NSXv: Cleanup redundant FW rules from VDR
Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621
This commit is contained in:
parent
f11709dba5
commit
4be41bb4b4
@ -4246,6 +4246,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
the NSX (in case of distributed router it can be plr or tlr)
|
the NSX (in case of distributed router it can be plr or tlr)
|
||||||
"""
|
"""
|
||||||
fw_rules = []
|
fw_rules = []
|
||||||
|
distributed = False
|
||||||
|
if router_db:
|
||||||
|
nsx_attr = router_db.get('nsx_attributes', {})
|
||||||
|
distributed = (
|
||||||
|
nsx_attr.get('distributed', False) if nsx_attr else False)
|
||||||
|
|
||||||
edge_id = self._get_edge_id_by_rtr_id(context, router_id)
|
edge_id = self._get_edge_id_by_rtr_id(context, router_id)
|
||||||
|
|
||||||
# Add FW rule/s to open subnets firewall flows and static routes
|
# Add FW rule/s to open subnets firewall flows and static routes
|
||||||
@ -4258,7 +4264,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
|||||||
fw_rules.extend(subnet_rules)
|
fw_rules.extend(subnet_rules)
|
||||||
|
|
||||||
# If metadata service is enabled, block access to inter-edge network
|
# If metadata service is enabled, block access to inter-edge network
|
||||||
if self.metadata_proxy_handler:
|
if self.metadata_proxy_handler and not distributed:
|
||||||
fw_rules += nsx_v_md_proxy.get_router_fw_rules()
|
fw_rules += nsx_v_md_proxy.get_router_fw_rules()
|
||||||
|
|
||||||
# Add FWaaS rules if FWaaS is enabled
|
# Add FWaaS rules if FWaaS is enabled
|
||||||
|
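Review bot: The new `and not distributed` condition in the second hunk drops the inter-edge metadata block rules for distributed routers without recording why that is safe; the comment above it should carry the reason the commit title gives, e.g. `# If metadata service is enabled, block access to inter-edge network; these rules are redundant on VDR edges (PLR/TLR) and are skipped there`. In the first hunk the two-step derivation of `distributed` can be collapsed to `distributed = bool(nsx_attr and nsx_attr.get('distributed', False))`, which treats a missing and a None `nsx_attributes` the same way. The enclosing method starts before the hunk, so where `router_db` is bound is not visible here.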
@ -28,6 +28,7 @@ from vmware_nsx.common import locking
|
|||||||
from vmware_nsx.db import nsxv_db
|
from vmware_nsx.db import nsxv_db
|
||||||
from vmware_nsx.extensions import routersize
|
from vmware_nsx.extensions import routersize
|
||||||
from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az
|
from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az
|
||||||
|
from vmware_nsx.plugins.nsx_v import md_proxy
|
||||||
from vmware_nsx.plugins.nsx_v.vshield import edge_utils
|
from vmware_nsx.plugins.nsx_v.vshield import edge_utils
|
||||||
from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
|
from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
|
||||||
|
|
||||||
@ -192,6 +193,9 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
|
|||||||
context = n_context.get_admin_context()
|
context = n_context.get_admin_context()
|
||||||
nsxv = utils.get_nsxv_client()
|
nsxv = utils.get_nsxv_client()
|
||||||
with utils.NsxVPluginWrapper() as plugin:
|
with utils.NsxVPluginWrapper() as plugin:
|
||||||
|
nsxv_manager = vcns_driver.VcnsDriver(
|
||||||
|
edge_utils.NsxVCallbacks(plugin))
|
||||||
|
edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
|
||||||
routers = plugin.get_routers(context)
|
routers = plugin.get_routers(context)
|
||||||
for router in routers:
|
for router in routers:
|
||||||
if router.get('distributed', False):
|
if router.get('distributed', False):
|
||||||
@ -209,6 +213,30 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
|
|||||||
|
|
||||||
nsxv.update_routes(edge_id, route_obj)
|
nsxv.update_routes(edge_id, route_obj)
|
||||||
|
|
||||||
|
_update_vdr_fw_config(nsxv, edge_id)
|
||||||
|
plr_id = edge_manager.get_plr_by_tlr_id(context,
|
||||||
|
router['id'])
|
||||||
|
|
||||||
|
if plr_id:
|
||||||
|
binding = nsxv_db.get_nsxv_router_binding(
|
||||||
|
context.session, plr_id)
|
||||||
|
if binding:
|
||||||
|
_update_vdr_fw_config(nsxv, binding['edge_id'])
|
||||||
|
|
||||||
|
|
||||||
|
def _update_vdr_fw_config(nsxv, edge_id):
|
||||||
|
fw_config = nsxv.get_firewall(edge_id)[1]
|
||||||
|
|
||||||
|
md_rule_names = [rule['name'] for rule in md_proxy.get_router_fw_rules()]
|
||||||
|
|
||||||
|
fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', [])
|
||||||
|
if fw_rules:
|
||||||
|
fw_rules = [rule for rule in fw_rules
|
||||||
|
if rule['name'] not in md_rule_names]
|
||||||
|
|
||||||
|
fw_config['firewallRules']['firewallRules'] = fw_rules
|
||||||
|
nsxv.update_firewall(edge_id, fw_config)
|
||||||
|
|
||||||
|
|
||||||
def is_router_conflicting_on_edge(context, driver, router_id):
|
def is_router_conflicting_on_edge(context, driver, router_id):
|
||||||
edge_id = edge_utils.get_router_edge_id(context, router_id)
|
edge_id = edge_utils.get_router_edge_id(context, router_id)
|
||||||
|
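Review bot: `_update_vdr_fw_config` in the last hunk selects the rules to strip by `rule['name']` alone, so any edge rule that happens to share a name with a metadata-proxy rule is removed as well, and a rule record without a `name` key raises KeyError; the match should use `rule.get('name')`, and the rewrite should be skipped when nothing was filtered, because as written `nsxv.update_firewall` pushes the whole firewall config back to every PLR/TLR edge the migration visits (the rendered page has lost indentation, so whether the assignment and the update sit inside `if fw_rules:` cannot be read here). Since `fw_config.get('firewallRules', {})` yields a throwaway dict, the later `fw_config['firewallRules']['firewallRules'] = fw_rules` raises KeyError on an edge whose config lacks that section if that line is reached. `md_rule_names` is also rebuilt on every call and used only for membership, so a set is the natural container. A reworked body is below.
```python
def _update_vdr_fw_config(nsxv, edge_id):
    """Remove the metadata-proxy FW rules from one VDR edge, if present."""
    fw_config = nsxv.get_firewall(edge_id)[1]
    md_rule_names = {rule['name'] for rule in md_proxy.get_router_fw_rules()}
    section = fw_config.get('firewallRules') or {}
    fw_rules = section.get('firewallRules') or []
    kept = [rule for rule in fw_rules
            if rule.get('name') not in md_rule_names]
    if len(kept) == len(fw_rules):
        # Nothing to clean up; avoid rewriting an unchanged edge firewall.
        return
    fw_config['firewallRules']['firewallRules'] = kept
    nsxv.update_firewall(edge_id, fw_config)
```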
@ -4187,6 +4187,9 @@ class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
|
|||||||
self._default_tenant_id = self._tenant_id
|
self._default_tenant_id = self._tenant_id
|
||||||
self._router_tenant_id = 'test-router-tenant'
|
self._router_tenant_id = 'test-router-tenant'
|
||||||
|
|
||||||
|
def _get_md_proxy_fw_rules(self):
|
||||||
|
return []
|
||||||
|
|
||||||
@mock.patch.object(edge_utils.EdgeManager,
|
@mock.patch.object(edge_utils.EdgeManager,
|
||||||
'update_interface_addr')
|
'update_interface_addr')
|
||||||
def test_router_update_gateway_with_different_external_subnet(self, mock):
|
def test_router_update_gateway_with_different_external_subnet(self, mock):
|
||||||
|
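Review bot: The new `_get_md_proxy_fw_rules` override in TestVdrTestCase returns `[]` without saying why, and the base implementation it replaces is outside the hunk; a one-line docstring keeps the intent visible, e.g. `"""VDR routers no longer get the metadata-proxy FW rules, so expect none."""`. The enclosing class starts before the hunk.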