NSXv3: Completing security-group implementation
This patch adds default dhcp allow rule to all security-group associated ports, plus few minor changes. Change-Id: I32be9006aed619471136c5290bcd63688dfb4d6f
This commit is contained in:
parent
dba21e7045
commit
1ac571ccaf
@ -37,21 +37,32 @@ def _get_l4_protocol_name(proto_num):
|
|||||||
return firewall.ICMPV4
|
return firewall.ICMPV4
|
||||||
|
|
||||||
|
|
||||||
|
def _get_direction(sg_rule):
|
||||||
|
return firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT
|
||||||
|
|
||||||
|
|
||||||
def _decide_service(sg_rule):
|
def _decide_service(sg_rule):
|
||||||
ip_proto = securitygroups_db.IP_PROTOCOL_MAP.get(sg_rule['protocol'],
|
ip_proto = securitygroups_db.IP_PROTOCOL_MAP.get(sg_rule['protocol'],
|
||||||
sg_rule['protocol'])
|
sg_rule['protocol'])
|
||||||
l4_protocol = _get_l4_protocol_name(ip_proto)
|
l4_protocol = _get_l4_protocol_name(ip_proto)
|
||||||
|
direction = _get_direction(sg_rule)
|
||||||
|
|
||||||
if l4_protocol in [firewall.TCP, firewall.UDP]:
|
if l4_protocol in [firewall.TCP, firewall.UDP]:
|
||||||
# If port_range_min is not specified then we assume all ports are
|
# If port_range_min is not specified then we assume all ports are
|
||||||
# matched, relying on neutron to perform validation.
|
# matched, relying on neutron to perform validation.
|
||||||
|
source_ports = []
|
||||||
if sg_rule['port_range_min'] is None:
|
if sg_rule['port_range_min'] is None:
|
||||||
source_ports = []
|
destination_ports = []
|
||||||
else:
|
else:
|
||||||
source_ports = ['%(port_range_min)s-%(port_range_max)s' % sg_rule]
|
destination_ports = ['%(port_range_min)s-%(port_range_max)s'
|
||||||
|
% sg_rule]
|
||||||
|
if direction == firewall.OUT:
|
||||||
|
source_ports, destination_ports = destination_ports, []
|
||||||
|
|
||||||
return firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
|
return firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
|
||||||
l4_protocol=l4_protocol,
|
l4_protocol=l4_protocol,
|
||||||
source_ports=source_ports)
|
source_ports=source_ports,
|
||||||
|
destination_ports=destination_ports)
|
||||||
elif l4_protocol == firewall.ICMPV4:
|
elif l4_protocol == firewall.ICMPV4:
|
||||||
return firewall.get_nsservice(firewall.ICMP_TYPE_NSSERVICE,
|
return firewall.get_nsservice(firewall.ICMP_TYPE_NSSERVICE,
|
||||||
protocol=l4_protocol,
|
protocol=l4_protocol,
|
||||||
@ -65,8 +76,7 @@ def _decide_service(sg_rule):
|
|||||||
def _get_fw_rule_from_sg_rule(sg_rule, nsgroup_id, rmt_nsgroup_id):
|
def _get_fw_rule_from_sg_rule(sg_rule, nsgroup_id, rmt_nsgroup_id):
|
||||||
# IPV4 or IPV6
|
# IPV4 or IPV6
|
||||||
ip_protocol = sg_rule['ethertype'].upper()
|
ip_protocol = sg_rule['ethertype'].upper()
|
||||||
direction = (
|
direction = _get_direction(sg_rule)
|
||||||
firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT)
|
|
||||||
|
|
||||||
source = None
|
source = None
|
||||||
local_group = firewall.get_nsgroup_reference(nsgroup_id)
|
local_group = firewall.get_nsgroup_reference(nsgroup_id)
|
||||||
@ -105,9 +115,9 @@ def create_firewall_rules(context, section_id, nsgroup_id,
|
|||||||
fw_rule = _get_fw_rule_from_sg_rule(
|
fw_rule = _get_fw_rule_from_sg_rule(
|
||||||
sg_rule, nsgroup_id, remote_nsgroup_id)
|
sg_rule, nsgroup_id, remote_nsgroup_id)
|
||||||
|
|
||||||
firewall_rules.append(
|
firewall_rules.append(fw_rule)
|
||||||
firewall.add_rule_in_section(fw_rule, section_id))
|
|
||||||
return {'rules': firewall_rules}
|
return firewall.add_rules_in_section(firewall_rules, section_id)
|
||||||
|
|
||||||
|
|
||||||
def get_nsgroup_name(security_group):
|
def get_nsgroup_name(security_group):
|
||||||
@ -195,8 +205,7 @@ def _init_nsgroup_container(name, description):
|
|||||||
nsgroups = firewall.list_nsgroups()
|
nsgroups = firewall.list_nsgroups()
|
||||||
for nsg in nsgroups:
|
for nsg in nsgroups:
|
||||||
if nsg['display_name'] == name:
|
if nsg['display_name'] == name:
|
||||||
# NSGroup container exists and so should the OS default
|
# NSGroup container exists.
|
||||||
# security-groups section.
|
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
# Need to create the nsgroup container and the OS default
|
# Need to create the nsgroup container and the OS default
|
||||||
@ -216,6 +225,13 @@ def _init_default_section(name, description, nsgroup_id):
|
|||||||
# TODO(roeyc): Add aditional rules to allow IPV6 NDP.
|
# TODO(roeyc): Add aditional rules to allow IPV6 NDP.
|
||||||
block_rule = firewall.get_firewall_rule_dict(
|
block_rule = firewall.get_firewall_rule_dict(
|
||||||
'Block All', action=firewall.DROP)
|
'Block All', action=firewall.DROP)
|
||||||
firewall.add_rule_in_section(block_rule, section['id'])
|
dhcp_client = firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
|
||||||
|
l4_protocol=firewall.TCP,
|
||||||
|
source_ports=[67],
|
||||||
|
destination_ports=[68])
|
||||||
|
dhcp_client_rule = firewall.get_firewall_rule_dict(
|
||||||
|
'DHCP-Client', direction=firewall.IN, service=dhcp_client)
|
||||||
|
firewall.add_rules_in_section([dhcp_client_rule, block_rule],
|
||||||
|
section['id'])
|
||||||
|
|
||||||
return section['id']
|
return section['id']
|
||||||
|
@ -475,10 +475,6 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
|
|||||||
if sgids is not None:
|
if sgids is not None:
|
||||||
self._process_port_create_security_group(
|
self._process_port_create_security_group(
|
||||||
context, neutron_db, sgids)
|
context, neutron_db, sgids)
|
||||||
#FIXME(abhiraut): Security group should not be processed for
|
|
||||||
# a port belonging to an external network.
|
|
||||||
# Below call will fail since there is no lport
|
|
||||||
# in the backend.
|
|
||||||
security.update_lport_with_security_groups(
|
security.update_lport_with_security_groups(
|
||||||
context, lport['id'], [], sgids)
|
context, lport['id'], [], sgids)
|
||||||
return neutron_db
|
return neutron_db
|
||||||
@ -1084,7 +1080,7 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
|
|||||||
except nsx_exc.ManagerError:
|
except nsx_exc.ManagerError:
|
||||||
with excutils.save_and_reraise_exception():
|
with excutils.save_and_reraise_exception():
|
||||||
LOG.exception(_LE("Failed to create backend firewall rules "
|
LOG.exception(_LE("Failed to create backend firewall rules "
|
||||||
" for security-group %(name)s (%(id)s), "
|
"for security-group %(name)s (%(id)s), "
|
||||||
"rolling back changes."), secgroup_db)
|
"rolling back changes."), secgroup_db)
|
||||||
# default security group deletion requires admin context
|
# default security group deletion requires admin context
|
||||||
if default_sg:
|
if default_sg:
|
||||||
|
Loading…
Reference in New Issue
Block a user