Stop changing default firewall behaviour and just add rules instead

seman · May 28, 2015 · 4d8247d · 4d8247d
1 parent e200b49
commit 4d8247d
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 34 deletions.
diff --git a/chaos/net.py b/chaos/net.py
@@ -25,11 +25,6 @@ def enable(cls):
         """Gives an action for enabling and disabling the firewalling."""
         return cls("ufw --force enable", "ufw disable")
 
-    @classmethod
-    def default_allow(cls):
-        """Gives an action for allowing and denying incoming connections."""
-        return cls("ufw default allow", "ufw default deny")
-
     @classmethod
     def rule(cls, rule):
         """Gives an action for creating and deleting a given firewall rule."""
@@ -80,45 +75,48 @@ def factory(cls):
         return cls()
 
     def get_chaos(self):
-        allow_incoming = FirewallAction.default_allow()
         allow_ssh = FirewallAction.rule("allow ssh")
+        allow_in_to_any = FirewallAction.rule("allow in to any")
+        deny_in_to_any = FirewallAction.rule("deny in to any")
         deny_out_to_any = FirewallAction.rule("deny out to any")
         return [
             FirewallChaos(
                 'deny-all',
                 'Deny all incoming and outgoing network traffic except ssh.',
                 allow_ssh,
+                deny_in_to_any,
                 deny_out_to_any,
                 ),
             FirewallChaos(
                 'deny-incoming',
                 'Deny all incoming network traffic except ssh.',
                 allow_ssh,
+                deny_in_to_any,
                 ),
             FirewallChaos(
                 'deny-outgoing',
                 'Deny all outgoing network traffic except ssh.',
                 allow_ssh,
                 deny_out_to_any,
-                allow_incoming,
+                allow_in_to_any,
                 ),
             FirewallChaos(
                 'deny-state-server',
                 'Deny network traffic to the Juju State-Server',
                 FirewallAction.deny_port_rule(37017),
-                allow_incoming,
+                allow_in_to_any,
                 ),
             FirewallChaos(
                 'deny-api-server',
                 'Deny network traffic to the Juju API Server.',
                 FirewallAction.deny_port_rule(17017),
-                allow_incoming,
+                allow_in_to_any,
                 ),
             FirewallChaos(
                 'deny-sys-log',
                 'Deny network traffic to the Juju SysLog.',
                 FirewallAction.deny_port_rule(6514),
-                allow_incoming,
+                allow_in_to_any,
                 ),
         ]
 

diff --git a/tests/test_chaos_monkey.py b/tests/test_chaos_monkey.py
@@ -49,10 +49,10 @@ def test_run_chaos(self):
             cm.run_chaos('net', 'deny-state-server', timeout=0)
         self.assertEqual(mock.mock_calls, [
             call(['ufw', 'deny', '37017']),
-            call(['ufw', 'default', 'allow']),
+            call(['ufw', 'allow', 'in', 'to', 'any']),
             call(['ufw', '--force', 'enable']),
             call(['ufw', 'disable']),
-            call(['ufw', 'default', 'deny']),
+            call(['ufw', 'delete', 'allow', 'in', 'to', 'any']),
             call(['ufw', 'delete', 'deny', '37017']),
         ])
 
@@ -94,10 +94,10 @@ def test_run_command(self):
             cm._run_command(chaos, timeout=0)
         self.assertEqual(mock.mock_calls, [
             call(['ufw', 'deny', '37017']),
-            call(['ufw', 'default', 'allow']),
+            call(['ufw', 'allow', 'in', 'to', 'any']),
             call(['ufw', '--force', 'enable']),
             call(['ufw', 'disable']),
-            call(['ufw', 'default', 'deny']),
+            call(['ufw', 'delete', 'allow', 'in', 'to', 'any']),
             call(['ufw', 'delete', 'deny', '37017']),
         ])
 

diff --git a/tests/test_net.py b/tests/test_net.py
@@ -22,11 +22,6 @@ def test_enable(self):
         self.assertEqual(action.do_command, "ufw --force enable")
         self.assertEqual(action.undo_command, "ufw disable")
 
-    def test_default_allow(self):
-        action = FirewallAction.default_allow()
-        self.assertEqual(action.do_command, "ufw default allow")
-        self.assertEqual(action.undo_command, "ufw default deny")
-
     def test_rule(self):
         action = FirewallAction.rule("allow from 192.168.1.0/24")
         self.assertEqual(action.do_command, "ufw allow from 192.168.1.0/24")
@@ -55,14 +50,16 @@ def test_undo(self):
         mock.assert_called_once_with(["off"])
 
 
+allow_in_call = call(['ufw', 'allow', 'in', 'to', 'any'])
+deny_in_call = call(['ufw', 'deny', 'in', 'to', 'any'])
 deny_out_call = call(['ufw', 'deny', 'out', 'to', 'any'])
 allow_ssh_call = call(['ufw', 'allow', 'ssh'])
-default_allow_call = call(['ufw', 'default', 'allow'])
 enable_call = call(['ufw', '--force', 'enable'])
 disable_call = call(['ufw', 'disable'])
-default_deny_call = call(['ufw', 'default', 'deny'])
 delete_ssh_call = call(['ufw', 'delete', 'allow', 'ssh'])
-allow_out_call = call(['ufw', 'delete', 'deny', 'out', 'to', 'any'])
+delete_deny_out_call = call(['ufw', 'delete', 'deny', 'out', 'to', 'any'])
+delete_deny_in_call = call(['ufw', 'delete', 'deny', 'in', 'to', 'any'])
+delete_allow_in_call = call(['ufw', 'delete', 'allow', 'in', 'to', 'any'])
 
 
 class TestNet(CommonTestBase):
@@ -100,53 +97,59 @@ def test_deny_all(self):
         chaos = self.get_net_chaos("deny-all")
         self.assert_calls(
             chaos.enable,
-            [allow_ssh_call, deny_out_call, enable_call])
+            [allow_ssh_call, deny_in_call, deny_out_call, enable_call])
         self.assert_calls(
             chaos.disable,
-            [disable_call, allow_out_call, delete_ssh_call])
+            [disable_call, delete_deny_out_call, delete_deny_in_call,
+             delete_ssh_call])
 
     def test_deny_incoming(self):
         chaos = self.get_net_chaos("deny-incoming")
-        self.assert_calls(chaos.enable, [allow_ssh_call, enable_call])
-        self.assert_calls(chaos.disable, [disable_call, delete_ssh_call])
+        self.assert_calls(
+            chaos.enable,
+            [allow_ssh_call, deny_in_call, enable_call])
+        self.assert_calls(
+            chaos.disable,
+            [disable_call, delete_deny_in_call, delete_ssh_call])
 
     def test_deny_outgoing(self):
         chaos = self.get_net_chaos("deny-outgoing")
         self.assert_calls(
             chaos.enable,
-            [allow_ssh_call, deny_out_call, default_allow_call, enable_call])
+            [allow_ssh_call, deny_out_call, allow_in_call, enable_call])
         self.assert_calls(
             chaos.disable,
-            [disable_call, default_deny_call, allow_out_call, delete_ssh_call])
+            [disable_call, delete_allow_in_call, delete_deny_out_call,
+             delete_ssh_call])
 
     def test_deny_state_server(self):
         chaos = self.get_net_chaos("deny-state-server")
         self.assert_calls(
             chaos.enable,
-            [call(['ufw', 'deny', '37017']), default_allow_call, enable_call])
+            [call(['ufw', 'deny', '37017']), allow_in_call, enable_call])
         self.assert_calls(
             chaos.disable,
-            [disable_call, default_deny_call,
+            [disable_call, delete_allow_in_call,
              call(['ufw', 'delete', 'deny', '37017'])])
 
     def test_deny_api_server(self):
         chaos = self.get_net_chaos("deny-api-server")
         self.assert_calls(
             chaos.enable,
-            [call(['ufw', 'deny', '17017']), default_allow_call, enable_call])
+            [call(['ufw', 'deny', '17017']), allow_in_call, enable_call])
         self.assert_calls(
             chaos.disable,
-            [disable_call, default_deny_call,
+            [disable_call, delete_allow_in_call,
              call(['ufw', 'delete', 'deny', '17017'])])
 
     def test_deny_sys_log(self):
         chaos = self.get_net_chaos("deny-sys-log")
         self.assert_calls(
             chaos.enable,
-            [call(['ufw', 'deny', '6514']), default_allow_call, enable_call])
+            [call(['ufw', 'deny', '6514']), allow_in_call, enable_call])
         self.assert_calls(
             chaos.disable,
-            [disable_call, default_deny_call,
+            [disable_call, delete_allow_in_call,
              call(['ufw', 'delete', 'deny', '6514'])])