ovsfw: Support protocol numbers instead of just tcp and udp
Neutron API accepts also protocol numbers as protocols for security
groups. This patch makes support for it in OVS firewall driver. iptables
driver already supports it.
Fullstack test covering SCTP connection was added and it requires
ip_conntrack_proto_sctp kernel module in order to make conntrack work
with SCTP.
Closes-bug: 1625516
Conflicts:
neutron/tests/fullstack/test_securitygroup.py
Change-Id: I6c5665a994c4a50ddbb95cd1360be0de0a6c7e40
(cherry picked from commit d5c07fe512)
This commit is contained in:
parent
9c1b18296d
commit
6ddddcbaeb
|
@ -35,12 +35,6 @@ CT_MARK_INVALID = '0x1'
|
|||
REG_PORT = 5
|
||||
REG_NET = 6
|
||||
|
||||
protocol_to_nw_proto = {
|
||||
constants.PROTO_NAME_ICMP: constants.PROTO_NUM_ICMP,
|
||||
constants.PROTO_NAME_TCP: constants.PROTO_NUM_TCP,
|
||||
constants.PROTO_NAME_UDP: constants.PROTO_NUM_UDP,
|
||||
}
|
||||
|
||||
PROTOCOLS_WITH_PORTS = (constants.PROTO_NAME_TCP, constants.PROTO_NAME_UDP)
|
||||
|
||||
ethertype_to_dl_type_map = {
|
||||
|
|
|
@ -79,12 +79,13 @@ def create_protocol_flows(direction, flow_template, port, rule):
|
|||
flow_template['actions'] = 'resubmit(,{:d})'.format(
|
||||
ovs_consts.ACCEPT_OR_INGRESS_TABLE)
|
||||
protocol = rule.get('protocol')
|
||||
try:
|
||||
flow_template['nw_proto'] = ovsfw_consts.protocol_to_nw_proto[protocol]
|
||||
if rule['ethertype'] == n_consts.IPv6 and protocol == 'icmp':
|
||||
if protocol:
|
||||
if (rule.get('ethertype') == n_consts.IPv6 and
|
||||
protocol == n_consts.PROTO_NAME_ICMP):
|
||||
flow_template['nw_proto'] = n_consts.PROTO_NUM_IPV6_ICMP
|
||||
except KeyError:
|
||||
pass
|
||||
else:
|
||||
flow_template['nw_proto'] = n_consts.IP_PROTOCOL_MAP.get(
|
||||
protocol, protocol)
|
||||
|
||||
flows = create_port_range_flows(flow_template, rule)
|
||||
return flows or [flow_template]
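Review bot: The IPv6 ICMP rewrite in the new `if (rule.get('ethertype') == n_consts.IPv6 and protocol == n_consts.PROTO_NAME_ICMP):` branch only fires for the protocol name; now that numeric protocols are accepted, an IPv6 rule whose protocol is given as the ICMP number falls through to `n_consts.IP_PROTOCOL_MAP.get(protocol, protocol)` and is installed with nw_proto 1 instead of 58, so the flow silently matches nothing. If the API layer lets such a rule through, normalise before comparing, e.g. `protocol == n_consts.PROTO_NAME_ICMP or str(protocol) == str(n_consts.PROTO_NUM_ICMP)`. Note also that a protocol name missing from IP_PROTOCOL_MAP is now written verbatim into the flow where the removed `except KeyError: pass` used to leave nw_proto unset, so the flow add would fail rather than degrade to a wider match; a short comment stating that the value is assumed to be validated upstream would help the next reader. create_protocol_flows starts before this hunk.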
|
||||
|
|
|
@ -72,7 +72,8 @@ READ_TIMEOUT = os.environ.get('OS_TEST_READ_TIMEOUT', 5)
|
|||
CHILD_PROCESS_TIMEOUT = os.environ.get('OS_TEST_CHILD_PROCESS_TIMEOUT', 20)
|
||||
CHILD_PROCESS_SLEEP = os.environ.get('OS_TEST_CHILD_PROCESS_SLEEP', 0.5)
|
||||
|
||||
TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP)
|
||||
TRANSPORT_PROTOCOLS = (n_const.PROTO_NAME_TCP, n_const.PROTO_NAME_UDP,
|
||||
n_const.PROTO_NAME_SCTP)
|
||||
|
||||
OVS_MANAGER_TEST_PORT_FIRST = 6610
|
||||
OVS_MANAGER_TEST_PORT_LAST = 6639
|
||||
|
@ -382,6 +383,7 @@ class Pinger(object):
|
|||
class NetcatTester(object):
|
||||
TCP = n_const.PROTO_NAME_TCP
|
||||
UDP = n_const.PROTO_NAME_UDP
|
||||
SCTP = n_const.PROTO_NAME_SCTP
|
||||
VERSION_TO_ALL_ADDRESS = {
|
||||
4: '0.0.0.0',
|
||||
6: '::',
|
||||
|
@ -402,7 +404,7 @@ class NetcatTester(object):
|
|||
will be spawned
|
||||
:param address: Server address from client point of view
|
||||
:param dst_port: Port on which netcat listens
|
||||
:param protocol: Transport protocol, either 'tcp' or 'udp'
|
||||
:param protocol: Transport protocol, either 'tcp', 'udp' or 'sctp'
|
||||
:param server_address: Address in server namespace on which netcat
|
||||
should listen
|
||||
:param src_port: Source port of netcat process spawned in client
|
||||
|
@ -488,9 +490,12 @@ class NetcatTester(object):
|
|||
cmd = ['nc', address, self.dst_port]
|
||||
if self.protocol == self.UDP:
|
||||
cmd.append('-u')
|
||||
elif self.protocol == self.SCTP:
|
||||
cmd.append('--sctp')
|
||||
|
||||
if listen:
|
||||
cmd.append('-l')
|
||||
if self.protocol == self.TCP:
|
||||
if self.protocol in (self.TCP, self.SCTP):
|
||||
cmd.append('-k')
|
||||
else:
|
||||
cmd.extend(['-w', '20'])
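Review bot: `cmd.append('--sctp')` in the new `elif self.protocol == self.SCTP:` branch is an option of nmap's ncat, not of the OpenBSD or traditional netcat that is also installed as `nc` on many distributions; nothing on the new side checks which implementation is present, so an SCTP tester on a host with a different `nc` dies on an unknown option instead of a clear message. The docstring updated in the earlier hunk should record the requirement, e.g. `:param protocol: Transport protocol, either 'tcp', 'udp' or 'sctp' ('sctp' requires nmap's ncat installed as nc)`. The method containing this hunk starts before it and its return lies outside the hunk.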
|
||||
|
|
|
@ -280,4 +280,5 @@ fi
|
|||
|
||||
if [[ "$VENV" =~ "dsvm-fullstack" ]]; then
|
||||
_configure_iptables_rules
|
||||
sudo modprobe ip_conntrack_proto_sctp
|
||||
fi
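Review bot: `sudo modprobe ip_conntrack_proto_sctp` is run unconditionally with no comment and no check of its result; `ip_conntrack_proto_sctp` is the legacy alias, the module's canonical name being `nf_conntrack_proto_sctp`, and on recent kernels where SCTP tracking is compiled into nf_conntrack there is no module to load, so modprobe fails and — if the script runs under `set -e`, which is outside this hunk — aborts the gate hook although conntrack already handles SCTP. Consider `sudo modprobe nf_conntrack_proto_sctp` preceded by a comment such as `# SCTP conntrack is needed by the fullstack security-group SCTP test`, and only treat a failure as fatal when SCTP support is genuinely absent rather than built in.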
|
||||
|
|