diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index 3dba4d87a2..ef49620650 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py @@ -338,12 +338,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, self.fwaas_callbacks = None if fwaas_utils.is_fwaas_v1_plugin_enabled(): LOG.info("NSXv3 FWaaS v1 plugin enabled") - self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1( - self.nsxlib) + self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1() if fwaas_utils.is_fwaas_v2_plugin_enabled(): LOG.info("NSXv3 FWaaS v2 plugin enabled") - self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2( - self.nsxlib) + self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2() def _init_lbv2_driver(self): # Get LBaaSv2 driver during plugin initialization. If the platform @@ -3505,6 +3503,28 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, route) router_db['status'] = curr_status + def _get_nsx_router_and_fw_section(self, context, router_id): + # find the backend router id in the DB + nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id) + if nsx_router_id is None: + LOG.error("Didn't find nsx router for router %s", router_id) + raise self.driver_exception(driver=self.driver_name) + + # get the FW section id of the backend router + try: + section_id = self.nsxlib.logical_router.get_firewall_section_id( + nsx_router_id) + except Exception as e: + LOG.error("Failed to find router firewall section for router " + "%(id)s: %(e)s", {'id': router_id, 'e': e}) + raise self.driver_exception(driver=self.driver_name) + if section_id is None: + LOG.error("Failed to find router firewall section for router " + "%(id)s.", {'id': router_id}) + raise self.driver_exception(driver=self.driver_name) + + return nsx_router_id, section_id + def update_router_firewall(self, context, router_id): """Rewrite all the rules in the router edge firewall 
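Review bot: `_get_nsx_router_and_fw_section` is moved into NsxV3Plugin but all three error branches still `raise self.driver_exception(driver=self.driver_name)`; those attributes belonged to the FWaaS driver class the code was lifted from, and neither is visible on the plugin in this diff, so unless the plugin defines them each failure path raises AttributeError instead of the intended exception. A failed lookup here is exactly what leaves a router without its firewall rules, so it should surface as a clear plugin-level error, e.g. build the message once and raise the plugin's own exception class (whatever `nsx_exc` type this file already uses) rather than a driver attribute. The `except Exception as e:` branch only formats `e` into `LOG.error`; `LOG.exception(...)` would keep the traceback from the backend call. The new method also has no docstring; `"""Return (nsx_router_id, fw_section_id) for a neutron router, raising if either cannot be found."""` would state the contract the callbacks now rely on.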
@@ -3519,9 +3539,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, # TODO(asarfaty): Add vm ports as well ports = self._get_router_interfaces(context, router_id) + nsx_router_id, section_id = self._get_nsx_router_and_fw_section( + context, router_id) # let the fwaas callbacks update the router FW return self.fwaas_callbacks.update_router_firewall( - context, self.nsxlib, router_id, ports) + context, self.nsxlib, router_id, ports, + nsx_router_id, section_id) def _get_port_relay_servers(self, context, port_id, network_id=None): if not network_id: diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py index 820d46e983..da1cb705fb 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py +++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py @@ -23,7 +23,6 @@ from neutron_lib.callbacks import resources from neutron_lib.plugins import directory from oslo_log import log as logging -from vmware_nsx.db import db as nsx_db from vmware_nsxlib.v3 import nsx_constants as consts LOG = logging.getLogger(__name__) 
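Review bot: The new lookup runs after `_get_router_interfaces` but before the callbacks, so a router with no backend mapping or no firewall section now fails the whole update in the plugin; the interface query before it is wasted work in that case, and moving `nsx_router_id, section_id = self._get_nsx_router_and_fw_section(context, router_id)` ahead of the `ports` lookup keeps the failure cheap. The enclosing `update_router_firewall` begins above this hunk, so whether `self.fwaas_callbacks` is guarded against being None before the new arguments are passed is not visible here. Its docstring should also state the new raise condition, e.g. add `Raises the plugin's driver exception when the backend router or its firewall section cannot be resolved.`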
@@ -201,28 +200,6 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase): LOG.error("The NSX backend does not support router firewall") raise self.driver_exception(driver=self.driver_name) - def get_backend_router_and_fw_section(self, context, router_id): - # find the backend router id in the DB - nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id) - if nsx_router_id is None: - LOG.error("Didn't find nsx router for router %s", router_id) - raise self.driver_exception(driver=self.driver_name) - - # get the FW section id of the backend router - try: - section_id = self.nsx_router.get_firewall_section_id( - nsx_router_id) - except Exception as e: - LOG.error("Failed to find router firewall section for router " - "%(id)s: %(e)s", {'id': router_id, 'e': e}) - raise self.driver_exception(driver=self.driver_name) - if section_id is None: - LOG.error("Failed to find router firewall section for router " - "%(id)s.", {'id': router_id}) - raise self.driver_exception(driver=self.driver_name) - - return nsx_router_id, section_id - def get_default_backend_rule(self, section_id, allow_all=True): # Add default allow all rule old_default_rule = self.nsx_firewall.get_default_rule( diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py index 44c2af9e8c..de61821ee0 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py +++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py @@ -23,7 +23,7 @@ LOG = logging.getLogger(__name__) class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks): """NSX-V3 RPC callbacks for Firewall As A Service - V1.""" - def __init__(self, nsxlib): + def __init__(self): super(Nsxv3FwaasCallbacksV1, self).__init__() def should_apply_firewall_to_router(self, context, router_id): 
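Review bot: `Nsxv3FwaasCallbacksV1.__init__` now takes no arguments and does nothing but call `super(Nsxv3FwaasCallbacksV1, self).__init__()`, so it no longer adds anything over the inherited constructor and can be deleted outright, which also removes the chance of it drifting from the base class signature later. If it is kept for documentation, a one-line docstring noting that the NSX client is no longer held by the callbacks and is passed per call to `update_router_firewall` would explain why the argument disappeared.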
@@ -47,15 +47,12 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks): return True def update_router_firewall(self, context, nsxlib, router_id, - router_interfaces): + router_interfaces, nsx_router_id, section_id): """Rewrite all the FWaaS v1 rules in the router edge firewall This method should be called on FWaaS updates, and on router interfaces changes. """ - # find the backend router and its firewall section - nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section( - context, router_id) fw_rules = [] fw_id = None if self.should_apply_firewall_to_router(context, router_id): @@ -74,14 +71,14 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks): # Add the default drop all rule fw_rules.append(self.fwaas_driver.get_default_backend_rule( - sect_id, allow_all=False)) + section_id, allow_all=False)) else: # default allow all rule fw_rules.append(self.fwaas_driver.get_default_backend_rule( - sect_id, allow_all=True)) + section_id, allow_all=True)) # update the backend - nsxlib.firewall_section.update(sect_id, rules=fw_rules) + nsxlib.firewall_section.update(section_id, rules=fw_rules) # Also update the router tags - self.fwaas_driver.update_nsx_router_tags(nsx_id, fw_id=fw_id) + self.fwaas_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id) diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py index 543334b931..6912e49beb 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py +++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py @@ -25,7 +25,7 @@ LOG = logging.getLogger(__name__) class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): """NSX-V3 RPC callbacks for Firewall As A Service - V2.""" - def __init__(self, nsxlib): + def __init__(self): super(Nsxv3FwaasCallbacksV2, self).__init__() def should_apply_firewall_to_router(self, context, router_id): 
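Review bot: `update_router_firewall` gains two positional parameters, `nsx_router_id` and `section_id`, but the docstring still says only when the method should be called; it should name them and make clear the caller resolves them, e.g. add `:param nsx_router_id: backend router id resolved by the plugin` and `:param section_id: id of that router's backend firewall section, which is rewritten wholesale`. Nothing in the method checks that the pair belongs together: `nsxlib.firewall_section.update(section_id, rules=fw_rules)` overwrites whichever section is passed and `update_nsx_router_tags(nsx_router_id, fw_id=fw_id)` tags whichever router is passed, so a mismatched pair would rewrite another router's section while tagging this one. A comment such as `# nsx_router_id and section_id must come from the same plugin lookup` next to the signature records that assumption.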
@@ -53,16 +53,12 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): plugin_rules) def update_router_firewall(self, context, nsxlib, router_id, - router_interfaces): + router_interfaces, nsx_router_id, section_id): """Rewrite all the FWaaS v2 rules in the router edge firewall This method should be called on FWaaS updates, and on router interfaces changes. """ - # find the backend router and its firewall section - nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section( - context, router_id) - fw_rules = [] # Add firewall rules per port attached to a firewall group for port in router_interfaces: @@ -84,7 +80,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): # add a default allow-all rule to all other traffic & ports fw_rules.append(self.fwaas_driver.get_default_backend_rule( - sect_id, allow_all=True)) + section_id, allow_all=True)) # update the backend router firewall - nsxlib.firewall_section.update(sect_id, rules=fw_rules) + nsxlib.firewall_section.update(section_id, rules=fw_rules) diff --git a/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py b/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py index 6a8cd77d27..82c9ff52e0 100644 --- a/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py +++ b/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py @@ -119,7 +119,7 @@ class NsxV3PluginWrapper(plugin.NsxV3Plugin): fwaas_plugin_class = manager.NeutronManager.load_class_for_provider( 'neutron.service_plugins', provider) fwaas_plugin = fwaas_plugin_class() - self.fwaas_callbacks = callbacks_class(self.nsxlib) + self.fwaas_callbacks = callbacks_class() # override the fwplugin_rpc since there is no RPC support in adminutils self.fwaas_callbacks.fwplugin_rpc = plugin_callbacks(fwaas_plugin) diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py index 971b71b308..46cb327f9f 100644 --- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py 
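Review bot: As in the v1 callbacks, the new positional parameters `nsx_router_id` and `section_id` are not described in the docstring, which should say that both are resolved by the plugin and that `section_id` is the backend section overwritten by `nsxlib.firewall_section.update(section_id, rules=fw_rules)`. Within the lines visible here only `section_id` is used; if `nsx_router_id` is accepted solely for signature parity with the v1 method (the part of the body between the two hunks is not shown), a comment like `# nsx_router_id is kept for parity with the v1 callbacks` prevents a later unused-argument cleanup from breaking the plugin's call.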
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py @@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): self.plugin = directory.get_plugin() self.plugin.fwaas_callbacks = fwaas_callbacks_v1.\ - Nsxv3FwaasCallbacksV1(self.plugin.nsxlib) + Nsxv3FwaasCallbacksV1() self.plugin.fwaas_callbacks.fwaas_enabled = True self.plugin.fwaas_callbacks.fwaas_driver = self.firewall self.plugin.init_is_complete = True diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py index de9f3674e4..d2063acef8 100644 --- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py +++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py @@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): self.plugin = directory.get_plugin() self.plugin.fwaas_callbacks = fwaas_callbacks_v2.\ - Nsxv3FwaasCallbacksV2(self.plugin.nsxlib) + Nsxv3FwaasCallbacksV2() self.plugin.fwaas_callbacks.fwaas_enabled = True self.plugin.fwaas_callbacks.fwaas_driver = self.firewall self.plugin.init_is_complete = True
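Review bot: The test changes only drop the constructor argument; nothing exercises the new `NsxV3Plugin._get_nsx_router_and_fw_section`, in particular its three error branches (no DB mapping, backend call raising, `None` section id), which are the cases that decide whether a router ends up without its firewall rules. A test that patches `nsx_db.get_nsx_router_id` to return None and asserts the exception type raised by `update_router_firewall` would pin that contract, and would also expose the `self.driver_exception` reference on the plugin if that attribute is not defined there.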