etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-8925 - Implement the default egress DENY/ALLOW properly 

- Make tests work with right IP and rules
   - Add egress rule for port 53 protocol UDP when testing default egress DENY on RVR
This commit is contained in:
Wilder Rodrigues 2015-11-03 13:59:46 +01:00
parent ad4fbcd577
commit 79dabfdae4
2 changed files with 81 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
systemvm/patches/debian/config/opt/cloud/bin/configure.py
View File

@ -95,14 +95,11 @@ class CsAcl(CsDataBag):
if 'src_port_range' in obj:
self.rule['first_port'] = obj['src_port_range'][0]
self.rule['last_port'] = obj['src_port_range'][1]
self.rule['allowed'] = True
self.rule['action'] = "ACCEPT"
# In that case it means we are processing the default egress rule
if self.rule['type'] == 'all' and not obj['source_cidr_list']:
if self.rule['default_egress_policy'] == 'false':
self.rule['action'] = "DROP"
self.rule['cidr'] = ['0.0.0.0/0']
else:
self.rule['cidr'] = obj['source_cidr_list']
@ -155,7 +152,25 @@ class CsAcl(CsDataBag):
" -m %s " % rule['protocol'] +
" --icmp-type %s -j %s" % (icmp_type, self.rule['action'])])
else:
fwr = " -A FW_EGRESS_RULES"
fwr = " -I FW_EGRESS_RULES"
#In case we have a default rule (accept all or drop all), we have to evaluate the action again.
if rule['type'] == 'all' and not rule['source_cidr_list']:
fwr = " -A FW_EGRESS_RULES"
# For default egress ALLOW or DENY, the logic is inverted.
# Having default_egress_policy == True, means that the default rule should have ACCEPT,
# otherwise DROP. The rule should be appended, not inserted.
if self.rule['default_egress_policy']:
self.rule['action'] = "ACCEPT"
else:
self.rule['action'] = "DROP"
else:
# For other rules added, if default_egress_policy == True, following rules should be DROP,
# otherwise ACCEPT
if self.rule['default_egress_policy']:
self.rule['action'] = "DROP"
else:
self.rule['action'] = "ACCEPT"
if rule['protocol'] != "all":
fwr += " -s %s " % cidr + \
" -p %s " % rule['protocol'] + \
@ -230,7 +245,7 @@ class CsAcl(CsDataBag):
self.protocol = rule['protocol']
self.action = "DROP"
self.dport = ""
if 'allowed' in rule.keys() and rule['allowed'] and rule['allowed']:
if 'allowed' in rule.keys() and rule['allowed']:
self.action = "ACCEPT"
if 'first_port' in rule.keys():
self.dport = "-m %s --dport %s" % (self.protocol, rule['first_port'])

115
test/integration/component/test_routers_network_ops.py
View File

@ -51,14 +51,13 @@ from marvin.lib.common import (get_zone,
import time
import logging
def check_router_command(virtual_machine, public_ip, ssh_command, check_string, retries=5):
def check_router_command(virtual_machine, public_ip, ssh_command, check_string, test_case, retries=5):
result = 'failed'
try:
ssh = virtual_machine.get_ssh_client(ipaddress=public_ip, retries=retries)
result = str(ssh.execute(ssh_command))
except Exception as e:
logging.debug("Failed to SSH into the Virtual Machine: %s" % e)
return 0
test_case.fail("Failed to SSH into the Virtual Machine: %s" % e)
logging.debug("Result from SSH into the Virtual Machine: %s" % result)
return result.count(check_string)
@ -122,6 +121,20 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
)
cls.network_offering_egress_false.update(cls.api_client, state='Enabled')
cls.services["egress_80"] = {
"startport": 80,
"endport": 80,
"protocol": "TCP",
"cidrlist": ["0.0.0.0/0"]
}
cls.services["egress_53"] = {
"startport": 53,
"endport": 53,
"protocol": "UDP",
"cidrlist": ["0.0.0.0/0"]
}
cls._cleanup = [
cls.service_offering,
cls.network_offering_egress_true,
@ -226,19 +239,6 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Length of the list router should be 2 (Backup & master)"
)
self.logger.debug("Associating public IP for network: %s" % network.name)
public_ip = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network.id
)
self.logger.debug("Associated %s with network %s" % (
public_ip.ipaddress.ipaddress,
network.id
))
public_ips = list_publicIP(
self.apiclient,
account=self.account.name,
@ -246,18 +246,18 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
zoneid=self.zone.id
)
public_ip = public_ips[0]
self.assertEqual(
isinstance(public_ips, list),
True,
"Check for list public IPs response return valid data"
)
public_ip_1 = public_ips[0]
self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
FireWallRule.create(
self.apiclient,
ipaddressid=public_ip_1.id,
ipaddressid=public_ip.id,
protocol=self.services["natrule"]["protocol"],
cidrlist=['0.0.0.0/0'],
startport=self.services["natrule"]["publicport"],
@ -269,7 +269,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
self.apiclient,
virtual_machine,
self.services["natrule"],
public_ip_1.id
public_ip.id
)
self.cleanup.insert(0, network)
@ -279,7 +279,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 1
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -290,7 +290,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -307,10 +307,10 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
expected = 1
expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
check_string = "Giving up."
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -395,19 +395,6 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Length of the list router should be 2 (Backup & master)"
)
self.logger.debug("Associating public IP for network: %s" % network.name)
public_ip = PublicIPAddress.create(
self.apiclient,
accountid=self.account.name,
zoneid=self.zone.id,
domainid=self.account.domainid,
networkid=network.id
)
self.logger.debug("Associated %s with network %s" % (
public_ip.ipaddress.ipaddress,
network.id
))
public_ips = list_publicIP(
self.apiclient,
account=self.account.name,
@ -421,12 +408,12 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Check for list public IPs response return valid data"
)
public_ip_1 = public_ips[0]
public_ip = public_ips[0]
self.logger.debug("Creating Firewall rule for VM ID: %s" % virtual_machine.id)
FireWallRule.create(
self.apiclient,
ipaddressid=public_ip_1.id,
ipaddressid=public_ip.id,
protocol=self.services["natrule"]["protocol"],
cidrlist=['0.0.0.0/0'],
startport=self.services["natrule"]["publicport"],
@ -438,7 +425,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
self.apiclient,
virtual_machine,
self.services["natrule"],
public_ip_1.id
public_ip.id
)
self.cleanup.insert(0, network)
@ -447,7 +434,7 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
expected = 0
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -455,10 +442,10 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
"Ping to outside world from VM should NOT be successful"
)
expected = 1
expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
check_string = "Giving up."
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -475,10 +462,19 @@ class TestRedundantIsolateNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
EgressFireWallRule.create(
self.apiclient,
networkid=network.id,
protocol=self.services["egress_53"]["protocol"],
startport=self.services["egress_53"]["startport"],
endport=self.services["egress_53"]["endport"],
cidrlist=self.services["egress_53"]["cidrlist"]
)
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, public_ip.ipaddress.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -546,6 +542,13 @@ class TestIsolatedNetworks(cloudstackTestCase):
cls.network_offering_egress_false.update(cls.api_client, state='Enabled')
cls.services["egress_80"] = {
"startport": 80,
"endport": 80,
"protocol": "TCP",
"cidrlist": ["0.0.0.0/0"]
}
cls._cleanup = [
cls.network_offering_egress_true,
cls.network_offering_egress_false,
@ -680,7 +683,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -691,7 +694,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -708,10 +711,10 @@ class TestIsolatedNetworks(cloudstackTestCase):
cidrlist=self.services["egress_80"]["cidrlist"]
)
expected = 1
expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
check_string = "Giving up."
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -825,7 +828,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 0
ssh_command = "ping -c 3 8.8.8.8"
check_string = "3 packets received"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -833,10 +836,10 @@ class TestIsolatedNetworks(cloudstackTestCase):
"Ping to outside world from VM should NOT be successful"
)
expected = 1
expected = 0
ssh_command = "wget -t 1 -T 1 www.google.com"
check_string = "Giving up."
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,
@ -856,7 +859,7 @@ class TestIsolatedNetworks(cloudstackTestCase):
expected = 1
ssh_command = "wget -t 1 -T 5 www.google.com"
check_string = "HTTP request sent, awaiting response... 200 OK"
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string)
result = check_router_command(virtual_machine, nat_rule.ipaddress, ssh_command, check_string, self)
self.assertEqual(
result,