Infrastructure support for FWaaS logging

This patch lays the infrastructure to add logging to the
FWaaS rules in both NSX-V and NSX-V3, for FWaaS v1 and v2.
In the future we should set the "logged" flag from the
configured user objects

Change-Id: Ie12e326ac8a166912908ae038760a682fd46e8af
This commit is contained in:
Adit Sarfaty 2017-11-01 15:18:03 +02:00
parent b3a954cefd
commit 5c5bf30c0d
8 changed files with 43 additions and 12 deletions


@ -144,6 +144,9 @@ class EdgeFirewallDriver(object):
vcns_rule['application'] = { vcns_rule['application'] = {
'service': [service] 'service': [service]
} }
if rule.get('logged'):
vcns_rule['loggingEnabled'] = rule['logged']
if index: if index:
vcns_rule['ruleTag'] = index vcns_rule['ruleTag'] = index
return vcns_rule return vcns_rule
@ -182,6 +185,9 @@ class EdgeFirewallDriver(object):
fw_rule['name'] = rule['name'] fw_rule['name'] = rule['name']
if rule.get('description'): if rule.get('description'):
fw_rule['description'] = rule['description'] fw_rule['description'] = rule['description']
if rule.get('loggingEnabled'):
fw_rule['logged'] = rule['loggingEnabled']
return fw_rule return fw_rule
def _convert_firewall(self, firewall, allow_external=False): def _convert_firewall(self, firewall, allow_external=False):
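Review bot: The two conversions in this file are not symmetric: the first hunk emits `loggingEnabled` only when `rule['logged']` is truthy, and the second hunk emits `logged` only when `loggingEnabled` is truthy, so an explicit False is dropped on both sides rather than carried across. Because this flag decides whether hits on a firewall rule are audited, and it is the value a reconciliation or test will compare, the round trip should preserve it: `if 'logged' in rule: vcns_rule['loggingEnabled'] = bool(rule['logged'])` and `if 'loggingEnabled' in rule: fw_rule['logged'] = bool(rule['loggingEnabled'])`. Whether the NSX-V backend treats an absent `loggingEnabled` as false is not visible here; if it does, this is about explicitness rather than a behaviour bug, and a one-line comment stating that assumption would suffice. Both enclosing methods start before their hunks.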


@ -117,7 +117,7 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
'lookup_id': lookup_id} 'lookup_id': lookup_id}
return edges_map return edges_map
def _translate_rules(self, fwaas_rules): def _translate_rules(self, fwaas_rules, logged=False):
translated_rules = [] translated_rules = []
for rule in fwaas_rules: for rule in fwaas_rules:
if not rule['enabled']: if not rule['enabled']:
@ -136,6 +136,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
rule['destination_ip_address']] rule['destination_ip_address']]
if rule.get('source_ip_address'): if rule.get('source_ip_address'):
rule['source_ip_address'] = [rule['source_ip_address']] rule['source_ip_address'] = [rule['source_ip_address']]
if logged:
rule['logged'] = True
translated_rules.append(rule) translated_rules.append(rule)
return translated_rules return translated_rules
@ -183,7 +185,10 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
return return
# Translate the FWaaS rules # Translate the FWaaS rules
rules = self._translate_rules(firewall['firewall_rule_list']) # TODO(asarfaty): get this value from the firewall extensions
logged = False
rules = self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
# update each relevant edge with the new rules # update each relevant edge with the new rules
for router_info in apply_list: for router_info in apply_list:
@ -244,5 +249,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
def get_firewall_translated_rules(self, firewall): def get_firewall_translated_rules(self, firewall):
if firewall['admin_state_up']: if firewall['admin_state_up']:
return self._translate_rules(firewall['firewall_rule_list']) # TODO(asarfaty): get this value from the firewall extensions
logged = False
return self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
return [] return []
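Review bot: The hard-coded `logged = False` and its TODO are duplicated at the two call sites in the last two hunks; a small `_get_logged_flag(firewall)` helper returning False for now would give the future extension lookup a single home so the two sites cannot drift. In the first hunk, `_translate_rules` now writes `rule['logged'] = True` into the plugin's own rule dict, continuing the existing in-place mutation of the input list, and only the True case is written, so a pre-existing `logged` key on a plugin rule would pass through untouched when the flag is False. If that pass-through is intended, say so in a comment such as `# only force-enable; leave any per-rule 'logged' alone when the firewall flag is off`; otherwise assign `rule['logged'] = bool(logged)` unconditionally. The `update_firewall`-style method in the second hunk begins before the hunk.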


@ -145,7 +145,7 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
] ]
def _translate_rules(self, fwaas_rules, replace_src=None, def _translate_rules(self, fwaas_rules, replace_src=None,
replace_dest=None): replace_dest=None, logged=False):
translated_rules = [] translated_rules = []
for rule in fwaas_rules: for rule in fwaas_rules:
nsx_rule = {} nsx_rule = {}
@ -183,7 +183,8 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
[rule['source_ip_address']]) [rule['source_ip_address']])
if rule.get('protocol'): if rule.get('protocol'):
nsx_rule['services'] = self._translate_services(rule) nsx_rule['services'] = self._translate_services(rule)
if logged:
nsx_rule['logged'] = logged
translated_rules.append(nsx_rule) translated_rules.append(nsx_rule)
return translated_rules return translated_rules
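Review bot: `nsx_rule['logged'] = logged` on the last added line stores whatever truthy value the caller passed, whereas the NSX-V driver in this same change stores a literal True; the backend field is a boolean, so normalise here as well with `nsx_rule['logged'] = True` (or `bool(logged)`) to keep the two drivers consistent. As in the V driver, a False flag leaves the key absent and relies on the backend default for unlogged rules, which is fine if that default is false but is worth a short comment so the next reader does not have to check. `_translate_rules` starts before the first hunk.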


@ -114,6 +114,9 @@ class EdgeFwaasV3DriverV1(base_driver.CommonEdgeFwaasV3Driver):
""" """
# Return the firewall rules only if the fw is up # Return the firewall rules only if the fw is up
if firewall['admin_state_up']: if firewall['admin_state_up']:
return self._translate_rules(firewall['firewall_rule_list']) # TODO(asarfaty): get this value from the firewall extensions
logged = False
return self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
return [] return []


@ -86,14 +86,18 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
plugin_rules): plugin_rules):
"""Return the list of translated rules per port""" """Return the list of translated rules per port"""
port_rules = [] port_rules = []
# TODO(asarfaty): get this value from the firewall group extensions
logged = False
# Add the firewall group ingress/egress rules only if the fw is up # Add the firewall group ingress/egress rules only if the fw is up
if firewall_group['admin_state_up']: if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['ingress_rule_list'], firewall_group['ingress_rule_list'],
replace_dest=nsx_port_id)) replace_dest=nsx_port_id,
logged=logged))
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['egress_rule_list'], firewall_group['egress_rule_list'],
replace_src=nsx_port_id)) replace_src=nsx_port_id,
logged=logged))
# Add the per-port plugin rules # Add the per-port plugin rules
if plugin_rules and isinstance(plugin_rules, list): if plugin_rules and isinstance(plugin_rules, list):
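Review bot: The `logged` flag is threaded into the firewall-group ingress and egress translations but not into the per-port plugin rules handled just below the hunk, so once the extension value is wired in, group rules will be audited while the plugin rules on the same port stay unlogged. If that split is deliberate, a one-line comment next to the plugin-rules branch such as `# plugin rules are pushed unlogged regardless of the firewall group flag` would make it explicit; otherwise consider applying the same flag there. The method continues outside the hunk.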


@ -53,7 +53,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'id': 'fake-fw-rule3'} 'id': 'fake-fw-rule3'}
return [rule1, rule2, rule3] return [rule1, rule2, rule3]
def _fake_backend_rules_v4(self): def _fake_backend_rules_v4(self, logged=False):
rule1 = {'enabled': True, rule1 = {'enabled': True,
'action': 'allow', 'action': 'allow',
'ip_version': 4, 'ip_version': 4,
@ -80,7 +80,9 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'position': '2', 'position': '2',
'id': 'fake-fw-rule3', 'id': 'fake-fw-rule3',
'name': 'Fwaas-fake-fw-rule3'} 'name': 'Fwaas-fake-fw-rule3'}
if logged:
for rule in (rule1, rule2, rule3):
rule['loggingEnabled'] = logged
return [rule1, rule2, rule3] return [rule1, rule2, rule3]
def _fake_firewall_no_rule(self): def _fake_firewall_no_rule(self):
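Review bot: `_fake_backend_rules_v4` gains a `logged` parameter, but no call with `logged=True` is visible in this section, and because the driver hard-codes `logged = False` the production path cannot exercise it either, so the new `loggingEnabled` translation is not asserted anywhere in this change. A test that calls the driver's `_translate_rules(rules, logged=True)` and compares the resulting backend rules against `_fake_backend_rules_v4(logged=True)` would pin that the audit flag actually reaches the backend rule. The `if logged:` guard also means the fixture never carries `loggingEnabled: False`, which matches the driver's truthy-only behaviour today but would hide a regression if that ever changes.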


@ -102,7 +102,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
'id': 'fake-fw-rule4'} 'id': 'fake-fw-rule4'}
return [rule1, rule2, rule3, rule4] return [rule1, rule2, rule3, rule4]
def _fake_translated_rules(self): def _fake_translated_rules(self, logged=False):
# The expected translation of the rules in _fake_rules_v4 # The expected translation of the rules in _fake_rules_v4
service1 = {'l4_protocol': 'TCP', service1 = {'l4_protocol': 'TCP',
'resource_type': 'L4PortSetNSService', 'resource_type': 'L4PortSetNSService',
@ -135,6 +135,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
'target_type': 'IPv4Address'}], 'target_type': 'IPv4Address'}],
'display_name': 'Fwaas-fake-fw-rule4'} 'display_name': 'Fwaas-fake-fw-rule4'}
if logged:
for rule in (rule1, rule2, rule3, rule4):
rule['logged'] = logged
return [rule1, rule2, rule3, rule4] return [rule1, rule2, rule3, rule4]
def _fake_firewall_no_rule(self): def _fake_firewall_no_rule(self):
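Review bot: Same gap on the NSX-V3 side: `_fake_translated_rules(logged=True)` is defined but nothing visible here calls it, and the driver under test hard-codes `logged = False`, so the `logged` key added to `nsx_rule` in the base driver is not asserted by this change. A direct test of the base driver's `_translate_rules(rules, logged=True)` against `_fake_translated_rules(logged=True)` would close it without waiting for the extension plumbing.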


@ -104,7 +104,8 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
return [rule1, rule2, rule3, rule4] return [rule1, rule2, rule3, rule4]
def _fake_translated_rules(self, nsx_port_id, is_ingress=True): def _fake_translated_rules(self, nsx_port_id, is_ingress=True,
logged=False):
# The expected translation of the rules in _fake_rules_v4 # The expected translation of the rules in _fake_rules_v4
service1 = {'l4_protocol': 'TCP', service1 = {'l4_protocol': 'TCP',
'resource_type': 'L4PortSetNSService', 'resource_type': 'L4PortSetNSService',
@ -150,6 +151,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
for rule in (rule1, rule2, rule3, rule4): for rule in (rule1, rule2, rule3, rule4):
rule[field] = new_val rule[field] = new_val
rule['direction'] = direction rule['direction'] = direction
if logged:
for rule in (rule1, rule2, rule3, rule4):
rule['logged'] = logged
return [rule1, rule2, rule3, rule4] return [rule1, rule2, rule3, rule4]
def _fake_empty_firewall_group(self): def _fake_empty_firewall_group(self):