x/vmware-nsx
Code Issues Proposed changes

Merge "[Admin-Util] NSX-V|Reorder L3 firewall sections"

Browse Source
This commit is contained in:
Jenkins 2017-01-26 19:02:23 +00:00 committed by Gerrit Code Review
commit 264add749a
4 changed files with 55 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/source/admin_util.rst
View File

@ -181,6 +181,10 @@ Security Groups, Firewall and Spoofguard
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
- Reorder the nsx L3 firewall sections to correctly support the policy security groups
nsxadmin -r firewall-sections -o nsx-reorder
Metadata
~~~~~~~~

6
vmware_nsx/plugins/nsx_v/vshield/vcns.py
View File

@ -641,6 +641,12 @@ class Vcns(object):
uri = FIREWALL_PREFIX
return self.do_request(HTTP_GET, uri, decode=False, format='xml')
def update_dfw_config(self, request, h):
uri = FIREWALL_PREFIX
headers = self._get_section_header(None, h)
return self.do_request(HTTP_PUT, uri, request, format='xml',
decode=False, encode=False, headers=headers)
def get_section_id(self, section_name):
"""Retrieve the id of a section from nsx."""
h, firewall_config = self.get_dfw_config()

42
vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
View File

@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
'id': sec_id})
return sections
def reorder_fw_sections(self):
# read all the sections
h, firewall_config = self.vcns.get_dfw_config()
root = et.fromstring(firewall_config)
for child in root:
if str(child.tag) == 'layer3Sections':
# go over the L3 sections and reorder them.
# policy sections should come first
sections = list(child.iter('section'))
regular_sections = []
policy_sections = []
for sec in sections:
if sec.attrib.get('managedBy') == 'NSX Service Composer':
policy_sections.append(sec)
else:
regular_sections.append(sec)
child.remove(sec)
if not policy_sections:
LOG.info(_LI("No need to reorder the firewall sections."))
return
# reorder the sections to have the policy sections first
reordered_sections = policy_sections + regular_sections
child.extend(reordered_sections)
# update the new order of sections in the backend
self.vcns.update_dfw_config(et.tostring(root), h)
LOG.info(_LI("L3 Firewall sections were reordered."))
neutron_sg = NeutronSecurityGroupDB()
nsxv_firewall = NsxFirewallAPI()
@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
return bool(missing_sections_info)
@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
@admin_utils.output_header
def reorder_firewall_sections(resource, event, trigger, **kwargs):
nsxv_firewall.reorder_fw_sections()
@admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
@admin_utils.output_header
def fix_security_groups(resource, event, trigger, **kwargs):
@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
registry.subscribe(migrate_sg_to_policy,
constants.SECURITY_GROUPS,
shell.Operations.MIGRATE_TO_POLICY.value)
registry.subscribe(reorder_firewall_sections,
constants.FIREWALL_SECTIONS,
shell.Operations.NSX_REORDER.value)

4
vmware_nsx/shell/resources.py
View File

@ -47,6 +47,7 @@ class Operations(enum.Enum):
NSX_UPDATE_ALL = 'nsx-update-all'
NSX_UPDATE_SECRET = 'nsx-update-secret'
NSX_RECREATE = 'nsx-recreate'
NSX_REORDER = 'nsx-reorder'
MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
MIGRATE_TO_POLICY = 'migrate-to-policy'
@ -132,7 +133,8 @@ nsxv_resources = {
Operations.MIGRATE_TO_POLICY.value]),
constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
[Operations.LIST.value,
Operations.LIST_MISMATCHES.value]),
Operations.LIST_MISMATCHES.value,
Operations.NSX_REORDER.value]),
constants.FIREWALL_NSX_GROUPS: Resource(
constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
Operations.LIST_MISMATCHES.value]),