From 4452f3a83b1ab82d1b4ee03e93c98a0281ad939f Mon Sep 17 00:00:00 2001 From: Aaron Rosen Date: Wed, 6 Mar 2013 12:21:08 -0800 Subject: [PATCH] Add explicit egress rules to nvp security profile The following commit 7e26074b changed the previous behavior of quantum security groups by explicitly adding egress rules to the security profile. When these rules are removed the vm is no longer able to send traffic out. This patch adds these rules for NVP. One thing to note in the patch is that now a bunk rule of IPv4 127.0.0.1/32 is added to each security profile. The reason for this is by default NVP security profiles allow all egress traffic until a rule is added and then it just lets traffic matching those rules out. Adding this bunk rule achieves this behavior that quantum now uses. Fixes bug 1150378 Change-Id: I005880fcf39d539ae99be428d75c43cc0b39a7b6
---
 .../nicira/nicira_nvp_plugin/nvplib.py | 33 ++++++++++++-------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py b/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
index 109ffa9515..3308db3fd8 100644
--- a/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
+++ b/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py 
@@ -1049,31 +1049,38 @@ def set_tenant_id_tag(tenant_id, taglist=None):
 def create_security_profile(cluster, tenant_id, security_profile):
 path = "/ws.v1/security-profile"
 tags = set_tenant_id_tag(tenant_id)
- # Allow all dhcp responses in
- dhcp = {'logical_port_egress_rules': [{'ethertype': 'IPv4',
- 'protocol': 17,
- 'port_range_min': 68,
- 'port_range_max': 68,
- 'ip_prefix': '0.0.0.0/0'}],
- 'logical_port_ingress_rules': []}
+ # Allow all dhcp responses and all ingress traffic
+ hidden_rules = {'logical_port_egress_rules':
+ [{'ethertype': 'IPv4',
+ 'protocol': constants.UDP_PROTOCOL,
+ 'port_range_min': constants.DHCP_RESPONSE_PORT,
+ 'port_range_max': constants.DHCP_RESPONSE_PORT,
+ 'ip_prefix': '0.0.0.0/0'}],
+ 'logical_port_ingress_rules':
+ [{'ethertype': 'IPv4'},
+ {'ethertype': 'IPv6'}]}
 try:
 display_name = _check_and_truncate_name(security_profile.get('name'))
 body = mk_body(
 tags=tags, display_name=display_name,
- logical_port_ingress_rules=dhcp['logical_port_ingress_rules'],
- logical_port_egress_rules=dhcp['logical_port_egress_rules'])
+ logical_port_ingress_rules=(
+ hidden_rules['logical_port_ingress_rules']),
+ logical_port_egress_rules=hidden_rules['logical_port_egress_rules']
+ )
 rsp = do_request(HTTP_POST, path, body, cluster=cluster)
 except NvpApiClient.NvpApiException as e:
 LOG.error(format_exception("Unknown", e, locals()))
 raise exception.QuantumException()
 if security_profile.get('name') == 'default':
 # If security group is default allow ip traffic between
- # members of the same security profile. 
+ # members of the same security profile is allowed and ingress traffic
+ # from the switch
 rules = {'logical_port_egress_rules': [{'ethertype': 'IPv4', 'profile_uuid': rsp['uuid']}, {'ethertype': 'IPv6', 'profile_uuid': rsp['uuid']}],
- 'logical_port_ingress_rules': []}
+ 'logical_port_ingress_rules': [{'ethertype': 'IPv4'},
+ {'ethertype': 'IPv6'}]}
 update_security_group_rules(cluster, rsp['uuid'], rules)
 LOG.debug(_("Created Security Profile: %s"), rsp)
@@ -1089,6 +1096,10 @@ def update_security_group_rules(cluster, spid, rules):
 'port_range_min': constants.DHCP_RESPONSE_PORT,
 'port_range_max': constants.DHCP_RESPONSE_PORT,
 'ip_prefix': '0.0.0.0/0'})
+ # If there are no ingress rules add bunk rule to drop all ingress traffic
+ if not len(rules['logical_port_ingress_rules']):
+ rules['logical_port_ingress_rules'].append(
+ {'ethertype': 'IPv4', 'ip_prefix': '127.0.0.1/32'})
 try:
 body = mk_body(
 logical_port_ingress_rules=rules['logical_port_ingress_rules'],
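Review bot: The comment `# Allow all dhcp responses and all ingress traffic` above hidden_rules uses NVP's port-centric naming, which reads as the opposite of Quantum's: the DHCP response rule (UDP port 68, towards the VM) sits in logical_port_egress_rules, while the allow-all IPv4/IPv6 entries that the commit subject calls "egress rules" go into logical_port_ingress_rules, so what the new entries permit is traffic leaving the VM. Saying so at the point a reader will look for it avoids a later "tightening" that opens the wrong direction, e.g. `# Allow DHCP responses to the VM (NVP 'egress') and all traffic from the VM (NVP 'ingress', i.e. Quantum egress)`. The rewritten comment in the default-group branch also no longer parses (`allow ip traffic between members ... is allowed`); `# For the default security group allow IP traffic between members of the same security profile, plus all traffic from the VM` says the same thing. Whether create_security_profile ends after the LOG.debug context line is not visible in the hunk.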
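Review bot: The new comment says the placeholder rule drops ingress traffic, but `{'ethertype': 'IPv4', 'ip_prefix': '127.0.0.1/32'}` is an allow rule like every other entry in the list; it only restricts anything because, as the commit message explains, an NVP profile permits everything until its first rule exists and then permits only what matches, and a 127.0.0.1/32 prefix is not expected to match traffic on the port. The comment should state that mechanism rather than "drop", and note why only the ingress list needs it: the egress list is never empty because the DHCP rule appended just above is unconditional. The placeholder is IPv4-only, and I cannot tell from here whether a single IPv4 entry switches the profile to allow-list mode for IPv6 frames as well — if NVP evaluates ethertypes separately, an empty rule set would still leave IPv6 from the VM unrestricted, so either add an IPv6 placeholder or document why it is unnecessary. Style: `if not rules['logical_port_ingress_rules']:` instead of `if not len(...)`, and the literal is worth hoisting to a module constant next to the DHCP constants so there is one definition to audit. update_security_group_rules's signature and the rest of its body are outside the hunk.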