Merge "Fix firewall rule to allow ping on DHCP edge"

2016-12-21 12:56:04 +00:00 · 2016-12-21 12:56:04 +00:00 · 793a87b1b6
commit 793a87b1b6
parent ec41e9b0f3 e635d0a0f8
5 changed files with 58 additions and 3 deletions
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -2249,11 +2249,24 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                              subnet['id'])

    def setup_dhcp_edge_fw_rules(self, context, plugin, router_id):
-        rules = [{"name": "ICMPPing",
+        rules = []
+        # It would be best to configure the rule with icmp type 8 (Echo),
+        # but this format is broken on Edge (should be fixed in 6.3.1)
+        # TODO(annak): use icmp type when fix is available
+        # Workaround: use applications, but since application ids can change,
+        # need to look them up by application name
+        try:
+            application_ids = plugin.nsx_v.get_icmp_echo_application_ids()
+
+            rules = [{"name": "ICMPPing",
                  "enabled": True,
                  "action": "allow",
-                  "protocol": "icmp",
-                  "icmp_type": 8}]
+                  "application": {
+                      "applicationId": application_ids}}]
+
+        except Exception as e:
+            LOG.error(
+                _LE('Could not find ICMP Echo application. Exception %s'), e)

        if plugin.metadata_proxy_handler:
            rules += nsx_v_md_proxy.get_router_fw_rules()
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@ -16,6 +16,7 @@ from oslo_log import log as logging
 from oslo_utils import excutils

 from vmware_nsx._i18n import _, _LE
+from vmware_nsx.common import exceptions as nsx_exc
 from vmware_nsx.db import nsxv_db
 from vmware_nsx.plugins.nsx_v.vshield.common import (
    exceptions as vcns_exc)
@ -33,6 +34,10 @@ class EdgeFirewallDriver(object):
    """Implementation of driver APIs for
       Edge Firewall feature configuration
    """
+    def __init__(self):
+        super(EdgeFirewallDriver, self).__init__()
+        self._icmp_echo_application_ids = None
+
    def _convert_firewall_action(self, action):
        if action == FWAAS_ALLOW:
            return VSE_FWAAS_ALLOW
@ -409,3 +414,26 @@ class EdgeFirewallDriver(object):
                        }
                        nsxv_db.add_nsxv_edge_firewallrule_binding(
                            context.session, map_info)
+
+    def get_icmp_echo_application_ids(self):
+        # check cached list first
+        # (if backend version changes, neutron should be restarted)
+        if self._icmp_echo_application_ids:
+            return self._icmp_echo_application_ids
+
+        self._icmp_echo_application_ids = self.get_application_ids(
+                ['ICMP Echo', 'IPv6-ICMP Echo'])
+        if not self._icmp_echo_application_ids:
+            raise nsx_exc.NsxResourceNotFound(
+                        res_name='ICMP Echo', res_id='')
+        return self._icmp_echo_application_ids
+
+    def get_application_ids(self, application_names):
+        results = self.vcns.list_applications()
+        application_ids = []
+        for result in results:
+            for name in application_names:
+                if result['name'] == name:
+                    application_ids.append(result['objectId'])
+
+        return application_ids
--- a/vmware_nsx/plugins/nsx_v/vshield/vcns.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
@ -50,6 +50,7 @@ TRUSTSTORE_PREFIX = '%s/%s' % (SERVICES_PREFIX, 'truststore')
 EXCLUDELIST_PREFIX = '/api/2.1/app/excludelist'
 SERVICE_INSERTION_PROFILE_PREFIX = '/api/2.0/si/serviceprofile'
 SECURITY_POLICY_PREFIX = '/api/2.0/services/policy/securitypolicy'
+APPLICATION_PREFIX = '%s/%s' % (SERVICES_PREFIX, 'application')

 #LbaaS Constants
 LOADBALANCER_SERVICE = "loadbalancer/config"
@ -1030,3 +1031,8 @@ class Vcns(object):
        uri = '%s/all' % (SECURITY_POLICY_PREFIX)
        h, policies = self.do_request(HTTP_GET, uri, decode=True)
        return policies
+
+    def list_applications(self):
+        uri = '%s/scope/globalroot-0' % APPLICATION_PREFIX
+        h, apps = self.do_request(HTTP_GET, uri, decode=True)
+        return apps
--- a/vmware_nsx/services/lbaas/nsx_v/v2/edge_loadbalancer_driver_v2.py
+++ b/vmware_nsx/services/lbaas/nsx_v/v2/edge_loadbalancer_driver_v2.py
@ -26,6 +26,7 @@ from vmware_nsx.services.lbaas.nsx_v.v2 import pool_mgr
 class EdgeLoadbalancerDriverV2(object):
    @log_helpers.log_method_call
    def __init__(self):
+        super(EdgeLoadbalancerDriverV2, self).__init__()
        self.loadbalancer = lb_mgr.EdgeLoadBalancerManager(self)
        self.listener = listener_mgr.EdgeListenerManager(self)
        self.pool = pool_mgr.EdgePoolManager(self)
--- a/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
+++ b/vmware_nsx/tests/unit/nsx_v/vshield/fake_vcns.py
@ -1402,3 +1402,10 @@ class FakeVcns(object):
        for id in ['policy-1', 'policy-2', 'policy-3']:
            policies.append(self.get_security_policy(id, return_xml=False))
        return {'policies': policies}
+
+    def list_applications(self):
+        applications = [{'name': 'ICMP Echo', 'objectID': 'application-333'},
+                        {'name': 'IPv6-ICMP Echo',
+                            'objectID': 'application-1001'}]
+
+        return applications