os-vif/vif_plug_linux_bridge/linux_bridge.py
Kevin Benton 10e6b6bd1b Don't install iptables rules if neutron is filtering
Don't set up iptables rules in the Linux Bridge driver
if Neutron is providing security-group filtering.
When Neutron is providing filtering, it handles everything
ranging from security-group enforcement to anti-spoofing
rules, so Nova/os-vif shouldn't need to do anything on plug.

Change-Id: I19d62a8ac730aba2586b9f8eb08e153746ec2bcb
2017-02-28 12:08:59 +00:00


# Derived from nova/virt/libvirt/vif.py
#
# Copyright (C) 2011 Midokura KK
# Copyright (C) 2011 Nicira, Inc
# Copyright 2011 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from os_vif import objects
from os_vif import plugin
from oslo_config import cfg
from vif_plug_linux_bridge import iptables
from vif_plug_linux_bridge import linux_net
class LinuxBridgePlugin(plugin.PluginBase):
    """os-vif plugin that backs a VIF with a plain Linux bridge.

    ``plug`` asks ``linux_net`` for either a VLAN-backed bridge or a flat
    bridge, depending on what the VIF's network requests. On the flat path
    the decision to install iptables rules follows
    ``vif.has_traffic_filtering``: when the VIF reports that filtering is
    already provided, no rules are requested from ``linux_net``.
    """

    # Every option names DEFAULT as its deprecated group.
    CONFIG_OPTS = (
        cfg.BoolOpt(
            'use_ipv6',
            default=False,
            help='Use IPv6',
            deprecated_group="DEFAULT",
        ),
        cfg.StrOpt(
            'iptables_top_regex',
            default='',
            help='Regular expression to match the iptables rule that '
                 'should always be on the top.',
            deprecated_group="DEFAULT",
        ),
        cfg.StrOpt(
            'iptables_bottom_regex',
            default='',
            help='Regular expression to match the iptables rule that '
                 'should always be on the bottom.',
            deprecated_group="DEFAULT",
        ),
        cfg.StrOpt(
            'iptables_drop_action',
            default='DROP',
            help='The table that iptables to jump to when a packet is '
                 'to be dropped.',
            deprecated_group="DEFAULT",
        ),
        cfg.MultiStrOpt(
            'forward_bridge_interface',
            default=['all'],
            help='An interface that bridges can forward to. If '
                 'this is set to all then all traffic will be '
                 'forwarded. Can be specified multiple times.',
            deprecated_group="DEFAULT",
        ),
        cfg.StrOpt(
            'vlan_interface',
            help='VLANs will bridge into this interface if set',
            deprecated_group="DEFAULT",
        ),
        cfg.StrOpt(
            'flat_interface',
            help='FlatDhcp will bridge into this interface if set',
            deprecated_group="DEFAULT",
        ),
        cfg.IntOpt(
            'network_device_mtu',
            default=1500,
            help='MTU setting for network interface.',
            deprecated_group="DEFAULT",
        ),
    )

    def __init__(self, config):
        """Set up the plugin and give ``linux_net`` an iptables manager.

        :param config: plugin configuration object; the iptables-related
            options declared in ``CONFIG_OPTS`` are read from it.
        """
        super(LinuxBridgePlugin, self).__init__(config)

        # The manager is built at plugin start-up, before any VIF is seen,
        # so it exists whether or not a later plug() asks for filtering.
        iptables_settings = {
            'use_ipv6': config.use_ipv6,
            'iptables_top_regex': config.iptables_top_regex,
            'iptables_bottom_regex': config.iptables_bottom_regex,
            'iptables_drop_action': config.iptables_drop_action,
            'forward_bridge_interface': config.forward_bridge_interface,
        }
        linux_net.configure(iptables.IptablesManager(**iptables_settings))

    def describe(self):
        """Report the VIF object type and version range this plugin handles.

        :returns: a ``HostPluginInfo`` named ``linux_bridge`` that lists
            ``VIFBridge`` at version 1.0 only.
        """
        bridge_vif_info = objects.host_info.HostVIFInfo(
            vif_object_name=objects.vif.VIFBridge.__name__,
            min_version="1.0",
            max_version="1.0")
        return objects.host_info.HostPluginInfo(
            plugin_name="linux_bridge",
            vif_info=[bridge_vif_info])

    def plug(self, vif, instance_info):
        """Make sure the bridge named by ``vif`` exists on this host.

        Nothing is done when the network is multi-host or does not ask for
        the bridge to be provided. Otherwise a VLAN bridge or a flat bridge
        is requested from ``linux_net``.

        :param vif: VIF object; ``network``, ``bridge_name`` and
            ``has_traffic_filtering`` are read from it.
        :param instance_info: not used by this method.
        """
        net = vif.network
        bridge = vif.bridge_name

        if net.multi_host or not net.should_provide_bridge:
            return

        if not net.should_provide_vlan:
            parent_dev = self.config.flat_interface or net.bridge_interface
            # Rules are requested only when the VIF does not report traffic
            # filtering; otherwise the filtering provider (Neutron) is left
            # as the only party writing filter rules for this port.
            linux_net.ensure_bridge(
                bridge, parent_dev,
                filtering=not vif.has_traffic_filtering)
            return

        parent_dev = self.config.vlan_interface or net.bridge_interface
        device_mtu = net.mtu or self.config.network_device_mtu
        # NOTE(review): unlike the flat path, no filtering flag is passed
        # here. Whether ensure_vlan_bridge installs iptables rules when
        # vif.has_traffic_filtering is set cannot be told from this file;
        # confirm in linux_net.
        linux_net.ensure_vlan_bridge(
            net.vlan, bridge, parent_dev, mtu=device_mtu)

    def unplug(self, vif, instance_info):
        """Do nothing; a standard Linux bridge VIF needs no unplug step.

        NOTE(review): this also means nothing created by ``plug`` (bridge,
        and any filter rules requested on the flat path) is removed here;
        confirm that cleanup happens elsewhere.
        """