From 5e1547702010b0d5b831353857c4fd25a79dad15 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 10 Jan 2018 13:46:35 +0200
Subject: [PATCH] NSX-v3: Use logical switch id in FWaaS V2 rules
When adding the FWaaS V2 rules to the NSX router, logical router ports should not be used as source or destination. Instead the logical swith id sghould be used.
Change-Id: I819127363f58a1fa9e63306ee4dbc7ca0819394f
---
 vmware_nsx/plugins/nsx_v3/plugin.py | 8 ++--
 .../fwaas/nsx_v3/edge_fwaas_driver_base.py | 10 ++--
 .../fwaas/nsx_v3/edge_fwaas_driver_v2.py | 14 +++---
 .../fwaas/nsx_v3/fwaas_callbacks_v2.py | 8 ++--
 .../tests/unit/nsx_v3/test_fwaas_v2_driver.py | 46 +++++++++----------
 5 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index 6cac134969..1c8124757c 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -3619,12 +3619,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 # Add rules to allow dhcp traffic relay servers if relay_servers: - # if it is a single port, the source/dest is this logical port + # if it is a single port, the source/dest is this logical switch if port_id: - _net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( + nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id( context.session, port_id) - port_target = [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}] + port_target = [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}] else: port_target = None # translate the relay server ips to the firewall format
diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
index 59791abf4b..b07cd06554 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
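Review bot: The `nsx_ls_id` returned by `get_nsx_switch_and_port_id` goes straight into the firewall target with no check that a mapping was found; if that helper can return `None` for the switch (I cannot see its body here), the DHCP-relay allow rules would be handed to NSX with `'target_id': None`, so a guard such as `if not nsx_ls_id: LOG.error(...); return` (or raising) belongs before `port_target` is built. Worth a comment on that line as well: a `LogicalSwitch` target is wider than the old port target, so the allow rule now matches relay traffic for the whole network behind this router interface, which is the commit's intent but not obvious from the name `port_target`; renaming it `ls_target` would help, though its later uses lie outside the hunk. The enclosing method starts before this hunk and continues past it.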
@@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 nsx_rule['action'] = self._translate_action( rule['action'], rule['id']) if replace_dest: - # set this value as the destination logical port, + # set this value as the destination logical switch, # and set the rule to ingress - nsx_rule['destinations'] = [{'target_type': 'LogicalPort', + nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch', 'target_id': replace_dest}] nsx_rule['direction'] = 'IN' elif rule.get('destination_ip_address'): nsx_rule['destinations'] = self.translate_addresses_to_target( [rule['destination_ip_address']]) if replace_src: - # set this value as the source logical port, - # and set the rule to eggress - nsx_rule['sources'] = [{'target_type': 'LogicalPort', + # set this value as the source logical switch, + # and set the rule to egress + nsx_rule['sources'] = [{'target_type': 'LogicalSwitch', 'target_id': replace_src}] nsx_rule['direction'] = 'OUT' elif rule.get('source_ip_address'):
diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
index c6ba0c7839..d01ef7068b 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
@@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
 for router_id in routers: self.core_plugin.update_router_firewall(context, router_id) - def get_port_translated_rules(self, nsx_port_id, firewall_group, + def get_port_translated_rules(self, nsx_ls_id, firewall_group, plugin_rules): """Return the list of translated rules per port""" port_rules = []
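Review bot: `replace_dest` and `replace_src` now have to be NSX logical switch ids, but only the inline comments say so; a caller that still passes a logical port id would produce a rule whose `target_type` does not match its id, with no error at this layer. Put the contract in the docstring of the enclosing method (presumably `_translate_rules`, which the v2 driver calls with these keywords; its header is outside the hunk), e.g. `replace_dest / replace_src: NSX logical switch id (never a logical port id) forced as the rule destination / source; each also forces direction to IN / OUT`. The two `if` blocks are independent, so a call passing both ends with `direction = 'OUT'` while still carrying a switch destination; state that they are mutually exclusive, or guard it with `if replace_dest and replace_src: raise ValueError(...)`.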
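Review bot: The docstring `"""Return the list of translated rules per port"""` no longer tells the reader what `nsx_ls_id` is or that every rule built from it is scoped to the whole logical switch rather than to the router port. Suggest `"""Return the NSX rules for one router port. nsx_ls_id is the id of the port's NSX logical switch; ingress/egress rules target that switch, not the logical router port."""`. The method body continues in the next hunks.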
@@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
 if firewall_group['admin_state_up']: port_rules.extend(self._translate_rules( firewall_group['ingress_rule_list'], - replace_dest=nsx_port_id, + replace_dest=nsx_ls_id, logged=logged)) port_rules.extend(self._translate_rules( firewall_group['egress_rule_list'], - replace_src=nsx_port_id, + replace_src=nsx_ls_id, logged=logged)) # Add the per-port plugin rules
@@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
 port_rules.extend([ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}], 'direction': 'OUT'}]) return port_rules
diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
index 5951a45f55..b75cd4f306 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py
@@ -62,9 +62,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 return True - def get_port_rules(self, nsx_port_id, fwg, plugin_rules): + def get_port_rules(self, nsx_ls_id, fwg, plugin_rules): return self.internal_driver.get_port_translated_rules( - nsx_port_id, fwg, plugin_rules) + nsx_ls_id, fwg, plugin_rules) def update_router_firewall(self, context, nsxlib, router_id, router_interfaces, nsx_router_id, section_id):
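Review bot: The default-deny pair keeps the display names `"Block port ingress"` / `"Block port egress"` while its targets are now the port's whole logical switch, so an operator reading the NSX section or a drop log will look for a logical port that is not there. Because the unit tests pin these strings, the cheap fix is a comment above the `extend`, e.g. `# Default drop for this router port. The target is the port's logical switch, so it covers all traffic between that network and this router, not just the router port.`; renaming the rules to say "network" would also need the test expectations updated. `get_port_translated_rules` starts in the previous hunk.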
@@ -76,7 +76,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 fw_rules = [] # Add firewall rules per port attached to a firewall group for port in router_interfaces: - _net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( + nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id( context.session, port['id']) # Check if this port has a firewall
@@ -89,7 +89,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
 # add the FWaaS rules for this port # ingress/egress firewall rules + default ingress/egress drop # rule for this port - fw_rules.extend(self.get_port_rules(nsx_port_id, fwg, + fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg, plugin_rules)) # add a default allow-all rule to all other traffic & ports
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
index c9e1e709c0..37fc3e7207 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
@@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid'
 FAKE_ROUTER_ID = 'fake_rtr_uuid'
 FAKE_PORT_ID = 'fake_port_uuid'
 FAKE_NET_ID = 'fake_net_uuid'
-FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid'
+FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'
 MOCK_NSX_ID = 'nsx_nsx_router_id'
 MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id'
 MOCK_SECTION_ID = 'sec_id'
@@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 field = 'sources' direction = 'OUT' new_val = [{'target_id': nsx_port_id, - 'target_type': 'LogicalPort'}] + 'target_type': 'LogicalSwitch'}] for rule in (rule1, rule2, rule3, rule4): rule[field] = new_val rule['direction'] = direction
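Review bot: Keying the per-port rule set by logical switch lets two router interfaces collide: the loop over `router_interfaces` calls `fw_rules.extend(self.get_port_rules(nsx_ls_id, ...))` once per port, so if two ports of this router map to the same NSX logical switch (a router with more than one interface port on one Neutron network, where the deployment allows that) the section gets two rule sets with identical `LogicalSwitch` targets, and the first port's `Block port ingress/egress` drop rules shadow every allow rule of the second port's firewall group, which becomes silently ineffective. At minimum detect it: keep a `seen_ls_ids = set()` before the loop and, when `nsx_ls_id in seen_ls_ids`, log a warning naming both ports instead of appending a second set; whether the two groups should be merged is a policy decision that deserves a comment here. `update_router_firewall` starts in the previous hunk and continues past this one.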
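Review bot: `_fake_translated_rules` still builds `new_val` from a parameter named `nsx_port_id` while now emitting `'target_type': 'LogicalSwitch'`, and the callers in the later hunks pass `FAKE_NSX_LS_ID` to it. Rename the parameter to `nsx_ls_id` in the helper's signature (outside this hunk) so the test reads consistently with the production rename.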
@@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.create_firewall_group('nsx', apply_list, firewall)
@@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 expected_rules = [ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ]
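Review bot: The two default-drop dicts in `expected_rules` are spelled out verbatim here and again in the tests at -241 and -338, so a copy that drifts in one place keeps passing in the others and the target-type change had to be applied by hand four times. Put the pair behind a helper next to `_default_rule()` and build the expectation as `expected_rules = self._block_rules(FAKE_NSX_LS_ID) + [self._default_rule()]`. The rest of the test method lies outside the hunk.
```python
    def _block_rules(self, ls_id):
        """The default drop pair the driver appends for one router port."""
        return [
            {'display_name': "Block port ingress",
             'action': consts.FW_ACTION_DROP,
             'destinations': [{'target_type': 'LogicalSwitch',
                               'target_id': ls_id}],
             'direction': 'IN'},
            {'display_name': "Block port egress",
             'action': consts.FW_ACTION_DROP,
             'sources': [{'target_type': 'LogicalSwitch',
                          'target_id': ls_id}],
             'direction': 'OUT'}]

        # … unchanged: mock.patch context and create_firewall_group call …
        expected_rules = self._block_rules(FAKE_NSX_LS_ID) + [self._default_rule()]
```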
@@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: func('nsx', apply_list, firewall) expected_rules = self._fake_translated_rules( - FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [ + FAKE_NSX_LS_ID, is_ingress=is_ingress) + [ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ]
@@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=None),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.delete_firewall_group('nsx', apply_list, firewall)
@@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.create_firewall_group('nsx', apply_list, firewall)
@@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 expected_rules = [ {'display_name': "DHCP Relay ingress traffic", 'action': consts.FW_ACTION_ALLOW, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'sources': [{'target_id': relay_server, 'target_type': 'IPv4Address'}], 'services': self.plugin._get_port_relay_services(), 'direction': 'IN'}, {'display_name': "DHCP Relay egress traffic", 'action': consts.FW_ACTION_ALLOW, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'destinations': [{'target_id': relay_server, 'target_type': 'IPv4Address'}], 'services': self.plugin._get_port_relay_services(), 'direction': 'OUT'}, {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ]
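Review bot: None of the updated tests asserts the property the commit is about, that no rule handed to `NsxLibFirewallSection.update` still carries a `LogicalPort` target; the expectations only pin the positive shape for these inputs, so a code path that reintroduces a port target (the relay rules are only exercised with `port_id` set here) would not be caught. After the existing check on `update_fw`, add a loop over the rules actually passed to the mock asserting `all(t['target_type'] != 'LogicalPort' for t in rule.get('sources', []) + rule.get('destinations', []))`. How `update_fw` is asserted is outside the hunk, so the call-args access has to follow that code.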