From b4e44a68deb09c5ce53d86d7856f101aee9fb6cc Mon Sep 17 00:00:00 2001
From: Alexey Kashavkin
Date: Fri, 24 May 2024 06:09:06 +0500
Subject: [PATCH 1/3] Added support of existing security groups
---
 nfvbench/cfg.default.yaml | 6 +++++
 nfvbench/chaining.py | 46 ++++++++++++++++++++++++++++++---------
 nfvbench/nfvbench.py | 10 +++++++++
 3 files changed, 52 insertions(+), 10 deletions(-)
diff --git a/nfvbench/cfg.default.yaml b/nfvbench/cfg.default.yaml
index c76e738..783f4e9 100644
--- a/nfvbench/cfg.default.yaml
+++ b/nfvbench/cfg.default.yaml
@@ -951,3 +951,9 @@ no_e2e_check: false
 # Designed for development needs
 # The hexadecimal notation (0x...) is accepted.
 debug_mask: 0x00000000
+
+# Do not disable port security
+# Use the default security group using the command line argument, or specify a single security group as in the following example
+# Example:
+# security_group: any_group
+# THIS PARAMETER MUST NOT BE EMPTY otherwise it must be commented out
diff --git a/nfvbench/chaining.py b/nfvbench/chaining.py
index d6f67f9..9e1e859 100644
--- a/nfvbench/chaining.py
+++ b/nfvbench/chaining.py
@@ -165,16 +165,42 @@ def __init__(self, name, vnf, chain_network, vnic_type):
 port = self.manager.neutron_client.create_port(body)
 self.port = port['port']
 LOG.info('Created port %s', name)
- try:
- self.manager.neutron_client.update_port(self.port['id'], {
- 'port': {
- 'security_groups': [],
- 'port_security_enabled': False,
- }
- })
- LOG.info('Security disabled on port %s', name)
- except Exception:
- LOG.info('Failed to disable security on port %s (ignored)', name)
+ if not 'security_group' in self.manager.config.keys():
+ try:
+ self.manager.neutron_client.update_port(self.port['id'], {
+ 'port': {
+ 'security_groups': [],
+ 'port_security_enabled': False,
+ }
+ })
+ LOG.info('Security disabled on port %s', name)
+ except Exception:
+ LOG.info('Failed to disable security on port %s (ignored)', name)
+ elif self.manager.config.security_group == '':
+ try:
+ self.manager.neutron_client.update_port(self.port['id'], {
+ 'port': {
+ 'allowed_address_pairs': [{'ip_address': self.manager.config.traffic_generator.ip_addrs[0] },
+ {'ip_address': self.manager.config.traffic_generator.ip_addrs[1] }],
+ }
+ })
+ LOG.info('Port security will not be disabled. %s uses the default security group.', name)
+ except Exception:
+ LOG.error('Allowed address pairs were not added to the port %s', name)
+ else:
+ sec_group = self.manager.neutron_client.list_security_groups(name=self.manager.config.security_group, fields=['id'])
+ for sg_id in sec_group['security_groups']:
+ try:
+ self.manager.neutron_client.update_port(self.port['id'], {
+ 'port': {
+ 'security_groups': [*sg_id.values()],
+ 'allowed_address_pairs': [{'ip_address': self.manager.config.traffic_generator.ip_addrs[0] },
+ {'ip_address': self.manager.config.traffic_generator.ip_addrs[1] }],
+ }
+ })
+ LOG.info('Port security will not be disabled. 
%s uses the %s security group.', name, *sg_id.values()) + except Exception: + LOG.error('Allowed address pairs were not added to the port %s', name) def get_mac(self): """Get the MAC address for this port.""" diff --git a/nfvbench/nfvbench.py b/nfvbench/nfvbench.py index 891b2bb..c572615 100644 --- a/nfvbench/nfvbench.py +++ b/nfvbench/nfvbench.py @@ -444,6 +444,14 @@ def _parse_opts_from_cli(): action='store_true', help='Enable MPLS encapsulation') + parser.add_argument('--use-sg', dest='use_sg', + action='store', + const='', + nargs='?', + metavar='', + help='Do not disable port security and specify single security group. ' + 'If left empty, the default security group will be used.') + parser.add_argument('--no-cleanup', dest='no_cleanup', default=None, action='store_true', @@ -810,6 +818,8 @@ def main(): if opts.debug_mask is not None: config.debug_mask = opts.debug_mask opts.debug_mask = None + if opts.use_sg is not None: + config.security_group = opts.use_sg # convert 'user_info' opt from json string to dictionnary # and merge the result with the current config dictionnary From 0a6660108a874a190cc3a69f99d6ebfa87d876f1 Mon Sep 17 00:00:00 2001 From: Alexey Kashavkin Date: Fri, 24 May 2024 06:32:13 +0500 Subject: [PATCH 2/3] Up to the latest new versions --- docker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 46be733..edf5118 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,8 +1,8 @@ # docker file for creating a container that has nfvbench installed and ready to use FROM ubuntu:20.04 -ENV TREX_VER "v2.89" -ENV VM_IMAGE_VER "0.15" +ENV TREX_VER "v3.04" +ENV VM_IMAGE_VER "0.16" ENV PYTHONIOENCODING "utf8" RUN apt-get update && apt-get install -y \ From 83ed3ec2a50b21b1d8d869afb52a9dcd44ab4b0c Mon Sep 17 00:00:00 2001 From: Alexey Kashavkin Date: Fri, 24 May 2024 06:44:51 +0500 Subject: [PATCH 3/3] Update README.rst --- README.rst | 4 ++++ 1 file changed, 4 insertions(+) 
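Review bot: In the final `else:` branch of the `chaining.py` hunk, the result of `list_security_groups(name=..., fields=['id'])` is looped over without checking how many groups came back (the enclosing `__init__` starts above the hunk). If the name matches nothing, the loop body never runs, nothing is logged, and the port silently keeps whatever groups it was created with; if several groups share the name, the port is updated once per match and the last one wins. I would require exactly one match before updating, e.g. `if len(sec_group['security_groups']) != 1:` followed by an error that stops the run, and bring the lookup under the error handling, since it currently sits outside the `try`. A `security_group:` key left empty in the YAML would presumably load as `None` rather than `''` and also land in this branch, so that case is better rejected in code than by the config comment alone. Both new `except Exception:` handlers report only that allowed address pairs were not added, which hides a failed security-group assignment; logging the caught exception would make the real cause visible.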
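Review bot: `metavar=''` on the new `--use-sg` option leaves the optional value unnamed in the usage and help output, so `--help` does not show that a group name may follow the flag. Something like `metavar='<security_group>'` would make that visible. `action='store'` is the argparse default and can be dropped. The body of `_parse_opts_from_cli` continues outside the hunk.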
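Review bot: Unlike the `debug_mask` lines just above it in `main()`, the new block copies `opts.use_sg` into `config.security_group` without clearing the option afterwards. If the remaining options are merged into the config later in `main()` (not visible in this hunk), a redundant `use_sg` key would be carried along; adding `opts.use_sg = None` after the assignment would keep the pattern consistent. A short comment on the assignment would also help the next reader, e.g. `# '' selects the project's default security group, any other value names an existing one`.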
diff --git a/README.rst b/README.rst index ead5053..5a20e58 100644 --- a/README.rst +++ b/README.rst @@ -1,3 +1,7 @@ +This fork adds support for existing security groups. That is, port security will not be disabled. Use the ``--use-sg`` command line argument. If you specify only this, the project's default security group will be used, or you can specify any of the existing groups after the ``--use-sg`` parameter. You can also specify a security group in the configuration file. Specifying multiple security groups is not provided. + +---- + NFVbench: A Network Performance Benchmarking Tool for NFVi Full Stacks **********************************************************************