Infrastructure support for FWaaS logging

This patch lays the infrastructure to add logging to the
FWaaS rules both in NSX-V and NSX-V3, and for FWaaS v1+v2.
In the future we should set the "logged" flag from the
configured user objects.

Change-Id: Ie12e326ac8a166912908ae038760a682fd46e8af
This commit is contained in:
Adit Sarfaty 2017-11-01 15:18:03 +02:00
parent b3a954cefd
commit 5c5bf30c0d
8 changed files with 43 additions and 12 deletions


@ -144,6 +144,9 @@ class EdgeFirewallDriver(object):
vcns_rule['application'] = {
'service': [service]
}
if rule.get('logged'):
vcns_rule['loggingEnabled'] = rule['logged']
if index:
vcns_rule['ruleTag'] = index
return vcns_rule
@ -182,6 +185,9 @@ class EdgeFirewallDriver(object):
fw_rule['name'] = rule['name']
if rule.get('description'):
fw_rule['description'] = rule['description']
if rule.get('loggingEnabled'):
fw_rule['logged'] = rule['loggingEnabled']
return fw_rule
def _convert_firewall(self, firewall, allow_external=False):
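Review bot: The backend-to-neutron conversion `if rule.get('loggingEnabled'): fw_rule['logged'] = rule['loggingEnabled']` omits the key entirely when logging is off, so a rule read back from the edge has no `logged` entry instead of `logged: False`, and a rule whose logging was later disabled is indistinguishable from one that never carried the flag. If anything diffs neutron rules against backend rules (the callers are not visible here), that asymmetry will surface as a spurious or missed update. Writing the read-back explicitly, `fw_rule['logged'] = bool(rule.get('loggingEnabled'))`, keeps the round trip symmetric; the forward conversion in the first hunk likewise leaves `loggingEnabled` unset when the flag is false and so relies on the backend default, which is worth a one-line comment. Both enclosing methods start outside their hunks.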


@ -117,7 +117,7 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
'lookup_id': lookup_id}
return edges_map
def _translate_rules(self, fwaas_rules):
def _translate_rules(self, fwaas_rules, logged=False):
translated_rules = []
for rule in fwaas_rules:
if not rule['enabled']:
@ -136,6 +136,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
rule['destination_ip_address']]
if rule.get('source_ip_address'):
rule['source_ip_address'] = [rule['source_ip_address']]
if logged:
rule['logged'] = True
translated_rules.append(rule)
return translated_rules
@ -183,7 +185,10 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
return
# Translate the FWaaS rules
rules = self._translate_rules(firewall['firewall_rule_list'])
# TODO(asarfaty): get this value from the firewall extensions
logged = False
rules = self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
# update each relevant edge with the new rules
for router_info in apply_list:
@ -244,5 +249,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
def get_firewall_translated_rules(self, firewall):
if firewall['admin_state_up']:
return self._translate_rules(firewall['firewall_rule_list'])
# TODO(asarfaty): get this value from the firewall extensions
logged = False
return self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
return []
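Review bot: The placeholder `logged = False` with its TODO is pasted into four call sites (the two hunks here, the V3 v1 driver's `get_firewall_translated_rules`, and the V3 v2 driver's per-port method), so the extension lookup will have to be implemented four times. A single helper, module-level or on a shared base, e.g. `def _get_fw_logged(firewall): return False  # TODO(asarfaty): read from the firewall extensions`, called as `logged=_get_fw_logged(firewall)` at each site, gives the TODO one home. Separately, `rule['logged'] = True` is written into the caller's own dict from `firewall['firewall_rule_list']`, extending the in-place mutation the method already does for the address fields; if that list is reused after translation the flag leaks back into the neutron object, which deserves a comment on the method. The two `_translate_rules` hunks cut the method in the middle.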


@ -145,7 +145,7 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
]
def _translate_rules(self, fwaas_rules, replace_src=None,
replace_dest=None):
replace_dest=None, logged=False):
translated_rules = []
for rule in fwaas_rules:
nsx_rule = {}
@ -183,7 +183,8 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
[rule['source_ip_address']])
if rule.get('protocol'):
nsx_rule['services'] = self._translate_services(rule)
if logged:
nsx_rule['logged'] = logged
translated_rules.append(nsx_rule)
return translated_rules
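Review bot: `nsx_rule['logged'] = logged` forwards the parameter's value into the NSX payload, whereas the NSX-V driver writes the literal `True`; both callers pass a bool today, but once the TODO'd extension value is wired in, any truthy non-bool would be sent to the backend as-is. `nsx_rule['logged'] = True` (or `bool(logged)`) keeps the API field boolean regardless of what the caller supplies. The new keyword also needs a line in the method's docstring — none is visible, since the hunk cuts the method right after its signature — e.g. `logged: when true, mark every translated rule for backend logging`.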


@ -114,6 +114,9 @@ class EdgeFwaasV3DriverV1(base_driver.CommonEdgeFwaasV3Driver):
"""
# Return the firewall rules only if the fw is up
if firewall['admin_state_up']:
return self._translate_rules(firewall['firewall_rule_list'])
# TODO(asarfaty): get this value from the firewall extensions
logged = False
return self._translate_rules(firewall['firewall_rule_list'],
logged=logged)
return []


@ -86,14 +86,18 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
plugin_rules):
"""Return the list of translated rules per port"""
port_rules = []
# TODO(asarfaty): get this value from the firewall group extensions
logged = False
# Add the firewall group ingress/egress rules only if the fw is up
if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules(
firewall_group['ingress_rule_list'],
replace_dest=nsx_port_id))
replace_dest=nsx_port_id,
logged=logged))
port_rules.extend(self._translate_rules(
firewall_group['egress_rule_list'],
replace_src=nsx_port_id))
replace_src=nsx_port_id,
logged=logged))
# Add the per-port plugin rules
if plugin_rules and isinstance(plugin_rules, list):
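Review bot: The `logged` flag is applied to the ingress/egress firewall-group rules only; the per-port plugin rules appended under `# Add the per-port plugin rules` (the rest of that branch is outside the hunk) appear not to receive it. If that is intentional the docstring should say so, e.g. `"""Return the list of translated rules per port. Logging (when enabled) applies to the firewall-group rules only, not to the plugin rules."""`; if it is not, the plugin rules need the same flag.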


@ -53,7 +53,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'id': 'fake-fw-rule3'}
return [rule1, rule2, rule3]
def _fake_backend_rules_v4(self):
def _fake_backend_rules_v4(self, logged=False):
rule1 = {'enabled': True,
'action': 'allow',
'ip_version': 4,
@ -80,7 +80,9 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
'position': '2',
'id': 'fake-fw-rule3',
'name': 'Fwaas-fake-fw-rule3'}
if logged:
for rule in (rule1, rule2, rule3):
rule['loggingEnabled'] = logged
return [rule1, rule2, rule3]
def _fake_firewall_no_rule(self):
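Review bot: The new `logged` keyword on `_fake_backend_rules_v4` (and on `_fake_translated_rules` in the two V3 test files) is never called with `logged=True` anywhere in this diff, so the new `if logged:` branches in the drivers have no visible test coverage. A test that calls the driver's `_translate_rules(..., logged=True)` and compares against `_fake_translated_rules(logged=True)`, plus an NSX-V test checking `loggingEnabled` on the backend rules via `_fake_backend_rules_v4(logged=True)`, would exercise the path. Minor: `rule['loggingEnabled'] = logged` under `if logged:` could simply be `= True`, matching what the NSX-V driver writes.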


@ -102,7 +102,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
'id': 'fake-fw-rule4'}
return [rule1, rule2, rule3, rule4]
def _fake_translated_rules(self):
def _fake_translated_rules(self, logged=False):
# The expected translation of the rules in _fake_rules_v4
service1 = {'l4_protocol': 'TCP',
'resource_type': 'L4PortSetNSService',
@ -135,6 +135,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
'target_type': 'IPv4Address'}],
'display_name': 'Fwaas-fake-fw-rule4'}
if logged:
for rule in (rule1, rule2, rule3, rule4):
rule['logged'] = logged
return [rule1, rule2, rule3, rule4]
def _fake_firewall_no_rule(self):


@ -104,7 +104,8 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
return [rule1, rule2, rule3, rule4]
def _fake_translated_rules(self, nsx_port_id, is_ingress=True):
def _fake_translated_rules(self, nsx_port_id, is_ingress=True,
logged=False):
# The expected translation of the rules in _fake_rules_v4
service1 = {'l4_protocol': 'TCP',
'resource_type': 'L4PortSetNSService',
@ -150,6 +151,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
for rule in (rule1, rule2, rule3, rule4):
rule[field] = new_val
rule['direction'] = direction
if logged:
for rule in (rule1, rule2, rule3, rule4):
rule['logged'] = logged
return [rule1, rule2, rule3, rule4]
def _fake_empty_firewall_group(self):