openstack/neutron
Code Issues Proposed changes

Merge "ovsfw: Support protocol numbers instead of just tcp and udp"

Browse Source
This commit is contained in:
Jenkins 2017-01-21 02:18:56 +00:00 committed by Gerrit Code Review
commit 2eaadd4050
5 changed files with 42 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
neutron/agent/linux/openvswitch_firewall/constants.py
View File

@ -35,12 +35,6 @@ CT_MARK_INVALID = '0x1'
REG_PORT = 5
REG_NET = 6
protocol_to_nw_proto = {
constants.PROTO_NAME_ICMP: constants.PROTO_NUM_ICMP,
constants.PROTO_NAME_TCP: constants.PROTO_NUM_TCP,
constants.PROTO_NAME_UDP: constants.PROTO_NUM_UDP,
}
PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP)
ethertype_to_dl_type_map = {

11
neutron/agent/linux/openvswitch_firewall/rules.py
View File

@ -79,12 +79,13 @@ def create_protocol_flows(direction, flow_template, port, rule):
flow_template['actions'] = 'resubmit(,{:d})'.format(
ovs_consts.ACCEPT_OR_INGRESS_TABLE)
protocol = rule.get('protocol')
try:
flow_template['nw_proto'] = ovsfw_consts.protocol_to_nw_proto[protocol]
if rule['ethertype'] == n_consts.IPv6 and protocol == 'icmp':
if protocol:
if (rule.get('ethertype') == n_consts.IPv6 and
protocol == n_consts.PROTO_NAME_ICMP):
flow_template['nw_proto'] = n_consts.PROTO_NUM_IPV6_ICMP
except KeyError:
pass
else:
flow_template['nw_proto'] = n_consts.IP_PROTOCOL_MAP.get(
protocol, protocol)
flows = create_port_range_flows(flow_template, rule)
return flows or [flow_template]

11
neutron/tests/common/net_helpers.py
View File

@ -72,7 +72,8 @@ READ_TIMEOUT = os.environ.get('OS_TEST_READ_TIMEOUT', 5)
CHILD_PROCESS_TIMEOUT = os.environ.get('OS_TEST_CHILD_PROCESS_TIMEOUT', 20)
CHILD_PROCESS_SLEEP = os.environ.get('OS_TEST_CHILD_PROCESS_SLEEP', 0.5)
TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP)
TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP,
n_const.PROTO_NAME_SCTP)
OVS_MANAGER_TEST_PORT_FIRST = 6610
OVS_MANAGER_TEST_PORT_LAST = 6639
@ -403,6 +404,7 @@ class Pinger(object):
class NetcatTester(object):
TCP = n_const.PROTO_NAME_TCP
UDP = n_const.PROTO_NAME_UDP
SCTP = n_const.PROTO_NAME_SCTP
VERSION_TO_ALL_ADDRESS = {
4: '0.0.0.0',
6: '::',
@ -423,7 +425,7 @@ class NetcatTester(object):
will be spawned
:param address: Server address from client point of view
:param dst_port: Port on which netcat listens
:param protocol: Transport protocol, either 'tcp' or 'udp'
:param protocol: Transport protocol, either 'tcp', 'udp' or 'sctp'
:param server_address: Address in server namespace on which netcat
should listen
:param src_port: Source port of netcat process spawned in client
@ -515,9 +517,12 @@ class NetcatTester(object):
cmd = ['ncat', address, self.dst_port]
if self.protocol == self.UDP:
cmd.append('-u')
elif self.protocol == self.SCTP:
cmd.append('--sctp')
if listen:
cmd.append('-l')
if self.protocol == self.TCP:
if self.protocol in (self.TCP, self.SCTP):
cmd.append('-k')
else:
cmd.extend(['-w', '20'])

35
neutron/tests/fullstack/test_securitygroup.py
View File

@ -61,15 +61,17 @@ class BaseSecurityGroupsSameNetworkTest(base.BaseFullStackTestCase):
def assert_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
self.addCleanup(netcat.stop_processes)
self.assertTrue(netcat.test_connectivity())
netcat.stop_processes()
try:
self.assertTrue(netcat.test_connectivity())
finally:
netcat.stop_processes()
def assert_no_connection(self, *args, **kwargs):
netcat = net_helpers.NetcatTester(*args, **kwargs)
self.addCleanup(netcat.stop_processes)
self.assertRaises(RuntimeError, netcat.test_connectivity)
netcat.stop_processes()
try:
self.assertRaises(RuntimeError, netcat.test_connectivity)
finally:
netcat.stop_processes()
class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
@ -98,14 +100,15 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
# NOTE(toshii): As a firewall_driver can interfere with others,
# the recommended way to add test is to expand this method, not
# adding another.
def test_tcp_securitygroup(self):
"""Tests if a TCP security group rule is working, by confirming
def test_securitygroup(self):
"""Tests if a security group rules are working, by confirming
that 1. connection from allowed security group is allowed,
2. connection from elsewhere is blocked,
3. traffic not explicitly allowed (eg. ICMP) is blocked,
4. a security group update takes effect,
5. a remote security group member addition works, and
6. an established connection stops by deleting a SG rule.
7. test other protocol functionality by using SCTP protocol
"""
index_to_sg = [0, 0, 1]
if self.firewall_driver == 'iptables_hybrid':
@ -228,3 +231,19 @@ class TestSecurityGroupsSameNetwork(BaseSecurityGroupsSameNetworkTest):
common_utils.wait_until_true(lambda: netcat.test_no_connectivity(),
sleep=8)
netcat.stop_processes()
# 7. check SCTP is supported by security group
self.assert_no_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)
self.safe_client.create_security_group_rule(
tenant_uuid, sgs[0]['id'],
remote_group_id=sgs[0]['id'], direction='ingress',
ethertype=constants.IPv4,
protocol=constants.PROTO_NUM_SCTP,
port_range_min=3366, port_range_max=3366)
self.assert_connection(
vms[1].namespace, vms[0].namespace, vms[0].ip, 3366,
net_helpers.NetcatTester.SCTP)

1
tools/configure_for_func_testing.sh
View File

@ -283,4 +283,5 @@ fi
if [[ "$VENV" =~ "dsvm-fullstack" ]]; then
_configure_iptables_rules
sudo modprobe ip_conntrack_proto_sctp
fi