changing to use ports and protocols

Author: paigerube14

krkn/scenario_plugins/network_chaos_ng/models.py

@@ -66,8 +66,14 @@ def validate(self) -> list[str]:
 
 @dataclass
 class NetworkFilterConfig(BaseNetworkChaosConfig):
-    ports: list[int]
-    protocols: list[str]
+    ports: list[int] = None
+    protocols: list[str] = None
+
+    def __post_init__(self):
+        if self.ports is None:
+            self.ports = []
+        if self.protocols is None:
+            self.protocols = ["tcp", "udp"]
 
     def validate(self) -> list[str]:
         errors = super().validate()

krkn/scenario_plugins/network_chaos_ng/modules/utils_network_filter.py

@@ -135,38 +135,28 @@ def apply_tc_vmi_chaos(
     namespace: str,
     pid: str,
     iface: str,
+    config: NetworkFilterConfig,
     parallel: bool,
     vmi_name: str,
-):
-    """Block all traffic on the VMI's tap interface using tc.
+) -> Tuple[list[str], list[str]]:
+    """Apply iptables rules inside the virt-launcher netns via nsenter.
 
-    Targets tap0 (the VM-facing end of the KubeVirt bridge) rather than the
-    bridge slave (ovn-udn1-nic).  Blocking the bridge slave also cuts OVN's
-    BFD heartbeats and causes a node-wide network reconvergence; tap0 only
-    connects to QEMU so blocking it isolates only this VMI.
+    Targets the tap interface (tap0) rather than the bridge slave (ovn-udn1-nic)
+    so that OVN's BFD heartbeats on the bridge are unaffected.  Rules are applied
+    inside the virt-launcher's network namespace using nsenter, matching the same
+    iptables approach used by pod_network_filter and node_network_filter.
 
-    tc operates at the device layer below iptables and works without br_netfilter:
-      - root netem loss 100%  -> drops traffic sent toward the VM
-      - ingress + matchall    -> drops traffic sent by the VM
-    Only one pid is needed because all processes in the container share a netns.
+    Returns (input_rules, output_rules) needed for cleanup.
     """
-    ns = f"nsenter --target {pid} --net --"
-    log_info(f"applying tc block on {iface} (egress netem + ingress drop)", parallel, vmi_name)
-    kubecli.exec_cmd_in_pod(
-        [f"{ns} tc qdisc add dev {iface} root netem loss 100%"],
-        chaos_pod_name,
-        namespace,
-    )
-    kubecli.exec_cmd_in_pod(
-        [f"{ns} tc qdisc add dev {iface} ingress"],
-        chaos_pod_name,
-        namespace,
-    )
-    kubecli.exec_cmd_in_pod(
-        [f"{ns} tc filter add dev {iface} parent ffff: protocol all matchall action drop"],
-        chaos_pod_name,
-        namespace,
+    log_info(
+        f"applying iptables rules on {iface} "
+        f"(ports:{config.ports}, protocols:{config.protocols})",
+        parallel,
+        vmi_name,
     )
+    input_rules, output_rules = generate_namespaced_rules([iface], config, [pid])
+    apply_network_rules(kubecli, input_rules, output_rules, chaos_pod_name, namespace, parallel, vmi_name)
+    return input_rules, output_rules
 
 
 def clean_tc_vmi_chaos(
@@ -175,16 +165,12 @@ def clean_tc_vmi_chaos(
     namespace: str,
     pid: str,
     iface: str,
+    input_rules: list[str],
+    output_rules: list[str],
 ):
-    """Remove tc qdiscs applied by apply_tc_vmi_chaos."""
-    ns = f"nsenter --target {pid} --net --"
-    for cmd in [
-        f"{ns} tc qdisc del dev {iface} root",
-        f"{ns} tc qdisc del dev {iface} ingress",
-    ]:
-        try:
-            kubecli.exec_cmd_in_pod([cmd], chaos_pod_name, namespace)
-        except Exception:
-            pass
+    """Remove iptables rules applied by apply_tc_vmi_chaos."""
+    clean_network_rules_namespaced(
+        kubecli, input_rules, output_rules, chaos_pod_name, namespace, [pid]
+    )
 
 

krkn/scenario_plugins/network_chaos_ng/modules/vmi_network_filter.py

@@ -53,14 +53,18 @@ def _rollback(
         network_chaos_pod_name: str,
         netns_pid: str = None,
         iface: str = None,
+        input_rules: list = None,
+        output_rules: list = None,
     ):
-        if netns_pid and iface:
+        if netns_pid and iface and input_rules is not None and output_rules is not None:
             clean_tc_vmi_chaos(
                 self.kubecli.get_lib_kubernetes(),
                 network_chaos_pod_name,
                 namespace,
                 netns_pid,
                 iface,
+                input_rules,
+                output_rules,
             )
         self.kubecli.get_lib_kubernetes().delete_pod(
             network_chaos_pod_name, namespace
@@ -75,6 +79,8 @@ def run(self, target: str, error_queue: queue.Queue = None):
         network_chaos_pod_name = None
         netns_pid = None
         iface = None
+        input_rules = None
+        output_rules = None
 
         try:
             namespace, vmi_name = target.split("/", 1)
@@ -241,36 +247,32 @@ def run(self, target: str, error_queue: queue.Queue = None):
                 network_chaos_pod_name,
             )
 
-            # Use tc (traffic control) to block traffic on the bridge slave.
-            # iptables FORWARD rules are ineffective here because L2-bridged
-            # traffic bypasses iptables unless br_netfilter is loaded and
-            # net.bridge.bridge-nf-call-iptables=1, which is not guaranteed.
-            # tc netem/ingress operates below iptables at the device level.
-            apply_tc_vmi_chaos(
+            input_rules, output_rules = apply_tc_vmi_chaos(
                 self.kubecli.get_lib_kubernetes(),
                 network_chaos_pod_name,
                 namespace,
                 netns_pid,
                 iface,
+                scoped_config,
                 parallel,
                 vmi_name,
             )
 
             log_info(
-                f"waiting {self.config.test_duration} seconds before removing tc rules",
+                f"waiting {self.config.test_duration} seconds before removing iptables rules",
                 parallel,
                 network_chaos_pod_name,
             )
 
             time.sleep(self.config.test_duration)
 
-            log_info("removing tc rules", parallel, network_chaos_pod_name)
+            log_info("removing iptables rules", parallel, network_chaos_pod_name)
 
-            self._rollback(namespace, network_chaos_pod_name, netns_pid, iface)
+            self._rollback(namespace, network_chaos_pod_name, netns_pid, iface, input_rules, output_rules)
 
         except Exception as e:
             if network_chaos_pod_name:
-                self._rollback(namespace, network_chaos_pod_name, netns_pid, iface)
+                self._rollback(namespace, network_chaos_pod_name, netns_pid, iface, input_rules, output_rules)
             if error_queue is None:
                 raise e
             else:

tests/test_vmi_network_filter.py

@@ -210,7 +210,7 @@ def _patch_run(self):
     # ------------------------------------------------------------------ success
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], []))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -237,7 +237,7 @@ def test_run_success(
         self.mock_kubernetes.delete_pod.assert_called_once()
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], []))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -352,7 +352,7 @@ def test_run_strips_container_id_prefix(self, mock_log, mock_deploy, mock_find):
         self.mock_kubernetes.get_pod_pids.return_value = ["100"]
 
         with patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0"), \
-             patch(f"{MODULE}.apply_tc_vmi_chaos"), \
+             patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], [])), \
              patch(f"{MODULE}.clean_tc_vmi_chaos"), \
              patch(f"{MODULE}.time.sleep"):
             self.module.run("virt-density-udn-3/virt-server-3")
@@ -395,7 +395,7 @@ def test_run_error_queue_captures_exception(self, mock_log, mock_deploy):
         self.assertIn("not found", error_queue.get())
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], []))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -412,7 +412,7 @@ def test_run_no_error_queue_raises_directly(
     # ------------------------------------------------------------------ apply / clean called correctly
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], []))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -432,7 +432,7 @@ def test_run_apply_and_clean_called_with_tap_and_pid(
         self.assertEqual(clean_args[4], "tap0")  # iface
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], []))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -479,21 +479,31 @@ def setUp(self):
     # ------------------------------------------------------------------ _rollback directly
 
     def test_rollback_calls_clean_then_delete_when_tc_applied(self):
+        input_rules = ["nsenter ... iptables -I INPUT 1 -i tap0 -p tcp -j DROP"]
+        output_rules = ["nsenter ... iptables -I OUTPUT 1 -p tcp -j DROP"]
         with patch(f"{MODULE}.clean_tc_vmi_chaos") as mock_clean:
-            self.module._rollback("ns", "chaos-pod", "101", "tap0")
+            self.module._rollback("ns", "chaos-pod", "101", "tap0", input_rules, output_rules)
 
         mock_clean.assert_called_once_with(
-            self.mock_kubernetes, "chaos-pod", "ns", "101", "tap0"
+            self.mock_kubernetes, "chaos-pod", "ns", "101", "tap0", input_rules, output_rules
         )
         self.mock_kubernetes.delete_pod.assert_called_once_with("chaos-pod", "ns")
 
-    def test_rollback_skips_clean_when_tc_not_applied(self):
+    def test_rollback_skips_clean_when_no_rules(self):
         with patch(f"{MODULE}.clean_tc_vmi_chaos") as mock_clean:
             self.module._rollback("ns", "chaos-pod")
 
         mock_clean.assert_not_called()
         self.mock_kubernetes.delete_pod.assert_called_once_with("chaos-pod", "ns")
 
+    def test_rollback_skips_clean_when_rules_none_but_pid_set(self):
+        """Chaos pod deployed, netns_pid found, but rules never applied: skip clean."""
+        with patch(f"{MODULE}.clean_tc_vmi_chaos") as mock_clean:
+            self.module._rollback("ns", "chaos-pod", "101", "tap0", None, None)
+
+        mock_clean.assert_not_called()
+        self.mock_kubernetes.delete_pod.assert_called_once_with("chaos-pod", "ns")
+
     # ------------------------------------------------------------------ rollback from run: error before tc
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
@@ -528,7 +538,7 @@ def test_run_rollback_does_not_clean_when_no_netns_pid(
     # ------------------------------------------------------------------ rollback from run: error after tc
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=(["in_rule"], ["out_rule"]))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
@@ -547,24 +557,103 @@ def test_run_rollback_cleans_tc_and_deletes_pod_on_error_after_tc(
         self.mock_kubernetes.delete_pod.assert_called_once()
 
     @patch(f"{MODULE}.clean_tc_vmi_chaos")
-    @patch(f"{MODULE}.apply_tc_vmi_chaos")
+    @patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=(["in_rule"], ["out_rule"]))
     @patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0")
     @patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101")
     @patch(f"{MODULE}.deploy_network_chaos_ng_pod")
     @patch(f"{MODULE}.time.sleep")
     @patch(f"{MODULE}.log_info")
-    def test_run_rollback_passes_correct_pid_and_iface_to_clean(
+    def test_run_rollback_passes_correct_pid_iface_and_rules_to_clean(
         self, mock_log, mock_sleep, mock_deploy, mock_find, mock_tap, mock_apply, mock_clean
     ):
-        """Clean must receive the resolved netns_pid and iface, not defaults."""
+        """Clean must receive the resolved netns_pid, iface, and the rules returned by apply."""
         mock_sleep.side_effect = RuntimeError("interrupted")
 
         with self.assertRaises(RuntimeError):
             self.module.run("virt-density-udn-3/virt-server-3")
 
         clean_args = mock_clean.call_args[0]
-        self.assertEqual(clean_args[3], "101")   # netns_pid
-        self.assertEqual(clean_args[4], "tap0")  # iface
+        self.assertEqual(clean_args[3], "101")          # netns_pid
+        self.assertEqual(clean_args[4], "tap0")         # iface
+        self.assertEqual(clean_args[5], ["in_rule"])    # input_rules from apply
+        self.assertEqual(clean_args[6], ["out_rule"])   # output_rules from apply
+
+
+class TestVmiNetworkFilterPortsProtocols(unittest.TestCase):
+
+    def setUp(self):
+        self.mock_kubecli = MagicMock()
+        self.mock_kubernetes = MagicMock()
+        self.mock_kubecli.get_lib_kubernetes.return_value = self.mock_kubernetes
+
+        self.mock_kubernetes.get_vmi.return_value = {"status": {"nodeName": "worker-1"}}
+        self.mock_kubernetes.list_pods.return_value = ["virt-launcher-virt-server-3-abc12"]
+        compute = _make_container("compute", ready=True, container_id="containerd://deadbeef")
+        mock_pod_info = MagicMock()
+        mock_pod_info.containers = [compute]
+        self.mock_kubernetes.get_pod_info.return_value = mock_pod_info
+        self.mock_kubernetes.get_pod_pids.return_value = ["100", "101", "102"]
+
+    def _run_and_capture_apply(self, **config_overrides):
+        config = _make_config(**config_overrides)
+        module = VmiNetworkFilterModule(config, self.mock_kubecli)
+        with patch(f"{MODULE}.deploy_network_chaos_ng_pod"), \
+             patch(f"{MODULE}.find_virt_launcher_netns_pid", return_value="101"), \
+             patch(f"{MODULE}.get_vmi_tap_interface", return_value="tap0"), \
+             patch(f"{MODULE}.apply_tc_vmi_chaos", return_value=([], [])) as mock_apply, \
+             patch(f"{MODULE}.clean_tc_vmi_chaos"), \
+             patch(f"{MODULE}.time.sleep"), \
+             patch(f"{MODULE}.log_info"):
+            module.run("virt-density-udn-3/virt-server-3")
+        return mock_apply
+
+    def test_apply_receives_specific_ports(self):
+        mock_apply = self._run_and_capture_apply(ports=[53, 80, 443])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.ports, [53, 80, 443])
+
+    def test_apply_receives_empty_ports_for_all_traffic(self):
+        mock_apply = self._run_and_capture_apply(ports=[])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.ports, [])
+
+    def test_apply_receives_tcp_only_protocol(self):
+        mock_apply = self._run_and_capture_apply(protocols=["tcp"])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.protocols, ["tcp"])
+
+    def test_apply_receives_udp_only_protocol(self):
+        mock_apply = self._run_and_capture_apply(protocols=["udp"])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.protocols, ["udp"])
+
+    def test_apply_receives_both_protocols(self):
+        mock_apply = self._run_and_capture_apply(protocols=["tcp", "udp"])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertIn("tcp", config_arg.protocols)
+        self.assertIn("udp", config_arg.protocols)
+
+    def test_apply_receives_dns_ports_with_both_protocols(self):
+        """DNS blackout: port 53 on tcp and udp."""
+        mock_apply = self._run_and_capture_apply(ports=[53], protocols=["tcp", "udp"])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.ports, [53])
+        self.assertIn("tcp", config_arg.protocols)
+        self.assertIn("udp", config_arg.protocols)
+
+    def test_apply_receives_management_ports(self):
+        """Management plane loss: SSH + HTTPS + k8s API."""
+        mock_apply = self._run_and_capture_apply(ports=[22, 443, 6443], protocols=["tcp"])
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.ports, [22, 443, 6443])
+        self.assertEqual(config_arg.protocols, ["tcp"])
+
+    def test_apply_config_has_resolved_namespace_not_regex(self):
+        """The config passed to apply must use the real namespace from the target string."""
+        mock_apply = self._run_and_capture_apply(namespace="virt-density-udn-.*")
+        config_arg = mock_apply.call_args[0][5]
+        self.assertEqual(config_arg.namespace, "virt-density-udn-3")
+        self.assertNotEqual(config_arg.namespace, "virt-density-udn-.*")
 
 
 if __name__ == "__main__":