From 5c5bf30c0d3d444a2aa66c1ae3de9527a45f3da6 Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Wed, 1 Nov 2017 15:18:03 +0200
Subject: [PATCH] Infrastructure support for FWaaS logging

This patch lays the infrastructure to add logging to the fwaas rules both in NSX-V and NSX-V3, and for FWaaS v1+v2
In the future we should set the "logged" flag from the configured user objects

Change-Id: Ie12e326ac8a166912908ae038760a682fd46e8af
---
 .../plugins/nsx_v/vshield/edge_firewall_driver.py | 6 ++++++
 .../services/fwaas/nsx_v/edge_fwaas_driver.py | 14 +++++++++++---
 .../fwaas/nsx_v3/edge_fwaas_driver_base.py | 5 +++--
 .../services/fwaas/nsx_v3/edge_fwaas_driver_v1.py | 5 ++++-
 .../services/fwaas/nsx_v3/edge_fwaas_driver_v2.py | 8 ++++++--
 vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py | 6 ++++--
 .../tests/unit/nsx_v3/test_fwaas_v1_driver.py | 5 ++++-
 .../tests/unit/nsx_v3/test_fwaas_v2_driver.py | 6 +++++-
 8 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
index 96437f0bad..b9d7414f2b 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@@ -144,6 +144,9 @@ class EdgeFirewallDriver(object):
 vcns_rule['application'] = {
 'service': [service]
 }
+ if rule.get('logged'):
+ vcns_rule['loggingEnabled'] = rule['logged']
+
 if index:
 vcns_rule['ruleTag'] = index
 return vcns_rule
@@ -182,6 +185,9 @@ class EdgeFirewallDriver(object):
 fw_rule['name'] = rule['name']
 if rule.get('description'):
 fw_rule['description'] = rule['description']
+ if rule.get('loggingEnabled'):
+ fw_rule['logged'] = rule['loggingEnabled']
+
 return fw_rule

 def _convert_firewall(self, firewall, allow_external=False):
diff --git a/vmware_nsx/services/fwaas/nsx_v/edge_fwaas_driver.py b/vmware_nsx/services/fwaas/nsx_v/edge_fwaas_driver.py
index 53220bac6c..ab607a478a 100644
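Review bot: The new `if rule.get('logged'):` guard forwards only a truthy value, so a rule whose `logged` is explicitly False never emits `loggingEnabled` and the backend default decides whether that rule is logged; the reverse mapping in the second hunk of this file (`loggingEnabled` back to `logged`) has the same one-way shape, so a rule read back with logging off carries no `logged` key at all. If a caller can express "logging disabled", write it explicitly and normalise the type on the way out, e.g. `if 'logged' in rule:` / `vcns_rule['loggingEnabled'] = bool(rule['logged'])`, and mirror that in the reverse copy. Whether the edge treats an absent `loggingEnabled` as off is not visible here, so a one-line comment stating the assumed backend default would help the next reader. Both enclosing conversion methods start outside their hunks.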
--- a/vmware_nsx/services/fwaas/nsx_v/edge_fwaas_driver.py
+++ b/vmware_nsx/services/fwaas/nsx_v/edge_fwaas_driver.py
@@ -117,7 +117,7 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 'lookup_id': lookup_id}
 return edges_map

- def _translate_rules(self, fwaas_rules):
+ def _translate_rules(self, fwaas_rules, logged=False):
 translated_rules = []
 for rule in fwaas_rules:
 if not rule['enabled']:
@@ -136,6 +136,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 rule['destination_ip_address']]
 if rule.get('source_ip_address'):
 rule['source_ip_address'] = [rule['source_ip_address']]
+ if logged:
+ rule['logged'] = True
 translated_rules.append(rule)
 return translated_rules

@@ -183,7 +185,10 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):
 return

 # Translate the FWaaS rules
- rules = self._translate_rules(firewall['firewall_rule_list'])
+ # TODO(asarfaty): get this value from the firewall extensions
+ logged = False
+ rules = self._translate_rules(firewall['firewall_rule_list'],
+ logged=logged)

 # update each relevant edge with the new rules
 for router_info in apply_list:
@@ -244,5 +249,8 @@ class EdgeFwaasDriver(fwaas_base.FwaasDriverBase):

 def get_firewall_translated_rules(self, firewall):
 if firewall['admin_state_up']:
- return self._translate_rules(firewall['firewall_rule_list'])
+ # TODO(asarfaty): get this value from the firewall extensions
+ logged = False
+ return self._translate_rules(firewall['firewall_rule_list'],
+ logged=logged)
 return []
diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
index dd9392cf92..a5d0fffc84 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py
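Review bot: In the second hunk of this file, `_translate_rules` writes the literal `rule['logged'] = True` instead of the `logged` argument, which is harmless while the guard is `if logged:` but diverges from the NSX-V3 base driver in this same patch, which writes `nsx_rule['logged'] = logged`; `rule['logged'] = logged` keeps the two translators interchangeable. The assignment also mutates the caller's FWaaS rule dict in place, as the surrounding `source_ip_address` rewrites already do, so any caller still holding `firewall['firewall_rule_list']` sees the backend-only key appear; a comment such as `# NOTE: rewrites the FWaaS rule dicts in place` above the loop would make that contract explicit. The enclosing method begins outside the hunk.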
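Review bot: `logged = False` together with the identical `TODO(asarfaty)` comment is now pasted at four call sites — the third and fourth hunks of this file, the NSX-V3 v1 driver's `get_firewall_translated_rules`, and the v2 driver's per-port method — so when the value finally comes from the firewall extensions each copy has to be found separately and they can silently diverge in how they read it. One helper on the common base, e.g. `def _is_logging_requested(self, firewall): return False  # TODO(asarfaty): read from firewall extensions`, called from every site, keeps a single decision point and makes the future change a one-line edit. As far as these hunks show, the `logged=True` path through the drivers is unreachable from production code until that wiring lands, which is worth saying in the TODO so nobody mistakes the flag for a working feature.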
@@ -145,7 +145,7 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 ]

 def _translate_rules(self, fwaas_rules, replace_src=None,
- replace_dest=None):
+ replace_dest=None, logged=False):
 translated_rules = []
 for rule in fwaas_rules:
 nsx_rule = {}
@@ -183,7 +183,8 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
 [rule['source_ip_address']])
 if rule.get('protocol'):
 nsx_rule['services'] = self._translate_services(rule)
-
+ if logged:
+ nsx_rule['logged'] = logged
 translated_rules.append(nsx_rule)
 return translated_rules

diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v1.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v1.py
index 4aadefe5cb..aa2aa9b829 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v1.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v1.py
@@ -114,6 +114,9 @@ class EdgeFwaasV3DriverV1(base_driver.CommonEdgeFwaasV3Driver):
 """
 # Return the firewall rules only if the fw is up
 if firewall['admin_state_up']:
- return self._translate_rules(firewall['firewall_rule_list'])
+ # TODO(asarfaty): get this value from the firewall extensions
+ logged = False
+ return self._translate_rules(firewall['firewall_rule_list'],
+ logged=logged)
 return []

diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
index 3f938274af..c6ba0c7839 100644
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py
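Review bot: `_translate_rules` gains a third keyword, `logged=False`, on top of `replace_src`/`replace_dest` and still has no docstring, and the nsx_v counterpart in this patch is in the same state, so a caller cannot tell from the signature whether `logged` applies to every rule or only to rules that opt in. A short docstring under the signature would settle it, e.g. `"""Translate FWaaS rules into NSX firewall rule dicts; when ``logged`` is true, every translated rule is emitted with logged=True."""` — the second hunk of this file is what grounds that wording, since it sets `nsx_rule['logged']` inside the per-rule loop only when the flag is truthy. The method body continues past the end of both hunks.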
@@ -86,14 +86,18 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
 plugin_rules):
 """Return the list of translated rules per port"""
 port_rules = []
+ # TODO(asarfaty): get this value from the firewall group extensions
+ logged = False
 # Add the firewall group ingress/egress rules only if the fw is up
 if firewall_group['admin_state_up']:
 port_rules.extend(self._translate_rules(
 firewall_group['ingress_rule_list'],
- replace_dest=nsx_port_id))
+ replace_dest=nsx_port_id,
+ logged=logged))
 port_rules.extend(self._translate_rules(
 firewall_group['egress_rule_list'],
- replace_src=nsx_port_id))
+ replace_src=nsx_port_id,
+ logged=logged))

 # Add the per-port plugin rules
 if plugin_rules and isinstance(plugin_rules, list):
diff --git a/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py b/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
index ec96ef1535..7b8f0d5779 100644
--- a/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_fwaas_driver.py
@@ -53,7 +53,7 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'id': 'fake-fw-rule3'}
 return [rule1, rule2, rule3]

- def _fake_backend_rules_v4(self):
+ def _fake_backend_rules_v4(self, logged=False):
 rule1 = {'enabled': True,
 'action': 'allow',
 'ip_version': 4,
@@ -80,7 +80,9 @@ class NsxvFwaasTestCase(test_v_plugin.NsxVPluginV2TestCase):
 'position': '2',
 'id': 'fake-fw-rule3',
 'name': 'Fwaas-fake-fw-rule3'}
-
+ if logged:
+ for rule in (rule1, rule2, rule3):
+ rule['loggingEnabled'] = logged
 return [rule1, rule2, rule3]

 def _fake_firewall_no_rule(self):
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
index 8f6d472101..33b240b158 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v1_driver.py
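Review bot: `_fake_backend_rules_v4` in test_fwaas_driver.py now accepts `logged=False` and decorates the expected rules with `loggingEnabled`, but nothing in this patch calls it with `logged=True`, so the new `loggingEnabled` branch in `EdgeFirewallDriver` and the `rule['logged'] = True` path in the nsx_v FWaaS driver are not exercised; the `_fake_translated_rules(..., logged=...)` helpers added in test_fwaas_v1_driver.py and test_fwaas_v2_driver.py are in the same position. Since the drivers hard-code `logged = False`, a test has to drive the translator directly — one case per backend that calls `_translate_rules(rules, logged=True)` and compares against the corresponding fake with `logged=True` would pin the mapping before the extension wiring lands. Whether such a case already exists elsewhere in these test modules is not visible from the hunks.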
@@ -102,7 +102,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 'id': 'fake-fw-rule4'}
 return [rule1, rule2, rule3, rule4]

- def _fake_translated_rules(self):
+ def _fake_translated_rules(self, logged=False):
 # The expected translation of the rules in _fake_rules_v4
 service1 = {'l4_protocol': 'TCP',
 'resource_type': 'L4PortSetNSService',
@@ -135,6 +135,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 'target_type': 'IPv4Address'}],
 'display_name': 'Fwaas-fake-fw-rule4'}

+ if logged:
+ for rule in (rule1, rule2, rule3, rule4):
+ rule['logged'] = logged
 return [rule1, rule2, rule3, rule4]

 def _fake_firewall_no_rule(self):
diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
index 942c95f97e..10dd5190c2 100644
--- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
+++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py
@@ -104,7 +104,8 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):

 return [rule1, rule2, rule3, rule4]

- def _fake_translated_rules(self, nsx_port_id, is_ingress=True):
+ def _fake_translated_rules(self, nsx_port_id, is_ingress=True,
+ logged=False):
 # The expected translation of the rules in _fake_rules_v4
 service1 = {'l4_protocol': 'TCP',
 'resource_type': 'L4PortSetNSService',
@@ -150,6 +151,9 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
 for rule in (rule1, rule2, rule3, rule4):
 rule[field] = new_val
 rule['direction'] = direction
+ if logged:
+ for rule in (rule1, rule2, rule3, rule4):
+ rule['logged'] = logged
 return [rule1, rule2, rule3, rule4]

 def _fake_empty_firewall_group(self):