Support named ip protocols for SecurityGroupRules
Along with numbered IP protocols, the mechanism driver will now also support named IP protocols for SecurityGroupRules. Change-Id: I888c2fbfd242b1838cf69ce07ee09650f790c1a1
This commit is contained in:
parent
196e083370
commit
03cd33ba0c
|
@ -437,7 +437,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='egress',
|
||||
ethertype='ipv4',
|
||||
ip_protocol='udp',
|
||||
ip_protocol=self.get_aim_protocol('udp'),
|
||||
from_port='67',
|
||||
to_port='67',
|
||||
conn_track='normal')
|
||||
|
@ -453,7 +453,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='ingress',
|
||||
ethertype='ipv4',
|
||||
ip_protocol='udp',
|
||||
ip_protocol=self.get_aim_protocol('udp'),
|
||||
from_port='68',
|
||||
to_port='68',
|
||||
conn_track='normal')
|
||||
|
@ -469,7 +469,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='egress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='udp',
|
||||
ip_protocol=self.get_aim_protocol('udp'),
|
||||
from_port='547',
|
||||
to_port='547',
|
||||
conn_track='normal')
|
||||
|
@ -485,7 +485,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='ingress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='udp',
|
||||
ip_protocol=self.get_aim_protocol('udp'),
|
||||
from_port='546',
|
||||
to_port='546',
|
||||
conn_track='normal')
|
||||
|
@ -502,7 +502,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='ingress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='icmpv6',
|
||||
ip_protocol=self.get_aim_protocol('icmpv6'),
|
||||
conn_track='normal',
|
||||
remote_ips=['::/0'])
|
||||
self.aim.create(aim_ctx, icmp6_ingress_rule, overwrite=True)
|
||||
|
@ -517,7 +517,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
display_name=dname,
|
||||
direction='egress',
|
||||
ethertype='ipv6',
|
||||
ip_protocol='icmpv6',
|
||||
ip_protocol=self.get_aim_protocol('icmpv6'),
|
||||
conn_track='normal',
|
||||
remote_ips=['::/0'])
|
||||
self.aim.create(aim_ctx, icmp6_egress_rule, overwrite=True)
|
||||
|
@ -2553,8 +2553,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
name=sg_rule['id'],
|
||||
direction=sg_rule['direction'],
|
||||
ethertype=sg_rule['ethertype'].lower(),
|
||||
ip_protocol=(sg_rule['protocol'] if sg_rule['protocol']
|
||||
else 'unspecified'),
|
||||
ip_protocol= self.get_aim_protocol(sg_rule['protocol']),
|
||||
remote_ips=remote_ips,
|
||||
icmp_code=(sg_rule['port_range_min']
|
||||
if (sg_rule['port_range_min'] and
|
||||
|
@ -5529,8 +5528,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
name=rule_db.id,
|
||||
direction=rule_db.direction,
|
||||
ethertype=rule_db.ethertype.lower(),
|
||||
ip_protocol=(rule_db.protocol if rule_db.protocol
|
||||
else 'unspecified'),
|
||||
ip_protocol = self.get_aim_protocol(rule_db.protocol),
|
||||
remote_ips=remote_ips,
|
||||
from_port=(rule_db.port_range_min
|
||||
if rule_db.port_range_min
|
||||
|
@ -5659,3 +5657,15 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
|
|||
"binding them again." % (failure_count, list(failure_hosts)))
|
||||
else:
|
||||
mgr.output("All ports are bound")
|
||||
|
||||
# The sg_rule_protocol can be either protocol name , protocol number or
|
||||
# None.
|
||||
# If sg_rule_protocol is None, return 'unspecified' otherwise return
|
||||
# protocol number.
|
||||
def get_aim_protocol(self, sg_rule_protocol):
|
||||
if sg_rule_protocol:
|
||||
try:
|
||||
return n_constants.IP_PROTOCOL_MAP[sg_rule_protocol]
|
||||
except KeyError:
|
||||
return sg_rule_protocol
|
||||
return 'unspecified'
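Review bot: get_aim_protocol in the -5659 hunk returns an int for a name found in n_constants.IP_PROTOCOL_MAP but the caller's original string for anything else, so the ip_protocol handed to AIM in the -437 to -517, -2553 and -5529 hunks now changes type (the removed lines always passed a str, e.g. 'udp' or sg_rule['protocol']), and the tests in this commit wrap both sides in str(), which hides that. Normalising to one type before calling AIM, presumably str since that is what was passed before, and using dict.get instead of try/except KeyError makes the pass-through of an unrecognised value explicit and keeps the value comparable with what existing rules already stored. The header comment also says a "protocol number" is returned, but an unknown name is passed through unchanged; the docstring below states all three cases. Separately, `ip_protocol= self.get_aim_protocol(sg_rule['protocol']),` in the -2553 hunk and `ip_protocol = self.get_aim_protocol(rule_db.protocol),` in the -5529 hunk put whitespace around `=` in a keyword argument, which pep8 E251 flags.
```python
    def get_aim_protocol(self, sg_rule_protocol):
        """Map a Neutron SG rule protocol to the AIM ip_protocol value.

        sg_rule_protocol may be a protocol name, a protocol number (as a
        string) or None. None/empty yields 'unspecified', a name present in
        IP_PROTOCOL_MAP is translated to its number, anything else is passed
        through unchanged.
        """
        if not sg_rule_protocol:
            return 'unspecified'
        # IP_PROTOCOL_MAP values are ints while AIM was given strings before
        # this change, so normalise to str -- TODO confirm the type AIM expects.
        return str(n_constants.IP_PROTOCOL_MAP.get(sg_rule_protocol,
                                                   sg_rule_protocol))
```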
|
||||
|
|
|
@ -1065,6 +1065,7 @@ class TestAimMapping(ApicAimTestCase):
|
|||
|
||||
aim_sg_rule = self._get_sg_rule(
|
||||
sg_rule['id'], 'default', sg_id, tenant_aname)
|
||||
|
||||
self.assertEqual(tenant_aname, aim_sg_rule.tenant_name)
|
||||
self.assertEqual(sg_id, aim_sg_rule.security_group_name)
|
||||
self.assertEqual('default',
|
||||
|
@ -1077,9 +1078,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
self.assertEqual(([sg_rule['remote_ip_prefix']] if
|
||||
sg_rule['remote_ip_prefix'] else []),
|
||||
aim_sg_rule.remote_ips)
|
||||
self.assertEqual((sg_rule['protocol'] if
|
||||
sg_rule['protocol'] else 'unspecified'),
|
||||
aim_sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol(
|
||||
sg_rule['protocol'])), str(aim_sg_rule.ip_protocol))
|
||||
self.assertEqual((str(sg_rule['port_range_min']) if
|
||||
sg_rule['port_range_min'] else 'unspecified'),
|
||||
aim_sg_rule.from_port)
|
||||
|
@ -1205,7 +1205,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupDhcpEgressRule', sg_rule.display_name)
|
||||
self.assertEqual('egress', sg_rule.direction)
|
||||
self.assertEqual('ipv4', sg_rule.ethertype)
|
||||
self.assertEqual('udp', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('udp')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual([], sg_rule.remote_ips)
|
||||
self.assertEqual('67', sg_rule.from_port)
|
||||
self.assertEqual('67', sg_rule.to_port)
|
||||
|
@ -1222,7 +1223,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupDhcpIngressRule', sg_rule.display_name)
|
||||
self.assertEqual('ingress', sg_rule.direction)
|
||||
self.assertEqual('ipv4', sg_rule.ethertype)
|
||||
self.assertEqual('udp', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('udp')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual([], sg_rule.remote_ips)
|
||||
self.assertEqual('68', sg_rule.from_port)
|
||||
self.assertEqual('68', sg_rule.to_port)
|
||||
|
@ -1239,7 +1241,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupDhcp6EgressRule', sg_rule.display_name)
|
||||
self.assertEqual('egress', sg_rule.direction)
|
||||
self.assertEqual('ipv6', sg_rule.ethertype)
|
||||
self.assertEqual('udp', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('udp')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual([], sg_rule.remote_ips)
|
||||
self.assertEqual('547', sg_rule.from_port)
|
||||
self.assertEqual('547', sg_rule.to_port)
|
||||
|
@ -1256,7 +1259,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupDhcp6IngressRule', sg_rule.display_name)
|
||||
self.assertEqual('ingress', sg_rule.direction)
|
||||
self.assertEqual('ipv6', sg_rule.ethertype)
|
||||
self.assertEqual('udp', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('udp')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual([], sg_rule.remote_ips)
|
||||
self.assertEqual('546', sg_rule.from_port)
|
||||
self.assertEqual('546', sg_rule.to_port)
|
||||
|
@ -1273,7 +1277,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupIcmp6IngressRule', sg_rule.display_name)
|
||||
self.assertEqual('ingress', sg_rule.direction)
|
||||
self.assertEqual('ipv6', sg_rule.ethertype)
|
||||
self.assertEqual('icmpv6', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('icmpv6')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual(['::/0'], sg_rule.remote_ips)
|
||||
self.assertEqual('unspecified', sg_rule.from_port)
|
||||
self.assertEqual('unspecified', sg_rule.to_port)
|
||||
|
@ -1290,7 +1295,8 @@ class TestAimMapping(ApicAimTestCase):
|
|||
'DefaultSecurityGroupIcmp6EgressRule', sg_rule.display_name)
|
||||
self.assertEqual('egress', sg_rule.direction)
|
||||
self.assertEqual('ipv6', sg_rule.ethertype)
|
||||
self.assertEqual('icmpv6', sg_rule.ip_protocol)
|
||||
self.assertEqual(str(self.driver.get_aim_protocol('icmpv6')),
|
||||
str(sg_rule.ip_protocol))
|
||||
self.assertEqual(['::/0'], sg_rule.remote_ips)
|
||||
self.assertEqual('unspecified', sg_rule.from_port)
|
||||
self.assertEqual('unspecified', sg_rule.to_port)
|
||||
|
@ -1404,6 +1410,7 @@ class TestAimMapping(ApicAimTestCase):
|
|||
|
||||
def test_security_group_lifecycle(self):
|
||||
# Test create
|
||||
|
||||
sg = self._make_security_group(self.fmt,
|
||||
'sg1', 'test')['security_group']
|
||||
sg_id = sg['id']
|
||||
|
@ -1419,35 +1426,38 @@ class TestAimMapping(ApicAimTestCase):
|
|||
self._check_sg(sg)
|
||||
|
||||
# Test adding rules
|
||||
rule1 = self._build_security_group_rule(
|
||||
sg_id, 'ingress', n_constants.PROTO_NAME_TCP, '22', '23',
|
||||
remote_ip_prefix='1.1.1.1/0', remote_group_id=None,
|
||||
ethertype=n_constants.IPv4)
|
||||
rules = {'security_group_rules': [rule1['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
self._check_sg_rule(sg_id, sg_rule)
|
||||
proto_list = [
|
||||
('ingress', n_constants.PROTO_NAME_AH, None, None, None),
|
||||
('egress', n_constants.PROTO_NUM_AH, None, None, '1.1.1.1/0'),
|
||||
('ingress', n_constants.PROTO_NAME_TCP, '22', '23', '1.1.1.1/0'),
|
||||
('egress', n_constants.PROTO_NUM_TCP, '23', '80', '1.1.1.1/0'),
|
||||
('ingress', n_constants.PROTO_NAME_ICMP, None, None, '1.1.1.1/0'),
|
||||
('egress', n_constants.PROTO_NUM_ICMP, '23', None, '1.1.1.1/0'),
|
||||
('ingress', None, None, None, '2.2.1.1/0')
|
||||
]
|
||||
for ele in proto_list:
|
||||
rule1 = self._build_security_group_rule(
|
||||
sg_id, ele[0], ele[1], ele[2], ele[3],
|
||||
remote_ip_prefix=ele[4], remote_group_id=None,
|
||||
ethertype=n_constants.IPv4)
|
||||
rules = {'security_group_rules': [rule1['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
self._check_sg_rule(sg_id, sg_rule)
|
||||
|
||||
rule2 = self._build_security_group_rule(
|
||||
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, '8', '100',
|
||||
remote_ip_prefix='1.1.1.1/0', remote_group_id=None,
|
||||
ethertype=n_constants.IPv4)
|
||||
rules = {'security_group_rules': [rule2['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
self._check_sg_rule(sg_id, sg_rule)
|
||||
|
||||
rule3 = self._build_security_group_rule(
|
||||
sg_id, 'ingress', n_constants.PROTO_NAME_ICMP, None, None,
|
||||
remote_ip_prefix='1.1.1.1/0', remote_group_id=None,
|
||||
ethertype=n_constants.IPv4)
|
||||
rules = {'security_group_rules': [rule3['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
self._check_sg_rule(sg_id, sg_rule)
|
||||
|
||||
sg = self._show('security-groups', sg_id)['security_group']
|
||||
self._check_sg(sg)
|
||||
# Test undefined protocol
|
||||
try:
|
||||
ele = ('ingress', 'no_such_protocol', None, None, '1.1.1.1/0')
|
||||
rule1 = self._build_security_group_rule(
|
||||
sg_id, ele[0], ele[1], ele[2], ele[3],
|
||||
remote_ip_prefix=ele[4], remote_group_id=None,
|
||||
ethertype=n_constants.IPv4)
|
||||
rules = {'security_group_rules': [rule1['security_group_rule']]}
|
||||
sg_rule = self._make_security_group_rule(
|
||||
self.fmt, rules)['security_group_rules'][0]
|
||||
self._check_sg_rule(sg_id, sg_rule)
|
||||
except webob.exc.HTTPClientError:
|
||||
pass
|
||||
|
||||
# Test show rule
|
||||
sg_rule = self._show('security-group-rules',
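Review bot: The replacement assertion in the -1077 hunk, `self.assertEqual(str(self.driver.get_aim_protocol(sg_rule['protocol'])), str(aim_sg_rule.ip_protocol))`, computes its expected value with the code under test, so it passes whatever get_aim_protocol returns and no longer checks that a named protocol reaches AIM as its number; the same pattern is used in the -1205, -1222, -1239, -1256, -1273 and -1290 hunks. Use an expectation that does not go through the driver, e.g. `self.assertEqual(str(n_constants.IP_PROTOCOL_MAP['udp']), str(sg_rule.ip_protocol))` for the DHCP rules and a literal or IP_PROTOCOL_MAP lookup in _check_sg_rule. The "Test undefined protocol" block in the -1419 hunk catches webob.exc.HTTPClientError with `pass`, so the test passes both when the API rejects 'no_such_protocol' and when it accepts it and the driver forwards the raw string, which is the case the block is meant to pin down; replacing `try:` with `with self.assertRaises(webob.exc.HTTPClientError):` and dropping the except clause makes the expected outcome explicit. test_security_group_lifecycle continues past the end of this hunk.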
|
||||
|
|