NSXv3: Completing security-group implementation

This patch adds a default DHCP allow rule to all security-group-associated ports,
plus a few minor changes.

Change-Id: I32be9006aed619471136c5290bcd63688dfb4d6f
Roey Chen 2015-09-16 05:44:35 -07:00
parent dba21e7045
commit 1ac571ccaf
2 changed files with 28 additions and 16 deletions


@ -37,21 +37,32 @@ def _get_l4_protocol_name(proto_num):
return firewall.ICMPV4 return firewall.ICMPV4
def _get_direction(sg_rule):
return firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT
def _decide_service(sg_rule): def _decide_service(sg_rule):
ip_proto = securitygroups_db.IP_PROTOCOL_MAP.get(sg_rule['protocol'], ip_proto = securitygroups_db.IP_PROTOCOL_MAP.get(sg_rule['protocol'],
sg_rule['protocol']) sg_rule['protocol'])
l4_protocol = _get_l4_protocol_name(ip_proto) l4_protocol = _get_l4_protocol_name(ip_proto)
direction = _get_direction(sg_rule)
if l4_protocol in [firewall.TCP, firewall.UDP]: if l4_protocol in [firewall.TCP, firewall.UDP]:
# If port_range_min is not specified then we assume all ports are # If port_range_min is not specified then we assume all ports are
# matched, relying on neutron to perform validation. # matched, relying on neutron to perform validation.
source_ports = []
if sg_rule['port_range_min'] is None: if sg_rule['port_range_min'] is None:
source_ports = [] destination_ports = []
else: else:
source_ports = ['%(port_range_min)s-%(port_range_max)s' % sg_rule] destination_ports = ['%(port_range_min)s-%(port_range_max)s'
% sg_rule]
if direction == firewall.OUT:
source_ports, destination_ports = destination_ports, []
return firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE, return firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
l4_protocol=l4_protocol, l4_protocol=l4_protocol,
source_ports=source_ports) source_ports=source_ports,
destination_ports=destination_ports)
elif l4_protocol == firewall.ICMPV4: elif l4_protocol == firewall.ICMPV4:
return firewall.get_nsservice(firewall.ICMP_TYPE_NSSERVICE, return firewall.get_nsservice(firewall.ICMP_TYPE_NSSERVICE,
protocol=l4_protocol, protocol=l4_protocol,
@ -65,8 +76,7 @@ def _decide_service(sg_rule):
def _get_fw_rule_from_sg_rule(sg_rule, nsgroup_id, rmt_nsgroup_id): def _get_fw_rule_from_sg_rule(sg_rule, nsgroup_id, rmt_nsgroup_id):
# IPV4 or IPV6 # IPV4 or IPV6
ip_protocol = sg_rule['ethertype'].upper() ip_protocol = sg_rule['ethertype'].upper()
direction = ( direction = _get_direction(sg_rule)
firewall.IN if sg_rule['direction'] == 'ingress' else firewall.OUT)
source = None source = None
local_group = firewall.get_nsgroup_reference(nsgroup_id) local_group = firewall.get_nsgroup_reference(nsgroup_id)
@ -105,9 +115,9 @@ def create_firewall_rules(context, section_id, nsgroup_id,
fw_rule = _get_fw_rule_from_sg_rule( fw_rule = _get_fw_rule_from_sg_rule(
sg_rule, nsgroup_id, remote_nsgroup_id) sg_rule, nsgroup_id, remote_nsgroup_id)
firewall_rules.append( firewall_rules.append(fw_rule)
firewall.add_rule_in_section(fw_rule, section_id))
return {'rules': firewall_rules} return firewall.add_rules_in_section(firewall_rules, section_id)
def get_nsgroup_name(security_group): def get_nsgroup_name(security_group):
@ -195,8 +205,7 @@ def _init_nsgroup_container(name, description):
nsgroups = firewall.list_nsgroups() nsgroups = firewall.list_nsgroups()
for nsg in nsgroups: for nsg in nsgroups:
if nsg['display_name'] == name: if nsg['display_name'] == name:
# NSGroup container exists and so should the OS default # NSGroup container exists.
# security-groups section.
break break
else: else:
# Need to create the nsgroup container and the OS default # Need to create the nsgroup container and the OS default
@ -216,6 +225,13 @@ def _init_default_section(name, description, nsgroup_id):
# TODO(roeyc): Add aditional rules to allow IPV6 NDP. # TODO(roeyc): Add aditional rules to allow IPV6 NDP.
block_rule = firewall.get_firewall_rule_dict( block_rule = firewall.get_firewall_rule_dict(
'Block All', action=firewall.DROP) 'Block All', action=firewall.DROP)
firewall.add_rule_in_section(block_rule, section['id']) dhcp_client = firewall.get_nsservice(firewall.L4_PORT_SET_NSSERVICE,
l4_protocol=firewall.TCP,
source_ports=[67],
destination_ports=[68])
dhcp_client_rule = firewall.get_firewall_rule_dict(
'DHCP-Client', direction=firewall.IN, service=dhcp_client)
firewall.add_rules_in_section([dhcp_client_rule, block_rule],
section['id'])
return section['id'] return section['id']
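Review bot: The DHCP-Client service built at the end of _init_default_section uses `l4_protocol=firewall.TCP`, but DHCP is carried over UDP (server port 67 to client port 68), so the new allow rule never matches real DHCP replies and the 'Block All' rule placed after it drops them; the line should read `l4_protocol=firewall.UDP,`. The order passed to add_rules_in_section (dhcp_client_rule before block_rule) is right, since the allow must precede the drop. In the _decide_service hunk the egress branch moves the Neutron port range into source_ports; if Neutron egress port ranges denote the remote (destination) port, that inverts the match and is worth confirming against the NSX direction semantics. _init_default_section starts outside the hunk.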


@ -475,10 +475,6 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
if sgids is not None: if sgids is not None:
self._process_port_create_security_group( self._process_port_create_security_group(
context, neutron_db, sgids) context, neutron_db, sgids)
#FIXME(abhiraut): Security group should not be processed for
# a port belonging to an external network.
# Below call will fail since there is no lport
# in the backend.
security.update_lport_with_security_groups( security.update_lport_with_security_groups(
context, lport['id'], [], sgids) context, lport['id'], [], sgids)
return neutron_db return neutron_db
@ -1084,7 +1080,7 @@ class NsxV3Plugin(db_base_plugin_v2.NeutronDbPluginV2,
except nsx_exc.ManagerError: except nsx_exc.ManagerError:
with excutils.save_and_reraise_exception(): with excutils.save_and_reraise_exception():
LOG.exception(_LE("Failed to create backend firewall rules " LOG.exception(_LE("Failed to create backend firewall rules "
" for security-group %(name)s (%(id)s), " "for security-group %(name)s (%(id)s), "
"rolling back changes."), secgroup_db) "rolling back changes."), secgroup_db)
# default security group deletion requires admin context # default security group deletion requires admin context
if default_sg: if default_sg: