NSX|v: Add FW rules for same scope subnets

When the router gateway is on the same address scope as some of the interfaces, we do not add SNAT rules for those subnets. For the traffic to pass, we should also add a matching FW rule to allow the return traffic, the same way we do it for no-SNAT routers. Change-Id: Ief4519111b20aed43f660c78a461cd208332a502
2017-06-29 16:44:57 +03:00 · 2017-06-29 16:44:57 +03:00 · bca98b22a8
commit bca98b22a8
parent 80dfbcdc9a
5 changed files with 78 additions and 11 deletions
--- a/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py
+++ b/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py
@ -294,7 +294,7 @@ class RouterSharedDriver(router_driver.RouterBaseDriver):
                context, router['id'])
            subnet_cidrs.extend([route['destination'] for route in routes])
            if subnet_cidrs:
-                # Fake fw rule to open subnets firewall flows and static routes
+                # Add fw rule to open subnets firewall flows and static routes
                # relative flows
                fake_subnet_fw_rule = {
                    'name': 'Subnet Rule',
@ -313,6 +313,14 @@ class RouterSharedDriver(router_driver.RouterBaseDriver):
                    'enabled': True,
                    'destination_ip_address': dnat_cidrs}
                fake_fw_rules.append(fake_dnat_fw_rule)
+
+            # Add rule for not NAT-ed allocation pools
+            alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule(
+                context, router)
+            if alloc_pool_rule:
+                fake_fw_rules.append(alloc_pool_rule)
+
+            # Add no-snat rules
            nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
                context, router)
            fake_fw_rules.extend(nosnat_fw_rules)
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -141,6 +141,11 @@ PORTGROUP_PREFIX = 'dvportgroup'
 ROUTER_SIZE = routersize.ROUTER_SIZE
 VALID_EDGE_SIZES = routersize.VALID_EDGE_SIZES

+SUBNET_RULE_NAME = 'Subnet Rule'
+DNAT_RULE_NAME = 'DNAT Rule'
+ALLOCATION_POOL_RULE_NAME = 'Allocation Pool Rule'
+NO_SNAT_RULE_NAME = 'No SNAT Rule'
+

@resource_extend.has_resource_extenders
 class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
@ -3326,13 +3331,47 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
                                                           router['id'])
            if subnet_cidrs:
                no_snat_fw_rules.append({
-                    'name': edge_firewall_driver.NO_SNAT_RULE_NAME,
+                    'name': NO_SNAT_RULE_NAME,
                    'action': 'allow',
                    'enabled': True,
                    'source_vnic_groups': ["external"],
                    'destination_ip_address': subnet_cidrs})
        return no_snat_fw_rules

+    def _get_allocation_pools_fw_rule(self, context, router):
+        """Get the firewall rule for the default gateway address pool
+
+        Return the firewall rule that should be added in order to allow
+        not SNAT-ed traffic to external gateway with the same address scope as
+        the interfaces
+        """
+        gw_port = router.gw_port
+        if not gw_port or not router.enable_snat:
+            return
+
+        gw_address_scope = self._get_network_address_scope(
+            context, gw_port['network_id'])
+        if gw_address_scope is None:
+            return
+
+        subnets = self._find_router_subnets_and_cidrs(context.elevated(),
+                                                      router['id'])
+        no_nat_cidrs = []
+        for subnet in subnets:
+            # if the subnets address scope is the same as the gateways:
+            # we should add it to the rule
+            subnet_address_scope = self._get_subnet_address_scope(
+                context, subnet['id'])
+            if (gw_address_scope == subnet_address_scope):
+                no_nat_cidrs.append(subnet['cidr'])
+
+        if no_nat_cidrs:
+            return {'name': ALLOCATION_POOL_RULE_NAME,
+                    'action': 'allow',
+                    'enabled': True,
+                    'source_vnic_groups': ["external"],
+                    'destination_ip_address': no_nat_cidrs}
+
    def _update_nat_rules(self, context, router, router_id=None):
        snat, dnat = self._get_nat_rules(context, router)
        if not router_id:
@ -3577,7 +3616,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        subnet_cidrs.extend([route['destination'] for route in routes])
        if subnet_cidrs:
            subnet_fw_rule = {
-                'name': edge_firewall_driver.SUBNET_RULE_NAME,
+                'name': SUBNET_RULE_NAME,
                'action': 'allow',
                'enabled': True,
                'source_ip_address': subnet_cidrs,
@ -3598,12 +3637,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
            dnat_cidrs = [rule['dst'] for rule in dnat_rules]
            if dnat_cidrs:
                dnat_fw_rule = {
-                    'name': edge_firewall_driver.DNAT_RULE_NAME,
+                    'name': DNAT_RULE_NAME,
                    'action': 'allow',
                    'enabled': True,
                    'destination_ip_address': dnat_cidrs}
                fw_rules.append(dnat_fw_rule)

+            # Add rule for not NAT-ed allocation pools
+            alloc_pool_rule = self._get_allocation_pools_fw_rule(
+                context, router_db)
+            if alloc_pool_rule:
+                fw_rules.append(alloc_pool_rule)
+
            # Add no-snat rules
            nosnat_fw_rules = self._get_nosnat_subnets_fw_rules(
                context, router_db)
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@ -32,10 +32,6 @@ FWAAS_DENY = "deny"
 FWAAS_REJECT = "reject"
 FWAAS_ALLOW_EXT_RULE_NAME = 'Allow To External'

-SUBNET_RULE_NAME = 'Subnet Rule'
-DNAT_RULE_NAME = 'DNAT Rule'
-NO_SNAT_RULE_NAME = 'No SNAT Rule'
-

 class EdgeFirewallDriver(object):
    """Implementation of driver APIs for
--- a/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py
@ -184,6 +184,9 @@ class TestExclusiveRouterWithMdTestCase(
    def test_floatingip_delete_router_intf_with_port_id_returns_409(self):
        self.skipTest("The test is not suitable for the metadata test case")

+    def test_router_address_scope_snat_rules(self):
+        self.skipTest("The test is not suitable for the metadata test case")
+

 class TestVdrWithMdTestCase(test_plugin.TestVdrTestCase,
                            NsxVPluginWithMdV2TestCase):
--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@ -3601,7 +3601,7 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase,

    def test_router_address_scope_snat_rules(self):
        """Test that if the router interface had the same address scope
-        as the gateway - snat rule is not added.
+        as the gateway - snat rule is not added, but firewall rule is.
        """
        # create an external network on one address scope
        with self.address_scope(name='as1') as addr_scope, \
@ -3639,9 +3639,11 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase,
                        r['router']['id'],
                        ext_subnet['subnet']['network_id'])

-                    # Add the interface
+                    # Add the interface to the router
                    with mock.patch.object(
-                        edge_utils, 'update_nat_rules') as update_nat:
+                        edge_utils, 'update_nat_rules') as update_nat,\
+                        mock.patch.object(
+                            edge_utils, 'update_firewall') as update_fw:
                        self._router_interface_action(
                            'add',
                            r['router']['id'],
@ -3651,6 +3653,19 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase,
                        update_nat.assert_called_once_with(
                            mock.ANY, mock.ANY, r['router']['id'], [], [])

+                        # check fw rules
+                        fw_rules = update_fw.call_args[0][3][
+                            'firewall_rule_list']
+                        self.assertEqual(2, len(fw_rules))
+                        self.assertEqual('Allocation Pool Rule',
+                                         fw_rules[1]['name'])
+                        self.assertEqual('allow', fw_rules[1]['action'])
+                        self.assertEqual(
+                            int_subnet['subnet']['cidr'],
+                            fw_rules[1]['destination_ip_address'][0])
+                        self.assertEqual('external',
+                                         fw_rules[1]['source_vnic_groups'][0])
+

 class ExtGwModeTestCase(NsxVPluginV2TestCase,
                        test_ext_gw_mode.ExtGwModeIntTestCase):