| author | Soren Hansen <soren@linux2go.dk> | 2011-01-11 11:06:16 +0100 |
|---|---|---|
| committer | Soren Hansen <soren@linux2go.dk> | 2011-01-11 11:06:16 +0100 |
| commit | ea4cde387c04e450c7bea9407772ca4276ea54f4 (patch) | |
| tree | b0dfec97d8206da56677813ddb5b4720ebd0bd9d /nova | |
| parent | b11fbe9b005d98dbab0d4088624927f5f5210717 (diff) | |
Fixed a number of issues with the iptables firewall backend:
* Port specifications for firewalls come back from the data store as integers, but were compared as strings.
* --icmp-type was misspelled as --icmp_type (underscore vs dash)
* There weren't any unit tests for these issues.
Diffstat (limited to 'nova')
| -rw-r--r-- | nova/tests/test_virt.py | 44 | ||||
| -rw-r--r-- | nova/virt/libvirt_conn.py | 6 |
2 files changed, 46 insertions, 4 deletions
diff --git a/nova/tests/test_virt.py b/nova/tests/test_virt.py
index 59053f4d0..c69dbaab3 100644
--- a/nova/tests/test_virt.py
+++ b/nova/tests/test_virt.py
@@ -278,6 +278,20 @@ class IptablesFirewallTestCase(test.TestCase):
 db.security_group_rule_create(admin_ctxt,
 {'parent_group_id': secgroup['id'],
+ 'protocol': 'icmp',
+ 'from_port': -1,
+ 'to_port': -1,
+ 'cidr': '192.168.11.0/24'})
+
+ db.security_group_rule_create(admin_ctxt,
+ {'parent_group_id': secgroup['id'],
+ 'protocol': 'icmp',
+ 'from_port': 8,
+ 'to_port': -1,
+ 'cidr': '192.168.11.0/24'})
+
+ db.security_group_rule_create(admin_ctxt,
+ {'parent_group_id': secgroup['id'],
 'protocol': 'tcp',
 'from_port': 80,
 'to_port': 81,
@@ -297,7 +311,35 @@ class IptablesFirewallTestCase(test.TestCase):
 self.assertTrue(rule in out_rules, 'Rule went missing: %s' % rule)
- print '\n'.join(out_rules)
+ instance_chain = None
+ for rule in out_rules:
+ # This is pretty crude, but it'll do for now
+ if '-d 10.11.12.13 -j' in rule:
+ instance_chain = rule.split(' ')[-1]
+ break
+ self.assertTrue(instance_chain, "The instance chain wasn't added")
+
+ security_group_chain = None
+ for rule in out_rules:
+ # This is pretty crude, but it'll do for now
+ if '-A %s -j' % instance_chain in rule:
+ security_group_chain = rule.split(' ')[-1]
+ break
+ self.assertTrue(security_group_chain,
+ "The security group chain wasn't added")
+
+ self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -j ACCEPT' % \
+ security_group_chain in out_rules,
+ "ICMP acceptance rule wasn't added")
+
+ self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type' ' 8 -j ACCEPT' % security_group_chain in out_rules,
+ "ICMP Echo Request acceptance rule wasn't added")
+
+ self.assertTrue('-A %s -p tcp -s 192.168.10.0/24 -m multiport ' '--dports 80:81 -j ACCEPT' % security_group_chain \
+ in out_rules,
+ "TCP port 80/81 acceptance rule wasn't added")
 class NWFilterTestCase(test.TestCase):
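Review bot: The two new ICMP rules both use `'to_port': -1`, so the `'/%s' % icmp_code` branch that the sibling libvirt_conn.py hunk also touches is still untested; a third rule with `'from_port': 8, 'to_port': 0` and an assertion such as `self.assertTrue('-A %s -p icmp -s 192.168.11.0/24 -m icmp --icmp-type 8/0 -j ACCEPT' % security_group_chain in out_rules, "ICMP type/code rule wasn't added")` would pin the type/code form of the generated rule. The chain discovery via `rule.split(' ')[-1]` only works while `-j CHAIN` is the last token of the rule, which the inline comment already concedes is crude; a short comment naming that assumption next to the `'-d 10.11.12.13 -j'` match would help the next person who changes the rule layout. The enclosing test method begins before the first hunk and the second hunk ends at the class boundary, so the setup of `in_rules` and `out_rules` is outside the diff.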
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 3a4b6d469..759ef62ab 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1105,15 +1105,15 @@ class IptablesFirewallDriver(FirewallDriver):
 icmp_type = rule.from_port
 icmp_code = rule.to_port
- if icmp_type == '-1':
+ if icmp_type == -1:
 icmp_type_arg = None
 else:
 icmp_type_arg = '%s' % icmp_type
- if not icmp_code == '-1':
+ if not icmp_code == -1:
 icmp_type_arg += '/%s' % icmp_code
 if icmp_type_arg:
- args += ['-m', 'icmp', '--icmp_type', icmp_type_arg]
+ args += ['-m', 'icmp', '--icmp-type', icmp_type_arg]
 args += ['-j ACCEPT']
 our_rules += [' '.join(args)] |
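Review bot: The fix swaps one type assumption for another: `icmp_type == -1` is only true when the data store hands back an int, and if a backend or caller ever supplies `'-1'` as a string again the wildcard check silently fails and the literal value is interpolated into the `--icmp-type` argument. Coercing at the top of the block, `icmp_type = int(rule.from_port)` and `icmp_code = int(rule.to_port)`, makes the comparison independent of the store's representation and also guarantees that what reaches the iptables argument list is numeric rather than an arbitrary string from a tenant-supplied rule (if these columns can be NULL for ICMP rules, that needs a guard first). The `not icmp_code == -1` test reads more naturally as `if icmp_code != -1:`. The enclosing method starts and ends outside this hunk, so the indentation that decides whether the code check is nested under the `else` branch is not visible here.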
