From 5407a42aba863da084ed63b532830016c9fadda7 Mon Sep 17 00:00:00 2001 From: Assaf Muller Date: Fri, 29 May 2015 19:17:34 -0400 Subject: [PATCH] Modify ipset functional tests to pass on older machines Production code uses ipset exclusively in the root namespace, however functional testing uses ipset in namespace for isolation. This poses an issue as ipset is not supported in namespaces on all kernels and distributions (I'm looking at you CentOS/RHEL 7.1). This patch changes the ipset functional tests to work in the root namespace while taking care of cleanups. Conflicts: neutron/tests/functional/agent/linux/test_ipset.py Change-Id: I08b2f59197ed76e59b2e58b5a10820653e857cda Closes-Bug: #1460220 (cherry picked from commit 96e2314c8c0f06967b53828b0a771973f0031243) --- .../functional/agent/linux/test_ipset.py | 59 +++++++++++-------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/neutron/tests/functional/agent/linux/test_ipset.py b/neutron/tests/functional/agent/linux/test_ipset.py index 499386423..4c32f2802 100644 --- a/neutron/tests/functional/agent/linux/test_ipset.py +++ b/neutron/tests/functional/agent/linux/test_ipset.py @@ -1,4 +1,4 @@ -# Copyright (c) 2014 Red Hat, Inc. +# Copyright (c) 2015 Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -18,9 +18,8 @@ from neutron.agent.linux import iptables_manager from neutron.tests.functional.agent.linux import base from neutron.tests.functional.agent.linux import helpers -IPSET_SET = 'test-set' +MAX_IPSET_NAME_LENGTH = 28 IPSET_ETHERTYPE = 'IPv4' -ICMP_ACCEPT_RULE = '-p icmp -m set --match-set %s src -j ACCEPT' % IPSET_SET UNRELATED_IP = '1.1.1.1' @@ -30,13 +29,17 @@ class IpsetBase(base.BaseIPVethTestCase): super(IpsetBase, self).setUp() self.src_ns, self.dst_ns = self.prepare_veth_pairs() + self.ipset_name = base.get_rand_name(MAX_IPSET_NAME_LENGTH, 'set-') + self.icmp_accept_rule = ('-p icmp -m set --match-set %s src -j ACCEPT' + % self.ipset_name) self.ipset = self._create_ipset_manager_and_set(self.dst_ns, - IPSET_SET) - + self.ipset_name) + self.addCleanup(self.ipset._destroy, self.ipset_name) self.dst_iptables = iptables_manager.IptablesManager( namespace=self.dst_ns.namespace) - self._add_iptables_ipset_rules(self.dst_iptables) + self._add_iptables_ipset_rules() + self.addCleanup(self._remove_iptables_ipset_rules) self.pinger = helpers.Pinger(self.src_ns) def _create_ipset_manager_and_set(self, dst_ns, set_name): @@ -46,45 +49,49 @@ class IpsetBase(base.BaseIPVethTestCase): ipset._create_set(set_name, IPSET_ETHERTYPE) return ipset - @staticmethod - def _remove_iptables_ipset_rules(iptables_manager): - iptables_manager.ipv4['filter'].remove_rule('INPUT', ICMP_ACCEPT_RULE) - iptables_manager.apply() + def _remove_iptables_ipset_rules(self): + self.dst_iptables.ipv4['filter'].remove_rule( + 'INPUT', base.ICMP_BLOCK_RULE) + self.dst_iptables.ipv4['filter'].remove_rule( + 'INPUT', self.icmp_accept_rule) + self.dst_iptables.apply() - @staticmethod - def _add_iptables_ipset_rules(iptables_manager): - iptables_manager.ipv4['filter'].add_rule('INPUT', ICMP_ACCEPT_RULE) - iptables_manager.ipv4['filter'].add_rule('INPUT', base.ICMP_BLOCK_RULE) - iptables_manager.apply() + def _add_iptables_ipset_rules(self): + self.dst_iptables.ipv4['filter'].add_rule( + 'INPUT', self.icmp_accept_rule) + self.dst_iptables.ipv4['filter'].add_rule( + 'INPUT', base.ICMP_BLOCK_RULE) + self.dst_iptables.apply() class IpsetManagerTestCase(IpsetBase): def test_add_member_allows_ping(self): self.pinger.assert_no_ping(self.DST_ADDRESS) - self.ipset._add_member_to_set(IPSET_SET, self.SRC_ADDRESS) + self.ipset._add_member_to_set(self.ipset_name, self.SRC_ADDRESS) self.pinger.assert_ping(self.DST_ADDRESS) def test_del_member_denies_ping(self): - self.ipset._add_member_to_set(IPSET_SET, self.SRC_ADDRESS) + self.ipset._add_member_to_set(self.ipset_name, self.SRC_ADDRESS) self.pinger.assert_ping(self.DST_ADDRESS) - self.ipset._del_member_from_set(IPSET_SET, self.SRC_ADDRESS) + self.ipset._del_member_from_set(self.ipset_name, self.SRC_ADDRESS) self.pinger.assert_no_ping(self.DST_ADDRESS) def test_refresh_ipset_allows_ping(self): - self.ipset._refresh_set(IPSET_SET, [UNRELATED_IP], IPSET_ETHERTYPE) + self.ipset._refresh_set( + self.ipset_name, [UNRELATED_IP], IPSET_ETHERTYPE) self.pinger.assert_no_ping(self.DST_ADDRESS) - self.ipset._refresh_set(IPSET_SET, [UNRELATED_IP, self.SRC_ADDRESS], - IPSET_ETHERTYPE) + self.ipset._refresh_set( + self.ipset_name, [UNRELATED_IP, self.SRC_ADDRESS], IPSET_ETHERTYPE) self.pinger.assert_ping(self.DST_ADDRESS) - self.ipset._refresh_set(IPSET_SET, [self.SRC_ADDRESS, UNRELATED_IP], - IPSET_ETHERTYPE) + self.ipset._refresh_set( + self.ipset_name, [self.SRC_ADDRESS, UNRELATED_IP], IPSET_ETHERTYPE) self.pinger.assert_ping(self.DST_ADDRESS) def test_destroy_ipset_set(self): - self.assertRaises(RuntimeError, self.ipset._destroy, IPSET_SET) - self._remove_iptables_ipset_rules(self.dst_iptables) - self.ipset._destroy(IPSET_SET) + self.assertRaises(RuntimeError, self.ipset._destroy, self.ipset_name) + self._remove_iptables_ipset_rules() + self.ipset._destroy(self.ipset_name) -- 2.45.2