From f728cf56468d95bb7ffb820710ce111c482919c6 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 13 Dec 2017 19:03:57 +0200
Subject: [PATCH] NSX|V3: Move logic from fwaas driver to the v3 plugin

As a preparation towards a unified TV driver, moving some logic that could be in the plugin instead of the driver, to make the transition easier
Also remove the unused nsxlib from the fwaas v3 callbacks init

Change-Id: Ia29cba8c7e6d048ff28940d1b08e7df08c585641
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 33 ++++++++++++++++---
 .../fwaas/nsx_v3/edge_fwaas_driver_base.py | 23 -------------
 .../fwaas/nsx_v3/fwaas_callbacks_v1.py | 15 ++++-----
 .../fwaas/nsx_v3/fwaas_callbacks_v2.py | 12 +++----
 .../admin/plugins/nsxv3/resources/utils.py | 2 +-
 .../tests/unit/nsx_v3/test_fwaas_v1_driver.py | 2 +-
 .../tests/unit/nsx_v3/test_fwaas_v2_driver.py | 2 +-
 7 files changed, 41 insertions(+), 48 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 3dba4d87a2..ef49620650 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -338,12 +338,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 self.fwaas_callbacks = None
 if fwaas_utils.is_fwaas_v1_plugin_enabled():
 LOG.info("NSXv3 FWaaS v1 plugin enabled")
- self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1(
- self.nsxlib)
+ self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1()
 if fwaas_utils.is_fwaas_v2_plugin_enabled():
 LOG.info("NSXv3 FWaaS v2 plugin enabled")
- self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2(
- self.nsxlib)
+ self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2()

 def _init_lbv2_driver(self):
 # Get LBaaSv2 driver during plugin initialization. If the platform
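Review bot: The second assignment, `self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2()`, silently replaces the v1 callbacks object created a few lines above when both `is_fwaas_v1_plugin_enabled()` and `is_fwaas_v2_plugin_enabled()` return true, so in that configuration v1 firewall policies would never be pushed to the backend and nothing in the log says so. If the two service plugins are mutually exclusive upstream this is harmless, but that is not visible here; either make the second branch an `elif`, or log a warning such as `LOG.warning("Both FWaaS v1 and v2 enabled; using v2 callbacks")` before the overwrite. The enclosing initializer starts before this hunk.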
@@ -3505,6 +3503,28 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 route)
 router_db['status'] = curr_status

+ def _get_nsx_router_and_fw_section(self, context, router_id):
+ # find the backend router id in the DB
+ nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
+ if nsx_router_id is None:
+ LOG.error("Didn't find nsx router for router %s", router_id)
+ raise self.driver_exception(driver=self.driver_name)
+
+ # get the FW section id of the backend router
+ try:
+ section_id = self.nsxlib.logical_router.get_firewall_section_id(
+ nsx_router_id)
+ except Exception as e:
+ LOG.error("Failed to find router firewall section for router "
+ "%(id)s: %(e)s", {'id': router_id, 'e': e})
+ raise self.driver_exception(driver=self.driver_name)
+ if section_id is None:
+ LOG.error("Failed to find router firewall section for router "
+ "%(id)s.", {'id': router_id})
+ raise self.driver_exception(driver=self.driver_name)
+
+ return nsx_router_id, section_id
+
 def update_router_firewall(self, context, router_id):
 """Rewrite all the rules in the router edge firewall
@@ -3519,9 +3539,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 # TODO(asarfaty): Add vm ports as well
 ports = self._get_router_interfaces(context, router_id)

+ nsx_router_id, section_id = self._get_nsx_router_and_fw_section(
+ context, router_id)
 # let the fwaas callbacks update the router FW
 return self.fwaas_callbacks.update_router_firewall(
- context, self.nsxlib, router_id, ports)
+ context, self.nsxlib, router_id, ports,
+ nsx_router_id, section_id)

 def _get_port_relay_servers(self, context, port_id, network_id=None):
 if not network_id:
diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
index 820d46e983..da1cb705fb 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
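Review bot: All three error paths in `_get_nsx_router_and_fw_section` raise `self.driver_exception(driver=self.driver_name)`, attribute names carried over verbatim from the driver class this body was lifted from (the removed copy in `edge_fwaas_driver_base.py` raises the same way); unless `NsxV3Plugin` itself defines `driver_exception` and `driver_name`, which this patch does not show, each of these branches will fail with an `AttributeError` instead of the intended exception, and the router-not-found condition surfaces to callers as an unrelated error. Since the tests wire `plugin.fwaas_callbacks.fwaas_driver` and the driver is where those attributes live, one option that stays within what is visible is `driver = self.fwaas_callbacks.fwaas_driver` followed by `raise driver.driver_exception(driver=driver.driver_name)`, assuming `fwaas_callbacks` is set whenever this path runs. Separately, `except Exception as e` around `get_firewall_section_id` reduces the backend failure to a string in `LOG.error`; `LOG.exception(...)` would keep the traceback for the operator while still re-raising. `update_router_firewall` continues past the end of this hunk.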
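Review bot: The two new arguments are appended positionally after `ports` in the `self.fwaas_callbacks.update_router_firewall(...)` call, and `router_id`, `nsx_router_id` and `section_id` are all opaque identifier strings, so a later reordering of either callback's signature would pass the wrong id to `nsxlib.firewall_section.update` without any error. Binding them by keyword removes that risk: `context, self.nsxlib, router_id, ports,` / `nsx_router_id=nsx_router_id, section_id=section_id)`. `update_router_firewall` begins before this hunk, so whether `self.fwaas_callbacks` is guarded against `None` before this point cannot be seen here.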
@@ -23,7 +23,6 @@ from neutron_lib.callbacks import resources
 from neutron_lib.plugins import directory
 from oslo_log import log as logging

-from vmware_nsx.db import db as nsx_db
 from vmware_nsxlib.v3 import nsx_constants as consts

 LOG = logging.getLogger(__name__)
@@ -201,28 +200,6 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 LOG.error("The NSX backend does not support router firewall")
 raise self.driver_exception(driver=self.driver_name)

- def get_backend_router_and_fw_section(self, context, router_id):
- # find the backend router id in the DB
- nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
- if nsx_router_id is None:
- LOG.error("Didn't find nsx router for router %s", router_id)
- raise self.driver_exception(driver=self.driver_name)
-
- # get the FW section id of the backend router
- try:
- section_id = self.nsx_router.get_firewall_section_id(
- nsx_router_id)
- except Exception as e:
- LOG.error("Failed to find router firewall section for router "
- "%(id)s: %(e)s", {'id': router_id, 'e': e})
- raise self.driver_exception(driver=self.driver_name)
- if section_id is None:
- LOG.error("Failed to find router firewall section for router "
- "%(id)s.", {'id': router_id})
- raise self.driver_exception(driver=self.driver_name)
-
- return nsx_router_id, section_id
-
 def get_default_backend_rule(self, section_id, allow_all=True):
 # Add default allow all rule
 old_default_rule = self.nsx_firewall.get_default_rule(
diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
index 44c2af9e8c..de61821ee0 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
@@ -23,7 +23,7 @@ LOG = logging.getLogger(__name__)
 class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
 """NSX-V3 RPC callbacks for Firewall As A Service - V1."""

- def __init__(self, nsxlib):
+ def __init__(self):
 super(Nsxv3FwaasCallbacksV1, self).__init__()

 def should_apply_firewall_to_router(self, context, router_id):
@@ -47,15 +47,12 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
 return True

 def update_router_firewall(self, context, nsxlib, router_id,
- router_interfaces):
+ router_interfaces, nsx_router_id, section_id):
 """Rewrite all the FWaaS v1 rules in the router edge firewall

 This method should be called on FWaaS updates, and on router interfaces changes.
 """
- # find the backend router and its firewall section
- nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
- context, router_id)
 fw_rules = []
 fw_id = None
 if self.should_apply_firewall_to_router(context, router_id):
@@ -74,14 +71,14 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):

 # Add the default drop all rule
 fw_rules.append(self.fwaas_driver.get_default_backend_rule(
- sect_id, allow_all=False))
+ section_id, allow_all=False))
 else:
 # default allow all rule
 fw_rules.append(self.fwaas_driver.get_default_backend_rule(
- sect_id, allow_all=True))
+ section_id, allow_all=True))

 # update the backend
- nsxlib.firewall_section.update(sect_id, rules=fw_rules)
+ nsxlib.firewall_section.update(section_id, rules=fw_rules)
 # Also update the router tags
- self.fwaas_driver.update_nsx_router_tags(nsx_id, fw_id=fw_id)
+ self.fwaas_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)
diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
index 543334b931..6912e49beb 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
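Review bot: `update_router_firewall` gains `nsx_router_id` and `section_id` but its docstring still only says when the method should be called, so the contract for the new inputs is undocumented: the callback now trusts the caller that `section_id` is the edge firewall section of `nsx_router_id`, and whatever section it is handed has its rule list replaced wholesale by `nsxlib.firewall_section.update(section_id, rules=fw_rules)` and its router re-tagged via `update_nsx_router_tags(nsx_router_id, ...)`. I would extend the docstring, after the existing paragraph, with one line each stating that `nsxlib` is the backend client, that `nsx_router_id` is the backend id of `router_id` and `section_id` the id of that router's firewall section as resolved by the plugin, and that the section's existing rules are entirely overwritten. The method body is split across this hunk and the next one and is not fully visible.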
@@ -25,7 +25,7 @@ LOG = logging.getLogger(__name__)
 class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 """NSX-V3 RPC callbacks for Firewall As A Service - V2."""

- def __init__(self, nsxlib):
+ def __init__(self):
 super(Nsxv3FwaasCallbacksV2, self).__init__()

 def should_apply_firewall_to_router(self, context, router_id):
@@ -53,16 +53,12 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 plugin_rules)

 def update_router_firewall(self, context, nsxlib, router_id,
- router_interfaces):
+ router_interfaces, nsx_router_id, section_id):
 """Rewrite all the FWaaS v2 rules in the router edge firewall

 This method should be called on FWaaS updates, and on router interfaces changes.
 """
- # find the backend router and its firewall section
- nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
- context, router_id)
-
 fw_rules = []
 # Add firewall rules per port attached to a firewall group
 for port in router_interfaces:
@@ -84,7 +80,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):

 # add a default allow-all rule to all other traffic & ports
 fw_rules.append(self.fwaas_driver.get_default_backend_rule(
- sect_id, allow_all=True))
+ section_id, allow_all=True))

 # update the backend router firewall
- nsxlib.firewall_section.update(sect_id, rules=fw_rules)
+ nsxlib.firewall_section.update(section_id, rules=fw_rules)
diff --git a/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py b/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py
index 6a8cd77d27..82c9ff52e0 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py
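Review bot: `nsx_router_id` is added to the v2 `update_router_firewall` signature but, in the lines this patch shows, is never read: only `section_id` reaches `get_default_backend_rule` and `nsxlib.firewall_section.update`, whereas the v1 callback needs the router id for `update_nsx_router_tags`. The middle of the method (between this hunk and the one at line 84) is not visible, so if it does not use the parameter either, a one-line comment on the signature such as `# nsx_router_id is unused here; kept so the plugin calls v1 and v2 alike` would save the next reader from hunting for a use, and the docstring should in any case describe both new parameters rather than stopping at when the method is called. The method body is split across hunks and continues outside them.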
@@ -119,7 +119,7 @@ class NsxV3PluginWrapper(plugin.NsxV3Plugin):
 fwaas_plugin_class = manager.NeutronManager.load_class_for_provider(
 'neutron.service_plugins', provider)
 fwaas_plugin = fwaas_plugin_class()
- self.fwaas_callbacks = callbacks_class(self.nsxlib)
+ self.fwaas_callbacks = callbacks_class()
 # override the fwplugin_rpc since there is no RPC support in adminutils
 self.fwaas_callbacks.fwplugin_rpc = plugin_callbacks(fwaas_plugin)
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
index 971b71b308..46cb327f9f 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
@@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 self.plugin = directory.get_plugin()
 self.plugin.fwaas_callbacks = fwaas_callbacks_v1.\
- Nsxv3FwaasCallbacksV1(self.plugin.nsxlib)
+ Nsxv3FwaasCallbacksV1()
 self.plugin.fwaas_callbacks.fwaas_enabled = True
 self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
 self.plugin.init_is_complete = True
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
index de9f3674e4..d2063acef8 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
@@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 self.plugin = directory.get_plugin()
 self.plugin.fwaas_callbacks = fwaas_callbacks_v2.\
- Nsxv3FwaasCallbacksV2(self.plugin.nsxlib)
+ Nsxv3FwaasCallbacksV2()
 self.plugin.fwaas_callbacks.fwaas_enabled = True
 self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
 self.plugin.init_is_complete = True