From bca98b22a82350bc946524c098a12b4ef1ae7b92 Mon Sep 17 00:00:00 2001 From: Adit Sarfaty Date: Thu, 29 Jun 2017 16:44:57 +0300 Subject: [PATCH] NSX|v: Add FW rules for same scope subnets When the router gateway is on the same address scope as some of the interfaces, we do not add SNAT rules for those subnets. For the traffic to pass, we should also add a matching FW rule to allow the return traffic, the same way we do it for no-SNAT routers. Change-Id: Ief4519111b20aed43f660c78a461cd208332a502 --- .../nsx_v/drivers/shared_router_driver.py | 10 +++- vmware_nsx/plugins/nsx_v/plugin.py | 51 +++++++++++++++++-- .../nsx_v/vshield/edge_firewall_driver.py | 4 -- vmware_nsx/tests/unit/nsx_v/test_md_proxy.py | 3 ++ vmware_nsx/tests/unit/nsx_v/test_plugin.py | 21 ++++++-- 5 files changed, 78 insertions(+), 11 deletions(-) diff --git a/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py b/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py index e23d7ab44e..e0df7a3215 100644 --- a/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py +++ b/vmware_nsx/plugins/nsx_v/drivers/shared_router_driver.py @@ -294,7 +294,7 @@ class RouterSharedDriver(router_driver.RouterBaseDriver): context, router['id']) subnet_cidrs.extend([route['destination'] for route in routes]) if subnet_cidrs: - # Fake fw rule to open subnets firewall flows and static routes + # Add fw rule to open subnets firewall flows and static routes # relative flows fake_subnet_fw_rule = { 'name': 'Subnet Rule', @@ -313,6 +313,14 @@ class RouterSharedDriver(router_driver.RouterBaseDriver): 'enabled': True, 'destination_ip_address': dnat_cidrs} fake_fw_rules.append(fake_dnat_fw_rule) + + # Add rule for not NAT-ed allocation pools + alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule( + context, router) + if alloc_pool_rule: + fake_fw_rules.append(alloc_pool_rule) + + # Add no-snat rules nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules( context, router) fake_fw_rules.extend(nosnat_fw_rules) diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py index 190c332f1e..acfa329686 100644 --- a/vmware_nsx/plugins/nsx_v/plugin.py +++ b/vmware_nsx/plugins/nsx_v/plugin.py @@ -141,6 +141,11 @@ PORTGROUP_PREFIX = 'dvportgroup' ROUTER_SIZE = routersize.ROUTER_SIZE VALID_EDGE_SIZES = routersize.VALID_EDGE_SIZES +SUBNET_RULE_NAME = 'Subnet Rule' +DNAT_RULE_NAME = 'DNAT Rule' +ALLOCATION_POOL_RULE_NAME = 'Allocation Pool Rule' +NO_SNAT_RULE_NAME = 'No SNAT Rule' + @resource_extend.has_resource_extenders class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, @@ -3326,13 +3331,47 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, router['id']) if subnet_cidrs: no_snat_fw_rules.append({ - 'name': edge_firewall_driver.NO_SNAT_RULE_NAME, + 'name': NO_SNAT_RULE_NAME, 'action': 'allow', 'enabled': True, 'source_vnic_groups': ["external"], 'destination_ip_address': subnet_cidrs}) return no_snat_fw_rules + def _get_allocation_pools_fw_rule(self, context, router): + """Get the firewall rule for the default gateway address pool + + Return the firewall rule that should be added in order to allow + not SNAT-ed traffic to external gateway with the same address scope as + the interfaces + """ + gw_port = router.gw_port + if not gw_port or not router.enable_snat: + return + + gw_address_scope = self._get_network_address_scope( + context, gw_port['network_id']) + if gw_address_scope is None: + return + + subnets = self._find_router_subnets_and_cidrs(context.elevated(), + router['id']) + no_nat_cidrs = [] + for subnet in subnets: + # if the subnets address scope is the same as the gateways: + # we should add it to the rule + subnet_address_scope = self._get_subnet_address_scope( + context, subnet['id']) + if (gw_address_scope == subnet_address_scope): + no_nat_cidrs.append(subnet['cidr']) + + if no_nat_cidrs: + return {'name': ALLOCATION_POOL_RULE_NAME, + 'action': 'allow', + 'enabled': True, + 'source_vnic_groups': ["external"], + 'destination_ip_address': no_nat_cidrs} + def _update_nat_rules(self, context, router, router_id=None): snat, dnat = self._get_nat_rules(context, router) if not router_id: @@ -3577,7 +3616,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, subnet_cidrs.extend([route['destination'] for route in routes]) if subnet_cidrs: subnet_fw_rule = { - 'name': edge_firewall_driver.SUBNET_RULE_NAME, + 'name': SUBNET_RULE_NAME, 'action': 'allow', 'enabled': True, 'source_ip_address': subnet_cidrs, @@ -3598,12 +3637,18 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin, dnat_cidrs = [rule['dst'] for rule in dnat_rules] if dnat_cidrs: dnat_fw_rule = { - 'name': edge_firewall_driver.DNAT_RULE_NAME, + 'name': DNAT_RULE_NAME, 'action': 'allow', 'enabled': True, 'destination_ip_address': dnat_cidrs} fw_rules.append(dnat_fw_rule) + # Add rule for not NAT-ed allocation pools + alloc_pool_rule = self._get_allocation_pools_fw_rule( + context, router_db) + if alloc_pool_rule: + fw_rules.append(alloc_pool_rule) + # Add no-snat rules nosnat_fw_rules = self._get_nosnat_subnets_fw_rules( context, router_db) diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py index fd4bbe13a1..c462bc4fa1 100644 --- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py +++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py @@ -32,10 +32,6 @@ FWAAS_DENY = "deny" FWAAS_REJECT = "reject" FWAAS_ALLOW_EXT_RULE_NAME = 'Allow To External' -SUBNET_RULE_NAME = 'Subnet Rule' -DNAT_RULE_NAME = 'DNAT Rule' -NO_SNAT_RULE_NAME = 'No SNAT Rule' - class EdgeFirewallDriver(object): """Implementation of driver APIs for diff --git a/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py b/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py index 7a4ac1108e..977c8ec857 100644 --- a/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py +++ b/vmware_nsx/tests/unit/nsx_v/test_md_proxy.py @@ -184,6 +184,9 @@ class TestExclusiveRouterWithMdTestCase( def test_floatingip_delete_router_intf_with_port_id_returns_409(self): self.skipTest("The test is not suitable for the metadata test case") + def test_router_address_scope_snat_rules(self): + self.skipTest("The test is not suitable for the metadata test case") + class TestVdrWithMdTestCase(test_plugin.TestVdrTestCase, NsxVPluginWithMdV2TestCase): diff --git a/vmware_nsx/tests/unit/nsx_v/test_plugin.py b/vmware_nsx/tests/unit/nsx_v/test_plugin.py index c2feb69d5a..e37d813d9f 100644 --- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py +++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py @@ -3601,7 +3601,7 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase, def test_router_address_scope_snat_rules(self): """Test that if the router interface had the same address scope - as the gateway - snat rule is not added. + as the gateway - snat rule is not added, but firewall rule is. """ # create an external network on one address scope with self.address_scope(name='as1') as addr_scope, \ @@ -3639,9 +3639,11 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase, r['router']['id'], ext_subnet['subnet']['network_id']) - # Add the interface + # Add the interface to the router with mock.patch.object( - edge_utils, 'update_nat_rules') as update_nat: + edge_utils, 'update_nat_rules') as update_nat,\ + mock.patch.object( + edge_utils, 'update_firewall') as update_fw: self._router_interface_action( 'add', r['router']['id'], @@ -3651,6 +3653,19 @@ class TestExclusiveRouterTestCase(L3NatTest, L3NatTestCaseBase, update_nat.assert_called_once_with( mock.ANY, mock.ANY, r['router']['id'], [], []) + # check fw rules + fw_rules = update_fw.call_args[0][3][ + 'firewall_rule_list'] + self.assertEqual(2, len(fw_rules)) + self.assertEqual('Allocation Pool Rule', + fw_rules[1]['name']) + self.assertEqual('allow', fw_rules[1]['action']) + self.assertEqual( + int_subnet['subnet']['cidr'], + fw_rules[1]['destination_ip_address'][0]) + self.assertEqual('external', + fw_rules[1]['source_vnic_groups'][0]) + class ExtGwModeTestCase(NsxVPluginV2TestCase, test_ext_gw_mode.ExtGwModeIntTestCase):