Skip to content

Commit

Permalink
ut: add unit test for SGLostACL (#4378)
Browse files Browse the repository at this point in the history
Signed-off-by: zcq98 <zhaocongqi_yewu@cmss.chinamobile.com>
  • Loading branch information
zcq98 authored and bobz965 committed Aug 14, 2024
1 parent cbe67e4 commit 248599e
Show file tree
Hide file tree
Showing 2 changed files with 181 additions and 0 deletions.
177 changes: 177 additions & 0 deletions pkg/ovs/ovn-nb-acl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1861,3 +1861,180 @@ func (suite *OvnClientTestSuite) testSgRuleNoACL() {
require.False(t, noACL)
})
}

func (suite *OvnClientTestSuite) testSGLostACL() {
t := suite.T()
t.Parallel()

ovnClient := suite.ovnClient

t.Run("no lost ACLs", func(t *testing.T) {
t.Parallel()
sg := &kubeovnv1.SecurityGroup{
ObjectMeta: metav1.ObjectMeta{
Name: "test-sg-no-lost-acl",
},
Spec: kubeovnv1.SecurityGroupSpec{
IngressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv4",
Protocol: "tcp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "192.168.0.0/24",
PortRangeMin: 80,
PortRangeMax: 80,
Priority: 1,
Policy: "allow",
},
},
EgressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv6",
Protocol: "udp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "fd00::/64",
PortRangeMin: 53,
PortRangeMax: 53,
Priority: 1,
Policy: "allow",
},
},
},
}

pgName := GetSgPortGroupName(sg.Name)
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

ingressACL, err := ovnClient.newACL(pgName, ovnnb.ACLDirectionToLport, "2299", "outport == @ovn.sg.test.sg.no.lost.acl && ip4 && ip4.src == 192.168.0.0/24 && 80 <= tcp.dst <= 80", ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
require.NoError(t, err)
err = ovnClient.CreateAcls(pgName, portGroupKey, ingressACL)
require.NoError(t, err)

egressACL, err := ovnClient.newACL(pgName, ovnnb.ACLDirectionFromLport, "2299", "inport == @ovn.sg.test.sg.no.lost.acl && ip6 && ip6.dst == fd00::/64 && 53 <= udp.dst <= 53", ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
require.NoError(t, err)
err = ovnClient.CreateAcls(pgName, portGroupKey, egressACL)
require.NoError(t, err)

lost, err := ovnClient.SGLostACL(sg)
require.NoError(t, err)
require.False(t, lost)
})

t.Run("lost ingress ACL", func(t *testing.T) {
t.Parallel()
sg := &kubeovnv1.SecurityGroup{
ObjectMeta: metav1.ObjectMeta{
Name: "test-sg-lost-ingress-acl",
},
Spec: kubeovnv1.SecurityGroupSpec{
IngressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv4",
Protocol: "tcp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "192.168.0.0/24",
PortRangeMin: 80,
PortRangeMax: 80,
Priority: 1,
Policy: "allow",
},
},
EgressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv6",
Protocol: "udp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "fd00::/64",
PortRangeMin: 53,
PortRangeMax: 53,
Priority: 1,
Policy: "allow",
},
},
},
}

pgName := GetSgPortGroupName(sg.Name)
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

egressACL, err := ovnClient.newACL(pgName, ovnnb.ACLDirectionFromLport, "2299", "inport == @ovn.sg.test.sg.lost.ingress.acl && ip6 && ip6.dst == fd00::/64 && 53 <= udp.dst <= 53", ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
require.NoError(t, err)
err = ovnClient.CreateAcls(pgName, portGroupKey, egressACL)
require.NoError(t, err)

lost, err := ovnClient.SGLostACL(sg)
require.NoError(t, err)
require.True(t, lost)
})

t.Run("lost egress ACL", func(t *testing.T) {
t.Parallel()
sg := &kubeovnv1.SecurityGroup{
ObjectMeta: metav1.ObjectMeta{
Name: "test-sg-lost-egress-acl",
},
Spec: kubeovnv1.SecurityGroupSpec{
IngressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv4",
Protocol: "tcp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "192.168.0.0/24",
PortRangeMin: 80,
PortRangeMax: 80,
Priority: 1,
Policy: "allow",
},
},
EgressRules: []*kubeovnv1.SgRule{
{
IPVersion: "ipv6",
Protocol: "udp",
RemoteType: kubeovnv1.SgRemoteTypeAddress,
RemoteAddress: "fd00::/64",
PortRangeMin: 53,
PortRangeMax: 53,
Priority: 1,
Policy: "allow",
},
},
},
}

pgName := GetSgPortGroupName(sg.Name)
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

ingressACL, err := ovnClient.newACL(pgName, ovnnb.ACLDirectionToLport, "2299", "outport == @ovn.sg.test.sg.lost.egress.acl && ip4 && ip4.src == 192.168.0.0/24 && 80 <= tcp.dst <= 80", ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
require.NoError(t, err)
err = ovnClient.CreateAcls(pgName, portGroupKey, ingressACL)
require.NoError(t, err)

lost, err := ovnClient.SGLostACL(sg)
require.NoError(t, err)
require.True(t, lost)
})

t.Run("empty security group", func(t *testing.T) {
t.Parallel()
sg := &kubeovnv1.SecurityGroup{
ObjectMeta: metav1.ObjectMeta{
Name: "test-sg-empty",
},
Spec: kubeovnv1.SecurityGroupSpec{
IngressRules: []*kubeovnv1.SgRule{},
EgressRules: []*kubeovnv1.SgRule{},
},
}

pgName := GetSgPortGroupName(sg.Name)
err := ovnClient.CreatePortGroup(pgName, nil)
require.NoError(t, err)

lost, err := ovnClient.SGLostACL(sg)
require.NoError(t, err)
require.False(t, lost)
})
}
4 changes: 4 additions & 0 deletions pkg/ovs/ovn-nb-suite_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -538,6 +538,10 @@ func (suite *OvnClientTestSuite) Test_sgRuleNoACL() {
suite.testSgRuleNoACL()
}

func (suite *OvnClientTestSuite) Test_SGLostACL() {
suite.testSGLostACL()
}

/* logical_router_policy unit test */
func (suite *OvnClientTestSuite) Test_AddLogicalRouterPolicy() {
suite.testAddLogicalRouterPolicy()
Expand Down

0 comments on commit 248599e

Please sign in to comment.