Infrastructure support for FWaaS logging
This patch lays the infrastructure to add logging to the FWaaS rules both in NSX-V and NSX-V3, and for FWaaS v1+v2. In the future we should set the "logged" flag from the configured user objects. Change-Id: Ie12e326ac8a166912908ae038760a682fd46e8af
parent
b3a954cefd
commit
5c5bf30c0d
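--- a/[path-not-on-page]/EdgeFirewallDriver
+++ b/[path-not-on-page]/EdgeFirewallDriver
@@ -144,6 +144,9 @@ class EdgeFirewallDriver(object):
 vcns_rule['application'] = {
 'service': [service]
 }
+if rule.get('logged'):
+vcns_rule['loggingEnabled'] = rule['logged']
+
 if index:
 vcns_rule['ruleTag'] = index
 return vcns_rule
@@ -182,6 +185,9 @@ class EdgeFirewallDriver(object):
 fw_rule['name'] = rule['name']
 if rule.get('description'):
 fw_rule['description'] = rule['description']
+if rule.get('loggingEnabled'):
+fw_rule['logged'] = rule['loggingEnabled']
+
 return fw_rule
 
 def _convert_firewall(self, firewall, allow_external=False):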
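Review bot: The new `loggingEnabled` assignment in the first hunk is emitted only when `rule.get('logged')` is truthy, so a rule whose logging was switched off is sent without the key and silently takes whatever default the backend applies; the reverse mapping in the second hunk (`if rule.get('loggingEnabled'): fw_rule['logged'] = rule['loggingEnabled']`) has the same one-sided shape, so a restored rule reports logging as absent rather than False. If the backend default is known to be off, `vcns_rule['loggingEnabled'] = bool(rule.get('logged', False))` (and the mirror `fw_rule['logged'] = bool(rule.get('loggingEnabled', False))`) makes the intent explicit on both paths; if the key has to be omitted for some rule kinds, a comment such as `# loggingEnabled is left out when the rule is not logged; the backend default applies` would record that. The `if logged: nsx_rule['logged'] = logged` branch in CommonEdgeFwaasV3Driver has the same shape. Both enclosing methods start outside the hunks.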
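--- a/[path-not-on-page]/EdgeFwaasDriver
+++ b/[path-not-on-page]/EdgeFwaasDriver
@@ -117,7 +117,7 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 'lookup_id': lookup_id}
 return edges_map
 
-def _translate_rules(self, fwaas_rules):
+def _translate_rules(self, fwaas_rules, logged=False):
 translated_rules = []
 for rule in fwaas_rules:
 if not rule['enabled']:
@@ -136,6 +136,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 rule['destination_ip_address']]
 if rule.get('source_ip_address'):
 rule['source_ip_address'] = [rule['source_ip_address']]
+if logged:
+rule['logged'] = True
 translated_rules.append(rule)
 
 return translated_rules
@@ -183,7 +185,10 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 return
 
 # Translate the FWaaS rules
-rules = self._translate_rules(firewall['firewall_rule_list'])
+# TODO(asarfaty): get this value from the firewall extensions
+logged = False
+rules = self._translate_rules(firewall['firewall_rule_list'],
+logged=logged)
 
 # update each relevant edge with the new rules
 for router_info in apply_list:
@@ -244,5 +249,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 
 def get_firewall_translated_rules(self, firewall):
 if firewall['admin_state_up']:
-return self._translate_rules(firewall['firewall_rule_list'])
+# TODO(asarfaty): get this value from the firewall extensions
+logged = False
+return self._translate_rules(firewall['firewall_rule_list'],
+logged=logged)
 return []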
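Review bot: `_translate_rules` writes `rule['logged'] = True` into the caller's own rule dict (the second hunk mutates `rule` in place, as the existing `source_ip_address` rewrite already does), so a later call with `logged=False` on the same dicts never clears a `logged` key left by an earlier call; whether the `firewall_rule_list` dicts are reused between calls is not visible here. Assigning `rule['logged'] = bool(logged)` unconditionally keeps the output a function of the arguments alone and costs nothing, since the NSX-V conversion only emits the key when it is truthy. The new `logged` parameter is also undocumented; a docstring such as `"""Translate FWaaS rules into edge rules; logged marks each translated rule for backend logging."""` on the first hunk's signature would cover it. The enclosing methods of the third and fourth hunks start outside the hunks.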
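--- a/[path-not-on-page]/CommonEdgeFwaasV3Driver
+++ b/[path-not-on-page]/CommonEdgeFwaasV3Driver
@@ -145,7 +145,7 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 ]
 
 def _translate_rules(self, fwaas_rules, replace_src=None,
-replace_dest=None):
+replace_dest=None, logged=False):
 translated_rules = []
 for rule in fwaas_rules:
 nsx_rule = {}
@@ -183,7 +183,8 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 [rule['source_ip_address']])
 if rule.get('protocol'):
 nsx_rule['services'] = self._translate_services(rule)
+if logged:
+nsx_rule['logged'] = logged
 translated_rules.append(nsx_rule)
 
 return translated_rules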
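--- a/[path-not-on-page]/EdgeFwaasV3DriverV1
+++ b/[path-not-on-page]/EdgeFwaasV3DriverV1
@@ -114,6 +114,9 @@ class EdgeFwaasV3DriverV1(base_driver.CommonEdgeFwaasV3Driver):
 """
 # Return the firewall rules only if the fw is up
 if firewall['admin_state_up']:
-return self._translate_rules(firewall['firewall_rule_list'])
+# TODO(asarfaty): get this value from the firewall extensions
+logged = False
+return self._translate_rules(firewall['firewall_rule_list'],
+logged=logged)
 
 return []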
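Review bot: The `# TODO(asarfaty)` plus `logged = False` pair in this hunk is the fourth copy of the same placeholder (EdgeFwaasDriver carries two and EdgeFwaasV3DriverV2 one more), so when the flag is finally read from the firewall extension the wiring has to be repeated at four call sites and any site that is missed keeps logging silently disabled. A single helper per driver family, e.g. `def _get_logged(self, firewall): return False  # TODO(asarfaty): read from the firewall extensions` on CommonEdgeFwaasV3Driver and its counterpart in the NSX-V driver, called as `logged=self._get_logged(firewall)` at each site, keeps the future change in one place. The enclosing method starts outside the hunk.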
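--- a/[path-not-on-page]/EdgeFwaasV3DriverV2
+++ b/[path-not-on-page]/EdgeFwaasV3DriverV2
@@ -86,14 +86,18 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
 plugin_rules):
 """Return the list of translated rules per port"""
 port_rules = []
+# TODO(asarfaty): get this value from the firewall group extensions
+logged = False
 # Add the firewall group ingress/egress rules only if the fw is up
 if firewall_group['admin_state_up']:
 port_rules.extend(self._translate_rules(
 firewall_group['ingress_rule_list'],
-replace_dest=nsx_port_id))
+replace_dest=nsx_port_id,
+logged=logged))
 port_rules.extend(self._translate_rules(
 firewall_group['egress_rule_list'],
-replace_src=nsx_port_id))
+replace_src=nsx_port_id,
+logged=logged))
 
 # Add the per-port plugin rules
 if plugin_rules and isinstance(plugin_rules, list):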
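--- a/[path-not-on-page]/NsxvFwaasTestCase
+++ b/[path-not-on-page]/NsxvFwaasTestCase
@@ -53,7 +53,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'id': 'fake-fw-rule3'}
 return [rule1, rule2, rule3]
 
-def _fake_backend_rules_v4(self):
+def _fake_backend_rules_v4(self, logged=False):
 rule1 = {'enabled': True,
 'action': 'allow',
 'ip_version': 4,
@@ -80,7 +80,9 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'position': '2',
 'id': 'fake-fw-rule3',
 'name': 'Fwaas-fake-fw-rule3'}
+if logged:
+for rule in (rule1, rule2, rule3):
+rule['loggingEnabled'] = logged
 return [rule1, rule2, rule3]
 
 def _fake_firewall_no_rule(self):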
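Review bot: The fixture now accepts `logged=True` and stamps `loggingEnabled` on the three rules in the second hunk, but no test that passes `logged=True` is visible in this commit, so as far as the page shows the new `if rule.get('logged')` branch in EdgeFirewallDriver and the `logged=True` path of `_translate_rules` are exercised by nothing; the two `_fake_translated_rules` fixtures in the Nsxv3FwaasTestCase files are in the same position. If a case that compares `self._fake_backend_rules_v4(logged=True)` against a translation run with logging on exists elsewhere in the change, this is moot; otherwise one such case per driver family would pin the new behavior before the flag is wired to user-configured data. The enclosing methods start outside the hunks.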
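--- a/[path-not-on-page]/Nsxv3FwaasTestCase-file1
+++ b/[path-not-on-page]/Nsxv3FwaasTestCase-file1
@@ -102,7 +102,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 'id': 'fake-fw-rule4'}
 return [rule1, rule2, rule3, rule4]
 
-def _fake_translated_rules(self):
+def _fake_translated_rules(self, logged=False):
 # The expected translation of the rules in _fake_rules_v4
 service1 = {'l4_protocol': 'TCP',
 'resource_type': 'L4PortSetNSService',
@@ -135,6 +135,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 'target_type': 'IPv4Address'}],
 'display_name': 'Fwaas-fake-fw-rule4'}
 
+if logged:
+for rule in (rule1, rule2, rule3, rule4):
+rule['logged'] = logged
 return [rule1, rule2, rule3, rule4]
 
 def _fake_firewall_no_rule(self):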
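--- a/[path-not-on-page]/Nsxv3FwaasTestCase-file2
+++ b/[path-not-on-page]/Nsxv3FwaasTestCase-file2
@@ -104,7 +104,8 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 
 return [rule1, rule2, rule3, rule4]
 
-def _fake_translated_rules(self, nsx_port_id, is_ingress=True):
+def _fake_translated_rules(self, nsx_port_id, is_ingress=True,
+logged=False):
 # The expected translation of the rules in _fake_rules_v4
 service1 = {'l4_protocol': 'TCP',
 'resource_type': 'L4PortSetNSService',
@@ -150,6 +151,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 for rule in (rule1, rule2, rule3, rule4):
 rule[field] = new_val
 rule['direction'] = direction
+if logged:
+for rule in (rule1, rule2, rule3, rule4):
+rule['logged'] = logged
 return [rule1, rule2, rule3, rule4]
 
 def _fake_empty_firewall_group(self):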
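Review bot: The added `for rule in (rule1, rule2, rule3, rule4): rule['logged'] = logged` loop in the second hunk repeats the loop directly above it, which already walks the same four rules to set `rule[field]` and `rule['direction']`; if that loop runs unconditionally, folding the assignment into it as `if logged: rule['logged'] = logged` after `rule['direction'] = direction` removes the second pass. The indentation and any guard around the preceding loop are not visible on the page, so this depends on its scope. The enclosing method starts outside the hunk.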