[Admin-Util] NSX-V|Reorder L3 firewall sections

This is a new utility for the policy security groups support. The order of NSX firewall sections depends on when the first policy was created. This utility reorders the sections so that policy sections are above regular security groups sections. Usage: nsxadmin -r firewall-sections -o nsx-reorder Output example: NSX Plugin in use: nsxv ==== [REORDER] Firewall Sections ==== L3 Firewall sections were reordered. Change-Id: I96e8845b2ef618955dc061fbdcd53b2cf924126b
2017-01-24 00:00:17 +02:00 · 2017-01-24 00:00:17 +02:00 · 2e5ae7a8c8
commit 2e5ae7a8c8
parent 34e165181a
4 changed files with 55 additions and 1 deletions
--- a/doc/source/admin_util.rst
+++ b/doc/source/admin_util.rst
@ -177,6 +177,10 @@ Security Groups, Firewall and Spoofguard

    nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39

+- Reorder the nsx L3 firewall sections to correctly support the policy security groups
+
+    nsxadmin -r firewall-sections -o nsx-reorder
+
 Metadata
 ~~~~~~~~

--- a/vmware_nsx/plugins/nsx_v/vshield/vcns.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
@ -641,6 +641,12 @@ class Vcns(object):
        uri = FIREWALL_PREFIX
        return self.do_request(HTTP_GET, uri, decode=False, format='xml')

+    def update_dfw_config(self, request, h):
+        uri = FIREWALL_PREFIX
+        headers = self._get_section_header(None, h)
+        return self.do_request(HTTP_PUT, uri, request, format='xml',
+                               decode=False, encode=False, headers=headers)
+
    def get_section_id(self, section_name):
        """Retrieve the id of a section from nsx."""
        h, firewall_config = self.get_dfw_config()
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
                             'id': sec_id})
        return sections

+    def reorder_fw_sections(self):
+        # read all the sections
+        h, firewall_config = self.vcns.get_dfw_config()
+        root = et.fromstring(firewall_config)
+
+        for child in root:
+            if str(child.tag) == 'layer3Sections':
+                # go over the L3 sections and reorder them.
+                # policy sections should come first
+                sections = list(child.iter('section'))
+                regular_sections = []
+                policy_sections = []
+
+                for sec in sections:
+                    if sec.attrib.get('managedBy') == 'NSX Service Composer':
+                        policy_sections.append(sec)
+                    else:
+                        regular_sections.append(sec)
+                    child.remove(sec)
+
+                if not policy_sections:
+                    LOG.info(_LI("No need to reorder the firewall sections."))
+                    return
+
+                # reorder the sections to have the policy sections first
+                reordered_sections = policy_sections + regular_sections
+                child.extend(reordered_sections)
+
+                # update the new order of sections in the backend
+                self.vcns.update_dfw_config(et.tostring(root), h)
+                LOG.info(_LI("L3 Firewall sections were reordered."))
+

 neutron_sg = NeutronSecurityGroupDB()
 nsxv_firewall = NsxFirewallAPI()
@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
    return bool(missing_sections_info)


+@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
+@admin_utils.output_header
+def reorder_firewall_sections(resource, event, trigger, **kwargs):
+    nsxv_firewall.reorder_fw_sections()
+
+
@admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
@admin_utils.output_header
 def fix_security_groups(resource, event, trigger, **kwargs):
@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
 registry.subscribe(migrate_sg_to_policy,
                   constants.SECURITY_GROUPS,
                   shell.Operations.MIGRATE_TO_POLICY.value)
+
+registry.subscribe(reorder_firewall_sections,
+                   constants.FIREWALL_SECTIONS,
+                   shell.Operations.NSX_REORDER.value)
--- a/vmware_nsx/shell/resources.py
+++ b/vmware_nsx/shell/resources.py
@ -46,6 +46,7 @@ class Operations(enum.Enum):
    NSX_UPDATE_ALL = 'nsx-update-all'
    NSX_UPDATE_SECRET = 'nsx-update-secret'
    NSX_RECREATE = 'nsx-recreate'
+    NSX_REORDER = 'nsx-reorder'
    MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
    NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
    MIGRATE_TO_POLICY = 'migrate-to-policy'
@ -130,7 +131,8 @@ nsxv_resources = {
                                         Operations.MIGRATE_TO_POLICY.value]),
    constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
                                          [Operations.LIST.value,
-                                           Operations.LIST_MISMATCHES.value]),
+                                           Operations.LIST_MISMATCHES.value,
+                                           Operations.NSX_REORDER.value]),
    constants.FIREWALL_NSX_GROUPS: Resource(
        constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
                                        Operations.LIST_MISMATCHES.value]),