NSXv: LBaaS driver should not maintain member FW rule

Rule should be applied by the user using security groups. Change-Id: Ib2e85bf8d09b6099b22a26b284c51c629c61ef91
2016-12-14 18:11:05 +02:00 · 2016-12-14 18:11:05 +02:00 · 02ca5e114b
commit 02ca5e114b
parent a966ca0708
4 changed files with 1 additions and 137 deletions
--- a/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py
+++ b/vmware_nsx/services/lbaas/nsx_v/lbaas_common.py
@ -14,17 +14,14 @@
 #    under the License.

 import netaddr
-import xml.etree.ElementTree as et

 from neutron_lib import exceptions as n_exc

 from vmware_nsx._i18n import _
 from vmware_nsx.common import locking
 from vmware_nsx.db import nsxv_db
-from vmware_nsx.plugins.nsx_v.vshield import vcns as nsxv_api

 MEMBER_ID_PFX = 'member-'
-LBAAS_FW_SECTION_NAME = 'LBaaS FW Rules'


 def get_member_id(member_id):
@ -193,64 +190,6 @@ def get_edge_ip_addresses(vcns, edge_id):
    return edge_ips


-def update_pool_fw_rule(vcns, pool_id, edge_id, section_id, member_ips):
-    edge_ips = get_edge_ip_addresses(vcns, edge_id)
-
-    with locking.LockManager.get_lock('lbaas-fw-section'):
-        section_uri = '%s/%s/%s' % (nsxv_api.FIREWALL_PREFIX,
-                                    'layer3sections',
-                                    section_id)
-        xml_section = vcns.get_section(section_uri)[1]
-        section = et.fromstring(xml_section)
-        pool_rule = None
-        for rule in section.iter('rule'):
-            if rule.find('name').text == pool_id:
-                pool_rule = rule
-                if member_ips:
-                    pool_rule.find('sources').find('source').find(
-                        'value').text = (','.join(edge_ips))
-                    pool_rule.find('destinations').find(
-                        'destination').find('value').text = ','.join(
-                        member_ips)
-                else:
-                    section.remove(pool_rule)
-                break
-
-        if member_ips and pool_rule is None:
-            pool_rule = et.SubElement(section, 'rule')
-            et.SubElement(pool_rule, 'name').text = pool_id
-            et.SubElement(pool_rule, 'action').text = 'allow'
-            sources = et.SubElement(pool_rule, 'sources')
-            sources.attrib['excluded'] = 'false'
-            source = et.SubElement(sources, 'source')
-            et.SubElement(source, 'type').text = 'Ipv4Address'
-            et.SubElement(source, 'value').text = ','.join(edge_ips)
-
-            destinations = et.SubElement(pool_rule, 'destinations')
-            destinations.attrib['excluded'] = 'false'
-            destination = et.SubElement(destinations, 'destination')
-            et.SubElement(destination, 'type').text = 'Ipv4Address'
-            et.SubElement(destination, 'value').text = ','.join(member_ips)
-
-        vcns.update_section(section_uri,
-                            et.tostring(section, encoding="us-ascii"),
-                            None)
-
-
-def get_lbaas_fw_section_id(vcns):
-    # Avoid concurrent creation of section by multiple neutron
-    # instances
-    with locking.LockManager.get_lock('lbaas-fw-section'):
-        fw_section_id = vcns.get_section_id(LBAAS_FW_SECTION_NAME)
-        if not fw_section_id:
-            section = et.Element('section')
-            section.attrib['name'] = LBAAS_FW_SECTION_NAME
-            sect = vcns.create_section('ip', et.tostring(section))[1]
-            fw_section_id = et.fromstring(sect).attrib['id']
-
-        return fw_section_id
-
-
 def enable_edge_acceleration(vcns, edge_id):
    with locking.LockManager.get_lock(edge_id):
        # Query the existing load balancer config in case metadata lb is set
--- a/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_v/v2/member_mgr.py
@ -33,19 +33,6 @@ class EdgeMemberManager(base_mgr.EdgeLoadbalancerBaseManager):
        super(EdgeMemberManager, self).__init__(vcns_driver)
        self._fw_section_id = None

-    def _get_pool_member_ips(self, pool, operation, address):
-        member_ips = [member.address for member in pool.members]
-        if operation == 'add' and address not in member_ips:
-            member_ips.append(address)
-        elif operation == 'del' and address in member_ips:
-            member_ips.remove(address)
-        return member_ips
-
-    def _get_lbaas_fw_section_id(self):
-        if not self._fw_section_id:
-            self._fw_section_id = lb_common.get_lbaas_fw_section_id(self.vcns)
-        return self._fw_section_id
-
    @log_helpers.log_method_call
    def create(self, context, member):
        listener = member.pool.listener
@ -75,14 +62,6 @@ class EdgeMemberManager(base_mgr.EdgeLoadbalancerBaseManager):

            try:
                self.vcns.update_pool(edge_id, edge_pool_id, edge_pool)
-
-                member_ips = self._get_pool_member_ips(member.pool, 'add',
-                                                       member.address)
-                lb_common.update_pool_fw_rule(self.vcns, member.pool_id,
-                                              edge_id,
-                                              self._get_lbaas_fw_section_id(),
-                                              member_ips)
-
                self.lbv2_driver.member.successful_completion(context, member)

            except nsxv_exc.VcnsApiException:
--- a/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_edge_loadbalancer_driver_v2.py
@ -421,16 +421,10 @@ class TestEdgeLbaasV2Member(BaseTestEdgeLbaasV2):
            mock.patch.object(self.edge_driver.vcns, 'get_pool'
                              ) as mock_get_pool, \
            mock.patch.object(self.edge_driver.vcns, 'update_pool'
-                              ) as mock_update_pool, \
-            mock.patch.object(self.edge_driver.member,
-                              '_get_lbaas_fw_section_id'
-                              ) as mock_get_sect, \
-            mock.patch.object(lb_common, 'update_pool_fw_rule'
-                              ) as mock_upd_fw:
+                              ) as mock_update_pool:
            mock_get_lb_binding.return_value = LB_BINDING
            mock_get_pool_binding.return_value = POOL_BINDING
            mock_get_pool.return_value = (None, EDGE_POOL_DEF.copy())
-            mock_get_sect.return_value = POOL_FW_SECT

            self.edge_driver.member.create(self.context, self.member)

@ -438,9 +432,6 @@ class TestEdgeLbaasV2Member(BaseTestEdgeLbaasV2):
            edge_pool_def['member'] = [EDGE_MEMBER_DEF]
            mock_update_pool.assert_called_with(
                LB_EDGE_ID, EDGE_POOL_ID, edge_pool_def)
-            mock_upd_fw.assert_called_with(self.edge_driver.vcns, POOL_ID,
-                                           LB_EDGE_ID, POOL_FW_SECT,
-                                           [MEMBER_ADDRESS])
            mock_successful_completion = (
                self.lbv2_driver.member.successful_completion)
            mock_successful_completion.assert_called_with(self.context,
--- a/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_lbaas_common.py
@ -91,51 +91,6 @@ class TestLbaasCommon(base.BaseTestCase):
    def _mock_edge_driver_vcns(self, attr):
        return mock.patch.object(self.edge_driver.vcns, attr)

-    def test_update_pool_fw_rule_add(self):
-        vip_ips = ['10.0.0.1', '11.0.0.1']
-        member_ips = ['10.0.0.10', '11.0.0.10']
-        edge_fw_section = firewall_section_maker(vip_ips, ['10.0.0.10'])
-        edge_fw_updated_section = firewall_section_maker(vip_ips, member_ips)
-
-        with self._mock_edge_driver_vcns(
-                    'get_section') as mock_get_section,\
-                self._mock_edge_driver_vcns(
-                    'update_section') as mock_update_section:
-
-            tmp_get_ips = lb_common.get_edge_ip_addresses
-            lb_common.get_edge_ip_addresses = mock.Mock()
-            lb_common.get_edge_ip_addresses.return_value = vip_ips
-
-            mock_get_section.return_value = (None, edge_fw_section)
-            lb_common.update_pool_fw_rule(
-                self.edge_driver.vcns, POOL_ID, EDGE_ID, '1111', member_ips)
-            mock_update_section.assert_called_with(
-                '/api/4.0/firewall/globalroot-0/config/layer3sections/1111',
-                edge_fw_updated_section.encode('utf-8'), None)
-            lb_common.get_edge_ip_addresses = tmp_get_ips
-
-    def test_update_pool_fw_rule_del(self):
-        vip_ips = ['10.0.0.1', '11.0.0.1']
-        member_ips = ['10.0.0.10']
-        edge_fw_section = firewall_section_maker(vip_ips, ['10.0.0.10',
-                                                           '11.0.0.10'])
-        edge_fw_updated_section = firewall_section_maker(vip_ips, member_ips)
-
-        with self._mock_edge_driver_vcns('get_section') as mock_get_section, \
-                self._mock_edge_driver_vcns(
-                    'update_section') as mock_update_section:
-
-            tmp_get_ips = lb_common.get_edge_ip_addresses
-            lb_common.get_edge_ip_addresses = mock.Mock()
-            lb_common.get_edge_ip_addresses.return_value = vip_ips
-            mock_get_section.return_value = (None, edge_fw_section)
-            lb_common.update_pool_fw_rule(
-                self.edge_driver.vcns, POOL_ID, EDGE_ID, '1111', member_ips)
-            mock_update_section.assert_called_with(
-                '/api/4.0/firewall/globalroot-0/config/layer3sections/1111',
-                edge_fw_updated_section.encode('utf-8'), None)
-            lb_common.get_edge_ip_addresses = tmp_get_ips
-
    def test_add_vip_as_secondary_ip(self):
        update_if = if_maker(['10.0.0.6', '10.0.0.8'])