x/vmware-nsx
Code Issues Proposed changes

Merge "NSX|V: Fix FW rule id for distributed routers"

Browse Source
This commit is contained in:
Zuul 2020-11-16 14:33:53 +00:00 committed by Gerrit Code Review
commit 13b208a682
2 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
vmware_nsx/services/fwaas/nsx_v/fwaas_callbacks_v2.py
View File

@ -83,17 +83,22 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
ctx_elevated, router_id) ctx_elevated, router_id)
fw_rules = [] fw_rules = []
fwg_ids = []
router_dict = {}
# Add firewall rules per port attached to a firewall group # Add firewall rules per port attached to a firewall group
for port in router_interfaces: for port in router_interfaces:
fwg = self.get_port_fwg(ctx_elevated, port['id']) fwg = self.get_port_fwg(ctx_elevated, port['id'])
if fwg: if fwg:
router_dict = {} if not router_dict:
self.core_plugin._extend_nsx_router_dict( self.core_plugin._extend_nsx_router_dict(
router_dict, router_db) router_dict, router_db)
if router_dict['distributed']: if router_dict['distributed']:
# The vnic_id is ignored for distributed routers, so # The vnic_id is ignored for distributed routers, so
# each rule will be applied to all the interfaces. # each rule will be applied to all the interfaces.
vnic_id = None vnic_id = None
# if rules for this fwg where already added skip it
if fwg['id'] in fwg_ids:
continue
else: else:
# get the interface vnic # get the interface vnic
edge_vnic_bind = nsxv_db.get_edge_vnic_binding( edge_vnic_bind = nsxv_db.get_edge_vnic_binding(
@ -102,6 +107,7 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
# Add the FWaaS rules for this port # Add the FWaaS rules for this port
fw_rules.extend( fw_rules.extend(
self.get_port_translated_rules(vnic_id, fwg)) self.get_port_translated_rules(vnic_id, fwg))
fwg_ids.append(fwg['id'])
return fw_rules return fw_rules
@ -118,12 +124,14 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
firewall_group['ingress_rule_list'], firewall_group['ingress_rule_list'],
replace_dest=vnic_id, replace_dest=vnic_id,
logged=logged, logged=logged,
is_ingress=True)) is_ingress=True,
fwg_id=firewall_group['id']))
port_rules.extend(self.translate_rules( port_rules.extend(self.translate_rules(
firewall_group['egress_rule_list'], firewall_group['egress_rule_list'],
replace_src=vnic_id, replace_src=vnic_id,
logged=logged, logged=logged,
is_ingress=False)) is_ingress=False,
fwg_id=firewall_group['id']))
# Add ingress/egress block rules for this port # Add ingress/egress block rules for this port
default_ingress = {'name': "Block port ingress", default_ingress = {'name': "Block port ingress",
@ -140,7 +148,7 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
return port_rules return port_rules
def translate_rules(self, fwaas_rules, replace_dest=None, replace_src=None, def translate_rules(self, fwaas_rules, replace_dest=None, replace_src=None,
logged=False, is_ingress=True): logged=False, is_ingress=True, fwg_id=None):
translated_rules = [] translated_rules = []
for rule in fwaas_rules: for rule in fwaas_rules:
if not rule['enabled']: if not rule['enabled']:
@ -157,10 +165,12 @@ class NsxvFwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
# update rules ID to prevent DB duplications in # update rules ID to prevent DB duplications in
# NsxvEdgeFirewallRuleBinding # NsxvEdgeFirewallRuleBinding
if is_ingress: if is_ingress:
rule['id'] = ('ingress-%s-%s' % (replace_dest, rule['id'] = ('ingress-%s-%s' % (replace_dest or
fwg_id[:15],
rule['id']))[:36] rule['id']))[:36]
else: else:
rule['id'] = ('egress-%s-%s' % (replace_src, rule['id'] = ('egress-%s-%s' % (replace_src or
fwg_id[:15],
rule['id']))[:36] rule['id']))[:36]
# source & destination should be lists # source & destination should be lists
if (rule.get('destination_ip_address') and if (rule.get('destination_ip_address') and

8
vmware_nsx/tests/unit/nsx_v/test_fwaas_v2_driver.py
View File

@ -121,7 +121,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
def _fake_translated_rules(self, rules_list, def _fake_translated_rules(self, rules_list,
nsx_port_id, nsx_port_id,
is_ingress=True, is_ingress=True,
logged=False): logged=False, fwg_id=None):
translated_rules = copy.copy(rules_list) translated_rules = copy.copy(rules_list)
for rule in translated_rules: for rule in translated_rules:
if logged: if logged:
@ -152,10 +152,10 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
(rule.get('name') or rule['id']))[:30] (rule.get('name') or rule['id']))[:30]
if rule.get('id'): if rule.get('id'):
if is_ingress: if is_ingress:
rule['id'] = ('ingress-%s-%s' % (nsx_port_id, rule['id'] = ('ingress-%s-%s' % (nsx_port_id or fwg_id,
rule['id']))[:36] rule['id']))[:36]
else: else:
rule['id'] = ('egress-%s-%s' % (nsx_port_id, rule['id'] = ('egress-%s-%s' % (nsx_port_id or fwg_id,
rule['id']))[:36] rule['id']))[:36]
return translated_rules return translated_rules
@ -356,7 +356,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
return_value=self.distributed_router): return_value=self.distributed_router):
func('nsx', apply_list, firewall) func('nsx', apply_list, firewall)
expected_rules = self._fake_translated_rules( expected_rules = self._fake_translated_rules(
rule_list, None, is_ingress=is_ingress) + [ rule_list, None, is_ingress=is_ingress, fwg_id=FAKE_FW_ID) + [
{'name': "Block port ingress", {'name': "Block port ingress",
'action': edge_firewall_driver.FWAAS_DENY, 'action': edge_firewall_driver.FWAAS_DENY,
'logged': False}, 'logged': False},