NSX-v3: Use logical switch id in FWaaS V2 rules

When adding the FWaaS V2 rules to the NSX router, logical router ports
should not be used as source or destination.
Instead, the logical switch id should be used.

Change-Id: I819127363f58a1fa9e63306ee4dbc7ca0819394f
This commit is contained in:
Adit Sarfaty 2018-01-10 13:46:35 +02:00
parent d18e17af8f
commit 5e15477020
5 changed files with 43 additions and 43 deletions


@ -3619,12 +3619,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
# Add rules to allow dhcp traffic relay servers # Add rules to allow dhcp traffic relay servers
if relay_servers: if relay_servers:
# if it is a single port, the source/dest is this logical port # if it is a single port, the source/dest is this logical switch
if port_id: if port_id:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port_id) context.session, port_id)
port_target = [{'target_type': 'LogicalPort', port_target = [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}] 'target_id': nsx_ls_id}]
else: else:
port_target = None port_target = None
# translate the relay server ips to the firewall format # translate the relay server ips to the firewall format
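Review bot: The new target `port_target = [{'target_type': 'LogicalSwitch', 'target_id': nsx_ls_id}]` is built without checking that the mapping lookup actually returned a switch id; if `nsx_db.get_nsx_switch_and_port_id` can return `None` for a port that is not yet mapped (I cannot see its contract from here), the DHCP relay allow rule would be pushed to NSX with `'target_id': None`, so the lookup result should be validated before the rule is assembled rather than silently sent. The comment on the new side also only names the new target; it should record the reason the commit message gives, e.g. `# router ports are not valid source/destination targets in the router firewall, so target the port's logical switch instead`. The same unguarded unpacking appears in the `update_router_firewall` hunk of Nsxv3FwaasCallbacksV2. The enclosing method starts and ends outside this hunk.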


@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
nsx_rule['action'] = self._translate_action( nsx_rule['action'] = self._translate_action(
rule['action'], rule['id']) rule['action'], rule['id'])
if replace_dest: if replace_dest:
# set this value as the destination logical port, # set this value as the destination logical switch,
# and set the rule to ingress # and set the rule to ingress
nsx_rule['destinations'] = [{'target_type': 'LogicalPort', nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_dest}] 'target_id': replace_dest}]
nsx_rule['direction'] = 'IN' nsx_rule['direction'] = 'IN'
elif rule.get('destination_ip_address'): elif rule.get('destination_ip_address'):
nsx_rule['destinations'] = self.translate_addresses_to_target( nsx_rule['destinations'] = self.translate_addresses_to_target(
[rule['destination_ip_address']]) [rule['destination_ip_address']])
if replace_src: if replace_src:
# set this value as the source logical port, # set this value as the source logical switch,
# and set the rule to eggress # and set the rule to egress
nsx_rule['sources'] = [{'target_type': 'LogicalPort', nsx_rule['sources'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_src}] 'target_id': replace_src}]
nsx_rule['direction'] = 'OUT' nsx_rule['direction'] = 'OUT'
elif rule.get('source_ip_address'): elif rule.get('source_ip_address'):
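Review bot: Nothing in the new code records that `replace_dest` and `replace_src` now carry an NSX logical switch id rather than a logical port id, even though the comments above the `nsx_rule['destinations']` / `nsx_rule['sources']` assignments were updated; a LogicalSwitch target matches traffic to or from any port on that switch rather than a single interface, which is a wider match than the value name suggests. I would extend the two comments to say so, e.g. `# replace_dest is the NSX logical switch id of the router port; a LogicalSwitch target matches every port on that switch`, and update the enclosing method's docstring for both parameters. The enclosing method starts before this hunk.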


@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
for router_id in routers: for router_id in routers:
self.core_plugin.update_router_firewall(context, router_id) self.core_plugin.update_router_firewall(context, router_id)
def get_port_translated_rules(self, nsx_port_id, firewall_group, def get_port_translated_rules(self, nsx_ls_id, firewall_group,
plugin_rules): plugin_rules):
"""Return the list of translated rules per port""" """Return the list of translated rules per port"""
port_rules = [] port_rules = []
@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
if firewall_group['admin_state_up']: if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['ingress_rule_list'], firewall_group['ingress_rule_list'],
replace_dest=nsx_port_id, replace_dest=nsx_ls_id,
logged=logged)) logged=logged))
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['egress_rule_list'], firewall_group['egress_rule_list'],
replace_src=nsx_port_id, replace_src=nsx_ls_id,
logged=logged)) logged=logged))
# Add the per-port plugin rules # Add the per-port plugin rules
@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
port_rules.extend([ port_rules.extend([
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}], 'target_id': nsx_ls_id}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}], 'target_id': nsx_ls_id}],
'direction': 'OUT'}]) 'direction': 'OUT'}])
return port_rules return port_rules
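Review bot: The docstring of `get_port_translated_rules` still reads `"""Return the list of translated rules per port"""` although the first parameter was renamed to `nsx_ls_id` and every target it emits is now a `LogicalSwitch`; a reader of the new side cannot tell from the docstring what id the caller must pass. I would change it to `"""Return the translated rules for the NSX logical switch of a router port, plus the default ingress/egress drop rules for that switch."""`. The display names `"Block port ingress"` / `"Block port egress"` also still say "port"; they are runtime strings checked by the tests, so leave them unless the tests are updated in the same change.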


@ -62,9 +62,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
return True return True
def get_port_rules(self, nsx_port_id, fwg, plugin_rules): def get_port_rules(self, nsx_ls_id, fwg, plugin_rules):
return self.internal_driver.get_port_translated_rules( return self.internal_driver.get_port_translated_rules(
nsx_port_id, fwg, plugin_rules) nsx_ls_id, fwg, plugin_rules)
def update_router_firewall(self, context, nsxlib, router_id, def update_router_firewall(self, context, nsxlib, router_id,
router_interfaces, nsx_router_id, section_id): router_interfaces, nsx_router_id, section_id):
@ -76,7 +76,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
fw_rules = [] fw_rules = []
# Add firewall rules per port attached to a firewall group # Add firewall rules per port attached to a firewall group
for port in router_interfaces: for port in router_interfaces:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port['id']) context.session, port['id'])
# Check if this port has a firewall # Check if this port has a firewall
@ -89,7 +89,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
# add the FWaaS rules for this port # add the FWaaS rules for this port
# ingress/egress firewall rules + default ingress/egress drop # ingress/egress firewall rules + default ingress/egress drop
# rule for this port # rule for this port
fw_rules.extend(self.get_port_rules(nsx_port_id, fwg, fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg,
plugin_rules)) plugin_rules))
# add a default allow-all rule to all other traffic & ports # add a default allow-all rule to all other traffic & ports
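Review bot: `get_port_rules(self, nsx_ls_id, fwg, plugin_rules)` keeps a "port" name while its first argument is now a logical switch id, and it has no docstring, so the mismatch is only discoverable by reading the driver it delegates to. I would add `"""Return the FWaaS rules for a router interface, keyed by the NSX logical switch id of that interface."""` directly under the `def` line. The comment block at the top of the last hunk (`# add the FWaaS rules for this port`) could likewise say "for the logical switch of this port" so the two match.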


@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid'
FAKE_ROUTER_ID = 'fake_rtr_uuid' FAKE_ROUTER_ID = 'fake_rtr_uuid'
FAKE_PORT_ID = 'fake_port_uuid' FAKE_PORT_ID = 'fake_port_uuid'
FAKE_NET_ID = 'fake_net_uuid' FAKE_NET_ID = 'fake_net_uuid'
FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid' FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'
MOCK_NSX_ID = 'nsx_nsx_router_id' MOCK_NSX_ID = 'nsx_nsx_router_id'
MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id' MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id'
MOCK_SECTION_ID = 'sec_id' MOCK_SECTION_ID = 'sec_id'
@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
field = 'sources' field = 'sources'
direction = 'OUT' direction = 'OUT'
new_val = [{'target_id': nsx_port_id, new_val = [{'target_id': nsx_port_id,
'target_type': 'LogicalPort'}] 'target_type': 'LogicalSwitch'}]
for rule in (rule1, rule2, rule3, rule4): for rule in (rule1, rule2, rule3, rule4):
rule[field] = new_val rule[field] = new_val
rule['direction'] = direction rule['direction'] = direction
@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall) self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [ expected_rules = [
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
func('nsx', apply_list, firewall) func('nsx', apply_list, firewall)
expected_rules = self._fake_translated_rules( expected_rules = self._fake_translated_rules(
FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [ FAKE_NSX_LS_ID, is_ingress=is_ingress) + [
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=None),\ return_value=None),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.delete_firewall_group('nsx', apply_list, firewall) self.firewall.delete_firewall_group('nsx', apply_list, firewall)
@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall) self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [ expected_rules = [
{'display_name': "DHCP Relay ingress traffic", {'display_name': "DHCP Relay ingress traffic",
'action': consts.FW_ACTION_ALLOW, 'action': consts.FW_ACTION_ALLOW,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'sources': [{'target_id': relay_server, 'sources': [{'target_id': relay_server,
'target_type': 'IPv4Address'}], 'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(), 'services': self.plugin._get_port_relay_services(),
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "DHCP Relay egress traffic", {'display_name': "DHCP Relay egress traffic",
'action': consts.FW_ACTION_ALLOW, 'action': consts.FW_ACTION_ALLOW,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'destinations': [{'target_id': relay_server, 'destinations': [{'target_id': relay_server,
'target_type': 'IPv4Address'}], 'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(), 'services': self.plugin._get_port_relay_services(),
'direction': 'OUT'}, 'direction': 'OUT'},
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
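Review bot: In the `_fake_translated_rules` hunk the new side still builds `new_val = [{'target_id': nsx_port_id, 'target_type': 'LogicalSwitch'}]`, so the local name says "port" while the value is the logical switch id passed in as `FAKE_NSX_LS_ID`; the helper's parameter appears to carry the same stale name, though its signature is outside the hunk. Renaming it to `nsx_ls_id` in the signature and at that line would keep the test consistent with the constant rename done at `FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'`. The mocked return `(FAKE_NSX_LS_ID, 0)` correctly mirrors the new unpacking order in the plugin and callbacks.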