Merge "NSX|V3: Move logic from fwaas driver to the v3 plugin"

vmware_nsx/plugins/nsx_v3/plugin.py

@@ -338,12 +338,10 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
         self.fwaas_callbacks = None
         if fwaas_utils.is_fwaas_v1_plugin_enabled():
             LOG.info("NSXv3 FWaaS v1 plugin enabled")
-            self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1(
+            self.fwaas_callbacks = fwaas_callbacks_v1.Nsxv3FwaasCallbacksV1()
-                self.nsxlib)
         if fwaas_utils.is_fwaas_v2_plugin_enabled():
             LOG.info("NSXv3 FWaaS v2 plugin enabled")
-            self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2(
+            self.fwaas_callbacks = fwaas_callbacks_v2.Nsxv3FwaasCallbacksV2()
-                self.nsxlib)
 
     def _init_lbv2_driver(self):
         # Get LBaaSv2 driver during plugin initialization. If the platform
@@ -3505,6 +3503,28 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
                                                              route)
                 router_db['status'] = curr_status
 
+    def _get_nsx_router_and_fw_section(self, context, router_id):
+        # find the backend router id in the DB
+        nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
+        if nsx_router_id is None:
+            LOG.error("Didn't find nsx router for router %s", router_id)
+            raise self.driver_exception(driver=self.driver_name)
+
+        # get the FW section id of the backend router
+        try:
+            section_id = self.nsxlib.logical_router.get_firewall_section_id(
+                nsx_router_id)
+        except Exception as e:
+            LOG.error("Failed to find router firewall section for router "
+                      "%(id)s: %(e)s", {'id': router_id, 'e': e})
+            raise self.driver_exception(driver=self.driver_name)
+        if section_id is None:
+            LOG.error("Failed to find router firewall section for router "
+                      "%(id)s.", {'id': router_id})
+            raise self.driver_exception(driver=self.driver_name)
+
+        return nsx_router_id, section_id
+
     def update_router_firewall(self, context, router_id):
         """Rewrite all the rules in the router edge firewall
 
@@ -3519,9 +3539,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             # TODO(asarfaty): Add vm ports as well
             ports = self._get_router_interfaces(context, router_id)
 
+            nsx_router_id, section_id = self._get_nsx_router_and_fw_section(
+                context, router_id)
             # let the fwaas callbacks update the router FW
             return self.fwaas_callbacks.update_router_firewall(
-                context, self.nsxlib, router_id, ports)
+                context, self.nsxlib, router_id, ports,
+                nsx_router_id, section_id)
 
     def _get_port_relay_servers(self, context, port_id, network_id=None):
         if not network_id:

vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py

@@ -23,7 +23,6 @@ from neutron_lib.callbacks import resources
 from neutron_lib.plugins import directory
 from oslo_log import log as logging
 
-from vmware_nsx.db import db as nsx_db
 from vmware_nsxlib.v3 import nsx_constants as consts
 
 LOG = logging.getLogger(__name__)
@@ -201,28 +200,6 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
             LOG.error("The NSX backend does not support router firewall")
             raise self.driver_exception(driver=self.driver_name)
 
-    def get_backend_router_and_fw_section(self, context, router_id):
-        # find the backend router id in the DB
-        nsx_router_id = nsx_db.get_nsx_router_id(context.session, router_id)
-        if nsx_router_id is None:
-            LOG.error("Didn't find nsx router for router %s", router_id)
-            raise self.driver_exception(driver=self.driver_name)
-
-        # get the FW section id of the backend router
-        try:
-            section_id = self.nsx_router.get_firewall_section_id(
-                nsx_router_id)
-        except Exception as e:
-            LOG.error("Failed to find router firewall section for router "
-                      "%(id)s: %(e)s", {'id': router_id, 'e': e})
-            raise self.driver_exception(driver=self.driver_name)
-        if section_id is None:
-            LOG.error("Failed to find router firewall section for router "
-                      "%(id)s.", {'id': router_id})
-            raise self.driver_exception(driver=self.driver_name)
-
-        return nsx_router_id, section_id
-
     def get_default_backend_rule(self, section_id, allow_all=True):
         # Add default allow all rule
         old_default_rule = self.nsx_firewall.get_default_rule(

vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py

@@ -23,7 +23,7 @@ LOG = logging.getLogger(__name__)
 class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
     """NSX-V3 RPC callbacks for Firewall As A Service - V1."""
 
-    def __init__(self, nsxlib):
+    def __init__(self):
         super(Nsxv3FwaasCallbacksV1, self).__init__()
 
     def should_apply_firewall_to_router(self, context, router_id):
@@ -47,15 +47,12 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
         return True
 
     def update_router_firewall(self, context, nsxlib, router_id,
-                               router_interfaces):
+                               router_interfaces, nsx_router_id, section_id):
         """Rewrite all the FWaaS v1 rules in the router edge firewall
 
         This method should be called on FWaaS updates, and on router
         interfaces changes.
         """
-        # find the backend router and its firewall section
-        nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
-            context, router_id)
         fw_rules = []
         fw_id = None
         if self.should_apply_firewall_to_router(context, router_id):
@@ -74,14 +71,14 @@ class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
 
             # Add the default drop all rule
             fw_rules.append(self.fwaas_driver.get_default_backend_rule(
-                sect_id, allow_all=False))
+                section_id, allow_all=False))
         else:
             # default allow all rule
             fw_rules.append(self.fwaas_driver.get_default_backend_rule(
-                sect_id, allow_all=True))
+                section_id, allow_all=True))
 
         # update the backend
-        nsxlib.firewall_section.update(sect_id, rules=fw_rules)
+        nsxlib.firewall_section.update(section_id, rules=fw_rules)
 
         # Also update the router tags
-        self.fwaas_driver.update_nsx_router_tags(nsx_id, fw_id=fw_id)
+        self.fwaas_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)

vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py

@@ -25,7 +25,7 @@ LOG = logging.getLogger(__name__)
 class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
     """NSX-V3 RPC callbacks for Firewall As A Service - V2."""
 
-    def __init__(self, nsxlib):
+    def __init__(self):
         super(Nsxv3FwaasCallbacksV2, self).__init__()
 
     def should_apply_firewall_to_router(self, context, router_id):
@@ -53,16 +53,12 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
                                                            plugin_rules)
 
     def update_router_firewall(self, context, nsxlib, router_id,
-                               router_interfaces):
+                               router_interfaces, nsx_router_id, section_id):
         """Rewrite all the FWaaS v2 rules in the router edge firewall
 
         This method should be called on FWaaS updates, and on router
         interfaces changes.
         """
-        # find the backend router and its firewall section
-        nsx_id, sect_id = self.fwaas_driver.get_backend_router_and_fw_section(
-            context, router_id)
-
         fw_rules = []
         # Add firewall rules per port attached to a firewall group
         for port in router_interfaces:
@@ -84,7 +80,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 
         # add a default allow-all rule to all other traffic & ports
         fw_rules.append(self.fwaas_driver.get_default_backend_rule(
-            sect_id, allow_all=True))
+            section_id, allow_all=True))
 
         # update the backend router firewall
-        nsxlib.firewall_section.update(sect_id, rules=fw_rules)
+        nsxlib.firewall_section.update(section_id, rules=fw_rules)

vmware_nsx/shell/admin/plugins/nsxv3/resources/utils.py

@@ -119,7 +119,7 @@ class NsxV3PluginWrapper(plugin.NsxV3Plugin):
         fwaas_plugin_class = manager.NeutronManager.load_class_for_provider(
             'neutron.service_plugins', provider)
         fwaas_plugin = fwaas_plugin_class()
-        self.fwaas_callbacks = callbacks_class(self.nsxlib)
+        self.fwaas_callbacks = callbacks_class()
         # override the fwplugin_rpc since there is no RPC support in adminutils
         self.fwaas_callbacks.fwplugin_rpc = plugin_callbacks(fwaas_plugin)
 

vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py

@@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 
         self.plugin = directory.get_plugin()
         self.plugin.fwaas_callbacks = fwaas_callbacks_v1.\
-            Nsxv3FwaasCallbacksV1(self.plugin.nsxlib)
+            Nsxv3FwaasCallbacksV1()
         self.plugin.fwaas_callbacks.fwaas_enabled = True
         self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
         self.plugin.init_is_complete = True

vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py

@@ -62,7 +62,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 
         self.plugin = directory.get_plugin()
         self.plugin.fwaas_callbacks = fwaas_callbacks_v2.\
-            Nsxv3FwaasCallbacksV2(self.plugin.nsxlib)
+            Nsxv3FwaasCallbacksV2()
         self.plugin.fwaas_callbacks.fwaas_enabled = True
         self.plugin.fwaas_callbacks.fwaas_driver = self.firewall
         self.plugin.init_is_complete = True