self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP',
comment=ic.UNMATCH_DROP)
+ def _add_raw_chain(self, chain_name):
+ self.iptables.ipv4['raw'].add_chain(chain_name)
+ self.iptables.ipv6['raw'].add_chain(chain_name)
+
def _add_chain_by_name_v4v6(self, chain_name):
- self.iptables.ipv6['filter'].add_chain(chain_name)
self.iptables.ipv4['filter'].add_chain(chain_name)
+ self.iptables.ipv6['filter'].add_chain(chain_name)
+
+ def _remove_raw_chain(self, chain_name):
+ self.iptables.ipv4['raw'].remove_chain(chain_name)
+ self.iptables.ipv6['raw'].remove_chain(chain_name)
def _remove_chain_by_name_v4v6(self, chain_name):
self.iptables.ipv4['filter'].remove_chain(chain_name)
def _get_device_name(self, port):
return (self.OVS_HYBRID_TAP_PREFIX + port['device'])[:LINUX_DEV_LEN]
+
+ def _get_br_device_name(self, port):
+ return ('qvb' + port['device'])[:LINUX_DEV_LEN]
+
+ def _get_jump_rule(self, port, direction):
+ if direction == INGRESS_DIRECTION:
+ device = self._get_br_device_name(port)
+ else:
+ device = self._get_device_name(port)
+ jump_rule = '-m physdev --physdev-in %s -j CT --zone %s' % (
+ device, port['zone_id'])
+ return jump_rule
+
+ def _add_raw_chain_rules(self, port, direction):
+ if port['zone_id']:
+ jump_rule = self._get_jump_rule(port, direction)
+ self.iptables.ipv4['raw'].add_rule('PREROUTING', jump_rule)
+ self.iptables.ipv6['raw'].add_rule('PREROUTING', jump_rule)
+
+ def _remove_raw_chain_rules(self, port, direction):
+ if port['zone_id']:
+ jump_rule = self._get_jump_rule(port, direction)
+ self.iptables.ipv4['raw'].remove_rule('PREROUTING', jump_rule)
+ self.iptables.ipv6['raw'].remove_rule('PREROUTING', jump_rule)
+
+ def _add_chain(self, port, direction):
+ super(OVSHybridIptablesFirewallDriver, self)._add_chain(port,
+ direction)
+ if direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
+ self._add_raw_chain_rules(port, direction)
+
+ def _remove_chain(self, port, direction):
+ super(OVSHybridIptablesFirewallDriver, self)._remove_chain(port,
+ direction)
+ if direction in [INGRESS_DIRECTION, EGRESS_DIRECTION]:
+ self._remove_raw_chain_rules(port, direction)
{'nat': IptablesTable(binary_name=self.wrap_name)})
builtin_chains[4].update({'nat': ['PREROUTING',
'OUTPUT', 'POSTROUTING']})
- self.ipv4.update(
- {'raw': IptablesTable(binary_name=self.wrap_name)})
- builtin_chains[4].update({'raw': ['PREROUTING',
- 'OUTPUT']})
+
+ self.ipv4.update({'raw': IptablesTable(binary_name=self.wrap_name)})
+ builtin_chains[4].update({'raw': ['PREROUTING', 'OUTPUT']})
+ self.ipv6.update({'raw': IptablesTable(binary_name=self.wrap_name)})
+ builtin_chains[6].update({'raw': ['PREROUTING', 'OUTPUT']})
for ip_version in builtin_chains:
if ip_version == 4:
class SecurityGroupAgentRpc(object):
"""Enables SecurityGroup agent support in agent implementations."""
- def __init__(self, context, plugin_rpc, defer_refresh_firewall=False):
+ def __init__(self, context, plugin_rpc, local_vlan_map=None,
+ defer_refresh_firewall=False,):
self.context = context
self.plugin_rpc = plugin_rpc
self.init_firewall(defer_refresh_firewall)
+ self.local_vlan_map = local_vlan_map
def init_firewall(self, defer_refresh_firewall=False):
firewall_driver = cfg.CONF.SECURITYGROUP.firewall_driver
self.global_refresh_firewall = False
self._use_enhanced_rpc = None
+ def set_local_zone(self, device):
+ """Set local zone id for device
+
+ In order to separate conntrack in different networks, a local zone
+ id is needed to generate related iptables rules. This routine sets
+ zone id to device according to the network it belongs to. For OVS
+ agent, vlan id of each network can be used as zone id.
+
+ :param device: dictionary of device information, get network id by
+ device['network_id'], and set zone id by device['zone_id']
+ """
+ net_id = device['network_id']
+ zone_id = None
+ if self.local_vlan_map and net_id in self.local_vlan_map:
+ zone_id = self.local_vlan_map[net_id].vlan
+ device['zone_id'] = zone_id
+
@property
def use_enhanced_rpc(self):
if self._use_enhanced_rpc is None:
with self.firewall.defer_apply():
for device in devices.values():
+ self.set_local_zone(device)
self.firewall.prepare_port_filter(device)
if self.use_enhanced_rpc:
LOG.debug("Update security group information for ports %s",
with self.firewall.defer_apply():
for device in devices.values():
LOG.debug("Update port filter for %s", device['device'])
+ self.set_local_zone(device)
self.firewall.update_port_filter(device)
if self.use_enhanced_rpc:
LOG.debug("Update security group information for ports %s",
# Collect additional bridges to monitor
self.ancillary_brs = self.setup_ancillary_bridges(integ_br, tun_br)
+ # In order to keep existed device's local vlan unchanged,
+ # restore local vlan mapping at start
+ self._restore_local_vlan_map()
+
# Security group agent support
self.sg_agent = sg_rpc.SecurityGroupAgentRpc(self.context,
- self.sg_plugin_rpc, defer_refresh_firewall=True)
+ self.sg_plugin_rpc, self.local_vlan_map,
+ defer_refresh_firewall=True)
# Initialize iteration counter
self.iter_num = 0
except Exception:
LOG.exception(_LE("Failed reporting state!"))
+ def _restore_local_vlan_map(self):
+ cur_ports = self.int_br.get_vif_ports()
+ for port in cur_ports:
+ local_vlan_map = self.int_br.db_get_val("Port", port.port_name,
+ "other_config")
+ local_vlan = self.int_br.db_get_val("Port", port.port_name, "tag")
+ net_uuid = local_vlan_map.get('net_uuid')
+ if (net_uuid and net_uuid not in self.local_vlan_map
+ and local_vlan != DEAD_VLAN_TAG):
+ self.provision_local_vlan(local_vlan_map['net_uuid'],
+ local_vlan_map['network_type'],
+ local_vlan_map['physical_network'],
+ local_vlan_map['segmentation_id'],
+ local_vlan)
+
def setup_rpc(self):
self.agent_id = 'ovs-agent-%s' % cfg.CONF.host
self.topic = topics.AGENT
LOG.warning(_LW('Action %s not supported'), action)
def provision_local_vlan(self, net_uuid, network_type, physical_network,
- segmentation_id):
+ segmentation_id, local_vlan=None):
'''Provisions a local VLAN.
:param net_uuid: the uuid of the network associated with this vlan.
if lvm:
lvid = lvm.vlan
else:
- if not self.available_local_vlans:
- LOG.error(_LE("No local VLAN available for net-id=%s"),
- net_uuid)
- return
- lvid = self.available_local_vlans.pop()
+ if local_vlan in self.available_local_vlans:
+ lvid = local_vlan
+ self.available_local_vlans.remove(local_vlan)
+ else:
+ if not self.available_local_vlans:
+ LOG.error(_LE("No local VLAN available for net-id=%s"),
+ net_uuid)
+ return
+ lvid = self.available_local_vlans.pop()
self.local_vlan_map[net_uuid] = LocalVLANMapping(lvid,
network_type,
physical_network,
self.dvr_agent.bind_port_to_dvr(port, lvm,
fixed_ips,
device_owner)
+ port_other_config = self.int_br.db_get_val("Port", port.port_name,
+ "other_config")
+ vlan_mapping = {'net_uuid': net_uuid,
+ 'network_type': network_type,
+ 'physical_network': physical_network,
+ 'segmentation_id': segmentation_id}
+ port_other_config.update(vlan_mapping)
+ self.int_br.set_db_attribute("Port", port.port_name, "other_config",
+ port_other_config)
+
+ def _bind_devices(self, need_binding_ports):
+ for port_detail in need_binding_ports:
+ lvm = self.local_vlan_map[port_detail['network_id']]
+ port = port_detail['vif_port']
+ device = port_detail['device']
+ # Do not bind a port if it's already bound
+ cur_tag = self.int_br.db_get_val("Port", port.port_name, "tag")
+ if cur_tag != lvm.vlan:
+ self.int_br.set_db_attribute(
+ "Port", port.port_name, "tag", lvm.vlan)
+ if port.ofport != -1:
+ self.int_br.delete_flows(in_port=port.ofport)
- # Do not bind a port if it's already bound
- cur_tag = self.int_br.db_get_val("Port", port.port_name, "tag")
- if cur_tag != lvm.vlan:
- self.int_br.set_db_attribute("Port", port.port_name, "tag",
- lvm.vlan)
- if port.ofport != -1:
- self.int_br.delete_flows(in_port=port.ofport)
+ # update plugin about port status
+ # FIXME(salv-orlando): Failures while updating device status
+ # must be handled appropriately. Otherwise this might prevent
+ # neutron server from sending network-vif-* events to the nova
+ # API server, thus possibly preventing instance spawn.
+ if port_detail.get('admin_state_up'):
+ LOG.debug("Setting status for %s to UP", device)
+ self.plugin_rpc.update_device_up(
+ self.context, device, self.agent_id, cfg.CONF.host)
+ else:
+ LOG.debug("Setting status for %s to DOWN", device)
+ self.plugin_rpc.update_device_down(
+ self.context, device, self.agent_id, cfg.CONF.host)
+ LOG.info(_LI("Configuration for device %s completed."), device)
@staticmethod
def setup_arp_spoofing_protection(bridge, vif, port_details):
# an OVS ofport configured, as only these ports were considered
# for being treated. If that does not happen, it is a potential
# error condition of which operators should be aware
+ port_needs_binding = True
if not vif_port.ofport:
LOG.warn(_LW("VIF port: %s has no ofport configured, "
"and might not be able to transmit"), vif_port.vif_id)
fixed_ips, device_owner, ovs_restarted)
else:
self.port_dead(vif_port)
+ port_needs_binding = False
else:
LOG.debug("No VIF port for port %s defined on agent.", port_id)
+ return port_needs_binding
def _setup_tunnel_port(self, br, port_name, remote_ip, tunnel_type):
ofport = br.add_tunnel_port(port_name,
def treat_devices_added_or_updated(self, devices, ovs_restarted):
skipped_devices = []
+ need_binding_devices = []
try:
devices_details_list = self.plugin_rpc.get_devices_details_list(
self.context,
if 'port_id' in details:
LOG.info(_LI("Port %(device)s updated. Details: %(details)s"),
{'device': device, 'details': details})
- self.treat_vif_port(port, details['port_id'],
- details['network_id'],
- details['network_type'],
- details['physical_network'],
- details['segmentation_id'],
- details['admin_state_up'],
- details['fixed_ips'],
- details['device_owner'],
- ovs_restarted)
+ need_binding = self.treat_vif_port(port, details['port_id'],
+ details['network_id'],
+ details['network_type'],
+ details['physical_network'],
+ details['segmentation_id'],
+ details['admin_state_up'],
+ details['fixed_ips'],
+ details['device_owner'],
+ ovs_restarted)
if self.prevent_arp_spoofing:
self.setup_arp_spoofing_protection(self.int_br,
port, details)
- # update plugin about port status
- # FIXME(salv-orlando): Failures while updating device status
- # must be handled appropriately. Otherwise this might prevent
- # neutron server from sending network-vif-* events to the nova
- # API server, thus possibly preventing instance spawn.
- if details.get('admin_state_up'):
- LOG.debug("Setting status for %s to UP", device)
- self.plugin_rpc.update_device_up(
- self.context, device, self.agent_id, cfg.CONF.host)
- else:
- LOG.debug("Setting status for %s to DOWN", device)
- self.plugin_rpc.update_device_down(
- self.context, device, self.agent_id, cfg.CONF.host)
- LOG.info(_LI("Configuration for device %s completed."), device)
+ if need_binding:
+ details['vif_port'] = port
+ need_binding_devices.append(details)
else:
LOG.warn(_LW("Device %s not defined on plugin"), device)
if (port and port.ofport != -1):
self.port_dead(port)
- return skipped_devices
+ return skipped_devices, need_binding_devices
def treat_ancillary_devices_added(self, devices):
try:
# sources: the neutron server, and the ovs db monitor process
# If there is an exception while processing security groups ports
# will not be wired anyway, and a resync will be triggered
- # TODO(salv-orlando): Optimize avoiding applying filters unnecessarily
- # (eg: when there are no IP address changes)
- self.sg_agent.setup_port_filters(port_info.get('added', set()),
- port_info.get('updated', set()))
# VIF wiring needs to be performed always for 'new' devices.
# For updated ports, re-wiring is not needed in most cases, but needs
# to be performed anyway when the admin state of a device is changed.
if devices_added_updated:
start = time.time()
try:
- skipped_devices = self.treat_devices_added_or_updated(
- devices_added_updated, ovs_restarted)
+ skipped_devices, need_binding_devices = (
+ self.treat_devices_added_or_updated(
+ devices_added_updated, ovs_restarted))
LOG.debug("process_network_ports - iteration:%(iter_num)d - "
"treat_devices_added_or_updated completed. "
"Skipped %(num_skipped)d devices of "
'num_skipped': len(skipped_devices),
'num_current': len(port_info['current']),
'elapsed': time.time() - start})
+ # TODO(salv-orlando): Optimize avoiding applying filters
+ # unnecessarily, (eg: when there are no IP address changes)
+ self.sg_agent.setup_port_filters(
+ port_info.get('added', set()),
+ port_info.get('updated', set()))
+ self._bind_devices(need_binding_devices)
# Update the list of current ports storing only those which
# have been actually processed.
port_info['current'] = (port_info['current'] -
self.iptables_inst = mock.Mock()
self.v4filter_inst = mock.Mock()
self.v6filter_inst = mock.Mock()
- self.iptables_inst.ipv4 = {'filter': self.v4filter_inst}
- self.iptables_inst.ipv6 = {'filter': self.v6filter_inst}
+ self.iptables_inst.ipv4 = {'filter': self.v4filter_inst,
+ 'raw': self.v4filter_inst
+ }
+ self.iptables_inst.ipv6 = {'filter': self.v6filter_inst,
+ 'raw': self.v6filter_inst
+ }
iptables_cls.return_value = self.iptables_inst
self.firewall = iptables_firewall.IptablesFirewallDriver()
def _fake_port(self):
return {'device': 'tapfake_dev',
'mac_address': 'ff:ff:ff:ff:ff:ff',
+ 'network_id': 'fake_net',
'fixed_ips': [FAKE_IP['IPv4'],
FAKE_IP['IPv6']]}
'-m physdev --physdev-out tapfake_dev '
'--physdev-is-bridged '
'-j $ifake_dev',
- comment=ic.SG_TO_VM_SG),
+ comment=ic.SG_TO_VM_SG)
]
if ethertype == 'IPv6':
for icmp6_type in constants.ICMPV6_ALLOWED_TYPES:
def test_defer_chain_apply_coalesce_multiple_ports(self):
chain_applies = self._mock_chain_applies()
- port1 = {'device': 'd1', 'mac_address': 'mac1'}
- port2 = {'device': 'd2', 'mac_address': 'mac2'}
+ port1 = {'device': 'd1', 'mac_address': 'mac1', 'network_id': 'net1'}
+ port2 = {'device': 'd2', 'mac_address': 'mac2', 'network_id': 'net1'}
device2port = {'d1': port1, 'd2': port2}
with self.firewall.defer_apply():
self.firewall.prepare_port_filter(port1)
def test_ip_spoofing_filter_with_multiple_ips(self):
port = {'device': 'tapfake_dev',
'mac_address': 'ff:ff:ff:ff:ff:ff',
+ 'network_id': 'fake_net',
'fixed_ips': ['10.0.0.1', 'fe80::1', '10.0.0.2']}
self.firewall.prepare_port_filter(port)
calls = [mock.call.add_chain('sg-fallback'),
def test_ip_spoofing_no_fixed_ips(self):
port = {'device': 'tapfake_dev',
'mac_address': 'ff:ff:ff:ff:ff:ff',
+ 'network_id': 'fake_net',
'fixed_ips': []}
self.firewall.prepare_port_filter(port)
calls = [mock.call.add_chain('sg-fallback'),
def _fake_port(self, sg_id=FAKE_SGID):
return {'device': 'tapfake_dev',
'mac_address': 'ff:ff:ff:ff:ff:ff',
+ 'network_id': 'fake_net',
'fixed_ips': [FAKE_IP['IPv4'],
FAKE_IP['IPv6']],
'security_groups': [sg_id],
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- filter_dump_ipv6)
+ raw_dump + filter_dump_ipv6)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- filter_dump)
+ raw_dump + filter_dump)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ RAW_DUMP + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
iptables_args['filter_rules'] = filter_rules
filter_dump_mod = FILTER_WITH_RULES_TEMPLATE % iptables_args
+ raw_dump = RAW_DUMP % IPTABLES_ARG
+
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
run_as_root=True),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ raw_dump + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
'# Completed by iptables_manager\n'
% iptables_args)
+ raw_dump = RAW_DUMP % IPTABLES_ARG
+
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
run_as_root=True),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ raw_dump + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ RAW_DUMP + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
'# Completed by iptables_manager\n'
% IPTABLES_ARG)
+ raw_dump = RAW_DUMP % IPTABLES_ARG
+
expected_calls_and_values = [
(mock.call(['iptables-save', '-c'],
run_as_root=True),
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ raw_dump + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
]
if use_ipv6:
self._extend_with_ip6tables_filter(expected_calls_and_values,
- FILTER_DUMP)
+ RAW_DUMP + FILTER_DUMP)
tools.setup_mock_calls(self.execute, expected_calls_and_values)
''),
]
if use_ipv6:
+ expected_calls_and_values.append(
+ (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
+ '-n', '-v', '-x'], run_as_root=True),
+ ''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x'],
'')
]
if use_ipv6:
+ expected_calls_and_values.append(
+ (mock.call(['ip6tables', '-t', 'raw', '-L', 'OUTPUT',
+ '-n', '-v', '-x', '-Z'], run_as_root=True),
+ ''))
expected_calls_and_values.append(
(mock.call(['ip6tables', '-t', 'filter', '-L', 'OUTPUT',
'-n', '-v', '-x', '-Z'],
# License for the specific language governing permissions and limitations
# under the License.
+import collections
import contextlib
-import collections
import mock
from oslo_config import cfg
import oslo_messaging
from neutron.extensions import allowedaddresspairs as addr_pair
from neutron.extensions import securitygroup as ext_sg
from neutron import manager
+from neutron.plugins.openvswitch.agent import ovs_neutron_agent
from neutron.tests import base
from neutron.tests.unit.extensions import test_securitygroup as test_sg
self.firewall.defer_apply.side_effect = firewall_object.defer_apply
self.agent.firewall = self.firewall
self.fake_device = {'device': 'fake_device',
+ 'network_id': 'fake_net',
'security_groups': ['fake_sgid1', 'fake_sgid2'],
'security_group_source_groups': ['fake_sgid2'],
'security_group_rules': [{'security_group_id':
IPTABLES_ARG['ip2'] = IPS.values()[1]
IPTABLES_ARG['chains'] = CHAINS_NAT
+IPTABLES_RAW_DEFAULT = """# Generated by iptables_manager
+*raw
+:%(bn)s-OUTPUT - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+[0:0] -A PREROUTING -j %(bn)s-PREROUTING
+[0:0] -A OUTPUT -j %(bn)s-OUTPUT
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
+IPTABLES_RAW_DEVICE_1 = """# Generated by iptables_manager
+*raw
+:%(bn)s-OUTPUT - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+[0:0] -A PREROUTING -j %(bn)s-PREROUTING
+[0:0] -A OUTPUT -j %(bn)s-OUTPUT
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_port1 -j CT --zone 1
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_port1 -j CT --zone 1
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
+IPTABLES_RAW_DEVICE_2 = """# Generated by iptables_manager
+*raw
+:%(bn)s-OUTPUT - [0:0]
+:%(bn)s-PREROUTING - [0:0]
+[0:0] -A PREROUTING -j %(bn)s-PREROUTING
+[0:0] -A OUTPUT -j %(bn)s-OUTPUT
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_port1 -j CT --zone 1
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_port1 -j CT --zone 1
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in qvbtap_port2 -j CT --zone 1
+[0:0] -A %(bn)s-PREROUTING -m physdev --physdev-in tap_port2 -j CT --zone 1
+COMMIT
+# Completed by iptables_manager
+""" % IPTABLES_ARG
+
IPTABLES_NAT = """# Generated by iptables_manager
*nat
:neutron-postrouting-bottom - [0:0]
cfg.CONF.set_override('comment_iptables_rules', False, group='AGENT')
self.rpc = mock.Mock()
- self.agent = sg_rpc.SecurityGroupAgentRpc(
- context=None, plugin_rpc=self.rpc,
- defer_refresh_firewall=defer_refresh_firewall)
+ self._init_agent(defer_refresh_firewall)
if test_rpc_v1_1:
self.rpc.security_group_info_for_devices.side_effect = (
'12:34:56:78:9a:bd',
rule5)}
+ def _init_agent(self, defer_refresh_firewall):
+ self.agent = sg_rpc.SecurityGroupAgentRpc(
+ context=None, plugin_rpc=self.rpc,
+ defer_refresh_firewall=defer_refresh_firewall)
+
def _device(self, device, ip, mac_address, rule):
return {'device': device,
+ 'network_id': 'fakenet',
'fixed_ips': [ip],
'mac_address': mac_address,
'security_groups': ['security_group1'],
self.assertThat(kwargs['process_input'],
matchers.MatchesRegex(expected_regex))
- def _replay_iptables(self, v4_filter, v6_filter):
+ def _replay_iptables(self, v4_filter, v6_filter, raw):
self._register_mock_call(
['iptables-save', '-c'],
run_as_root=True,
return_value='')
self._register_mock_call(
['iptables-restore', '-c'],
- process_input=self._regex(IPTABLES_RAW + IPTABLES_NAT +
+ process_input=self._regex(raw + IPTABLES_NAT +
IPTABLES_MANGLE + v4_filter),
run_as_root=True,
return_value='')
return_value='')
self._register_mock_call(
['ip6tables-restore', '-c'],
- process_input=self._regex(v6_filter),
+ process_input=self._regex(raw + v6_filter),
run_as_root=True,
return_value='')
def test_prepare_remove_port(self):
self.rpc.security_group_rules_for_devices.return_value = self.devices1
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.agent.remove_devices_filter(['tap_port1'])
def test_security_group_member_updated(self):
self.rpc.security_group_rules_for_devices.return_value = self.devices1
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.rpc.security_group_rules_for_devices.return_value = self.devices2
def test_security_group_rule_updated(self):
self.rpc.security_group_rules_for_devices.return_value = self.devices2
- self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2)
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
self.rpc.security_group_rules_for_devices.return_value = self.devices3
def test_prepare_remove_port(self):
self.sg_info.return_value = self.devices_info1
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.agent.remove_devices_filter(['tap_port1'])
def test_security_group_member_updated(self):
self.sg_info.return_value = self.devices_info1
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.sg_info.return_value = self.devices_info2
def test_security_group_rule_updated(self):
self.sg_info.return_value = self.devices_info2
- self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2)
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
self.sg_info.return_value = self.devices_info3
def test_prepare_remove_port(self):
self.sg_info.return_value = self.devices_info1
- self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.agent.remove_devices_filter(['tap_port1'])
def test_security_group_member_updated(self):
self.sg_info.return_value = self.devices_info1
- self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1)
- self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY)
+ self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPSET_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1'])
self.sg_info.return_value = self.devices_info2
def test_security_group_rule_updated(self):
self.sg_info.return_value = self.devices_info2
- self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2)
- self._replay_iptables(IPSET_FILTER_2_3, IPTABLES_FILTER_V6_2)
+ self._replay_iptables(IPSET_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
+ self._replay_iptables(IPSET_FILTER_2_3, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEFAULT)
self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
self.sg_info.return_value = self.devices_info3
FIREWALL_DRIVER = FIREWALL_HYBRID_DRIVER
+ def setUp(self, defer_refresh_firewall=False, test_rpc_v1_1=True):
+ super(TestSecurityGroupAgentWithOVSIptables, self).setUp(
+ defer_refresh_firewall,
+ test_rpc_v1_1)
+
+ def _init_agent(self, defer_refresh_firewall):
+ fake_map = ovs_neutron_agent.LocalVLANMapping(1, 'network_type',
+ 'physical_network', 1)
+ local_vlan_map = {'fakenet': fake_map}
+ self.agent = sg_rpc.SecurityGroupAgentRpc(
+ context=None, plugin_rpc=self.rpc,
+ local_vlan_map=local_vlan_map,
+ defer_refresh_firewall=defer_refresh_firewall)
+
+ def test_prepare_remove_port(self):
+ self.rpc.security_group_rules_for_devices.return_value = self.devices1
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEVICE_1)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
+
+ self.agent.prepare_devices_filter(['tap_port1'])
+ self.agent.remove_devices_filter(['tap_port1'])
+
+ self._verify_mock_calls()
+
+ def test_security_group_member_updated(self):
+ self.rpc.security_group_rules_for_devices.return_value = self.devices1
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEVICE_1)
+ self._replay_iptables(IPTABLES_FILTER_1_2, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEVICE_1)
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEVICE_2)
+ self._replay_iptables(IPTABLES_FILTER_2_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEVICE_2)
+ self._replay_iptables(IPTABLES_FILTER_1, IPTABLES_FILTER_V6_1,
+ IPTABLES_RAW_DEVICE_1)
+ self._replay_iptables(IPTABLES_FILTER_EMPTY, IPTABLES_FILTER_V6_EMPTY,
+ IPTABLES_RAW_DEFAULT)
+
+ self.agent.prepare_devices_filter(['tap_port1'])
+ self.rpc.security_group_rules_for_devices.return_value = self.devices2
+ self.agent.security_groups_member_updated(['security_group1'])
+ self.agent.prepare_devices_filter(['tap_port2'])
+ self.rpc.security_group_rules_for_devices.return_value = self.devices1
+ self.agent.security_groups_member_updated(['security_group1'])
+ self.agent.remove_devices_filter(['tap_port2'])
+ self.agent.remove_devices_filter(['tap_port1'])
+
+ self._verify_mock_calls()
+
+ def test_security_group_rule_updated(self):
+ self.rpc.security_group_rules_for_devices.return_value = self.devices2
+ self._replay_iptables(IPTABLES_FILTER_2, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEVICE_2)
+ self._replay_iptables(IPTABLES_FILTER_2_3, IPTABLES_FILTER_V6_2,
+ IPTABLES_RAW_DEVICE_2)
+
+ self.agent.prepare_devices_filter(['tap_port1', 'tap_port3'])
+ self.rpc.security_group_rules_for_devices.return_value = self.devices3
+ self.agent.security_groups_rule_updated(['security_group1'])
+
+ self._verify_mock_calls()
+
def _regex(self, value):
#Note(nati): tap is prefixed on the device
# in the OVSHybridIptablesFirewallDriver
value = value.replace('tap_port', 'taptap_port')
+ value = value.replace('qvbtaptap_port', 'qvbtap_port')
value = value.replace('o_port', 'otap_port')
value = value.replace('i_port', 'itap_port')
value = value.replace('s_port', 'stap_port')
mock.patch('neutron.agent.common.ovs_lib.BaseOVS.get_bridges'),
mock.patch('neutron.openstack.common.loopingcall.'
'FixedIntervalLoopingCall',
- new=MockFixedIntervalLoopingCall)):
+ new=MockFixedIntervalLoopingCall),
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ 'get_vif_ports', return_value=[])):
self.agent = ovs_neutron_agent.OVSNeutronAgent(**kwargs)
# set back to true because initial report state will succeed due
# to mocked out RPC calls
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute', return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
- 'db_get_val', return_value=old_local_vlan),
+ 'db_get_val', return_value={}),
mock.patch.object(self.agent.int_br, 'delete_flows')
) as (set_ovs_db_func, get_ovs_db_func, delete_flows_func):
self.agent.port_bound(port, net_uuid, 'local', None, None,
fixed_ips, "compute:None", False)
- get_ovs_db_func.assert_called_once_with("Port", mock.ANY, "tag")
- if new_local_vlan != old_local_vlan:
- set_ovs_db_func.assert_called_once_with(
- "Port", mock.ANY, "tag", new_local_vlan)
- if ofport != -1:
- delete_flows_func.assert_called_once_with(in_port=port.ofport)
- else:
- self.assertFalse(delete_flows_func.called)
- else:
- self.assertFalse(set_ovs_db_func.called)
- self.assertFalse(delete_flows_func.called)
+ vlan_mapping = {'net_uuid': net_uuid,
+ 'network_type': 'local',
+ 'physical_network': None,
+ 'segmentation_id': None}
+ set_ovs_db_func.assert_called_once_with(
+ "Port", mock.ANY, "other_config", vlan_mapping)
def test_check_agent_configurations_for_dvr_raises(self):
self.agent.enable_distributed_routing = True
mock.patch.object(self.agent.plugin_rpc, 'update_device_down'),
mock.patch.object(self.agent, func_name)
) as (get_dev_fn, get_vif_func, upd_dev_up, upd_dev_down, func):
- skip_devs = self.agent.treat_devices_added_or_updated([{}], False)
+ skip_devs, need_bound_devices = (
+ self.agent.treat_devices_added_or_updated([{}], False))
# The function should not raise
self.assertFalse(skip_devs)
return func.called
return_value=[dev_mock]),
mock.patch.object(self.agent.int_br, 'get_vif_port_by_id',
return_value=None),
- mock.patch.object(self.agent.plugin_rpc, 'update_device_up'),
- mock.patch.object(self.agent.plugin_rpc, 'update_device_down'),
mock.patch.object(self.agent, 'treat_vif_port')
- ) as (get_dev_fn, get_vif_func, upd_dev_up,
- upd_dev_down, treat_vif_port):
+ ) as (get_dev_fn, get_vif_func, treat_vif_port):
skip_devs = self.agent.treat_devices_added_or_updated([{}], False)
# The function should return False for resync and no device
# processed
- self.assertEqual(['the_skipped_one'], skip_devs)
+ self.assertEqual((['the_skipped_one'], []), skip_devs)
self.assertFalse(treat_vif_port.called)
- self.assertFalse(upd_dev_down.called)
- self.assertFalse(upd_dev_up.called)
def test_treat_devices_added_updated_put_port_down(self):
fake_details_dict = {'admin_state_up': False,
return_value=[fake_details_dict]),
mock.patch.object(self.agent.int_br, 'get_vif_port_by_id',
return_value=mock.MagicMock()),
- mock.patch.object(self.agent.plugin_rpc, 'update_device_up'),
- mock.patch.object(self.agent.plugin_rpc, 'update_device_down'),
mock.patch.object(self.agent, 'treat_vif_port')
- ) as (get_dev_fn, get_vif_func, upd_dev_up,
- upd_dev_down, treat_vif_port):
- skip_devs = self.agent.treat_devices_added_or_updated([{}], False)
+ ) as (get_dev_fn, get_vif_func, treat_vif_port):
+ skip_devs, need_bound_devices = (
+ self.agent.treat_devices_added_or_updated([{}], False))
# The function should return False for resync
self.assertFalse(skip_devs)
self.assertTrue(treat_vif_port.called)
- self.assertTrue(upd_dev_down.called)
def test_treat_devices_removed_returns_true_for_missing_device(self):
with mock.patch.object(self.agent.plugin_rpc, 'update_device_down',
with contextlib.nested(
mock.patch.object(self.agent.sg_agent, "setup_port_filters"),
mock.patch.object(self.agent, "treat_devices_added_or_updated",
- return_value=[]),
+ return_value=([], [])),
mock.patch.object(self.agent, "treat_devices_removed",
return_value=False)
) as (setup_port_filters, device_added_updated, device_removed):
return_value=bridges),
mock.patch('neutron.agent.common.ovs_lib.BaseOVS.'
'get_bridge_external_bridge_id',
- side_effect=pullup_side_effect)):
+ side_effect=pullup_side_effect),
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ 'get_vif_ports', return_value=[])):
self.agent = ovs_neutron_agent.OVSNeutronAgent(**self.kwargs)
self.assertEqual(len(ancillary), len(self.agent.ancillary_brs))
if ancillary:
mock.patch('neutron.agent.common.ovs_lib.BaseOVS.get_bridges'),
mock.patch('neutron.openstack.common.loopingcall.'
'FixedIntervalLoopingCall',
- new=MockFixedIntervalLoopingCall)):
+ new=MockFixedIntervalLoopingCall),
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ 'get_vif_ports', return_value=[])):
self.agent = ovs_neutron_agent.OVSNeutronAgent(**kwargs)
# set back to true because initial report state will succeed due
# to mocked out RPC calls
physical_network = self._physical_network
segmentation_id = self._segmentation_id
network_type = p_const.TYPE_VLAN
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(self.agent.dvr_agent.plugin_rpc,
'get_subnet_for_dvr',
return_value={
'ip_version': ip_version,
'gateway_mac': gateway_mac}),
mock.patch.object(self.agent.dvr_agent.plugin_rpc,
- 'get_ports_on_host_by_subnet',
- return_value=[]),
+ 'get_ports_on_host_by_subnet',
+ return_value=[]),
mock.patch.object(self.agent.dvr_agent.int_br,
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows'),
mock.patch.object(
mock.patch.object(
self.agent.dvr_agent.phys_brs[physical_network],
'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn, add_flow_phys_fn,
delete_flows_phys_fn):
self.agent.port_bound(
]
self.assertEqual(expected_on_int_br,
add_flow_int_fn.call_args_list)
- expected_on_int_br = [
- mock.call(in_port=self._port.ofport),
- mock.call(in_port=self._compute_port.ofport)
- ]
- self.assertEqual(expected_on_int_br,
- delete_flows_int_fn.call_args_list)
self.assertFalse(add_flow_tun_fn.called)
self.assertFalse(delete_flows_tun_fn.called)
self.assertFalse(delete_flows_phys_fn.called)
self._compute_port.vif_mac = '77:88:99:00:11:22'
physical_network = self._physical_network
segmentation_id = self._segmentation_id
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(self.agent.dvr_agent.plugin_rpc,
'get_subnet_for_dvr',
return_value={
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows'),
mock.patch.object(
mock.patch.object(
self.agent.dvr_agent.phys_brs[physical_network],
'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn,
add_flow_phys_fn, delete_flows_phys_fn):
self.agent.port_bound(
self.assertEqual(expected_on_int_br,
add_flow_int_fn.call_args_list)
self.assertFalse(add_flow_phys_fn.called)
- expected_on_int_br = [
- mock.call(in_port=self._port.ofport),
- mock.call(in_port=self._compute_port.ofport)
- ]
- self.assertEqual(expected_on_int_br,
- delete_flows_int_fn.call_args_list)
self.assertFalse(add_flow_phys_fn.called)
self.assertFalse(delete_flows_tun_fn.called)
self.assertFalse(delete_flows_phys_fn.called)
def test_port_bound_for_dvr_with_csnat_ports(self, ofport=10):
self._setup_for_dvr_test()
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(
self.agent.dvr_agent.plugin_rpc, 'get_subnet_for_dvr',
return_value={'gateway_ip': '1.1.1.1',
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn):
self.agent.port_bound(
self._port, self._net_uuid, 'vxlan',
n_const.DEVICE_OWNER_ROUTER_SNAT,
False)
self.assertTrue(add_flow_int_fn.called)
- self.assertTrue(delete_flows_int_fn.called)
def test_treat_devices_removed_for_dvr_interface(self, ofport=10):
self._test_treat_devices_removed_for_dvr_interface(ofport)
else:
gateway_ip = '2001:100::1'
cidr = '2001:100::0/64'
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(
self.agent.dvr_agent.plugin_rpc, 'get_subnet_for_dvr',
return_value={'gateway_ip': gateway_ip,
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn):
self.agent.port_bound(
self._port, self._net_uuid, 'vxlan',
n_const.DEVICE_OWNER_DVR_INTERFACE,
False)
self.assertTrue(add_flow_tun_fn.called)
- self.assertTrue(delete_flows_int_fn.called)
with contextlib.nested(
mock.patch.object(self.agent, 'reclaim_local_vlan'),
else:
gateway_ip = '2001:100::1'
cidr = '2001:100::0/64'
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(
self.agent.dvr_agent.plugin_rpc, 'get_subnet_for_dvr',
return_value={'gateway_ip': gateway_ip,
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn):
self.agent.port_bound(
self._port, self._net_uuid, 'vxlan',
device_owner, False)
self.assertTrue(add_flow_tun_fn.called)
self.assertTrue(add_flow_int_fn.called)
- self.assertTrue(delete_flows_int_fn.called)
with contextlib.nested(
mock.patch.object(self.agent, 'reclaim_local_vlan'),
def test_treat_devices_removed_for_dvr_csnat_port(self, ofport=10):
self._setup_for_dvr_test()
- with mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
+ with contextlib.nested(
+ mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'set_db_attribute',
- return_value=True):
- with contextlib.nested(
+ return_value=True),
mock.patch('neutron.agent.common.ovs_lib.OVSBridge.'
'db_get_val',
- return_value=self._old_local_vlan),
+ return_value={})):
+ with contextlib.nested(
mock.patch.object(
self.agent.dvr_agent.plugin_rpc, 'get_subnet_for_dvr',
return_value={'gateway_ip': '1.1.1.1',
'get_vif_port_by_id',
return_value=self._port),
mock.patch.object(self.agent.dvr_agent.int_br, 'add_flow'),
- mock.patch.object(self.agent.dvr_agent.int_br, 'delete_flows'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'add_flow'),
mock.patch.object(self.agent.dvr_agent.tun_br, 'delete_flows')
- ) as (get_ovs_db_func, get_subnet_fn, get_cphost_fn,
- get_vif_fn, add_flow_int_fn, delete_flows_int_fn,
+ ) as (get_subnet_fn, get_cphost_fn,
+ get_vif_fn, add_flow_int_fn,
add_flow_tun_fn, delete_flows_tun_fn):
self.agent.port_bound(
self._port, self._net_uuid, 'vxlan',
n_const.DEVICE_OWNER_ROUTER_SNAT,
False)
self.assertTrue(add_flow_int_fn.called)
- self.assertTrue(delete_flows_int_fn.called)
with contextlib.nested(
mock.patch.object(self.agent, 'reclaim_local_vlan'),
self.mock_int_bridge.add_port.return_value = self.MAP_TUN_INT_OFPORT
self.mock_int_bridge.add_patch_port.side_effect = (
lambda tap, peer: self.ovs_int_ofports[tap])
+ self.mock_int_bridge.get_vif_ports.return_value = []
+ self.mock_int_bridge.db_get_val.return_value = {}
self.mock_map_tun_bridge = self.ovs_bridges[self.MAP_TUN_BRIDGE]
self.mock_map_tun_bridge.br_name = self.MAP_TUN_BRIDGE
mock.call.add_patch_port('patch-int', 'patch-tun'),
]
self.mock_int_bridge_expected += [
- mock.call.add_patch_port('patch-tun', 'patch-int')
+ mock.call.add_patch_port('patch-tun', 'patch-int'),
+ ]
+ self.mock_int_bridge_expected += [
+ mock.call.get_vif_ports(),
]
self.mock_tun_bridge_expected += [
self._verify_mock_calls()
def test_port_bound(self):
+ vlan_mapping = {'segmentation_id': LS_ID,
+ 'physical_network': None,
+ 'net_uuid': NET_UUID,
+ 'network_type': 'gre'}
self.mock_int_bridge_expected += [
- mock.call.db_get_val('Port', VIF_PORT.port_name, 'tag'),
+ mock.call.db_get_val('Port', 'port', 'other_config'),
mock.call.set_db_attribute('Port', VIF_PORT.port_name,
- 'tag', LVM.vlan),
- mock.call.delete_flows(in_port=VIF_PORT.ofport)
- ]
+ 'other_config',
+ vlan_mapping)]
a = self._build_agent()
a.local_vlan_map[NET_UUID] = LVM
self.mock_int_bridge_expected += [
mock.call.add_patch_port('patch-tun', 'patch-int')
]
-
+ self.mock_int_bridge_expected += [
+ mock.call.get_vif_ports(),
+ ]
self.mock_tun_bridge_expected += [
mock.call.remove_all_flows(),
mock.call.add_flow(priority=1,
Code Review / openstack-build / neutron-build.git / commitdiff