Posted to commits@cloudstack.apache.org by re...@apache.org on 2015/11/04 14:59:34 UTC
[4/5] git commit: updated refs/heads/master to f948e96
CLOUDSTACK-8925 - Implement the default egress DENY/ALLOW properly
- Make tests work with right IP and rules
- Add egress rule for port 53 protocol UDP when testing default egress DENY on RVR
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/79dabfda
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/79dabfda
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/79dabfda
Branch: refs/heads/master
Commit: 79dabfdae440baafede15569845b6a280b9b46eb
Parents: ad4fbcd
Author: Wilder Rodrigues <wr...@schubergphilis.com>
Authored: Tue Nov 3 13:59:46 2015 +0100
Committer: Wilder Rodrigues <wr...@schubergphilis.com>
Committed: Wed Nov 4 13:48:04 2015 +0100
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/configure.py | 29 +++--
.../component/test_routers_network_ops.py | 115 ++++++++++---------
2 files changed, 81 insertions(+), 63 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/79dabfda/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index e9efa9b..c789e28 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -95,14 +95,11 @@ class CsAcl(CsDataBag):
if 'src_port_range' in obj:
self.rule['first_port'] = obj['src_port_range'][0]
self.rule['last_port'] = obj['src_port_range'][1]
- self.rule['allowed'] = True
+ self.rule['allowed'] = True
self.rule['action'] = "ACCEPT"
-
- # In that case it means we are processing the default egress rule
+
if self.rule['type'] == 'all' and not obj['source_cidr_list']:
- if self.rule['default_egress_policy'] == 'false':
- self.rule['action'] = "DROP"
self.rule['cidr'] = ['0.0.0.0/0']
else:
self.rule['cidr'] = obj['source_cidr_list']
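Review bot: With the `'false'` comparison and the DROP override removed, the `self.rule['action'] = "ACCEPT"` set right after `self.rule['allowed'] = True` is no longer the final decision for egress rules (the second hunk re-derives it when the iptables rule is rendered), but nothing at this point says so, and a reader of the parsing code will take ACCEPT as what gets programmed. A comment such as `# Provisional for egress rules: the action is re-derived from default_egress_policy when the iptables line is built` would make the two-phase decision visible. The enclosing method starts before this hunk.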
@@ -155,7 +152,25 @@ class CsAcl(CsDataBag):
" -m %s " % rule['protocol'] +
" --icmp-type %s -j %s" % (icmp_type, self.rule['action'])])
else:
- fwr = " -A FW_EGRESS_RULES"
+ fwr = " -I FW_EGRESS_RULES"
+ #In case we have a default rule (accept all or drop all), we have to evaluate the action again.
+ if rule['type'] == 'all' and not rule['source_cidr_list']:
+ fwr = " -A FW_EGRESS_RULES"
+ # For default egress ALLOW or DENY, the logic is inverted.
+ # Having default_egress_policy == True, means that the default rule should have ACCEPT,
+ # otherwise DROP. The rule should be appended, not inserted.
+ if self.rule['default_egress_policy']:
+ self.rule['action'] = "ACCEPT"
+ else:
+ self.rule['action'] = "DROP"
+ else:
+ # For other rules added, if default_egress_policy == True, following rules should be DROP,
+ # otherwise ACCEPT
+ if self.rule['default_egress_policy']:
+ self.rule['action'] = "DROP"
+ else:
+ self.rule['action'] = "ACCEPT"
+
if rule['protocol'] != "all":
fwr += " -s %s " % cidr + \
" -p %s " % rule['protocol'] + \
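Review bot: The new branches test `self.rule['default_egress_policy']` by truthiness, yet the code this commit removes compared the same value with the string `'false'`; if the data bag still delivers it as a string, `'false'` is truthy, the catch-all appended to FW_EGRESS_RULES becomes ACCEPT, and a network configured for default egress DENY silently allows all outbound traffic. Normalising once before the branch, e.g. `policy = self.rule['default_egress_policy']` and `allow_by_default = policy is True or str(policy).lower() == 'true'`, removes the dependence on the upstream type. Separately, the icmp branch just above still renders `self.rule['action']`, which after the first hunk is always "ACCEPT", so icmp egress rules never get the inverted DROP that the else branch applies; confirm whether that is intended. The branch also mixes `rule['type']` with `self.rule['action']`, which makes it unclear whether both name the same rule. The enclosing method starts before this hunk and the rendering continues after it.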
@@ -230,7 +245,7 @@ class CsAcl(CsDataBag):
self.protocol = rule['protocol']
self.action = "DROP"
self.dport = ""
- if 'allowed' in rule.keys() and rule['allowed'] and rule['allowed']:
+ if 'allowed' in rule.keys() and rule['allowed']:
self.action = "ACCEPT"
if 'first_port' in rule.keys():
self.dport = "-m %s --dport %s" % (self.protocol, rule['first_port'])
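Review bot: `'allowed' in rule.keys() and rule['allowed']` does a `.keys()` call plus two lookups for what `rule.get('allowed')` expresses directly; the same shape is on the `'first_port'` line below. Suggested: `if rule.get('allowed'):`. The enclosing method continues outside the hunk.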
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/79dabfda/test/integration/component/test_routers_network_ops.py
----------------------------------------------------------------------
diff --git a/test/integration/component/test_routers_network_ops.py b/test/integration/component/test_routers_network_ops.py
index db2bcc4..1b028f2 100644
--- a/test/integration/component/test_routers_network_ops.py
+++ b/test/integration/component/test_routers_network_ops.py
@@ -51,14 +51,13 @@ from marvin.lib.common import (get_zone,
import time
import logging
-def check_router_command(virtual_machine, public_ip, ssh_command, check_string, retries=5):
+def check_router_command(virtual_machine, public_ip, ssh_command, check_string, test_case, retries=5):
result = 'failed'
try:
ssh = virtual_machine.get_ssh_client(ipaddress=public_ip, retries=retries)
result = str(ssh.execute(ssh_command))
except Exception as e:
- logging.debug("Failed to SSH into the Virtual Machine: %s" % e)
- return 0
+ test_case.fail("Failed to SSH into the Virtual Machine: %s" % e)
logging.debug("Result from SSH into the Virtual Machine: %s" % result)
return result.count(check_string)
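Review bot: The new `test_case` parameter is inserted positionally before `retries`, so any caller that passed `retries` positionally would now hand an integer in as the test case and fail only at `test_case.fail`; all callers in this diff pass `self` positionally, but making `test_case` keyword-only or at least documenting the order would guard against that. The function also has no docstring; it should state that it returns the number of occurrences of `check_string` in the SSH command output and fails the test through `test_case.fail` when the SSH session cannot be established. Calling `test_case.fail` from inside `except Exception` drops the original traceback from the log; a `logging.exception("Failed to SSH into the Virtual Machine")` before the fail would keep it.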
@@ -122,6 +121,20 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
)
cls.network_offering_egress_false.update(cls.api_client, state='Enabled')
+ cls.services["egress_80"] = {
+ "startport": 80,
+ "endport": 80,
+ "protocol": "TCP",
+ "cidrlist": ["0.0.0.0/0"]
+ }
+
+ cls.services["egress_53"] = {
+ "startport": 53,
+ "endport": 53,
+ "protocol": "UDP",
+ "cidrlist": ["0.0.0.0/0"]
+ }
+
cls._cleanup = [
cls.service_offering,
cls.network_offering_egress_true,
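Review bot: The `egress_53` entry carries no explanation of why a UDP/53 egress rule is part of the test fixture; the commit message gives the reason (name resolution must still work when default egress is DENY on the redundant router), and that belongs next to the data, e.g. `# UDP/53 egress so the guest can resolve names while default egress is DENY`. The enclosing setUpClass continues outside the hunk.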
@@ -226,19 +239,6 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Length of the list router should be 2 (Backup & master)"
)
- self.logger.debug("Associating public IP for network: %s" % network.name)
- public_ip = PublicIPAddress.create(
- self.apiclient,
- accountid=self.account.name,
- zoneid=self.zone.id,
- domainid=self.account.domainid,
- networkid=network.id
- )
- self.logger.debug("Associated %s with network %s" % (
- public_ip.ipaddress.ipaddress,
- network.id
- ))
-
public_ips = list_publicIP(
self.apiclient,
account=self.account.name,
@@ -246,18 +246,18 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
zoneid=self.zone.id
)
+ public_ip = public_ips[0]
+
self.assertEqual(
isinstance(public_ips, list),
True,
"Check for list public IPs response return valid data"
)
- public_ip_1 = public_ips[0]
-
self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
FireWallRule.create(
self.apiclient,
- ipaddressid=public_ip_1.id,
+ ipaddressid=public_ip.id,
protocol=self.services["natrule"]["protocol"],
cidrlist=['0.0.0.0/0'],
startport=self.services["natrule"]["publicport"],
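Review bot: `public_ip = public_ips[0]` now runs before the `assertEqual(isinstance(public_ips, list), ...)` that validates the response, so an empty or non-list result raises IndexError or TypeError instead of the intended assertion message; move the assignment below the assert, as the parallel hunk at `@@ -421,12 +408,12` already does. The enclosing test method starts before this hunk.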
@@ -269,7 +269,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
self.apiclient,
virtual_machine,
self.services["natrule"],
- public_ip_1.id
+ public_ip.id
)
self.cleanup.insert(0, network)
@@ -279,7 +279,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 1
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -290,7 +290,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -307,10 +307,10 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
- expected = 1
+ expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
- check_string = "Giving up."
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ check_string = "HTTP request sent, awaiting response... 200 OK"
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
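Review bot: Asserting `expected = 0` occurrences of `HTTP request sent, awaiting response... 200 OK` is weaker than the removed `Giving up.` check: the count is also 0 when wget fails for an unrelated reason (name resolution, missing binary, truncated SSH output), so the test can pass without the egress rule blocking anything. Presumably the wording changed because the failure text differs when DNS is blocked; asserting both the absence of `200 OK` and the presence of some failure marker would pin the intended behaviour. The same change appears in the hunks at `@@ -455`, `@@ -708` and `@@ -833`. The assertEqual continues outside the hunk.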
@@ -395,19 +395,6 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Length of the list router should be 2 (Backup & master)"
)
- self.logger.debug("Associating public IP for network: %s" % network.name)
- public_ip = PublicIPAddress.create(
- self.apiclient,
- accountid=self.account.name,
- zoneid=self.zone.id,
- domainid=self.account.domainid,
- networkid=network.id
- )
- self.logger.debug("Associated %s with network %s" % (
- public_ip.ipaddress.ipaddress,
- network.id
- ))
-
public_ips = list_publicIP(
self.apiclient,
account=self.account.name,
@@ -421,12 +408,12 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Check for list public IPs response return valid data"
)
- public_ip_1 = public_ips[0]
+ public_ip = public_ips[0]
self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
FireWallRule.create(
self.apiclient,
- ipaddressid=public_ip_1.id,
+ ipaddressid=public_ip.id,
protocol=self.services["natrule"]["protocol"],
cidrlist=['0.0.0.0/0'],
startport=self.services["natrule"]["publicport"],
@@ -438,7 +425,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
self.apiclient,
virtual_machine,
self.services["natrule"],
- public_ip_1.id
+ public_ip.id
)
self.cleanup.insert(0, network)
@@ -447,7 +434,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 0
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -455,10 +442,10 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Ping to outside world from VM should NOT be successful"
)
- expected = 1
+ expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
- check_string = "Giving up."
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ check_string = "HTTP request sent, awaiting response... 200 OK"
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -475,10 +462,19 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
+ EgressFireWallRule.create(
+ self.apiclient,
+ networkid=network.id,
+ protocol=self.services["egress_53"]["protocol"],
+ startport=self.services["egress_53"]["startport"],
+ endport=self.services["egress_53"]["endport"],
+ cidrlist=self.services["egress_53"]["cidrlist"]
+ )
+
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
- result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
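Review bot: The new `EgressFireWallRule.create` for `egress_53` is added without a comment, so a reader sees a second rule with no link to the `www.google.com` fetch that follows; a one-liner such as `# Allow DNS egress so the name in ssh_command can be resolved under default egress DENY` would tie the two together. Whether the rule needs an explicit `self.cleanup` entry or is torn down with the network cannot be told from this hunk; the sibling `egress_80` creation right above follows the same pattern. The enclosing test method continues outside the hunk.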
@@ -546,6 +542,13 @@ class TestIsolatedNetworks(cloudstackTestCase):
cls.network_offering_egress_false.update(cls.api_client, state='Enabled')
+ cls.services["egress_80"] = {
+ "startport": 80,
+ "endport": 80,
+ "protocol": "TCP",
+ "cidrlist": ["0.0.0.0/0"]
+ }
+
cls._cleanup = [
cls.network_offering_egress_true,
cls.network_offering_egress_false,
@@ -680,7 +683,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -691,7 +694,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -708,10 +711,10 @@ class TestIsolatedNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
- expected = 1
+ expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
- check_string = "Giving up."
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ check_string = "HTTP request sent, awaiting response... 200 OK"
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -825,7 +828,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 0
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -833,10 +836,10 @@ class TestIsolatedNetworks(cloudstackTestCase):
"Ping to outside world from VM should NOT be successful"
)
- expected = 1
+ expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
- check_string = "Giving up."
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ check_string = "HTTP request sent, awaiting response... 200 OK"
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@@ -856,7 +859,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
- result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
+ result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,