Add an apply_instance_filter method to NWFilter driver.

Adjust unit tests for both firewall drivers to actually exercise these code paths.
2011-01-19 09:39:22 +00:00 · 2011-01-19 09:39:22 +00:00 · 7d7fbf5dfd
parent 604be356a0 c79e72b2a1
commit 7d7fbf5dfd
2 changed files with 39 additions and 17 deletions
--- a/nova/tests/test_virt.py
+++ b/nova/tests/test_virt.py
@ -228,12 +228,6 @@ class IptablesFirewallTestCase(test.TestCase):
        self.manager.delete_user(self.user)
        super(IptablesFirewallTestCase, self).tearDown()

-    def _p(self, *args, **kwargs):
-        if 'iptables-restore' in args:
-            print ' '.join(args), kwargs['stdin']
-        if 'iptables-save' in args:
-            return
-
    in_rules = [
      '# Generated by iptables-save v1.4.4 on Mon Dec  6 11:54:13 2010',
      '*filter',
@ -255,11 +249,21 @@ class IptablesFirewallTestCase(test.TestCase):
      '# Completed on Mon Dec  6 11:54:13 2010',
    ]

+    in6_rules = [
+      '# Generated by ip6tables-save v1.4.4 on Tue Jan 18 23:47:56 2011',
+      '*filter',
+      ':INPUT ACCEPT [349155:75810423]',
+      ':FORWARD ACCEPT [0:0]',
+      ':OUTPUT ACCEPT [349256:75777230]',
+      'COMMIT',
+      '# Completed on Tue Jan 18 23:47:56 2011'
+    ]
+
    def test_static_filters(self):
-        self.fw.execute = self._p
        instance_ref = db.instance_create(self.context,
                                          {'user_id': 'fake',
-                                          'project_id': 'fake'})
+                                          'project_id': 'fake',
+                                          'mac_address': '56:12:12:12:12:12'})
        ip = '10.11.12.13'

        network_ref = db.project_get_network(self.context,
@ -304,18 +308,31 @@ class IptablesFirewallTestCase(test.TestCase):
                                       secgroup['id'])
        instance_ref = db.instance_get(admin_ctxt, instance_ref['id'])

-        self.fw.add_instance(instance_ref)
+#        self.fw.add_instance(instance_ref)
+        def fake_iptables_execute(cmd, process_input=None):
+            if cmd == 'sudo ip6tables-save -t filter':
+                return '\n'.join(self.in6_rules), None
+            if cmd == 'sudo iptables-save -t filter':
+                return '\n'.join(self.in_rules), None
+            if cmd == 'sudo iptables-restore':
+                self.out_rules = process_input.split('\n')
+                return '', ''
+            if cmd == 'sudo ip6tables-restore':
+                self.out6_rules = process_input.split('\n')
+                return '', ''
+        self.fw.execute = fake_iptables_execute

-        out_rules = self.fw.modify_rules(self.in_rules)
+        self.fw.prepare_instance_filter(instance_ref)
+        self.fw.apply_instance_filter(instance_ref)

        in_rules = filter(lambda l: not l.startswith('#'), self.in_rules)
        for rule in in_rules:
            if not 'nova' in rule:
-                self.assertTrue(rule in out_rules,
+                self.assertTrue(rule in self.out_rules,
                                'Rule went missing: %s' % rule)

        instance_chain = None
-        for rule in out_rules:
+        for rule in self.out_rules:
            # This is pretty crude, but it'll do for now
            if '-d 10.11.12.13 -j' in rule:
                instance_chain = rule.split(' ')[-1]
@ -323,7 +340,7 @@ class IptablesFirewallTestCase(test.TestCase):
        self.assertTrue(instance_chain, "The instance chain wasn't added")

        security_group_chain = None
-        for rule in out_rules:
+        for rule in self.out_rules:
            # This is pretty crude, but it'll do for now
            if '-A %s -j' % instance_chain in rule:
                security_group_chain = rule.split(' ')[-1]
@ -332,16 +349,16 @@ class IptablesFirewallTestCase(test.TestCase):
                        "The security group chain wasn't added")

        self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
-                               security_group_chain in out_rules,
+                               security_group_chain in self.out_rules,
                        "ICMP acceptance rule wasn't added")

-        self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type'
-                        ' 8 -j ACCEPT' % security_group_chain in out_rules,
+        self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type '
+                        '8 -j ACCEPT' % security_group_chain in self.out_rules,
                        "ICMP Echo Request acceptance rule wasn't added")

        self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport '
                        '--dports 80:81 -j ACCEPT' % security_group_chain \
-                            in out_rules,
+                            in self.out_rules,
                        "TCP port 80/81 acceptance rule wasn't added")


@ -476,5 +493,6 @@ class NWFilterTestCase(test.TestCase):

        self.fw.setup_basic_filtering(instance)
        self.fw.prepare_instance_filter(instance)
+        self.fw.apply_instance_filter(instance)
        _ensure_all_called()
        self.teardown_security_group()
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@ -1121,6 +1121,10 @@ class NWFilterFirewall(FirewallDriver):

        return

+    def apply_instance_filter(self, instance):
+        """No-op. Everything is done in prepare_instance_filter"""
+        pass
+
    def refresh_security_group_rules(self, security_group_id):
        return self._define_filter(
                   self.security_group_to_nwfilter_xml(security_group_id))