diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py index f7d094b41f..bd1c7b0e97 100644 --- a/vmware_nsx/plugins/nsx_v3/plugin.py +++ b/vmware_nsx/plugins/nsx_v3/plugin.py @@ -3613,12 +3613,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin, # Add rules to allow dhcp traffic relay servers if relay_servers: - # if it is a single port, the source/dest is this logical port + # if it is a single port, the source/dest is this logical switch if port_id: - _net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( + nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id( context.session, port_id) - port_target = [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}] + port_target = [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}] else: port_target = None # translate the relay server ips to the firewall format diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py index 59791abf4b..b07cd06554 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py +++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_base.py 
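Review bot: The switch id returned by `nsx_db.get_nsx_switch_and_port_id` goes straight into `port_target` with no check that a mapping was found, in the `if port_id:` branch of the plugin.py hunk. If that lookup can return an empty pair for a port whose NSX mapping is not stored yet (not visible on this page, so worth confirming), the DHCP relay allow rules are built with `'target_id': None`, and with a `LogicalSwitch` target a malformed rule concerns a whole network rather than one port. I would add `if not nsx_ls_id:` right after the lookup, then log and skip the relay rules or raise, rather than falling through to `port_target = None`, which is the untargeted case. The same unchecked lookup feeds `get_port_rules` in the fwaas_callbacks_v2.py hunk at `@@ -78,7`. The enclosing method starts and ends outside this hunk.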
@@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase): nsx_rule['action'] = self._translate_action( rule['action'], rule['id']) if replace_dest: - # set this value as the destination logical port, + # set this value as the destination logical switch, # and set the rule to ingress - nsx_rule['destinations'] = [{'target_type': 'LogicalPort', + nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch', 'target_id': replace_dest}] nsx_rule['direction'] = 'IN' elif rule.get('destination_ip_address'): nsx_rule['destinations'] = self.translate_addresses_to_target( [rule['destination_ip_address']]) if replace_src: - # set this value as the source logical port, - # and set the rule to eggress - nsx_rule['sources'] = [{'target_type': 'LogicalPort', + # set this value as the source logical switch, + # and set the rule to egress + nsx_rule['sources'] = [{'target_type': 'LogicalSwitch', 'target_id': replace_src}] nsx_rule['direction'] = 'OUT' elif rule.get('source_ip_address'): diff --git a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py index c6ba0c7839..d01ef7068b 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py +++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver_v2.py @@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver): for router_id in routers: self.core_plugin.update_router_firewall(context, router_id) - def get_port_translated_rules(self, nsx_port_id, firewall_group, + def get_port_translated_rules(self, nsx_ls_id, firewall_group, plugin_rules): """Return the list of translated rules per port""" port_rules = [] 
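Review bot: The docstring of `get_port_translated_rules` still reads "Return the list of translated rules per port" although the first argument is now the NSX logical switch id, at the renamed signature in edge_fwaas_driver_v2.py. I would reword it to `"""Return the translated rules for a router port, targeted at its NSX logical switch"""` so that a later caller does not hand in a logical port id. Renaming the parameter also breaks any caller that passed `nsx_port_id=` by keyword; the one caller visible on this page passes it positionally. The method body continues in the following hunks.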
@@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver): if firewall_group['admin_state_up']: port_rules.extend(self._translate_rules( firewall_group['ingress_rule_list'], - replace_dest=nsx_port_id, + replace_dest=nsx_ls_id, logged=logged)) port_rules.extend(self._translate_rules( firewall_group['egress_rule_list'], - replace_src=nsx_port_id, + replace_src=nsx_ls_id, logged=logged)) # Add the per-port plugin rules @@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver): port_rules.extend([ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': nsx_port_id}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': nsx_ls_id}], 'direction': 'OUT'}]) return port_rules diff --git a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py index f5b669603d..361daefeb7 100644 --- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py +++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v2.py @@ -64,9 +64,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): return True - def get_port_rules(self, nsx_port_id, fwg, plugin_rules): + def get_port_rules(self, nsx_ls_id, fwg, plugin_rules): return self.internal_driver.get_port_translated_rules( - nsx_port_id, fwg, plugin_rules) + nsx_ls_id, fwg, plugin_rules) def update_router_firewall(self, context, nsxlib, router_id, router_interfaces, nsx_router_id, section_id): 
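Review bot: The two default drop rules keep the display names "Block port ingress" and "Block port egress" while their target is now a `LogicalSwitch`, in the `port_rules.extend([...])` block at `@@ -107,13` of edge_fwaas_driver_v2.py. Someone auditing the router's firewall section will read a rule named for a port that is in fact scoped to the switch, which makes it harder to judge what a drop rule covers. Since the names are also asserted in test_fwaas_v2_driver.py, the lighter fix is a comment above the block: `# target is the logical switch of the router port, not the port itself; the rule is scoped to that switch`.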
@@ -78,7 +78,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): fw_rules = [] # Add firewall rules per port attached to a firewall group for port in router_interfaces: - _net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( + nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id( context.session, port['id']) # Check if this port has a firewall @@ -91,7 +91,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2): # add the FWaaS rules for this port # ingress/egress firewall rules + default ingress/egress drop # rule for this port - fw_rules.extend(self.get_port_rules(nsx_port_id, fwg, + fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg, plugin_rules)) # add a default allow-all rule to all other traffic & ports diff --git a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py index c9e1e709c0..37fc3e7207 100644 --- a/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py +++ b/vmware_nsx/tests/unit/nsx_v3/test_fwaas_v2_driver.py @@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid' FAKE_ROUTER_ID = 'fake_rtr_uuid' FAKE_PORT_ID = 'fake_port_uuid' FAKE_NET_ID = 'fake_net_uuid' -FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid' +FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid' MOCK_NSX_ID = 'nsx_nsx_router_id' MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id' MOCK_SECTION_ID = 'sec_id' @@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): field = 'sources' direction = 'OUT' new_val = [{'target_id': nsx_port_id, - 'target_type': 'LogicalPort'}] + 'target_type': 'LogicalSwitch'}] for rule in (rule1, rule2, rule3, rule4): rule[field] = new_val rule['direction'] = direction 
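Review bot: `new_val` is still built from a variable called `nsx_port_id` while its `target_type` is now `'LogicalSwitch'`, in the test helper changed at `@@ -149,7` of test_fwaas_v2_driver.py. The later hunks pass `FAKE_NSX_LS_ID` to what is presumably this helper (`_fake_translated_rules`), so the name now says the opposite of what the value is. Renaming it, `new_val = [{'target_id': nsx_ls_id, 'target_type': 'LogicalSwitch'}]`, keeps the test consistent with the driver. The helper's signature lies outside the hunk, so the rename has to be made there too.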
@@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.create_firewall_group('nsx', apply_list, firewall) @@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): expected_rules = [ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ] 
@@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: func('nsx', apply_list, firewall) expected_rules = self._fake_translated_rules( - FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [ + FAKE_NSX_LS_ID, is_ingress=is_ingress) + [ {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ] @@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=None),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.delete_firewall_group('nsx', apply_list, firewall) 
@@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', return_value=firewall),\ mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", - return_value=(0, FAKE_NSX_PORT_ID)),\ + return_value=(FAKE_NSX_LS_ID, 0)),\ mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." "update") as update_fw: self.firewall.create_firewall_group('nsx', apply_list, firewall) @@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin): expected_rules = [ {'display_name': "DHCP Relay ingress traffic", 'action': consts.FW_ACTION_ALLOW, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'sources': [{'target_id': relay_server, 'target_type': 'IPv4Address'}], 'services': self.plugin._get_port_relay_services(), 'direction': 'IN'}, {'display_name': "DHCP Relay egress traffic", 'action': consts.FW_ACTION_ALLOW, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'destinations': [{'target_id': relay_server, 'target_type': 'IPv4Address'}], 'services': self.plugin._get_port_relay_services(), 'direction': 'OUT'}, {'display_name': "Block port ingress", 'action': consts.FW_ACTION_DROP, - 'destinations': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'destinations': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'IN'}, {'display_name': "Block port egress", 'action': consts.FW_ACTION_DROP, - 'sources': [{'target_type': 'LogicalPort', - 'target_id': FAKE_NSX_PORT_ID}], + 'sources': [{'target_type': 'LogicalSwitch', + 'target_id': FAKE_NSX_LS_ID}], 'direction': 'OUT'}, self._default_rule() ]