NSXv: Cleanup redundant FW rules from VDR

Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621
This commit is contained in:
Kobi Samoray 2019-08-20 18:31:19 +03:00
parent f11709dba5
commit 4be41bb4b4
3 changed files with 38 additions and 1 deletions

View File

@ -4246,6 +4246,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
the NSX (in case of distributed router it can be plr or tlr) the NSX (in case of distributed router it can be plr or tlr)
""" """
fw_rules = [] fw_rules = []
distributed = False
if router_db:
nsx_attr = router_db.get('nsx_attributes', {})
distributed = (
nsx_attr.get('distributed', False) if nsx_attr else False)
edge_id = self._get_edge_id_by_rtr_id(context, router_id) edge_id = self._get_edge_id_by_rtr_id(context, router_id)
# Add FW rule/s to open subnets firewall flows and static routes # Add FW rule/s to open subnets firewall flows and static routes
@ -4258,7 +4264,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
fw_rules.extend(subnet_rules) fw_rules.extend(subnet_rules)
# If metadata service is enabled, block access to inter-edge network # If metadata service is enabled, block access to inter-edge network
if self.metadata_proxy_handler: if self.metadata_proxy_handler and not distributed:
fw_rules += nsx_v_md_proxy.get_router_fw_rules() fw_rules += nsx_v_md_proxy.get_router_fw_rules()
# Add FWaaS rules if FWaaS is enabled # Add FWaaS rules if FWaaS is enabled

View File

@ -28,6 +28,7 @@ from vmware_nsx.common import locking
from vmware_nsx.db import nsxv_db from vmware_nsx.db import nsxv_db
from vmware_nsx.extensions import routersize from vmware_nsx.extensions import routersize
from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az
from vmware_nsx.plugins.nsx_v import md_proxy
from vmware_nsx.plugins.nsx_v.vshield import edge_utils from vmware_nsx.plugins.nsx_v.vshield import edge_utils
from vmware_nsx.plugins.nsx_v.vshield import vcns_driver from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
@ -192,6 +193,9 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
context = n_context.get_admin_context() context = n_context.get_admin_context()
nsxv = utils.get_nsxv_client() nsxv = utils.get_nsxv_client()
with utils.NsxVPluginWrapper() as plugin: with utils.NsxVPluginWrapper() as plugin:
nsxv_manager = vcns_driver.VcnsDriver(
edge_utils.NsxVCallbacks(plugin))
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
routers = plugin.get_routers(context) routers = plugin.get_routers(context)
for router in routers: for router in routers:
if router.get('distributed', False): if router.get('distributed', False):
@ -209,6 +213,30 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
nsxv.update_routes(edge_id, route_obj) nsxv.update_routes(edge_id, route_obj)
_update_vdr_fw_config(nsxv, edge_id)
plr_id = edge_manager.get_plr_by_tlr_id(context,
router['id'])
if plr_id:
binding = nsxv_db.get_nsxv_router_binding(
context.session, plr_id)
if binding:
_update_vdr_fw_config(nsxv, binding['edge_id'])
def _update_vdr_fw_config(nsxv, edge_id):
fw_config = nsxv.get_firewall(edge_id)[1]
md_rule_names = [rule['name'] for rule in md_proxy.get_router_fw_rules()]
fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', [])
if fw_rules:
fw_rules = [rule for rule in fw_rules
if rule['name'] not in md_rule_names]
fw_config['firewallRules']['firewallRules'] = fw_rules
nsxv.update_firewall(edge_id, fw_config)
def is_router_conflicting_on_edge(context, driver, router_id): def is_router_conflicting_on_edge(context, driver, router_id):
edge_id = edge_utils.get_router_edge_id(context, router_id) edge_id = edge_utils.get_router_edge_id(context, router_id)

View File

@ -4187,6 +4187,9 @@ class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
self._default_tenant_id = self._tenant_id self._default_tenant_id = self._tenant_id
self._router_tenant_id = 'test-router-tenant' self._router_tenant_id = 'test-router-tenant'
def _get_md_proxy_fw_rules(self):
return []
@mock.patch.object(edge_utils.EdgeManager, @mock.patch.object(edge_utils.EdgeManager,
'update_interface_addr') 'update_interface_addr')
def test_router_update_gateway_with_different_external_subnet(self, mock): def test_router_update_gateway_with_different_external_subnet(self, mock):