[Stateless SG] Add IPv6 and DHCP related tests
When stateless SG are used RA packets may be blocked as there is no
stateful connections in SG so it will not be by default accepted
as related to the outgoing RS packets.
To confirm that this works fine, this patch adds new, dual stack cases
for the test "test_default_sec_grp_scenarios". This test is the same as
existing test_default_sec_grp_scenarios for stateful and stateless IPv4
scenarios but additionally checks at the end if IPv6 addresses were
configured properly in the guest VMs.
Change-Id: I1595e5c2072f43e9c8fd7cbfe6fa25815f1ffd92
Depends-On: Id1328d7cba418fa7c227ae9db4fe83c09fd06035
diff --git a/neutron_tempest_plugin/scenario/test_security_groups.py b/neutron_tempest_plugin/scenario/test_security_groups.py
index d5f9b77..ed9ff8c 100644
--- a/neutron_tempest_plugin/scenario/test_security_groups.py
+++ b/neutron_tempest_plugin/scenario/test_security_groups.py
@@ -17,6 +17,7 @@
from neutron_lib import constants
import testtools
+from oslo_log import log
from tempest.common import utils as tempest_utils
from tempest.common import waiters
from tempest.lib.common.utils import data_utils
@@ -32,7 +33,7 @@
from neutron_tempest_plugin.scenario import constants as const
CONF = config.CONF
-
+LOG = log.getLogger(__name__)
EPHEMERAL_PORT_RANGE = {'min': 32768, 'max': 65535}
@@ -96,10 +97,18 @@
def resource_setup(cls):
super(BaseNetworkSecGroupTest, cls).resource_setup()
# setup basic topology for servers we can log into it
+ cls.reserve_external_subnet_cidrs()
cls.network = cls.create_network()
cls.subnet = cls.create_subnet(cls.network)
cls.router = cls.create_router_by_client()
cls.create_router_interface(cls.router['id'], cls.subnet['id'])
+ if cls.ipv6_mode:
+ cls.subnet_v6 = cls.create_subnet(
+ cls.network,
+ ip_version=constants.IP_VERSION_6,
+ ipv6_ra_mode=cls.ipv6_mode,
+ ipv6_address_mode=cls.ipv6_mode)
+ cls.create_router_interface(cls.router['id'], cls.subnet_v6['id'])
cls.keypair = cls.create_keypair()
def setUp(self):
@@ -332,6 +341,7 @@
self.assertTrue(ext_net_ip)
self.check_remote_connectivity(server_ssh_clients[0], ext_net_ip,
servers=servers)
+ return server_ssh_clients, fips, servers
def _test_protocol_number_rule(self):
# protocol number is added instead of str in security rule creation
@@ -739,6 +749,7 @@
class StatefulNetworkSecGroupTest(BaseNetworkSecGroupTest):
stateless_sg = False
+ ipv6_mode = None
@decorators.idempotent_id('3d73ec1a-2ec6-45a9-b0f8-04a283d9d764')
def test_default_sec_grp_scenarios(self):
@@ -922,9 +933,10 @@
CONF.neutron_plugin_options.firewall_driver in ['openvswitch', 'None'],
"Firewall driver other than 'openvswitch' is required to use "
"stateless security groups.")
-class StatelessNetworkSecGroupTest(BaseNetworkSecGroupTest):
+class StatelessNetworkSecGroupIPv4Test(BaseNetworkSecGroupTest):
required_extensions = ['security-group', 'stateful-security-group']
stateless_sg = True
+ ipv6_mode = None
@decorators.idempotent_id('9e193e3f-56f2-4f4e-886c-988a147958ef')
def test_default_sec_grp_scenarios(self):
@@ -1123,3 +1135,57 @@
ssh_clients['client'], fips['server']['fixed_ip_address'],
mtu=self.network['mtu'] + 1, fragmentation=True,
should_succeed=True)
+
+
+class StatelessSecGroupDualStackSlaacTest(BaseNetworkSecGroupTest):
+ required_extensions = ['security-group', 'stateful-security-group']
+ stateless_sg = True
+ ipv6_mode = 'slaac'
+
+ def _get_port_cidrs(self, port):
+ ips = []
+ subnet_cidrs = {}
+ for fixed_ip in port['fixed_ips']:
+ subnet_id = fixed_ip['subnet_id']
+ subnet_cidr = subnet_cidrs.get('subnet_id')
+ if not subnet_cidr:
+ subnet = self.client.show_subnet(subnet_id)['subnet']
+ subnet_cidr = netaddr.IPNetwork(subnet['cidr'])
+ subnet_cidrs[subnet_id] = subnet_cidr
+ ips.append(
+ netaddr.IPNetwork(
+ "%s/%s" % (fixed_ip['ip_address'], subnet_cidr.prefixlen)))
+ LOG.debug("On port %s found IP cidrs: %s", port['id'], ips)
+ return ips
+
+ def _test_default_sec_grp_scenarios(self):
+ # Make "regular" test like for IPv4 case
+ server_ssh_clients, _, servers = (
+ super()._test_default_sec_grp_scenarios())
+
+ # And additionally ensure that IPv6 addresses are configured properly
+ # in the VM
+ for ssh_client, server in zip(server_ssh_clients, servers):
+ ip_cmd = ip.IPCommand(ssh_client=ssh_client)
+ ports = self.client.list_ports(
+ device_id=server['server']['id'])['ports']
+ for port in ports:
+ configured_cidrs = [ip.network for ip in
+ ip_cmd.list_addresses(port=port)]
+ for port_cidr in self._get_port_cidrs(port):
+ self.assertIn(port_cidr, configured_cidrs)
+
+ @decorators.idempotent_id('e7d64384-ea6a-40aa-b454-854f0990153c')
+ def test_default_sec_grp_scenarios(self):
+ self._test_default_sec_grp_scenarios()
+
+
+class StatelessSecGroupDualStackDHCPv6StatelessTest(
+ StatelessSecGroupDualStackSlaacTest):
+ required_extensions = ['security-group', 'stateful-security-group']
+ stateless_sg = True
+ ipv6_mode = 'dhcpv6-stateless'
+
+ @decorators.idempotent_id('c61c127c-e08f-4ddf-87a3-58b3c86e5476')
+ def test_default_sec_grp_scenarios(self):
+ self._test_default_sec_grp_scenarios()