port')),
|
rule.get('source_port')),
|
||||||
self._ip_prefix_arg('s', rule.get('source_ip_address')),
|
self._ip_prefix_arg('s', rule.get('source_ip_address')),
|
||||||
self._ip_prefix_arg('d', rule.get('destination_ip_address')),
|
self._ip_prefix_arg('d', rule.get('destination_ip_address')),
|
||||||
self._action_arg(rule.get('action'))]
|
self._action_arg(action)]
|
||||||
|
|
||||||
iptables_rule = ' '.join(args)
|
iptables_rule = ' '.join(args)
|
||||||
return iptables_rule
|
return iptables_rule
|
||||||
|
@ -46,23 +46,11 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
self.addCleanup(self.utils_exec_p.stop)
|
self.addCleanup(self.utils_exec_p.stop)
|
||||||
self.iptables_cls_p = mock.patch(
|
self.iptables_cls_p = mock.patch(
|
||||||
'neutron.agent.linux.iptables_manager.IptablesManager')
|
'neutron.agent.linux.iptables_manager.IptablesManager')
|
||||||
iptables_cls = self.iptables_cls_p.start()
|
self.iptables_cls_p.start()
|
||||||
self.addCleanup(self.iptables_cls_p.stop)
|
self.addCleanup(self.iptables_cls_p.stop)
|
||||||
self.iptables_inst = mock.Mock()
|
|
||||||
self.v4filter_inst = mock.Mock()
|
|
||||||
self.v6filter_inst = mock.Mock()
|
|
||||||
self.v4filter_inst.chains = []
|
|
||||||
self.v6filter_inst.chains = []
|
|
||||||
self.iptables_inst.ipv4 = {'filter': self.v4filter_inst}
|
|
||||||
self.iptables_inst.ipv6 = {'filter': self.v6filter_inst}
|
|
||||||
iptables_cls.return_value = self.iptables_inst
|
|
||||||
|
|
||||||
self.router_info_inst = mock.Mock()
|
|
||||||
self.router_info_inst.iptables_manager = self.iptables_inst
|
|
||||||
|
|
||||||
self.firewall = fwaas.IptablesFwaasDriver()
|
self.firewall = fwaas.IptablesFwaasDriver()
|
||||||
|
|
||||||
def _fake_rules_v4(self, fwid):
|
def _fake_rules_v4(self, fwid, apply_list):
|
||||||
rule_list = []
|
rule_list = []
|
||||||
rule1 = {'enabled': True,
|
rule1 = {'enabled': True,
|
||||||
'action': 'allow',
|
'action': 'allow',
|
||||||
@ -76,9 +64,11 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
'protocol': 'tcp',
|
'protocol': 'tcp',
|
||||||
'destination_port': '22'}
|
'destination_port': '22'}
|
||||||
ingress_chain = ('iv4%s' % fwid)[:11]
|
ingress_chain = ('iv4%s' % fwid)[:11]
|
||||||
self.v4filter_inst.chains.append(ingress_chain)
|
|
||||||
egress_chain = ('ov4%s' % fwid)[:11]
|
egress_chain = ('ov4%s' % fwid)[:11]
|
||||||
self.v4filter_inst.chains.append(egress_chain)
|
for router_info_inst in apply_list:
|
||||||
|
v4filter_inst = router_info_inst.iptables_manager.ipv4['filter']
|
||||||
|
v4filter_inst.chains.append(ingress_chain)
|
||||||
|
v4filter_inst.chains.append(egress_chain)
|
||||||
rule_list.append(rule1)
|
rule_list.append(rule1)
|
||||||
rule_list.append(rule2)
|
rule_list.append(rule2)
|
||||||
return rule_list
|
return rule_list
|
||||||
@ -105,14 +95,25 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
'firewall_rule_list': rule_list}
|
'firewall_rule_list': rule_list}
|
||||||
return fw_inst
|
return fw_inst
|
||||||
|
|
||||||
def _fake_apply_list(self):
|
def _fake_apply_list(self, router_count=1):
|
||||||
apply_list = []
|
apply_list = []
|
||||||
apply_list.append(self.router_info_inst)
|
while router_count > 0:
|
||||||
|
iptables_inst = mock.Mock()
|
||||||
|
v4filter_inst = mock.Mock()
|
||||||
|
v6filter_inst = mock.Mock()
|
||||||
|
v4filter_inst.chains = []
|
||||||
|
v6filter_inst.chains = []
|
||||||
|
iptables_inst.ipv4 = {'filter': v4filter_inst}
|
||||||
|
iptables_inst.ipv6 = {'filter': v6filter_inst}
|
||||||
|
router_info_inst = mock.Mock()
|
||||||
|
router_info_inst.iptables_manager = iptables_inst
|
||||||
|
apply_list.append(router_info_inst)
|
||||||
|
router_count -= 1
|
||||||
return apply_list
|
return apply_list
|
||||||
|
|
||||||
def _setup_firewall_with_rules(self, func):
|
def _setup_firewall_with_rules(self, func, router_count=1):
|
||||||
apply_list = self._fake_apply_list()
|
apply_list = self._fake_apply_list(router_count=router_count)
|
||||||
rule_list = self._fake_rules_v4(FAKE_FW_ID)
|
rule_list = self._fake_rules_v4(FAKE_FW_ID, apply_list)
|
||||||
firewall = self._fake_firewall(rule_list)
|
firewall = self._fake_firewall(rule_list)
|
||||||
func(apply_list, firewall)
|
func(apply_list, firewall)
|
||||||
invalid_rule = '-m state --state INVALID -j DROP'
|
invalid_rule = '-m state --state INVALID -j DROP'
|
||||||
@ -124,26 +125,32 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
bname = fwaas.iptables_manager.binary_name
|
bname = fwaas.iptables_manager.binary_name
|
||||||
ipt_mgr_ichain = '%s-%s' % (bname, ingress_chain[:11])
|
ipt_mgr_ichain = '%s-%s' % (bname, ingress_chain[:11])
|
||||||
ipt_mgr_echain = '%s-%s' % (bname, egress_chain[:11])
|
ipt_mgr_echain = '%s-%s' % (bname, egress_chain[:11])
|
||||||
calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
|
for router_info_inst in apply_list:
|
||||||
call.ensure_remove_chain('ov4fake-fw-uuid'),
|
v4filter_inst = router_info_inst.iptables_manager.ipv4['filter']
|
||||||
call.ensure_remove_chain('fwaas-default-policy'),
|
calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
|
||||||
call.add_chain('fwaas-default-policy'),
|
call.ensure_remove_chain('ov4fake-fw-uuid'),
|
||||||
call.add_rule('fwaas-default-policy', '-j DROP'),
|
call.ensure_remove_chain('fwaas-default-policy'),
|
||||||
call.add_chain(ingress_chain),
|
call.add_chain('fwaas-default-policy'),
|
||||||
call.add_rule(ingress_chain, invalid_rule),
|
call.add_rule('fwaas-default-policy', '-j DROP'),
|
||||||
call.add_rule(ingress_chain, est_rule),
|
call.add_chain(ingress_chain),
|
||||||
call.add_chain(egress_chain),
|
call.add_rule(ingress_chain, invalid_rule),
|
||||||
call.add_rule(egress_chain, invalid_rule),
|
call.add_rule(ingress_chain, est_rule),
|
||||||
call.add_rule(egress_chain, est_rule),
|
call.add_chain(egress_chain),
|
||||||
call.add_rule(ingress_chain, rule1),
|
call.add_rule(egress_chain, invalid_rule),
|
||||||
call.add_rule(egress_chain, rule1),
|
call.add_rule(egress_chain, est_rule),
|
||||||
call.add_rule(ingress_chain, rule2),
|
call.add_rule(ingress_chain, rule1),
|
||||||
call.add_rule(egress_chain, rule2),
|
call.add_rule(egress_chain, rule1),
|
||||||
call.add_rule('FORWARD', '-o qr-+ -j %s' % ipt_mgr_ichain),
|
call.add_rule(ingress_chain, rule2),
|
||||||
call.add_rule('FORWARD', '-i qr-+ -j %s' % ipt_mgr_echain),
|
call.add_rule(egress_chain, rule2),
|
||||||
call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
|
call.add_rule('FORWARD',
|
||||||
call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
|
'-o qr-+ -j %s' % ipt_mgr_ichain),
|
||||||
self.v4filter_inst.assert_has_calls(calls)
|
call.add_rule('FORWARD',
|
||||||
|
'-i qr-+ -j %s' % ipt_mgr_echain),
|
||||||
|
call.add_rule('FORWARD',
|
||||||
|
'-o qr-+ -j %s-fwaas-defau' % bname),
|
||||||
|
call.add_rule('FORWARD',
|
||||||
|
'-i qr-+ -j %s-fwaas-defau' % bname)]
|
||||||
|
v4filter_inst.assert_has_calls(calls)
|
||||||
|
|
||||||
def test_create_firewall_no_rules(self):
|
def test_create_firewall_no_rules(self):
|
||||||
apply_list = self._fake_apply_list()
|
apply_list = self._fake_apply_list()
|
||||||
@ -167,11 +174,15 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
call.add_rule(egress_chain, est_rule),
|
call.add_rule(egress_chain, est_rule),
|
||||||
call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
|
call.add_rule('FORWARD', '-o qr-+ -j %s-fwaas-defau' % bname),
|
||||||
call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
|
call.add_rule('FORWARD', '-i qr-+ -j %s-fwaas-defau' % bname)]
|
||||||
self.v4filter_inst.assert_has_calls(calls)
|
apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
|
||||||
|
|
||||||
def test_create_firewall_with_rules(self):
|
def test_create_firewall_with_rules(self):
|
||||||
self._setup_firewall_with_rules(self.firewall.create_firewall)
|
self._setup_firewall_with_rules(self.firewall.create_firewall)
|
||||||
|
|
||||||
|
def test_create_firewall_with_rules_two_routers(self):
|
||||||
|
self._setup_firewall_with_rules(self.firewall.create_firewall,
|
||||||
|
router_count=2)
|
||||||
|
|
||||||
def test_update_firewall_with_rules(self):
|
def test_update_firewall_with_rules(self):
|
||||||
self._setup_firewall_with_rules(self.firewall.update_firewall)
|
self._setup_firewall_with_rules(self.firewall.update_firewall)
|
||||||
|
|
||||||
@ -184,11 +195,11 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
calls = [call.ensure_remove_chain(ingress_chain),
|
calls = [call.ensure_remove_chain(ingress_chain),
|
||||||
call.ensure_remove_chain(egress_chain),
|
call.ensure_remove_chain(egress_chain),
|
||||||
call.ensure_remove_chain('fwaas-default-policy')]
|
call.ensure_remove_chain('fwaas-default-policy')]
|
||||||
self.v4filter_inst.assert_has_calls(calls)
|
apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
|
||||||
|
|
||||||
def test_create_firewall_with_admin_down(self):
|
def test_create_firewall_with_admin_down(self):
|
||||||
rule_list = self._fake_rules_v4(FAKE_FW_ID)
|
|
||||||
apply_list = self._fake_apply_list()
|
apply_list = self._fake_apply_list()
|
||||||
|
rule_list = self._fake_rules_v4(FAKE_FW_ID, apply_list)
|
||||||
firewall = self._fake_firewall_with_admin_down(rule_list)
|
firewall = self._fake_firewall_with_admin_down(rule_list)
|
||||||
self.firewall.create_firewall(apply_list, firewall)
|
self.firewall.create_firewall(apply_list, firewall)
|
||||||
calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
|
calls = [call.ensure_remove_chain('iv4fake-fw-uuid'),
|
||||||
@ -196,4 +207,4 @@ class IptablesFwaasTestCase(base.BaseTestCase):
|
|||||||
call.ensure_remove_chain('fwaas-default-policy'),
|
call.ensure_remove_chain('fwaas-default-policy'),
|
||||||
call.add_chain('fwaas-default-policy'),
|
call.add_chain('fwaas-default-policy'),
|
||||||
call.add_rule('fwaas-default-policy', '-j DROP')]
|
call.add_rule('fwaas-default-policy', '-j DROP')]
|
||||||
self.v4filter_inst.assert_has_calls(calls)
|
apply_list[0].iptables_manager.ipv4['filter'].assert_has_calls(calls)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user