x/vmware-nsx
Code Issues Proposed changes

NVP Router: Do no perfom SNAT on E-W traffic

Browse Source 
Bug 1130053

This patch ensures 'No Snat' rules are enforced in order to avoid source
natting on east-west traffic.

Change-Id: I967e72e7b6bc8e2763c0fbdf6deeafb43ff27f54
This commit is contained in:
Salvatore Orlando 2013-02-27 02:28:25 +01:00
parent 9d44d51c3a
commit 75494e4647
2 changed files with 37 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
View File

@ -71,6 +71,7 @@ from quantum.plugins.nicira.nicira_nvp_plugin import NvpApiClient
from quantum.plugins.nicira.nicira_nvp_plugin import nvplib from quantum.plugins.nicira.nicira_nvp_plugin import nvplib
LOG = logging.getLogger("QuantumPlugin") LOG = logging.getLogger("QuantumPlugin")
NVP_NOSNAT_RULES_ORDER = 10
NVP_FLOATINGIP_NAT_RULES_ORDER = 200 NVP_FLOATINGIP_NAT_RULES_ORDER = 200
NVP_EXTGW_NAT_RULES_ORDER = 255 NVP_EXTGW_NAT_RULES_ORDER = 255
@ -1667,7 +1668,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
cluster, context, router_id, port, cluster, context, router_id, port,
"PatchAttachment", ls_port['uuid'], "PatchAttachment", ls_port['uuid'],
subnet_ids=[subnet_id]) subnet_ids=[subnet_id])
subnet = self._get_subnet(context, subnet_id)
# If there is an external gateway we need to configure the SNAT rule. # If there is an external gateway we need to configure the SNAT rule.
# Fetch router from DB # Fetch router from DB
router = self._get_router(context, router_id) router = self._get_router(context, router_id)
@ -1677,11 +1678,14 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
# In that case we will consider only the first one # In that case we will consider only the first one
if gw_port.get('fixed_ips'): if gw_port.get('fixed_ips'):
snat_ip = gw_port['fixed_ips'][0]['ip_address'] snat_ip = gw_port['fixed_ips'][0]['ip_address']
subnet = self._get_subnet(context, subnet_id)
nvplib.create_lrouter_snat_rule( nvplib.create_lrouter_snat_rule(
cluster, router_id, snat_ip, snat_ip, cluster, router_id, snat_ip, snat_ip,
order=NVP_EXTGW_NAT_RULES_ORDER, order=NVP_EXTGW_NAT_RULES_ORDER,
match_criteria={'source_ip_addresses': subnet['cidr']}) match_criteria={'source_ip_addresses': subnet['cidr']})
nvplib.create_lrouter_nosnat_rule(
cluster, router_id,
order=NVP_NOSNAT_RULES_ORDER,
match_criteria={'destination_ip_addresses': subnet['cidr']})
# Ensure the NVP logical router has a connection to a 'metadata access' # Ensure the NVP logical router has a connection to a 'metadata access'
# network (with a proxy listening on its DHCP port), by creating it # network (with a proxy listening on its DHCP port), by creating it
@ -1761,6 +1765,12 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
cluster, router_id, "SourceNatRule", cluster, router_id, "SourceNatRule",
max_num_expected=1, min_num_expected=1, max_num_expected=1, min_num_expected=1,
source_ip_addresses=subnet['cidr']) source_ip_addresses=subnet['cidr'])
# Relax the minimum expected number as the nosnat rules
# do not exist in 2.x deployments
nvplib.delete_nat_rules_by_match(
cluster, router_id, "NoSourceNatRule",
max_num_expected=1, min_num_expected=0,
destination_ip_addresses=subnet['cidr'])
nvplib.delete_router_lport(cluster, router_id, lrouter_port_id) nvplib.delete_router_lport(cluster, router_id, lrouter_port_id)
except NvpApiClient.ResourceNotFound: except NvpApiClient.ResourceNotFound:
raise nvp_exc.NvpPluginException( raise nvp_exc.NvpPluginException(

26
quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
View File

@ -1124,6 +1124,11 @@ def _build_snat_rule_obj(min_src_ip, max_src_ip, nat_match_obj):
"match": nat_match_obj} "match": nat_match_obj}
def create_lrouter_nosnat_rule_v2(cluster, _router_id, _match_criteria=None):
LOG.info(_("No SNAT rules cannot be applied as they are not available in "
"this version of the NVP platform"))
def create_lrouter_snat_rule_v2(cluster, router_id, def create_lrouter_snat_rule_v2(cluster, router_id,
min_src_ip, max_src_ip, match_criteria=None): min_src_ip, max_src_ip, match_criteria=None):
@ -1147,6 +1152,18 @@ def create_lrouter_dnat_rule_v2(cluster, router_id, dst_ip,
return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj) return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
def create_lrouter_nosnat_rule_v3(cluster, router_id, order=None,
match_criteria=None):
nat_match_obj = _create_nat_match_obj(**match_criteria)
nat_rule_obj = {
"type": "NoSourceNatRule",
"match": nat_match_obj
}
if order:
nat_rule_obj['order'] = order
return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
def create_lrouter_snat_rule_v3(cluster, router_id, min_src_ip, max_src_ip, def create_lrouter_snat_rule_v3(cluster, router_id, min_src_ip, max_src_ip,
order=None, match_criteria=None): order=None, match_criteria=None):
nat_match_obj = _create_nat_match_obj(**match_criteria) nat_match_obj = _create_nat_match_obj(**match_criteria)
@ -1182,6 +1199,11 @@ def create_lrouter_snat_rule(cluster, *args, **kwargs):
pass pass
@version_dependent
def create_lrouter_nosnat_rule(cluster, *args, **kwargs):
pass
def delete_nat_rules_by_match(cluster, router_id, rule_type, def delete_nat_rules_by_match(cluster, router_id, rule_type,
max_num_expected, max_num_expected,
min_num_expected=0, min_num_expected=0,
@ -1283,7 +1305,9 @@ NVPLIB_FUNC_DICT = {
'create_lrouter_dnat_rule': {2: create_lrouter_dnat_rule_v2, 'create_lrouter_dnat_rule': {2: create_lrouter_dnat_rule_v2,
3: create_lrouter_dnat_rule_v3}, 3: create_lrouter_dnat_rule_v3},
'create_lrouter_snat_rule': {2: create_lrouter_snat_rule_v2, 'create_lrouter_snat_rule': {2: create_lrouter_snat_rule_v2,
3: create_lrouter_snat_rule_v3} 3: create_lrouter_snat_rule_v3},
'create_lrouter_nosnat_rule': {2: create_lrouter_nosnat_rule_v2,
3: create_lrouter_nosnat_rule_v3}
} }