IPTABLES_ARG = {'bn': iptables_manager.binary_name,
- 'snat_out_comment': ic.SNAT_OUT}
-
-NAT_DUMP = ('# Generated by iptables_manager\n'
- '*nat\n'
- ':neutron-postrouting-bottom - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-POSTROUTING - [0:0]\n'
- ':%(bn)s-PREROUTING - [0:0]\n'
- ':%(bn)s-float-snat - [0:0]\n'
- ':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j '
- '%(bn)s-float-snat\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % IPTABLES_ARG)
-
-FILTER_DUMP = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % IPTABLES_ARG)
+ 'snat_out_comment': ic.SNAT_OUT,
+ 'filter_rules': ''}
+
+NAT_TEMPLATE = ('# Generated by iptables_manager\n'
+ '*nat\n'
+ ':neutron-postrouting-bottom - [0:0]\n'
+ ':%(bn)s-OUTPUT - [0:0]\n'
+ ':%(bn)s-POSTROUTING - [0:0]\n'
+ ':%(bn)s-PREROUTING - [0:0]\n'
+ ':%(bn)s-float-snat - [0:0]\n'
+ ':%(bn)s-snat - [0:0]\n'
+ '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
+ '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
+ '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
+ '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
+ '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
+ '[0:0] -A %(bn)s-snat -j '
+ '%(bn)s-float-snat\n'
+ 'COMMIT\n'
+ '# Completed by iptables_manager\n')
+
+NAT_DUMP = NAT_TEMPLATE % IPTABLES_ARG
+
+FILTER_TEMPLATE = ('# Generated by iptables_manager\n'
+ '*filter\n'
+ ':neutron-filter-top - [0:0]\n'
+ ':%(bn)s-FORWARD - [0:0]\n'
+ ':%(bn)s-INPUT - [0:0]\n'
+ ':%(bn)s-OUTPUT - [0:0]\n'
+ ':%(bn)s-local - [0:0]\n'
+ '[0:0] -A FORWARD -j neutron-filter-top\n'
+ '[0:0] -A OUTPUT -j neutron-filter-top\n'
+ '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
+ '[0:0] -A INPUT -j %(bn)s-INPUT\n'
+ '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
+ '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
+ 'COMMIT\n'
+ '# Completed by iptables_manager\n')
+
+FILTER_DUMP = FILTER_TEMPLATE % IPTABLES_ARG
+
+FILTER_WITH_RULES_TEMPLATE = (
+ '# Generated by iptables_manager\n'
+ '*filter\n'
+ ':neutron-filter-top - [0:0]\n'
+ ':%(bn)s-FORWARD - [0:0]\n'
+ ':%(bn)s-INPUT - [0:0]\n'
+ ':%(bn)s-OUTPUT - [0:0]\n'
+ ':%(bn)s-filter - [0:0]\n'
+ ':%(bn)s-local - [0:0]\n'
+ '[0:0] -A FORWARD -j neutron-filter-top\n'
+ '[0:0] -A OUTPUT -j neutron-filter-top\n'
+ '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
+ '[0:0] -A INPUT -j %(bn)s-INPUT\n'
+ '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
+ '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
+ '%(filter_rules)s'
+ 'COMMIT\n'
+ '# Completed by iptables_manager\n')
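Review bot: FILTER_WITH_RULES_TEMPLATE has no comment saying what `%(filter_rules)s` expects, and every caller in this change has to rediscover it: the value must be rule text that was already formatted with the same `bn` and is newline-terminated, or empty (`IPTABLES_ARG` now carries `'filter_rules': ''` so the template also renders a rules-free dump with the `-filter` chain declared). I would add above the constant `# %(filter_rules)s takes rule lines already formatted with the same bn, each ending in '\n'; '' yields the -filter chain with no rules.` The same caveat is worth a short comment next to the new `'filter_rules': ''` default in IPTABLES_ARG, since FILTER_TEMPLATE ignores the key while FILTER_WITH_RULES_TEMPLATE requires it.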
COMMENTED_NAT_DUMP = (
'# Generated by iptables_manager\n'
'COMMIT\n'
'# Completed by iptables_manager\n' % IPTABLES_ARG)
+TRAFFIC_COUNTERS_DUMP = (
+ 'Chain OUTPUT (policy ACCEPT 400 packets, 65901 bytes)\n'
+ ' pkts bytes target prot opt in out source'
+ ' destination \n'
+ ' 400 65901 chain1 all -- * * 0.0.0.0/0'
+ ' 0.0.0.0/0 \n'
+ ' 400 65901 chain2 all -- * * 0.0.0.0/0'
+ ' 0.0.0.0/0 \n')
+
class IptablesTestCase(base.BaseTestCase):
% attr)
def test_add_filter_rule(self):
- filter_dump_mod = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A %(bn)s-filter -j DROP\n'
- '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
- '%(bn)s-filter\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ iptables_args = {}
+ iptables_args.update(IPTABLES_ARG)
+ filter_rules = ('[0:0] -A %(bn)s-filter -j DROP\n'
+ '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
+ '%(bn)s-filter\n' % iptables_args)
+ iptables_args['filter_rules'] = filter_rules
+ filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
raw_dump = _generate_raw_dump(IPTABLES_ARG)
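Review bot: The two-step copy `iptables_args = {}` / `iptables_args.update(IPTABLES_ARG)` is the idiomatic `iptables_args = dict(IPTABLES_ARG)`; keep the copy itself, since the later `iptables_args['filter_rules'] = ...` would otherwise mutate the module-level IPTABLES_ARG shared by every other test. The same copy and the same two DROP/INPUT rule lines are repeated verbatim in the later hunk (the `iptables_args = {}` block before the second `filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args`), so the rule text could become one module-level template beside FILTER_WITH_RULES_TEMPLATE and be formatted once per test. test_add_filter_rule's body continues outside the hunk.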
use_ipv6=use_ipv6)
self.execute = mock.patch.object(self.iptables, "execute").start()
- iptables_args = {'bn': bn[:16]}
-
- filter_dump = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % iptables_args)
-
- filter_dump_ipv6 = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' %
- iptables_args)
+ iptables_args = {'bn': bn[:16], 'filter_rules': ''}
- filter_dump_mod = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % iptables_args)
+ filter_dump = FILTER_WITH_RULES_TEMPLATE % iptables_args
+
+ filter_dump_ipv6 = FILTER_TEMPLATE % iptables_args
+
+ filter_dump_mod = filter_dump
- nat_dump = ('# Generated by iptables_manager\n'
- '*nat\n'
- ':neutron-postrouting-bottom - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-POSTROUTING - [0:0]\n'
- ':%(bn)s-PREROUTING - [0:0]\n'
- ':%(bn)s-float-snat - [0:0]\n'
- ':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j '
- '%(bn)s-float-snat\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % iptables_args)
+ nat_dump = NAT_TEMPLATE % iptables_args
raw_dump = _generate_raw_dump(iptables_args)
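Review bot: `filter_dump_mod = filter_dump` reads as a placeholder rather than an intentional assertion that the dump is unchanged; the removed code spelled both strings out identically, so a one-line comment preserving that intent would help, e.g. `# the expected "modified" dump is identical to the initial one here`. Note also that this `iptables_args` carries `'filter_rules': ''` into `_generate_raw_dump(iptables_args)`; that is presumably harmless for %-style formatting with an unused key, but worth confirming since the other tests pass a dict without it. The enclosing test method starts before the hunk.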
iptables_args = {'bn': bn}
- filter_dump = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % iptables_args)
+ filter_dump = FILTER_TEMPLATE % iptables_args
- filter_dump_mod = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A %(bn)s-filter -s 0/0 -d 192.168.0.2\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % iptables_args)
+ filter_rules = ('[0:0] -A %(bn)s-filter -s 0/0 -d 192.168.0.2\n'
+ % iptables_args)
+ iptables_args['filter_rules'] = filter_rules
+ filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
- nat_dump = ('# Generated by iptables_manager\n'
- '*nat\n'
- ':neutron-postrouting-bottom - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-POSTROUTING - [0:0]\n'
- ':%(bn)s-PREROUTING - [0:0]\n'
- ':%(bn)s-float-snat - [0:0]\n'
- ':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j '
- '%(bn)s-float-snat\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n' % iptables_args)
+ nat_dump = NAT_TEMPLATE % iptables_args
raw_dump = _generate_raw_dump(iptables_args)
use_ipv6=use_ipv6)
self.execute = mock.patch.object(self.iptables, "execute").start()
- filter_dump_mod = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % IPTABLES_ARG
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
use_ipv6=use_ipv6)
self.execute = mock.patch.object(self.iptables, "execute").start()
- filter_dump_mod = ('# Generated by iptables_manager\n'
- '*filter\n'
- ':neutron-filter-top - [0:0]\n'
- ':%(bn)s-FORWARD - [0:0]\n'
- ':%(bn)s-INPUT - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-filter - [0:0]\n'
- ':%(bn)s-local - [0:0]\n'
- '[0:0] -A FORWARD -j neutron-filter-top\n'
- '[0:0] -A OUTPUT -j neutron-filter-top\n'
- '[0:0] -A neutron-filter-top -j %(bn)s-local\n'
- '[0:0] -A INPUT -j %(bn)s-INPUT\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A FORWARD -j %(bn)s-FORWARD\n'
- '[0:0] -A %(bn)s-filter -j DROP\n'
- '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
- '%(bn)s-filter\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ iptables_args = {}
+ iptables_args.update(IPTABLES_ARG)
+ filter_rules = ('[0:0] -A %(bn)s-filter -j DROP\n'
+ '[0:0] -A %(bn)s-INPUT -s 0/0 -d 192.168.0.2 -j '
+ '%(bn)s-filter\n' % iptables_args)
+ iptables_args['filter_rules'] = filter_rules
+ filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
use_ipv6=use_ipv6)
self.execute = mock.patch.object(self.iptables, "execute").start()
- nat_dump = ('# Generated by iptables_manager\n'
- '*nat\n'
- ':neutron-postrouting-bottom - [0:0]\n'
- ':%(bn)s-OUTPUT - [0:0]\n'
- ':%(bn)s-POSTROUTING - [0:0]\n'
- ':%(bn)s-PREROUTING - [0:0]\n'
- ':%(bn)s-float-snat - [0:0]\n'
- ':%(bn)s-snat - [0:0]\n'
- '[0:0] -A PREROUTING -j %(bn)s-PREROUTING\n'
- '[0:0] -A OUTPUT -j %(bn)s-OUTPUT\n'
- '[0:0] -A POSTROUTING -j %(bn)s-POSTROUTING\n'
- '[0:0] -A POSTROUTING -j neutron-postrouting-bottom\n'
- '[0:0] -A neutron-postrouting-bottom -j %(bn)s-snat\n'
- '[0:0] -A %(bn)s-snat -j %(bn)s-float-snat\n'
- 'COMMIT\n'
- '# Completed by iptables_manager\n'
- % IPTABLES_ARG)
+ nat_dump = NAT_TEMPLATE % IPTABLES_ARG
nat_dump_mod = ('# Generated by iptables_manager\n'
'*nat\n'
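Review bot: `nat_dump = NAT_TEMPLATE % IPTABLES_ARG` re-renders exactly the module-level `NAT_DUMP` defined a few lines after NAT_TEMPLATE, so the local can simply be dropped in favour of `NAT_DUMP` (or written as `nat_dump = NAT_DUMP`) to make it obvious the test starts from the shared baseline. The nat_dump_mod literal that follows is still hand-written; if it is meant to be NAT_DUMP plus rule lines, it is a candidate for the same template-plus-placeholder treatment the filter dumps received. The enclosing test method starts before the hunk and nat_dump_mod continues past it.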
exp_packets = 800
exp_bytes = 131802
- iptables_dump = (
- 'Chain OUTPUT (policy ACCEPT 400 packets, 65901 bytes)\n'
- ' pkts bytes target prot opt in out source'
- ' destination \n'
- ' 400 65901 chain1 all -- * * 0.0.0.0/0'
- ' 0.0.0.0/0 \n'
- ' 400 65901 chain2 all -- * * 0.0.0.0/0'
- ' 0.0.0.0/0 \n')
-
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x'],
root_helper=self.root_helper),
- iptables_dump),
+ TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x'],
root_helper=self.root_helper),
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x'],
root_helper=self.root_helper),
- iptables_dump))
+ TRAFFIC_COUNTERS_DUMP))
exp_packets *= 2
exp_bytes *= 2
exp_packets = 800
exp_bytes = 131802
- iptables_dump = (
- 'Chain OUTPUT (policy ACCEPT 400 packets, 65901 bytes)\n'
- ' pkts bytes target prot opt in out source'
- ' destination \n'
- ' 400 65901 chain1 all -- * * 0.0.0.0/0'
- ' 0.0.0.0/0 \n'
- ' 400 65901 chain2 all -- * * 0.0.0.0/0'
- ' 0.0.0.0/0 \n')
-
expected_calls_and_values = [
(mock.call(['iptables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-Z'],
root_helper=self.root_helper),
- iptables_dump),
+ TRAFFIC_COUNTERS_DUMP),
(mock.call(['iptables', '-t', 'raw', '-L', 'OUTPUT', '-n',
'-v', '-x', '-Z'],
root_helper=self.root_helper),
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-Z'],
root_helper=self.root_helper),
- iptables_dump))
+ TRAFFIC_COUNTERS_DUMP))
exp_packets *= 2
exp_bytes *= 2