CHAINS_NAT = 'OUTPUT|POSTROUTING|PREROUTING|float-snat|snat'
-# These Dicts use the same keys as devices2 and devices3 in
-# TestSecurityGroupAgentWithIptables() to ensure that the ordering
-# is consistent regardless of hashseed value
-PORTS = {'tap_port1': 'port1', 'tap_port2': 'port2'}
-MACS = {'tap_port1': '12:34:56:78:9A:BC', 'tap_port2': '12:34:56:78:9A:BD'}
-IPS = {'tap_port1': '10.0.0.3/32', 'tap_port2': '10.0.0.4/32'}
-
-ports_values = list(PORTS.values())
-macs_values = list(MACS.values())
-ips_values = list(IPS.values())
-
-IPTABLES_ARG['port1'] = ports_values[0]
-IPTABLES_ARG['port2'] = ports_values[1]
-IPTABLES_ARG['mac1'] = macs_values[0]
-IPTABLES_ARG['mac2'] = macs_values[1]
-IPTABLES_ARG['ip1'] = ips_values[0]
-IPTABLES_ARG['ip2'] = ips_values[1]
+IPTABLES_ARG['port1'] = 'port1'
+IPTABLES_ARG['port2'] = 'port2'
+IPTABLES_ARG['mac1'] = '12:34:56:78:9A:BC'
+IPTABLES_ARG['mac2'] = '12:34:56:78:9A:BD'
+IPTABLES_ARG['ip1'] = '10.0.0.3/32'
+IPTABLES_ARG['ip2'] = '10.0.0.4/32'
IPTABLES_ARG['chains'] = CHAINS_NAT
IPTABLES_RAW_DEFAULT = """# Generated by iptables_manager
# Completed by iptables_manager
""" % IPTABLES_ARG
-# These Dicts use the same keys as devices2 and devices3 in
-# TestSecurityGroupAgentWithIptables() to ensure that the ordering
-# is consistent regardless of hashseed value
-REVERSE_PORT_ORDER = {'tap_port1': False, 'tap_port2': True}
-reverse_port_order_values = list(REVERSE_PORT_ORDER.values())
-
IPTABLES_FILTER_2_2 = """# Generated by iptables_manager
*filter
:neutron-filter-top - [0:0]
--dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port1)s -p tcp -m tcp --dport 22 -j RETURN
""" % IPTABLES_ARG
-if reverse_port_order_values[0]:
- IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port1)s -s %(ip2)s "
- "-j RETURN\n"
- % IPTABLES_ARG)
IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port1)s -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port1)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
--dport 68 -j RETURN
[0:0] -A %(bn)s-i_%(port2)s -p tcp -m tcp --dport 22 -j RETURN
""" % IPTABLES_ARG
-if not reverse_port_order_values[0]:
- IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
- "-j RETURN\n"
- % IPTABLES_ARG)
+IPTABLES_FILTER_2_2 += ("[0:0] -A %(bn)s-i_%(port2)s -s %(ip1)s "
+ "-j RETURN\n"
+ % IPTABLES_ARG)
IPTABLES_FILTER_2_2 += """[0:0] -A %(bn)s-i_%(port2)s -j %(bn)s-sg-fallback
[0:0] -A %(bn)s-FORWARD %(physdev_mod)s --physdev-EGRESS tap_%(port2)s \
%(physdev_is_bridged)s -j %(bn)s-sg-chain
'10.0.0.3/32',
'12:34:56:78:9a:bc',
rule1)}
- self.devices2 = {'tap_port1': self._device('tap_port1',
- '10.0.0.3/32',
- '12:34:56:78:9a:bc',
- rule2),
- 'tap_port2': self._device('tap_port2',
- '10.0.0.4/32',
- '12:34:56:78:9a:bd',
- rule4)}
- self.devices3 = {'tap_port1': self._device('tap_port1',
- '10.0.0.3/32',
- '12:34:56:78:9a:bc',
- rule3),
- 'tap_port2': self._device('tap_port2',
- '10.0.0.4/32',
- '12:34:56:78:9a:bd',
- rule5)}
+ self.devices2 = collections.OrderedDict([
+ ('tap_port1', self._device('tap_port1',
+ '10.0.0.3/32',
+ '12:34:56:78:9a:bc',
+ rule2)),
+ ('tap_port2', self._device('tap_port2',
+ '10.0.0.4/32',
+ '12:34:56:78:9a:bd',
+ rule4))
+ ])
+ self.devices3 = collections.OrderedDict([
+ ('tap_port1', self._device('tap_port1',
+ '10.0.0.3/32',
+ '12:34:56:78:9a:bc',
+ rule3)),
+ ('tap_port2', self._device('tap_port2',
+ '10.0.0.4/32',
+ '12:34:56:78:9a:bd',
+ rule5))
+ ])
+
+ @staticmethod
+ def _enforce_order_in_firewall(firewall):
+ # for the sake of the test, eliminate any order randomness:
+ # it helps to match iptables output against regexps consistently
+ for attr in ('filtered_ports', 'unfiltered_ports'):
+ setattr(firewall, attr, collections.OrderedDict())
def _init_agent(self, defer_refresh_firewall):
self.agent = sg_rpc.SecurityGroupAgentRpc(
context=None, plugin_rpc=self.rpc,
defer_refresh_firewall=defer_refresh_firewall)
+ self._enforce_order_in_firewall(self.agent.firewall)
def _device(self, device, ip, mac_address, rule):
return {'device': device,
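Review bot: `_enforce_order_in_firewall` calls `setattr` unconditionally, so if the firewall driver ever renames or drops `filtered_ports`/`unfiltered_ports`, the helper will quietly create unused attributes and the expected-rule comparisons will depend on dict ordering again, with nothing pointing at the cause. I would fail loudly first, e.g. `assert hasattr(firewall, attr), attr` just before the `setattr` line, and turn the comment into a docstring saying the helper discards whatever the two dicts already hold and so must run before any port is set up (as both added call sites do, here in `_init_agent` and in the later agent construction that passes `local_vlan_map`). Because the driver's own containers are swapped out, these tests now check the generated iptables rules for one insertion order only; if the order of rules within a chain can follow dict iteration in the real driver, that deserves separate coverage, since rule order can change what a chain matches. The `setUp` code building `devices2`/`devices3` starts above this hunk and `_device` continues below it.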
'security_group1': {
'IPv4': ['10.0.0.3/32'], 'IPv6': []}},
'devices': devices_info1}
- devices_info2 = {'tap_port1': self._device('tap_port1',
- '10.0.0.3/32',
- '12:34:56:78:9a:bc',
- []),
- 'tap_port2': self._device('tap_port2',
- '10.0.0.4/32',
- '12:34:56:78:9a:bd',
- [])}
+ devices_info2 = collections.OrderedDict([
+ ('tap_port1', self._device('tap_port1',
+ '10.0.0.3/32',
+ '12:34:56:78:9a:bc',
+ [])),
+ ('tap_port2', self._device('tap_port2',
+ '10.0.0.4/32',
+ '12:34:56:78:9a:bd',
+ []))
+ ])
self.devices_info2 = {'security_groups': {'security_group1': rule1},
'sg_member_ips': {
'security_group1': {
context=None, plugin_rpc=self.rpc,
local_vlan_map=local_vlan_map,
defer_refresh_firewall=defer_refresh_firewall)
+ self._enforce_order_in_firewall(self.agent.firewall)
def test_prepare_remove_port(self):
self.rpc.security_group_rules_for_devices.return_value = self.devices1