Merge "NSX-v3: Use logical switch id in FWaaS V2 rules"

Zuul 2018-01-15 15:16:21 +00:00 committed by Gerrit Code Review
commit c4a462d131
5 changed files with 43 additions and 43 deletions


@ -3613,12 +3613,12 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
# Add rules to allow dhcp traffic relay servers
if relay_servers:
# if it is a single port, the source/dest is this logical port
# if it is a single port, the source/dest is this logical switch
if port_id:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port_id)
port_target = [{'target_type': 'LogicalPort',
'target_id': nsx_port_id}]
port_target = [{'target_type': 'LogicalSwitch',
'target_id': nsx_ls_id}]
else:
port_target = None
# translate the relay server ips to the firewall format
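Review bot: The DHCP-relay allow rules built from `port_target` now match the whole logical switch, because the switch id returned by `get_nsx_switch_and_port_id` is used and the port id is discarded as `_nsx_port_id`; every port on that network, not only the port being configured, is therefore permitted to exchange traffic with the relay servers. The same widening from `LogicalPort` to `LogicalSwitch` is made in the FWaaS driver base (`replace_dest`/`replace_src` targets), in the "Block port ingress/egress" drop rules of the V2 driver, and in the callbacks' per-interface lookup. The commit title gives no rationale and nothing in the hunk records that the coarser scope is intended, so a short comment such as `# NOTE: the target is the logical switch, so this rule covers every port on the network, not just port_id` would keep the next maintainer from reverting it as a bug. The enclosing method continues outside the hunk.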


@ -178,18 +178,18 @@ class CommonEdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
nsx_rule['action'] = self._translate_action(
rule['action'], rule['id'])
if replace_dest:
# set this value as the destination logical port,
# set this value as the destination logical switch,
# and set the rule to ingress
nsx_rule['destinations'] = [{'target_type': 'LogicalPort',
nsx_rule['destinations'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_dest}]
nsx_rule['direction'] = 'IN'
elif rule.get('destination_ip_address'):
nsx_rule['destinations'] = self.translate_addresses_to_target(
[rule['destination_ip_address']])
if replace_src:
# set this value as the source logical port,
# and set the rule to eggress
nsx_rule['sources'] = [{'target_type': 'LogicalPort',
# set this value as the source logical switch,
# and set the rule to egress
nsx_rule['sources'] = [{'target_type': 'LogicalSwitch',
'target_id': replace_src}]
nsx_rule['direction'] = 'OUT'
elif rule.get('source_ip_address'):


@ -82,7 +82,7 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
for router_id in routers:
self.core_plugin.update_router_firewall(context, router_id)
def get_port_translated_rules(self, nsx_port_id, firewall_group,
def get_port_translated_rules(self, nsx_ls_id, firewall_group,
plugin_rules):
"""Return the list of translated rules per port"""
port_rules = []
@ -92,11 +92,11 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules(
firewall_group['ingress_rule_list'],
replace_dest=nsx_port_id,
replace_dest=nsx_ls_id,
logged=logged))
port_rules.extend(self._translate_rules(
firewall_group['egress_rule_list'],
replace_src=nsx_port_id,
replace_src=nsx_ls_id,
logged=logged))
# Add the per-port plugin rules
@ -107,13 +107,13 @@ class EdgeFwaasV3DriverV2(base_driver.CommonEdgeFwaasV3Driver):
port_rules.extend([
{'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort',
'target_id': nsx_port_id}],
'destinations': [{'target_type': 'LogicalSwitch',
'target_id': nsx_ls_id}],
'direction': 'IN'},
{'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort',
'target_id': nsx_port_id}],
'sources': [{'target_type': 'LogicalSwitch',
'target_id': nsx_ls_id}],
'direction': 'OUT'}])
return port_rules
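Review bot: The docstring `"""Return the list of translated rules per port"""` no longer describes what is built below: the rules target the `LogicalSwitch` given by `nsx_ls_id`, so the "Block port ingress"/"Block port egress" drop rules apply to every port on that switch that is not allowed by an earlier rule in the section. Suggest `"""Return the translated rules for the logical switch of a port (they apply to the whole switch)"""`; the display names are asserted verbatim by the unit tests, so renaming them would require the tests to change as well. The parameter rename from `nsx_port_id` to `nsx_ls_id` is safe for the positional caller visible in the callbacks, but would break any caller passing it by keyword. The hunks between `@ -82,7` and `@ -107,13` cut through the body of `get_port_translated_rules`.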


@ -64,9 +64,9 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
return True
def get_port_rules(self, nsx_port_id, fwg, plugin_rules):
def get_port_rules(self, nsx_ls_id, fwg, plugin_rules):
return self.internal_driver.get_port_translated_rules(
nsx_port_id, fwg, plugin_rules)
nsx_ls_id, fwg, plugin_rules)
def update_router_firewall(self, context, nsxlib, router_id,
router_interfaces, nsx_router_id, section_id):
@ -78,7 +78,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
fw_rules = []
# Add firewall rules per port attached to a firewall group
for port in router_interfaces:
_net_id, nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
nsx_ls_id, _nsx_port_id = nsx_db.get_nsx_switch_and_port_id(
context.session, port['id'])
# Check if this port has a firewall
@ -91,7 +91,7 @@ class Nsxv3FwaasCallbacksV2(com_callbacks.NsxFwaasCallbacksV2):
# add the FWaaS rules for this port
# ingress/egress firewall rules + default ingress/egress drop
# rule for this port
fw_rules.extend(self.get_port_rules(nsx_port_id, fwg,
fw_rules.extend(self.get_port_rules(nsx_ls_id, fwg,
plugin_rules))
# add a default allow-all rule to all other traffic & ports
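Review bot: The loop at `for port in router_interfaces:` now emits one switch-scoped rule set per interface port, so two interfaces of the same router on one logical switch (two subnets of one network, say) would produce duplicate rule sets for that switch, and if NSX evaluates the section in order, which I would expect but cannot confirm from this hunk, the first port's "Block port" drop rules would shadow the second port's allow rules. Either deduplicate on `nsx_ls_id` before extending `fw_rules`, or document the assumption, e.g. `# one rule set per logical switch: assumes a router has a single interface port on each network`. `update_router_firewall` starts before this hunk and continues after it.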


@ -30,7 +30,7 @@ FAKE_FW_ID = 'fake_fw_uuid'
FAKE_ROUTER_ID = 'fake_rtr_uuid'
FAKE_PORT_ID = 'fake_port_uuid'
FAKE_NET_ID = 'fake_net_uuid'
FAKE_NSX_PORT_ID = 'fake_nsx_port_uuid'
FAKE_NSX_LS_ID = 'fake_nsx_ls_uuid'
MOCK_NSX_ID = 'nsx_nsx_router_id'
MOCK_DEFAULT_RULE_ID = 'nsx_default_rule_id'
MOCK_SECTION_ID = 'sec_id'
@ -149,7 +149,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
field = 'sources'
direction = 'OUT'
new_val = [{'target_id': nsx_port_id,
'target_type': 'LogicalPort'}]
'target_type': 'LogicalSwitch'}]
for rule in (rule1, rule2, rule3, rule4):
rule[field] = new_val
rule['direction'] = direction
@ -206,7 +206,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\
return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -215,13 +215,13 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [
{'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'},
{'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'},
self._default_rule()
]
@ -241,21 +241,21 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\
return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw:
func('nsx', apply_list, firewall)
expected_rules = self._fake_translated_rules(
FAKE_NSX_PORT_ID, is_ingress=is_ingress) + [
FAKE_NSX_LS_ID, is_ingress=is_ingress) + [
{'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'},
{'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'},
self._default_rule()
]
@ -295,7 +295,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=None),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\
return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw:
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
@ -328,7 +328,7 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
mock.patch.object(self.plugin.fwaas_callbacks, 'get_port_fwg',
return_value=firewall),\
mock.patch("vmware_nsx.db.db.get_nsx_switch_and_port_id",
return_value=(0, FAKE_NSX_PORT_ID)),\
return_value=(FAKE_NSX_LS_ID, 0)),\
mock.patch("vmware_nsxlib.v3.security.NsxLibFirewallSection."
"update") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall)
@ -338,29 +338,29 @@ class Nsxv3FwaasTestCase(test_v3_plugin.NsxV3PluginTestCaseMixin):
expected_rules = [
{'display_name': "DHCP Relay ingress traffic",
'action': consts.FW_ACTION_ALLOW,
'destinations': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'sources': [{'target_id': relay_server,
'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(),
'direction': 'IN'},
{'display_name': "DHCP Relay egress traffic",
'action': consts.FW_ACTION_ALLOW,
'sources': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'destinations': [{'target_id': relay_server,
'target_type': 'IPv4Address'}],
'services': self.plugin._get_port_relay_services(),
'direction': 'OUT'},
{'display_name': "Block port ingress",
'action': consts.FW_ACTION_DROP,
'destinations': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'destinations': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'IN'},
{'display_name': "Block port egress",
'action': consts.FW_ACTION_DROP,
'sources': [{'target_type': 'LogicalPort',
'target_id': FAKE_NSX_PORT_ID}],
'sources': [{'target_type': 'LogicalSwitch',
'target_id': FAKE_NSX_LS_ID}],
'direction': 'OUT'},
self._default_rule()
]
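Review bot: `_fake_translated_rules` still names its parameter `nsx_port_id` (visible at `new_val = [{'target_id': nsx_port_id,`) while every call site now passes `FAKE_NSX_LS_ID` and the target type it builds is `LogicalSwitch`; renaming it to `nsx_ls_id` keeps the test helper consistent with the driver it exercises. The patched `get_nsx_switch_and_port_id` now returns `(FAKE_NSX_LS_ID, 0)`, which matches the `(switch, port)` order the production code unpacks. The helper's definition starts outside the hunk.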