Commit 25808853 authored by Morten Knutsen's avatar Morten Knutsen

Merge branch 'fix_port_range_overlap' into 'master'

Fix port range overlap

See merge request !6
parents be77683a 72266e9f
#!/usr/bin/env python
from __future__ import absolute_import, division, print_function, unicode_literals
from collections import OrderedDict
import subprocess
import logging
from nova_router import security_groups, setupLogfile, send_stat, etcd_connect
......@@ -73,13 +74,13 @@ class Generator(object):
self.ip_cidr_groups = {}
self.generation = 0
self.serial = 0
self.output_data = []
self.output_data = OrderedDict()
self.open_groups = set()
self.group_members = {}
def output(self, line):
if line not in self.output_data:
self.output_data.append(line)
self.output_data[line] = 1
else:
logging.warning("duplicate ipset entry: %s", line)
......@@ -128,17 +129,24 @@ class Generator(object):
self.output("add {} {}{}".format(setname, to, suffix))
def add_ipset_member(self, name, member, protocol="tcp", port=None, net=None, source=None):
suffix = ""
if port is not None and protocol in ['tcp', 'udp']:
suffix += ",{}:{}".format(protocol, port)
if net is not None:
suffix += ",{}".format(net)
member = member.lower()
if member in self.addresses_v4 and (net is None or "." in net):
self.add_ipset_member_family(name, member, "inet", suffix, source, self.addresses_v4)
if '-' in port:
first, last = (int(x) for x in port.split('-'))
portrange = range(first, last+1)
else:
portrange = [port]
suffixes = (",{}:{}".format(protocol, port) for port in portrange)
else:
suffixes = [""]
for suffix in suffixes:
if net is not None:
suffix += ",{}".format(net)
member = member.lower()
if member in self.addresses_v4 and (net is None or "." in net):
self.add_ipset_member_family(name, member, "inet", suffix, source, self.addresses_v4)
if member in self.addresses_v6 and (net is None or ":" in net):
self.add_ipset_member_family(name, member, "inet6", suffix, source, self.addresses_v6)
if member in self.addresses_v6 and (net is None or ":" in net):
self.add_ipset_member_family(name, member, "inet6", suffix, source, self.addresses_v6)
def process_security_group(self, group_id, name):
rules = security_groups.get_group_rules(self.etcd_client, group_id)
......@@ -222,7 +230,7 @@ class Generator(object):
self.ip_cidr_groups = {}
self.serial = 0
self.open_groups = set()
self.output_data = []
self.output_data = OrderedDict()
self.group_members = {}
if not self.noop:
......@@ -249,7 +257,7 @@ class Generator(object):
for group_id, group in sorted(groups.items(), key=lambda x: x[0]):
self.process_security_group(group_id, group['name'])
output_data = [line for line in self.output_data if self.group_members[line.split(" ")[1]]]
output_data = [line for line in self.output_data.keys() if self.group_members[line.split(" ")[1]]]
if not self.noop:
with tempfile.TemporaryFile() as output_file:
output_file.write("\n".join(output_data))
......
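Review bot: The new `'-' in port` test in add_ipset_member (the `@@ -128,17 +129,24 @@` hunk) assumes port is already a string, so a caller still passing an int — the type the old code accepted, and the type the test file had to change away from in this same merge — now fails with a TypeError instead of producing an entry. Normalising first, `port = str(port)` before the `if '-' in port:`, keeps both call styles working; a range with `first > last` then expands to an empty `range` and silently emits no ipset entries, while a value such as a constructed `'22-'` raises ValueError from `int('')`, so an explicit `if first > last: raise ValueError("invalid port range: {}".format(port))` makes a malformed rule fail loudly rather than quietly drop members. Because one entry is now emitted per port per member, a wide range (a constructed `'1-65535'`) multiplies the restore output by the range width; if destination_port comes from user-supplied security-group rules, a bound on the range width is worth considering. add_ipset_member lies entirely inside the hunk; process_security_group begins at its end and continues outside it.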
......@@ -58,12 +58,12 @@ class TestProcessSecurityGroup(object):
'protocol': 'tcp',
'source_type': 'cidr',
'source_cidr': '10.0.0.1/32',
'destination_port': 22,
'destination_port': '22',
},
]
self.generator.process_security_group("a", "b")
self.generator.add_ipset_member.assert_called_with(iptables_configurator.RULES_FROM_CIDR,
"00:11:22:33:44:55", "tcp", 22,
"00:11:22:33:44:55", "tcp", '22',
"10.0.0.1/32")
@mock.patch('nova_router.security_groups.get_group_members')
......@@ -77,12 +77,12 @@ class TestProcessSecurityGroup(object):
'id': 1,
'protocol': 'tcp',
'source_type': 'any',
'destination_port': 22,
'destination_port': '22',
},
]
self.generator.process_security_group("a", "b")
self.generator.add_ipset_member.assert_called_with(iptables_configurator.RULES_FROM_ANY,
'00:11:22:33:44:55', 'tcp', 22)
'00:11:22:33:44:55', 'tcp', '22')
self.generator.add_ipset_member_family.assert_any_call(iptables_configurator.RULES_FROM_ANY,
'00:11:22:33:44:55', 'inet6', ',tcp:22', None, self.generator.addresses_v6)
self.generator.add_ipset_member_family.assert_any_call(iptables_configurator.RULES_FROM_ANY,
......@@ -121,11 +121,11 @@ class TestProcessSecurityGroup(object):
'protocol': 'tcp',
'source_type': 'security_group',
'source_security_group': '1',
'destination_port': 22,
'destination_port': '22',
},
]
self.generator.process_security_group("a", "b")
self.generator.add_ipset_member.assert_called_with('rls_by_src1', '00:11:22:33:44:55', 'tcp', 22)
self.generator.add_ipset_member.assert_called_with('rls_by_src1', '00:11:22:33:44:55', 'tcp', '22')
@mock.patch('nova_router.security_groups.get_group_members')
@mock.patch('nova_router.security_groups.get_group_mode')
......
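Review bot: None of the updated tests exercises the port-range branch this merge adds; every case still sends a single port, only changed from `22` to `'22'`, so a regression in the `'-'` expansion would go unnoticed. A case with `'destination_port': '22-23'` asserting that `add_ipset_member_family` is called with both `',tcp:22'` and `',tcp:23'` (mirroring the `assert_any_call` in the `@@ -77,12 +77,12 @@` hunk) would cover it, and keeping one case with an integer `22` would pin down whether int ports are still accepted after the change. The test methods containing these hunks begin outside them.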