}
}
- public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
- int priority, boolean write) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "TCP_Syn_Egress_Default_Drop_" + segmentationId + "_" + attachedMac;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpPortWithFlagMatch(matchBuilder, attachedMac, Constants.TCP_SYN, segmentationId);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructions = Lists.newArrayList();
-
- InstructionUtils.createDropInstructions(ib);
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructions.add(ib.build());
- isb.setInstruction(instructions);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, String securityRuleIpPrefix,
- Integer priority) {
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
-
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "UcastEgress_" + segmentationId + "_" + attachedMac
- + securityRulePortMin + securityRuleIpPrefix;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
- tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- String securityRuleProtcol, Integer priority) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "EgressAllProto_" + segmentationId + "_"
- + attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null);
- MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId));
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, String securityRuleIpPrefix, Integer priority) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "Egress_Proto_ACL" + segmentationId + "_" +
- attachedMac + "_Permit_" + securityRuleIpPrefix;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId));
- if (securityRuleIpPrefix != null) {
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
- MatchUtils.createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix);
- } else {
- MatchUtils.createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null);
- }
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, Integer priority) {
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
-
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "Ucast_this.getTable()" + segmentationId + "_" + attachedMac + securityRulePortMin;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpSyn(matchBuilder, attachedMac, tcpPort, Constants.TCP_SYN, segmentationId);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
/**
* Adds flow to allow any DHCP client traffic.
*
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());
}
-
- public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, Integer protoPortMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
- Constants.TCP_SYN, segmentationId).build());
-
- LOG.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions are: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
- Integer protoPortPrefixMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
-
- flowBuilder.setMatch(MatchUtils
- .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
- tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
-
- LOG.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
- securityRulePortMin + securityRuleIpPrefix;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortPrefixMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
-
- List<Instruction> instructionsList = Lists.newArrayList();
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- String securityRuleProtcol, Integer protoMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
-
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
- flowBuilder.setMatch(MatchUtils
- .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
-
- String flowId = "UcastOut_" + segmentationId + "_" +
- attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(1);
- ib.setKey(new InstructionKey(1));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
- LOG.debug("Instructions contain: {}", ib.getInstruction());
-
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
-
- public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
- int priority, boolean write) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
- attachedMac, Constants.TCP_SYN, segmentationId).build());
-
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(priority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
-
- // Instructions List Stores Individual Instructions
- List<Instruction> instructions = Lists.newArrayList();
-
- // Set the Output Port/Iface
- InstructionUtils.createDropInstructions(ib);
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructions.add(ib.build());
-
- // Add InstructionBuilder to the Instruction(s)Builder List
- isb.setInstruction(instructions);
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
- .build());
- if (securityRuleIpPrefix != null) {
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
- .build());
- } else {
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
- .build());
- }
-
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "IngressProto_ACL_" + segmentationId + "_" +
- attachedMac + "_Permit_" + securityRuleIpPrefix;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(1);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
/**
* Add rule to ensure only DHCP server traffic from the specified mac is allowed.
*
private Neutron_IPs neutron_ip_dest_2;
private List<Neutron_IPs> neutronSrcIpList = new ArrayList<>();
private List<Neutron_IPs> neutronDestIpList = new ArrayList<>();
- private static final String HOST_ADDRESS = "127.0.0.1/32";
private static final String MAC_ADDRESS = "87:1D:5E:02:40:B7";
private static final String SRC_IP = "192.168.0.1";
private static final String DEST_IP_1 = "192.169.0.1";
private static final String DEST_IP_2 = "192.169.0.2";
- private static final String DEST_IP_1_WITH_MASK = "192.169.0.1/32";
- private static final String DEST_IP_2_WITH_MASK = "192.169.0.2/32";
private static final String SECURITY_GROUP_UUID = "85cc3048-abc3-43cc-89b3-377341426ac5";
private static final String PORT_UUID = "95cc3048-abc3-43cc-89b3-377341426ac5";
private static final String SEGMENT_ID = "2";
}
- /**
- * Rule 1: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- */
- /*@Test
- public void testProgramPortSecurityACLRule1() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 2: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule2() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 3: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule3() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 4: TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule4() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 5: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule5() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 6: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule6() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 7: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- @Test
- public void testProgramPortSecurityACLRule7() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressAllowProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
- }
-*/
/**
* Test method {@link EgressAclService#programPortSecurityGroup(java.lang.Long, java.lang.String,
* java.lang.String, long, org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup,
localSecurityGroup, PORT_UUID, true);
}
- /**
- * Test method {@link EgressAclService#egressACLDefaultTcpDrop(Long, String, String, int, boolean)}
- */
- @Test
- public void testEgressACLDefaultTcpDrop() throws Exception {
- egressAclService.egressACLDefaultTcpDrop(123L, "2", MAC_ADDRESS, 1, true);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLDefaultTcpDrop(123L, "2", MAC_ADDRESS, 1, false);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
/**
* Test IPv4 add test case.
*/
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
}
}
-
/**
* Test UDP add with port (All UDP) and CIDR selected.
*/
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
- verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(0)).submit();
- verify(commitFuture, times(0)).get();
+ verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
- verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(0)).submit();
- verify(commitFuture, times(0)).get();
+ verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).get();
}
/**
- * Test With isLastPortInBridge false isComputeNode true
+ * Test With isConntrackEnabled false isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLAdd2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
- verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(3)).submit();
- verify(commitFuture, times(3)).get();
+ verify(writeTransaction, times(10)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(5)).submit();
+ verify(commitFuture, times(5)).checkedGet();
}
/**
- * Test With isLastPortInBridge false isComputeNode true
+ * Test With isConntrackEnabled false isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLRemove2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
- verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(3)).submit();
- verify(commitFuture, times(3)).get();
+ verify(writeTransaction, times(5)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(5)).submit();
+ verify(commitFuture, times(5)).get();
}
/**
- * Test With isLastPortInBridge true isComputeNode false
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
- * Test With isLastPortInBridge true isComputeNode false
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(1)).submit();
}
/**
- * Test With isLastPortInBridge true isComputeNode true
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLAdd4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
- verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class),
+ verify(writeTransaction, times(16)).put(any(LogicalDatastoreType.class),
any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(4)).submit();
- verify(commitFuture, times(4)).get();
+ verify(writeTransaction, times(8)).submit();
+ verify(commitFuture, times(8)).checkedGet();
}
/**
- * Test With isLastPortInBridge true isComputeNode true
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLRemove4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, false);
-
- verify(writeTransaction, times(4)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(4)).submit();
- verify(commitFuture, times(4)).get();
- }
-
- /**
- * Test method {@link EgressAclService#egressACLTcpPortWithPrefix(Long, String, String, boolean, Integer, String, Integer)}
- */
- @Test
- public void testEgressACLTcpPortWithPrefix() throws Exception {
- egressAclService.egressACLTcpPortWithPrefix(123L, "2", MAC_ADDRESS, true, 1, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLTcpPortWithPrefix(123L, "2", MAC_ADDRESS, false, 1, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
- /**
- * Test method {@link EgressAclService#egressAllowProto(Long, String, String, boolean, String, Integer)}
- */
- @Test
- public void testEgressAllowProto() throws Exception {
- egressAclService.egressAllowProto(123L, "2", MAC_ADDRESS, true, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressAllowProto(123L, "2", MAC_ADDRESS, false, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
- /**
- * Test method {@link EgressAclService#egressACLPermitAllProto(Long, String, String, boolean, String, Integer)}
- */
- @Test
- public void testEgressACLPermitAllProto() throws Exception {
- egressAclService.egressACLPermitAllProto(123L, "2", MAC_ADDRESS, true, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
- egressAclService.egressACLPermitAllProto(123L, "2", MAC_ADDRESS, false, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ verify(writeTransaction, times(8)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(8)).submit();
+ verify(commitFuture, times(8)).get();
}
- /**
- * Test method {@link EgressAclService#egressACLTcpSyn(Long, String, String, boolean, Integer, Integer)}
- */
- @Test
- public void testEgressACLTcpSyn() throws Exception {
- egressAclService.egressACLTcpSyn(123L, "2", MAC_ADDRESS, true, 1, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLTcpSyn(123L, "2", MAC_ADDRESS, false, 1, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
}
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import java.util.ArrayList;
import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
import org.junit.Assert;
import org.junit.Before;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
+import org.opendaylight.ovsdb.openstack.netvirt.providers.NetvirtProvidersProvider;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.PipelineOrchestrator;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatch;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.powermock.api.mockito.PowerMockito;
+import org.powermock.api.support.membermodification.MemberModifier;
import org.powermock.modules.junit4.PowerMockRunner;
import com.google.common.util.concurrent.CheckedFuture;
private Neutron_IPs neutron_ip_dest_1;
private Neutron_IPs neutron_ip_dest_2;
- private static final String SEGMENTATION_ID = "2";
- private static final int PRIORITY = 1;
- private static final String HOST_ADDRESS = "127.0.0.1/32";
private static final String MAC_ADDRESS = "87:1D:5E:02:40:B8";
+ private static final String DHCP_MAC_ADDRESS = "87:1D:5E:02:40:B9";
private static final String SRC_IP = "192.168.0.1";
private static final String DEST_IP_1 = "192.169.0.1";
private static final String DEST_IP_2 = "192.169.0.2";
}
@Before
- public void setUp() {
+ public void setUp() throws IllegalArgumentException, IllegalAccessException{
ingressAclServiceSpy = PowerMockito.spy(ingressAclService);
when(writeTransaction.submit()).thenReturn(commitFuture);
when(securityGroup.getSecurityRules()).thenReturn(portSecurityList);
when(securityServices.getVmListForSecurityGroup
(PORT_UUID, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
- }
-
- /* *//**
- * Rule 1: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule1() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
-
- *//**
- * Rule 2: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule2() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
+ NetvirtProvidersProvider netvirtProvider = mock(NetvirtProvidersProvider.class);
+ MemberModifier.field(NetvirtProvidersProvider.class, "hasProviderEntityOwnership").set(netvirtProvider, new AtomicBoolean(true));
- *//**
- * Rule 3: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule3() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
}
-
- *//**
- * Rule 4: TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule4() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 5: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule5() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 6: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule6() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 7: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- @Test
- public void testProgramPortSecurityACLRule7() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).handleIngressAllowProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
- }
-*/
/**
* Test method {@link EgressAclService#programPortSecurityGroup(java.lang.Long, java.lang.String,
* java.lang.String, long, org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup,
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
- ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, null, true);
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(0)).submit();
verify(commitFuture, times(0)).get();
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
- ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, null, false);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
verify(commitFuture, times(0)).get();
}
-
/**
- * Test method {@link IgressAclService#egressACLDefaultTcpDrop(Long, String, String, int, boolean)}
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
- public void testIgressACLDefaultTcpDrop() throws Exception {
- ingressAclService.ingressACLDefaultTcpDrop(123L, SEGMENTATION_ID, MAC_ADDRESS, PRIORITY, true);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLAdd2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
- ingressAclService.ingressACLDefaultTcpDrop(123L, SEGMENTATION_ID, MAC_ADDRESS, PRIORITY, false);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+ verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).checkedGet();
+ }
/**
- * Test method {@link IgressAclService#ingressACLTcpPortWithPrefix(Long, String, String, boolean, Integer, String, Integer)}
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
- public void testIngressACLTcpPortWithPrefix() throws Exception {
- ingressAclService.ingressACLTcpPortWithPrefix(123L, SEGMENTATION_ID, MAC_ADDRESS, true, 1, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
- ingressAclService.ingressACLTcpPortWithPrefix(123L, SEGMENTATION_ID, MAC_ADDRESS, false, 1, HOST_ADDRESS, PRIORITY);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).get();
}
-
/**
- * Test method {@link IgressAclService#handleIngressAllowProto(Long, String, String, boolean, String, Integer)}
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
- public void testIngressAllowProto() throws Exception {
- ingressAclService.handleIngressAllowProto(123L, SEGMENTATION_ID, MAC_ADDRESS, true, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLAdd3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.handleIngressAllowProto(123L, SEGMENTATION_ID, MAC_ADDRESS, false, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
+ verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(0)).submit();
+ verify(commitFuture, times(0)).get();
+ }
/**
- * Test method {@link IgressAclService#ingressACLPermitAllProto(Long, String, String, boolean, String, Integer)}
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
- public void testIngressACLPermitAllProto() throws Exception {
- ingressAclService.ingressACLPermitAllProto(123L, SEGMENTATION_ID, MAC_ADDRESS, true, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.ingressACLPermitAllProto(123L, SEGMENTATION_ID, MAC_ADDRESS, false, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
+
+ verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(0)).submit();
+ verify(commitFuture, times(0)).get();
}
+ /**
+ * Test With isConntrackEnabled true isComputeNode true
+ */
+ @Test
+ public void testProgramFixedSecurityACLAdd4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+
+ verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(4)).submit();
+ verify(commitFuture, times(4)).checkedGet();
+ }
/**
- * Test method {@link IgressAclService#ingressACLTcpSyn(Long, String, String, boolean, Integer, Integer)}
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
- public void testIngressACLTcpSyn() throws Exception {
- ingressAclService.ingressACLTcpSyn(123L, SEGMENTATION_ID, MAC_ADDRESS, true, 1, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.ingressACLTcpSyn(123L, SEGMENTATION_ID, MAC_ADDRESS, false, 1, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+
+ verify(writeTransaction, times(4)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(4)).submit();
+ verify(commitFuture, times(4)).get();
}
+
}
Code Review / netvirt.git / commitdiff