Merge "NSX-v3: Use logical switch id in FWaaS V2 rules"

This commit is contained in:
Zuul 2018-01-15 15:16:21 +00:00 committed by Gerrit Code Review
commit c4a462d131
5 changed files with 43 additions and 43 deletions


@ -3613,12 +3613,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
# Add rules to allow dhcp traffic relay servers # Add rules to allow dhcp traffic relay servers
if relay_servers: if relay_servers:
# if it is a single port, the source/dest is this logical port # if it is a single port, the source/dest is this logical switch
if port_id: if port_id:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port_id) context.session, port_id)
port_target = [{'target_type': 'LogicalPort', port_target = [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}] 'target_id': nsx_ls_id}]
else: else:
port_target = None port_target = None
# translate the relay server ips to the firewall format # translate the relay server ips to the firewall format
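Review bot: The new comment on the `port_id` branch says the source/dest is "this logical switch" but does not record the security-relevant consequence of swapping `LogicalPort` for `LogicalSwitch`: the DHCP-relay allow rules now match traffic from every port on that switch, not only the router interface port they matched before. A later reader "tightening" the target back to the port would silently break relay again, so I would state the intent: `# relay allow rules must match the VMs' DHCP traffic, so scope them to the port's whole logical switch rather than the router port`. The branch also uses the switch id without checking it; if `nsx_db.get_nsx_switch_and_port_id` can return None for an unmapped port (its definition is not visible here) the rule would carry `'target_id': None`, so a guard before building `port_target` is worth confirming. The enclosing method starts and ends outside this hunk.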


@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
nsx_rule['action'] = self._translate_action( nsx_rule['action'] = self._translate_action(
rule['action'], rule['id']) rule['action'], rule['id'])
if replace_dest: if replace_dest:
# set this value as the destination logical port, # set this value as the destination logical switch,
# and set the rule to ingress # and set the rule to ingress
nsx_rule['destinations'] = [{'target_type': 'LogicalPort', nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_dest}] 'target_id': replace_dest}]
nsx_rule['direction'] = 'IN' nsx_rule['direction'] = 'IN'
elif rule.get('destination_ip_address'): elif rule.get('destination_ip_address'):
nsx_rule['destinations'] = self.translate_addresses_to_target( nsx_rule['destinations'] = self.translate_addresses_to_target(
[rule['destination_ip_address']]) [rule['destination_ip_address']])
if replace_src: if replace_src:
# set this value as the source logical port, # set this value as the source logical switch,
# and set the rule to eggress # and set the rule to egress
nsx_rule['sources'] = [{'target_type': 'LogicalPort', nsx_rule['sources'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_src}] 'target_id': replace_src}]
nsx_rule['direction'] = 'OUT' nsx_rule['direction'] = 'OUT'
elif rule.get('source_ip_address'): elif rule.get('source_ip_address'):
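Review bot: When `replace_dest` is given the rule's own `destination_ip_address` is discarded by the `elif` that follows, and the same holds for `replace_src` and `source_ip_address`; with the replacement target now a whole `LogicalSwitch` rather than a single `LogicalPort`, an ingress rule a tenant scoped to one address is applied to every port on the switch. That precedence is pre-existing, but the widening makes it worth documenting at the branch so the loss of precision reads as a decision rather than an oversight: `# NOTE: replace_dest/replace_src override the rule's own IP match; the rule is applied to the whole logical switch`. If the module already has a logger, a warning when both a replacement target and an explicit address are present would make the override visible to operators. The enclosing `_translate_rules` starts and ends outside this hunk.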


@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
for router_id in routers: for router_id in routers:
self.core_plugin.update_router_firewall(context, router_id) self.core_plugin.update_router_firewall(context, router_id)
def get_port_translated_rules(self, nsx_port_id, firewall_group, def get_port_translated_rules(self, nsx_ls_id, firewall_group,
plugin_rules): plugin_rules):
"""Return the list of translated rules per port""" """Return the list of translated rules per port"""
port_rules = [] port_rules = []
@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
if firewall_group['admin_state_up']: if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['ingress_rule_list'], firewall_group['ingress_rule_list'],
replace_dest=nsx_port_id, replace_dest=nsx_ls_id,
logged=logged)) logged=logged))
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
firewall_group['egress_rule_list'], firewall_group['egress_rule_list'],
replace_src=nsx_port_id, replace_src=nsx_ls_id,
logged=logged)) logged=logged))
# Add the per-port plugin rules # Add the per-port plugin rules
@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
port_rules.extend([ port_rules.extend([
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}], 'target_id': nsx_ls_id}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': nsx_port_id}], 'target_id': nsx_ls_id}],
'direction': 'OUT'}]) 'direction': 'OUT'}])
return port_rules return port_rules
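Review bot: The docstring `"""Return the list of translated rules per port"""` and the comment `# Add the per-port plugin rules` still describe the old per-port match, while the parameter is now `nsx_ls_id` and both the translated rules and the default DROP rules target a `LogicalSwitch`. I would rewrite the docstring as `"""Return the FWaaS rules for this port, scoped to its logical switch, followed by default ingress/egress drop rules for that switch"""` so a reader does not assume the drops apply to a single port. The `"Block port ingress"`/`"Block port egress"` display names are likewise now attached to switch-wide rules in NSX; they are compared verbatim by the tests, so renaming them is optional but should be done together if at all. The enclosing method starts outside this hunk.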


@ -64,9 +64,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
return True return True
def get_port_rules(self, nsx_port_id, fwg, plugin_rules): def get_port_rules(self, nsx_ls_id, fwg, plugin_rules):
return self.internal_driver.get_port_translated_rules( return self.internal_driver.get_port_translated_rules(
nsx_port_id, fwg, plugin_rules) nsx_ls_id, fwg, plugin_rules)
def update_router_firewall(self, context, nsxlib, router_id, def update_router_firewall(self, context, nsxlib, router_id,
router_interfaces, nsx_router_id, section_id): router_interfaces, nsx_router_id, section_id):
@ -78,7 +78,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
fw_rules = [] fw_rules = []
# Add firewall rules per port attached to a firewall group # Add firewall rules per port attached to a firewall group
for port in router_interfaces: for port in router_interfaces:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id( nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port['id']) context.session, port['id'])
# Check if this port has a firewall # Check if this port has a firewall
@ -91,7 +91,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
# add the FWaaS rules for this port # add the FWaaS rules for this port
# ingress/egress firewall rules + default ingress/egress drop # ingress/egress firewall rules + default ingress/egress drop
# rule for this port # rule for this port
fw_rules.extend(self.get_port_rules(nsx_port_id, fwg, fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg,
plugin_rules)) plugin_rules))
# add a default allow-all rule to all other traffic & ports # add a default allow-all rule to all other traffic & ports
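Review bot: The switch id returned by `nsx_db.get_nsx_switch_and_port_id` is passed straight into rule construction without a check; if the lookup yields None for a port whose NSX mapping is missing (the helper is not visible here), the port's `LogicalSwitch` rules are emitted with `'target_id': None`. Because this section ends with a default allow-all rule (the comment on the last line of the hunk), quietly skipping such a port with `continue` would fail open, so a missing mapping should abort the section update instead: `if nsx_ls_id is None:` followed by raising whichever exception class this file already uses for NSX mapping errors. The enclosing `update_router_firewall` starts and ends outside this hunk.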


@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid'
FAKE_ROUTER_ID = 'fake_rtr_uuid' FAKE_ROUTER_ID = 'fake_rtr_uuid'
FAKE_PORT_ID = 'fake_port_uuid' FAKE_PORT_ID = 'fake_port_uuid'
FAKE_NET_ID = 'fake_net_uuid' FAKE_NET_ID = 'fake_net_uuid'
FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid' FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'
MOCK_NSX_ID = 'nsx_nsx_router_id' MOCK_NSX_ID = 'nsx_nsx_router_id'
MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id' MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id'
MOCK_SECTION_ID = 'sec_id' MOCK_SECTION_ID = 'sec_id'
@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
field = 'sources' field = 'sources'
direction = 'OUT' direction = 'OUT'
new_val = [{'target_id': nsx_port_id, new_val = [{'target_id': nsx_port_id,
'target_type': 'LogicalPort'}] 'target_type': 'LogicalSwitch'}]
for rule in (rule1, rule2, rule3, rule4): for rule in (rule1, rule2, rule3, rule4):
rule[field] = new_val rule[field] = new_val
rule['direction'] = direction rule['direction'] = direction
@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall) self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [ expected_rules = [
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
func('nsx', apply_list, firewall) func('nsx', apply_list, firewall)
expected_rules = self._fake_translated_rules( expected_rules = self._fake_translated_rules(
FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [ FAKE_NSX_LS_ID, is_ingress=is_ingress) + [
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=None),\ return_value=None),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.delete_firewall_group('nsx', apply_list, firewall) self.firewall.delete_firewall_group('nsx', apply_list, firewall)
@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg', mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\ return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id", mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\ return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection." mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw: "update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall) self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [ expected_rules = [
{'display_name': "DHCP Relay ingress traffic", {'display_name': "DHCP Relay ingress traffic",
'action': consts.FW_ACTION_ALLOW, 'action': consts.FW_ACTION_ALLOW,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'sources': [{'target_id': relay_server, 'sources': [{'target_id': relay_server,
'target_type': 'IPv4Address'}], 'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(), 'services': self.plugin._get_port_relay_services(),
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "DHCP Relay egress traffic", {'display_name': "DHCP Relay egress traffic",
'action': consts.FW_ACTION_ALLOW, 'action': consts.FW_ACTION_ALLOW,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'destinations': [{'target_id': relay_server, 'destinations': [{'target_id': relay_server,
'target_type': 'IPv4Address'}], 'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(), 'services': self.plugin._get_port_relay_services(),
'direction': 'OUT'}, 'direction': 'OUT'},
{'display_name': "Block port ingress", {'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort', 'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'}, 'direction': 'IN'},
{'display_name': "Block port egress", {'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP, 'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort', 'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_PORT_ID}], 'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'}, 'direction': 'OUT'},
self._default_rule() self._default_rule()
] ]
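Review bot: No test exercises the failure path of the renamed lookup: every patch of `get_nsx_switch_and_port_id` returns `(FAKE_NSX_LS_ID, 0)`, so what the driver does when the switch id is None (a rule with a None target, or the port falling through to the driver's default allow-all) is untested. I would add one case that patches the lookup with `return_value=(None, None)` and asserts the outcome, since an unchecked None is the one that could fail open against the default allow rule. Separately, the helper parameter used at `new_val = [{'target_id': nsx_port_id,` is still named `nsx_port_id` although the call site now passes `FAKE_NSX_LS_ID`; renaming it to `nsx_ls_id` keeps the test consistent with the driver. The test class starts outside these hunks.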