Merge "NSX|V3: Move logic from fwaas driver to the v3 plugin"
commit
315e0befe0
@ -338,12 +338,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
self.fwaas_callbacks = None
|
||||
if fwaas_utils.is_fwaas_v1_plugin_enabled():
|
||||
LOG.info("NSXv3 FWaaS v1 plugin enabled")
|
||||
self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1(
|
||||
self.nsxlib)
|
||||
self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1()
|
||||
if fwaas_utils.is_fwaas_v2_plugin_enabled():
|
||||
LOG.info("NSXv3 FWaaS v2 plugin enabled")
|
||||
self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2(
|
||||
self.nsxlib)
|
||||
self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2()
|
||||
|
||||
def _init_lbv2_driver(self):
|
||||
# Get LBaaSv2 driver during plugin initialization. If the platform
|
||||
@ -3505,6 +3503,28 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
route)
|
||||
router_db['status'] = curr_status
|
||||
|
||||
def _get_nsx_router_and_fw_section(self, context, router_id):
|
||||
# find the backend router id in the DB
|
||||
nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
|
||||
if nsx_router_id is None:
|
||||
LOG.error("Didn't find nsx router for router %s", router_id)
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
# get the FW section id of the backend router
|
||||
try:
|
||||
section_id = self.nsxlib.logical_router.get_firewall_section_id(
|
||||
nsx_router_id)
|
||||
except Exception as e:
|
||||
LOG.error("Failed to find router firewall section for router "
|
||||
"%(id)s: %(e)s", {'id': router_id, 'e': e})
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
if section_id is None:
|
||||
LOG.error("Failed to find router firewall section for router "
|
||||
"%(id)s.", {'id': router_id})
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
return nsx_router_id, section_id
|
||||
|
||||
def update_router_firewall(self, context, router_id):
|
||||
"""Rewrite all the rules in the router edge firewall
|
||||
|
||||
@ -3519,9 +3539,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
# TODO(asarfaty): Add vm ports as well
|
||||
ports = self._get_router_interfaces(context, router_id)
|
||||
|
||||
nsx_router_id, section_id = self._get_nsx_router_and_fw_section(
|
||||
context, router_id)
|
||||
# let the fwaas callbacks update the router FW
|
||||
return self.fwaas_callbacks.update_router_firewall(
|
||||
context, self.nsxlib, router_id, ports)
|
||||
context, self.nsxlib, router_id, ports,
|
||||
nsx_router_id, section_id)
|
||||
|
||||
def _get_port_relay_servers(self, context, port_id, network_id=None):
|
||||
if not network_id:
|
||||
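Review bot: `_get_nsx_router_and_fw_section` in the second hunk raises `self.driver_exception(driver=self.driver_name)` on all three failure paths, but those attributes belong to the FWaaS driver class this code was moved out of (`CommonEdgeFwaasV3Driver` still uses them in the next file), and nothing in these hunks shows `NsxV3Plugin` defining them. Unless the plugin provides them elsewhere, a missing backend router or firewall section would surface as an `AttributeError` thrown from the error branch itself rather than as the intended exception, so please confirm they exist on the plugin or raise a plugin-level exception here. The `except Exception as e:` around `get_firewall_section_id` is broad and the original exception is discarded after the log line, so the `%(e)s` in that message is the only surviving record of the cause and should stay. The helper also deserves a short docstring, e.g. `"""Return (nsx_router_id, section_id) for router_id; raises instead of returning None for either."""`, since `update_router_firewall` in the third hunk now relies on that guarantee before handing the ids to the callbacks.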
|
@ -23,7 +23,6 @@ from neutron_lib.callbacks import resources
|
||||
from neutron_lib.plugins import directory
|
||||
from oslo_log import log as logging
|
||||
|
||||
from vmware_nsx.db import db as nsx_db
|
||||
from vmware_nsxlib.v3 import nsx_constants as consts
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
@ -201,28 +200,6 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
LOG.error("The NSX backend does not support router firewall")
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
def get_backend_router_and_fw_section(self, context, router_id):
|
||||
# find the backend router id in the DB
|
||||
nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
|
||||
if nsx_router_id is None:
|
||||
LOG.error("Didn't find nsx router for router %s", router_id)
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
# get the FW section id of the backend router
|
||||
try:
|
||||
section_id = self.nsx_router.get_firewall_section_id(
|
||||
nsx_router_id)
|
||||
except Exception as e:
|
||||
LOG.error("Failed to find router firewall section for router "
|
||||
"%(id)s: %(e)s", {'id': router_id, 'e': e})
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
if section_id is None:
|
||||
LOG.error("Failed to find router firewall section for router "
|
||||
"%(id)s.", {'id': router_id})
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
return nsx_router_id, section_id
|
||||
|
||||
def get_default_backend_rule(self, section_id, allow_all=True):
|
||||
# Add default allow all rule
|
||||
old_default_rule = self.nsx_firewall.get_default_rule(
|
||||
|
@ -23,7 +23,7 @@ LOG = logging.getLogger(__name__)
|
||||
class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
|
||||
"""NSX-V3 RPC callbacks for Firewall As A Service - V1."""
|
||||
|
||||
def __init__(self, nsxlib):
|
||||
def __init__(self):
|
||||
super(Nsxv3FwaasCallbacksV1, self).__init__()
|
||||
|
||||
def should_apply_firewall_to_router(self, context, router_id):
|
||||
@ -47,15 +47,12 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
|
||||
return True
|
||||
|
||||
def update_router_firewall(self, context, nsxlib, router_id,
|
||||
router_interfaces):
|
||||
router_interfaces, nsx_router_id, section_id):
|
||||
"""Rewrite all the FWaaS v1 rules in the router edge firewall
|
||||
|
||||
This method should be called on FWaaS updates, and on router
|
||||
interfaces changes.
|
||||
"""
|
||||
# find the backend router and its firewall section
|
||||
nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
|
||||
context, router_id)
|
||||
fw_rules = []
|
||||
fw_id = None
|
||||
if self.should_apply_firewall_to_router(context, router_id):
|
||||
@ -74,14 +71,14 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
|
||||
|
||||
# Add the default drop all rule
|
||||
fw_rules.append(self.fwaas_driver.get_default_backend_rule(
|
||||
sect_id, allow_all=False))
|
||||
section_id, allow_all=False))
|
||||
else:
|
||||
# default allow all rule
|
||||
fw_rules.append(self.fwaas_driver.get_default_backend_rule(
|
||||
sect_id, allow_all=True))
|
||||
section_id, allow_all=True))
|
||||
|
||||
# update the backend
|
||||
nsxlib.firewall_section.update(sect_id, rules=fw_rules)
|
||||
nsxlib.firewall_section.update(section_id, rules=fw_rules)
|
||||
|
||||
# Also update the router tags
|
||||
self.fwaas_driver.update_nsx_router_tags(nsx_id, fw_id=fw_id)
|
||||
self.fwaas_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)
|
||||
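Review bot: The new `nsx_router_id` and `section_id` parameters of `update_router_firewall` (second hunk) are not described in its docstring, which still reads as if the method resolved the backend ids itself; the lookup and its validation now live in the plugin, and this method writes to `section_id` without any further check. Add a docstring line such as `nsx_router_id and section_id are the backend router and its firewall section, already resolved and validated by the caller; every rule in section_id is replaced.` The positional signature change is also incompatible with any caller still passing the old five arguments; the plugin and admin-utils callers in this commit are updated, but I could not see whether other callers exist.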
|
@ -25,7 +25,7 @@ LOG = logging.getLogger(__name__)
|
||||
class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
"""NSX-V3 RPC callbacks for Firewall As A Service - V2."""
|
||||
|
||||
def __init__(self, nsxlib):
|
||||
def __init__(self):
|
||||
super(Nsxv3FwaasCallbacksV2, self).__init__()
|
||||
|
||||
def should_apply_firewall_to_router(self, context, router_id):
|
||||
@ -53,16 +53,12 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
plugin_rules)
|
||||
|
||||
def update_router_firewall(self, context, nsxlib, router_id,
|
||||
router_interfaces):
|
||||
router_interfaces, nsx_router_id, section_id):
|
||||
"""Rewrite all the FWaaS v2 rules in the router edge firewall
|
||||
|
||||
This method should be called on FWaaS updates, and on router
|
||||
interfaces changes.
|
||||
"""
|
||||
# find the backend router and its firewall section
|
||||
nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
|
||||
context, router_id)
|
||||
|
||||
fw_rules = []
|
||||
# Add firewall rules per port attached to a firewall group
|
||||
for port in router_interfaces:
|
||||
@ -84,7 +80,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
|
||||
# add a default allow-all rule to all other traffic & ports
|
||||
fw_rules.append(self.fwaas_driver.get_default_backend_rule(
|
||||
sect_id, allow_all=True))
|
||||
section_id, allow_all=True))
|
||||
|
||||
# update the backend router firewall
|
||||
nsxlib.firewall_section.update(sect_id, rules=fw_rules)
|
||||
nsxlib.firewall_section.update(section_id, rules=fw_rules)
|
||||
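Review bot: The docstring of `update_router_firewall` (second hunk) does not mention the new `nsx_router_id` and `section_id` parameters. Within the visible hunks only `section_id` is used in this method, for the default rule and the `firewall_section.update` call, while `nsx_router_id` is never referenced; the middle of the method (the per-port loop) is outside the hunk, so it may be used there, but if not, either document what it is reserved for or drop it from the signature. Suggested docstring addition: `section_id is the backend firewall section of the router, resolved and validated by the plugin; all existing rules in it are replaced.`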
|
@ -119,7 +119,7 @@ class NsxV3PluginWrapper(plugin.NsxV3Plugin):
|
||||
fwaas_plugin_class = manager.NeutronManager.load_class_for_provider(
|
||||
'neutron.service_plugins', provider)
|
||||
fwaas_plugin = fwaas_plugin_class()
|
||||
self.fwaas_callbacks = callbacks_class(self.nsxlib)
|
||||
self.fwaas_callbacks = callbacks_class()
|
||||
# override the fwplugin_rpc since there is no RPC support in adminutils
|
||||
self.fwaas_callbacks.fwplugin_rpc = plugin_callbacks(fwaas_plugin)
|
||||
|
||||
|
@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
|
||||
self.plugin = directory.get_plugin()
|
||||
self.plugin.fwaas_callbacks = fwaas_callbacks_v1.\
|
||||
Nsxv3FwaasCallbacksV1(self.plugin.nsxlib)
|
||||
Nsxv3FwaasCallbacksV1()
|
||||
self.plugin.fwaas_callbacks.fwaas_enabled = True
|
||||
self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
|
||||
self.plugin.init_is_complete = True
|
||||
|
@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
|
||||
self.plugin = directory.get_plugin()
|
||||
self.plugin.fwaas_callbacks = fwaas_callbacks_v2.\
|
||||
Nsxv3FwaasCallbacksV2(self.plugin.nsxlib)
|
||||
Nsxv3FwaasCallbacksV2()
|
||||
self.plugin.fwaas_callbacks.fwaas_enabled = True
|
||||
self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
|
||||
self.plugin.init_is_complete = True
|
||||
|