Infrastructure support for FWaaS logging
This patch lays the infrastructure to add logging to the FWaaS rules, both in NSX-V and NSX-V3, and for FWaaS v1+v2. In the future we should set the "logged" flag from the configured user objects. Change-Id: Ie12e326ac8a166912908ae038760a682fd46e8af
This commit is contained in:
parent
b3a954cefd
commit
5c5bf30c0d
@ -144,6 +144,9 @@ class EdgeFirewallDriver(object):
|
||||
vcns_rule['application'] = {
|
||||
'service': [service]
|
||||
}
|
||||
if rule.get('logged'):
|
||||
vcns_rule['loggingEnabled'] = rule['logged']
|
||||
|
||||
if index:
|
||||
vcns_rule['ruleTag'] = index
|
||||
return vcns_rule
|
||||
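Review bot: `vcns_rule['loggingEnabled']` is only written when `rule['logged']` is truthy, so a rule whose logging is off carries no explicit `loggingEnabled` key and takes whatever the NSX-V edge defaults to; if the intent is that the backend always mirrors the neutron flag, write it unconditionally, `vcns_rule['loggingEnabled'] = bool(rule.get('logged', False))`. The reverse mapping in the next hunk (`fw_rule['logged'] = rule['loggingEnabled']`) has the same one-sided guard, so a rule that had logging turned off would not round-trip as `logged: False`. Whether the edge API accepts an explicit `False` is not visible here. The enclosing method starts before this hunk.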
@ -182,6 +185,9 @@ class EdgeFirewallDriver(object):
|
||||
fw_rule['name'] = rule['name']
|
||||
if rule.get('description'):
|
||||
fw_rule['description'] = rule['description']
|
||||
if rule.get('loggingEnabled'):
|
||||
fw_rule['logged'] = rule['loggingEnabled']
|
||||
|
||||
return fw_rule
|
||||
|
||||
def _convert_firewall(self, firewall, allow_external=False):
|
||||
|
@ -117,7 +117,7 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
'lookup_id': lookup_id}
|
||||
return edges_map
|
||||
|
||||
def _translate_rules(self, fwaas_rules):
|
||||
def _translate_rules(self, fwaas_rules, logged=False):
|
||||
translated_rules = []
|
||||
for rule in fwaas_rules:
|
||||
if not rule['enabled']:
|
||||
@ -136,6 +136,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
rule['destination_ip_address']]
|
||||
if rule.get('source_ip_address'):
|
||||
rule['source_ip_address'] = [rule['source_ip_address']]
|
||||
if logged:
|
||||
rule['logged'] = True
|
||||
translated_rules.append(rule)
|
||||
|
||||
return translated_rules
|
||||
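Review bot: `rule['logged'] = True` writes into the neutron rule dict the caller passed in `fwaas_rules`, so after translation `firewall['firewall_rule_list']` carries a `logged` key it did not have before; the existing `source_ip_address` rewrite already mutates in place, but the new key widens that side effect. If callers reuse the list afterwards (not visible here), copy first with `rule = dict(rule)` at the top of the loop body, or build the translated dict explicitly as the NSX-V3 driver does. The `logged` keyword added to the signature in the previous hunk also deserves a docstring line, e.g. `:param logged: when True, every translated rule is flagged for backend logging`. `_translate_rules` starts in the previous hunk and its loop body continues outside this one.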
@ -183,7 +185,10 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
return
|
||||
|
||||
# Translate the FWaaS rules
|
||||
rules = self._translate_rules(firewall['firewall_rule_list'])
|
||||
# TODO(asarfaty): get this value from the firewall extensions
|
||||
logged = False
|
||||
rules = self._translate_rules(firewall['firewall_rule_list'],
|
||||
logged=logged)
|
||||
|
||||
# update each relevant edge with the new rules
|
||||
for router_info in apply_list:
|
||||
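Review bot: The `# TODO(asarfaty)` comment and the hard-coded `logged = False` are repeated four times in this change (here, in `get_firewall_translated_rules` in the next hunk, and in the NSX-V3 V1 and V2 drivers), so wiring the value to the firewall extension later has to be done in four places. A single helper on the base driver, `def _is_logged(self, firewall):` with the TODO inside and `return False` for now, called at each site would keep one switch. Until that is wired, no FWaaS rule is logged on either backend; stating that in the TODO text (e.g. `# TODO(asarfaty): read from the firewall extensions; logging is always off until then`) tells operators reading the driver that rule logging is not yet configurable. The enclosing method continues outside this hunk.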
@ -244,5 +249,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
|
||||
|
||||
def get_firewall_translated_rules(self, firewall):
|
||||
if firewall['admin_state_up']:
|
||||
return self._translate_rules(firewall['firewall_rule_list'])
|
||||
# TODO(asarfaty): get this value from the firewall extensions
|
||||
logged = False
|
||||
return self._translate_rules(firewall['firewall_rule_list'],
|
||||
logged=logged)
|
||||
return []
|
||||
|
@ -145,7 +145,7 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
]
|
||||
|
||||
def _translate_rules(self, fwaas_rules, replace_src=None,
|
||||
replace_dest=None):
|
||||
replace_dest=None, logged=False):
|
||||
translated_rules = []
|
||||
for rule in fwaas_rules:
|
||||
nsx_rule = {}
|
||||
@ -183,7 +183,8 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
[rule['source_ip_address']])
|
||||
if rule.get('protocol'):
|
||||
nsx_rule['services'] = self._translate_services(rule)
|
||||
|
||||
if logged:
|
||||
nsx_rule['logged'] = logged
|
||||
translated_rules.append(nsx_rule)
|
||||
|
||||
return translated_rules
|
||||
|
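Review bot: `nsx_rule['logged'] = logged` inside `if logged:` can only ever store a truthy value, so either `nsx_rule['logged'] = True` says what happens, or drop the guard and always emit the key so the rule payload is explicit about logging on both paths; which is right depends on whether the NSX-V3 API accepts `logged: False` in the payload, which is not visible here. Unlike the NSX-V path, `nsx_rule` is built fresh (`nsx_rule = {}`), so no input rule is mutated. The new `logged` keyword in the previous hunk's signature has no docstring entry; a one-liner `:param logged: flag every translated rule for NSX logging` would do. `_translate_rules` starts in the previous hunk.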
@ -114,6 +114,9 @@ class EdgeFwaasV3DriverV1(base_driver.CommonEdgeFwaasV3Driver):
|
||||
"""
|
||||
# Return the firewall rules only if the fw is up
|
||||
if firewall['admin_state_up']:
|
||||
return self._translate_rules(firewall['firewall_rule_list'])
|
||||
# TODO(asarfaty): get this value from the firewall extensions
|
||||
logged = False
|
||||
return self._translate_rules(firewall['firewall_rule_list'],
|
||||
logged=logged)
|
||||
|
||||
return []
|
||||
|
@ -86,14 +86,18 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
|
||||
plugin_rules):
|
||||
"""Return the list of translated rules per port"""
|
||||
port_rules = []
|
||||
# TODO(asarfaty): get this value from the firewall group extensions
|
||||
logged = False
|
||||
# Add the firewall group ingress/egress rules only if the fw is up
|
||||
if firewall_group['admin_state_up']:
|
||||
port_rules.extend(self._translate_rules(
|
||||
firewall_group['ingress_rule_list'],
|
||||
replace_dest=nsx_port_id))
|
||||
replace_dest=nsx_port_id,
|
||||
logged=logged))
|
||||
port_rules.extend(self._translate_rules(
|
||||
firewall_group['egress_rule_list'],
|
||||
replace_src=nsx_port_id))
|
||||
replace_src=nsx_port_id,
|
||||
logged=logged))
|
||||
|
||||
# Add the per-port plugin rules
|
||||
if plugin_rules and isinstance(plugin_rules, list):
|
||||
|
@ -53,7 +53,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
|
||||
'id': 'fake-fw-rule3'}
|
||||
return [rule1, rule2, rule3]
|
||||
|
||||
def _fake_backend_rules_v4(self):
|
||||
def _fake_backend_rules_v4(self, logged=False):
|
||||
rule1 = {'enabled': True,
|
||||
'action': 'allow',
|
||||
'ip_version': 4,
|
||||
@ -80,7 +80,9 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
|
||||
'position': '2',
|
||||
'id': 'fake-fw-rule3',
|
||||
'name': 'Fwaas-fake-fw-rule3'}
|
||||
|
||||
if logged:
|
||||
for rule in (rule1, rule2, rule3):
|
||||
rule['loggingEnabled'] = logged
|
||||
return [rule1, rule2, rule3]
|
||||
|
||||
def _fake_firewall_no_rule(self):
|
||||
|
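Review bot: The fixtures `_fake_backend_rules_v4` and both `_fake_translated_rules` variants gain a `logged` parameter and an `if logged:` branch, but no test in this change appears to call them with `logged=True` or to drive a translation with `logged=True`, so the new `loggingEnabled`/`logged` mapping is exercised only on its default-off path, as far as this page shows. One case per driver that calls `_translate_rules(..., logged=True)` and compares against the fixture built with `logged=True` would cover the new code. `rule['loggingEnabled'] = logged` inside `if logged:` only ever stores `True`, which matches the driver's behaviour.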
@ -102,7 +102,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
'id': 'fake-fw-rule4'}
|
||||
return [rule1, rule2, rule3, rule4]
|
||||
|
||||
def _fake_translated_rules(self):
|
||||
def _fake_translated_rules(self, logged=False):
|
||||
# The expected translation of the rules in _fake_rules_v4
|
||||
service1 = {'l4_protocol': 'TCP',
|
||||
'resource_type': 'L4PortSetNSService',
|
||||
@ -135,6 +135,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
'target_type': 'IPv4Address'}],
|
||||
'display_name': 'Fwaas-fake-fw-rule4'}
|
||||
|
||||
if logged:
|
||||
for rule in (rule1, rule2, rule3, rule4):
|
||||
rule['logged'] = logged
|
||||
return [rule1, rule2, rule3, rule4]
|
||||
|
||||
def _fake_firewall_no_rule(self):
|
||||
|
@ -104,7 +104,8 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
|
||||
return [rule1, rule2, rule3, rule4]
|
||||
|
||||
def _fake_translated_rules(self, nsx_port_id, is_ingress=True):
|
||||
def _fake_translated_rules(self, nsx_port_id, is_ingress=True,
|
||||
logged=False):
|
||||
# The expected translation of the rules in _fake_rules_v4
|
||||
service1 = {'l4_protocol': 'TCP',
|
||||
'resource_type': 'L4PortSetNSService',
|
||||
@ -150,6 +151,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
for rule in (rule1, rule2, rule3, rule4):
|
||||
rule[field] = new_val
|
||||
rule['direction'] = direction
|
||||
if logged:
|
||||
for rule in (rule1, rule2, rule3, rule4):
|
||||
rule['logged'] = logged
|
||||
return [rule1, rule2, rule3, rule4]
|
||||
|
||||
def _fake_empty_firewall_group(self):
|
||||
|