NSX-v3: Use logical switch id in FWaaS V2 rules
When adding the FWaaS V2 rules to the NSX router, logical router ports should not be used as source or destination. Instead the logical switch id should be used. Change-Id: I819127363f58a1fa9e63306ee4dbc7ca0819394f
This commit is contained in:
parent
d18e17af8f
commit
5e15477020
@ -3619,12 +3619,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
|
||||
# Add rules to allow dhcp traffic relay servers
|
||||
if relay_servers:
|
||||
# if it is a single port, the source/dest is this logical port
|
||||
# if it is a single port, the source/dest is this logical switch
|
||||
if port_id:
|
||||
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
|
||||
nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
|
||||
context.session, port_id)
|
||||
port_target = [{'target_type': 'LogicalPort',
|
||||
'target_id': nsx_port_id}]
|
||||
port_target = [{'target_type': 'LogicalSwitch',
|
||||
'target_id': nsx_ls_id}]
|
||||
else:
|
||||
port_target = None
|
||||
# translate the relay server ips to the firewall format
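Review bot: The switch id returned by `nsx_db.get_nsx_switch_and_port_id` is placed straight into `port_target` without being checked, so a router port with no NSX mapping would yield a relay rule with `'target_id': None` (assuming the helper returns an empty value rather than raising — confirm); the same unchecked lookup appears in the `Nsxv3FwaasCallbacksV2.update_router_firewall` hunk. Since the `else` branch sets `port_target = None`, which presumably widens the rule to any source, a missing mapping should skip this port's relay rules or raise rather than fall through. The new target also changes the scope from a single port to the whole logical switch, which the comment does not explain; I would extend it with `# logical router ports should not be used as rule targets, so the port's logical switch is used instead`. The enclosing method begins before this hunk.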
|
||||
|
@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
nsx_rule['action'] = self._translate_action(
|
||||
rule['action'], rule['id'])
|
||||
if replace_dest:
|
||||
# set this value as the destination logical port,
|
||||
# set this value as the destination logical switch,
|
||||
# and set the rule to ingress
|
||||
nsx_rule['destinations'] = [{'target_type': 'LogicalPort',
|
||||
nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch',
|
||||
'target_id': replace_dest}]
|
||||
nsx_rule['direction'] = 'IN'
|
||||
elif rule.get('destination_ip_address'):
|
||||
nsx_rule['destinations'] = self.translate_addresses_to_target(
|
||||
[rule['destination_ip_address']])
|
||||
if replace_src:
|
||||
# set this value as the source logical port,
|
||||
# and set the rule to eggress
|
||||
nsx_rule['sources'] = [{'target_type': 'LogicalPort',
|
||||
# set this value as the source logical switch,
|
||||
# and set the rule to egress
|
||||
nsx_rule['sources'] = [{'target_type': 'LogicalSwitch',
|
||||
'target_id': replace_src}]
|
||||
nsx_rule['direction'] = 'OUT'
|
||||
elif rule.get('source_ip_address'):
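Review bot: `replace_dest` and `replace_src` now carry an NSX logical switch id, but nothing in the hunk says so, and the `elif` chain means a rule's own `destination_ip_address` / `source_ip_address` is silently ignored whenever they are set — with a switch-wide target that is worth stating. I would add, above the `if replace_dest:` line, `# replace_dest / replace_src hold the NSX logical switch id of the router port the firewall group is bound to; when set, the rule's own destination/source address is not applied`. The enclosing translation method starts outside this hunk, so its docstring (if any) should be updated the same way.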
|
||||
|
@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
|
||||
for router_id in routers:
|
||||
self.core_plugin.update_router_firewall(context, router_id)
|
||||
|
||||
def get_port_translated_rules(self, nsx_port_id, firewall_group,
|
||||
def get_port_translated_rules(self, nsx_ls_id, firewall_group,
|
||||
plugin_rules):
|
||||
"""Return the list of translated rules per port"""
|
||||
port_rules = []
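Review bot: The docstring `"""Return the list of translated rules per port"""` is now stale: the parameter was renamed to `nsx_ls_id` and every generated rule targets a `LogicalSwitch`, not the port. I would change it to `"""Return the FWaaS rules for a router port, targeted at the port's NSX logical switch"""`. The `"Block port ingress"` / `"Block port egress"` display names in the last hunk of this file also still say "port"; they are runtime strings checked by the tests, so leave them or change both together.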
|
||||
@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
|
||||
if firewall_group['admin_state_up']:
|
||||
port_rules.extend(self._translate_rules(
|
||||
firewall_group['ingress_rule_list'],
|
||||
replace_dest=nsx_port_id,
|
||||
replace_dest=nsx_ls_id,
|
||||
logged=logged))
|
||||
port_rules.extend(self._translate_rules(
|
||||
firewall_group['egress_rule_list'],
|
||||
replace_src=nsx_port_id,
|
||||
replace_src=nsx_ls_id,
|
||||
logged=logged))
|
||||
|
||||
# Add the per-port plugin rules
|
||||
@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
|
||||
port_rules.extend([
|
||||
{'display_name': "Block port ingress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'destinations': [{'target_type': 'LogicalPort',
|
||||
'target_id': nsx_port_id}],
|
||||
'destinations': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': nsx_ls_id}],
|
||||
'direction': 'IN'},
|
||||
{'display_name': "Block port egress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'sources': [{'target_type': 'LogicalPort',
|
||||
'target_id': nsx_port_id}],
|
||||
'sources': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': nsx_ls_id}],
|
||||
'direction': 'OUT'}])
|
||||
|
||||
return port_rules
|
||||
|
@ -62,9 +62,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
|
||||
return True
|
||||
|
||||
def get_port_rules(self, nsx_port_id, fwg, plugin_rules):
|
||||
def get_port_rules(self, nsx_ls_id, fwg, plugin_rules):
|
||||
return self.internal_driver.get_port_translated_rules(
|
||||
nsx_port_id, fwg, plugin_rules)
|
||||
nsx_ls_id, fwg, plugin_rules)
|
||||
|
||||
def update_router_firewall(self, context, nsxlib, router_id,
|
||||
router_interfaces, nsx_router_id, section_id):
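Review bot: `get_port_rules` has no docstring and its new first parameter `nsx_ls_id` is passed straight through to `get_port_translated_rules`, so a reader cannot tell from this method what id is expected. I would add `"""Return the FWaaS rules for a router port, keyed on the port's NSX logical switch id"""` under the `def` line. The per-port comments in the later hunks of this file (`# Add firewall rules per port attached to a firewall group`, `# rule for this port`) remain accurate for the loop but could mention that the resulting rules target the switch.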
|
||||
@ -76,7 +76,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
fw_rules = []
|
||||
# Add firewall rules per port attached to a firewall group
|
||||
for port in router_interfaces:
|
||||
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
|
||||
nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
|
||||
context.session, port['id'])
|
||||
|
||||
# Check if this port has a firewall
|
||||
@ -89,7 +89,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
|
||||
# add the FWaaS rules for this port
|
||||
# ingress/egress firewall rules + default ingress/egress drop
|
||||
# rule for this port
|
||||
fw_rules.extend(self.get_port_rules(nsx_port_id, fwg,
|
||||
fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg,
|
||||
plugin_rules))
|
||||
|
||||
# add a default allow-all rule to all other traffic & ports
|
||||
|
@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid'
|
||||
FAKE_ROUTER_ID = 'fake_rtr_uuid'
|
||||
FAKE_PORT_ID = 'fake_port_uuid'
|
||||
FAKE_NET_ID = 'fake_net_uuid'
|
||||
FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid'
|
||||
FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'
|
||||
MOCK_NSX_ID = 'nsx_nsx_router_id'
|
||||
MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id'
|
||||
MOCK_SECTION_ID = 'sec_id'
|
||||
@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
field = 'sources'
|
||||
direction = 'OUT'
|
||||
new_val = [{'target_id': nsx_port_id,
|
||||
'target_type': 'LogicalPort'}]
|
||||
'target_type': 'LogicalSwitch'}]
|
||||
for rule in (rule1, rule2, rule3, rule4):
|
||||
rule[field] = new_val
|
||||
rule['direction'] = direction
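Review bot: `new_val` still builds its `'target_id'` from a name `nsx_port_id` while the `'target_type'` is now `'LogicalSwitch'`, and the callers in later hunks pass `FAKE_NSX_LS_ID`; if that is the helper's parameter (its signature is outside this hunk), renaming it to `nsx_ls_id` would keep the test helper consistent with the production code, e.g. `new_val = [{'target_id': nsx_ls_id,`. The mocks in this file now return `(FAKE_NSX_LS_ID, 0)` only; there is no case covering a port whose switch lookup returns no id, which is the path the new code does not guard.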
|
||||
@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
|
||||
return_value=firewall),\
|
||||
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
|
||||
return_value=(0, FAKE_NSX_PORT_ID)),\
|
||||
return_value=(FAKE_NSX_LS_ID, 0)),\
|
||||
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
|
||||
"update") as update_fw:
|
||||
self.firewall.create_firewall_group('nsx', apply_list, firewall)
|
||||
@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
expected_rules = [
|
||||
{'display_name': "Block port ingress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'destinations': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'destinations': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'IN'},
|
||||
{'display_name': "Block port egress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'sources': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'sources': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'OUT'},
|
||||
self._default_rule()
|
||||
]
|
||||
@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
|
||||
return_value=firewall),\
|
||||
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
|
||||
return_value=(0, FAKE_NSX_PORT_ID)),\
|
||||
return_value=(FAKE_NSX_LS_ID, 0)),\
|
||||
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
|
||||
"update") as update_fw:
|
||||
func('nsx', apply_list, firewall)
|
||||
expected_rules = self._fake_translated_rules(
|
||||
FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [
|
||||
FAKE_NSX_LS_ID, is_ingress=is_ingress) + [
|
||||
{'display_name': "Block port ingress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'destinations': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'destinations': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'IN'},
|
||||
{'display_name': "Block port egress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'sources': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'sources': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'OUT'},
|
||||
self._default_rule()
|
||||
]
|
||||
@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
|
||||
return_value=None),\
|
||||
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
|
||||
return_value=(0, FAKE_NSX_PORT_ID)),\
|
||||
return_value=(FAKE_NSX_LS_ID, 0)),\
|
||||
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
|
||||
"update") as update_fw:
|
||||
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
|
||||
@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
|
||||
return_value=firewall),\
|
||||
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
|
||||
return_value=(0, FAKE_NSX_PORT_ID)),\
|
||||
return_value=(FAKE_NSX_LS_ID, 0)),\
|
||||
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
|
||||
"update") as update_fw:
|
||||
self.firewall.create_firewall_group('nsx', apply_list, firewall)
|
||||
@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
|
||||
expected_rules = [
|
||||
{'display_name': "DHCP Relay ingress traffic",
|
||||
'action': consts.FW_ACTION_ALLOW,
|
||||
'destinations': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'destinations': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'sources': [{'target_id': relay_server,
|
||||
'target_type': 'IPv4Address'}],
|
||||
'services': self.plugin._get_port_relay_services(),
|
||||
'direction': 'IN'},
|
||||
{'display_name': "DHCP Relay egress traffic",
|
||||
'action': consts.FW_ACTION_ALLOW,
|
||||
'sources': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'sources': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'destinations': [{'target_id': relay_server,
|
||||
'target_type': 'IPv4Address'}],
|
||||
'services': self.plugin._get_port_relay_services(),
|
||||
'direction': 'OUT'},
|
||||
{'display_name': "Block port ingress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'destinations': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'destinations': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'IN'},
|
||||
{'display_name': "Block port egress",
|
||||
'action': consts.FW_ACTION_DROP,
|
||||
'sources': [{'target_type': 'LogicalPort',
|
||||
'target_id': FAKE_NSX_PORT_ID}],
|
||||
'sources': [{'target_type': 'LogicalSwitch',
|
||||
'target_id': FAKE_NSX_LS_ID}],
|
||||
'direction': 'OUT'},
|
||||
self._default_rule()
|
||||
]
|
||||
|