From 4be41bb4b411d1d72b6f8c2522dae5df54f6b128 Mon Sep 17 00:00:00 2001 From: Kobi Samoray Date: Tue, 20 Aug 2019 18:31:19 +0300 Subject: [PATCH] NSXv: Cleanup redundant FW rules from VDR Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621 --- vmware_nsx/plugins/nsx_v/plugin.py | 8 +++++- .../admin/plugins/nsxv/resources/routers.py | 28 +++++++++++++++++++ vmware_nsx/tests/unit/nsx_v/test_plugin.py | 3 ++ 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py index 2687637100..9181cf012e 100644 --- a/vmware_nsx/plugins/nsx_v/plugin.py +++ b/vmware_nsx/plugins/nsx_v/plugin.py @@ -4246,6 +4246,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, the NSX (in case of distributed router it can be plr or tlr) """ fw_rules = [] + distributed = False + if router_db: + nsx_attr = router_db.get('nsx_attributes', {}) + distributed = ( + nsx_attr.get('distributed', False) if nsx_attr else False) + edge_id = self._get_edge_id_by_rtr_id(context, router_id) # Add FW rule/s to open subnets firewall flows and static routes @@ -4258,7 +4264,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, fw_rules.extend(subnet_rules) # If metadata service is enabled, block access to inter-edge network - if self.metadata_proxy_handler: + if self.metadata_proxy_handler and not distributed: fw_rules += nsx_v_md_proxy.get_router_fw_rules() # Add FWaaS rules if FWaaS is enabled diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py index 139a360223..0a7e286222 100644 --- a/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py +++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py @@ -28,6 +28,7 @@ from vmware_nsx.common import locking from vmware_nsx.db import nsxv_db from vmware_nsx.extensions import routersize from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az +from vmware_nsx.plugins.nsx_v import md_proxy from vmware_nsx.plugins.nsx_v.vshield import edge_utils from vmware_nsx.plugins.nsx_v.vshield import vcns_driver @@ -192,6 +193,9 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs): context = n_context.get_admin_context() nsxv = utils.get_nsxv_client() with utils.NsxVPluginWrapper() as plugin: + nsxv_manager = vcns_driver.VcnsDriver( + edge_utils.NsxVCallbacks(plugin)) + edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin) routers = plugin.get_routers(context) for router in routers: if router.get('distributed', False): @@ -209,6 +213,30 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs): nsxv.update_routes(edge_id, route_obj) + _update_vdr_fw_config(nsxv, edge_id) + plr_id = edge_manager.get_plr_by_tlr_id(context, + router['id']) + + if plr_id: + binding = nsxv_db.get_nsxv_router_binding( + context.session, plr_id) + if binding: + _update_vdr_fw_config(nsxv, binding['edge_id']) + + +def _update_vdr_fw_config(nsxv, edge_id): + fw_config = nsxv.get_firewall(edge_id)[1] + + md_rule_names = [rule['name'] for rule in md_proxy.get_router_fw_rules()] + + fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', []) + if fw_rules: + fw_rules = [rule for rule in fw_rules + if rule['name'] not in md_rule_names] + + fw_config['firewallRules']['firewallRules'] = fw_rules + nsxv.update_firewall(edge_id, fw_config) + def is_router_conflicting_on_edge(context, driver, router_id): edge_id = edge_utils.get_router_edge_id(context, router_id) diff --git a/vmware_nsx/tests/unit/nsx_v/test_plugin.py b/vmware_nsx/tests/unit/nsx_v/test_plugin.py index c559d9a20d..10ddb7b226 100644 --- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py @@ -4187,6 +4187,9 @@ class TestVdrTestCase(L3NatTest, L3NatTestCaseBase, self._default_tenant_id = self._tenant_id self._router_tenant_id = 'test-router-tenant' + def _get_md_proxy_fw_rules(self): + return [] + @mock.patch.object(edge_utils.EdgeManager, 'update_interface_addr') def test_router_update_gateway_with_different_external_subnet(self, mock):