Merge "NSX|P: Always use default domain"
This commit is contained in:
Zuul
Gerrit Code Review
commit
df7d9da7f1
@ -1471,8 +1471,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
|
||||
# remove the edge firewall
|
||||
if self.fwaas_callbacks and self.fwaas_callbacks.fwaas_enabled:
|
||||
self.fwaas_callbacks.delete_router_gateway_policy(
|
||||
project_id, router_id)
|
||||
self.fwaas_callbacks.delete_router_gateway_policy(router_id)
|
||||
self.nsxpolicy.tier1.update(router_id, disable_firewall=True)
|
||||
|
||||
# remove the edge cluster from the tier1 router
|
||||
@ -2226,8 +2225,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
self._prepare_exclude_list_group()
|
||||
self._add_exclude_list_group()
|
||||
|
||||
def _create_security_group_backend_resources(self, context, secgroup,
|
||||
domain_id):
|
||||
def _create_security_group_backend_resources(self, context, secgroup):
|
||||
"""Create communication map (=section) and group (=NS group)
|
||||
|
||||
Both will have the security group id as their NSX id.
|
||||
@ -2247,7 +2245,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
# Create the group
|
||||
try:
|
||||
self.nsxpolicy.group.create_or_overwrite_with_conditions(
|
||||
nsx_name, domain_id, group_id=sg_id,
|
||||
nsx_name, NSX_P_GLOBAL_DOMAIN_ID, group_id=sg_id,
|
||||
description=secgroup.get('description'),
|
||||
conditions=[condition], tags=tags)
|
||||
except Exception as e:
|
||||
@ -2261,13 +2259,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
# create the communication map (=section) without and entries (=rules)
|
||||
try:
|
||||
self.nsxpolicy.comm_map.create_or_overwrite_map_only(
|
||||
nsx_name, domain_id, map_id=sg_id,
|
||||
nsx_name, NSX_P_GLOBAL_DOMAIN_ID, map_id=sg_id,
|
||||
description=secgroup.get('description'),
|
||||
tags=tags, category=category)
|
||||
except Exception as e:
|
||||
msg = (_("Failed to create NSX communication map for SG %(sg)s: "
|
||||
"%(e)s") % {'sg': sg_id, 'e': e})
|
||||
self.nsxpolicy.group.delete(domain_id, sg_id)
|
||||
self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID, sg_id)
|
||||
raise nsx_exc.NsxPluginException(err_msg=msg)
|
||||
|
||||
def _get_rule_ip_protocol(self, sg_rule):
|
||||
@ -2333,7 +2331,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
def _get_sg_rule_local_ip_group_id(self, sg_rule):
|
||||
return '%s_local_group' % sg_rule['id']
|
||||
|
||||
def _create_security_group_backend_rule(self, context, domain_id, map_id,
|
||||
def _create_security_group_backend_rule(self, context, map_id,
|
||||
sg_rule, secgroup_logging,
|
||||
is_provider_sg=False):
|
||||
# The id of the map and group is the same as the security group id
|
||||
@ -2361,7 +2359,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
expr = self.nsxpolicy.group.build_ip_address_expression(
|
||||
[remote_ip])
|
||||
self.nsxpolicy.group.create_or_overwrite_with_conditions(
|
||||
remote_group_id, domain_id, group_id=remote_group_id,
|
||||
remote_group_id, NSX_P_GLOBAL_DOMAIN_ID,
|
||||
group_id=remote_group_id,
|
||||
description='%s for OS rule %s' % (remote_ip, sg_rule['id']),
|
||||
conditions=[expr], tags=tags)
|
||||
source = remote_group_id
|
||||
@ -2372,7 +2371,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
expr = self.nsxpolicy.group.build_ip_address_expression(
|
||||
[local_ip])
|
||||
self.nsxpolicy.group.create_or_overwrite_with_conditions(
|
||||
local_group_id, domain_id, group_id=local_group_id,
|
||||
local_group_id, NSX_P_GLOBAL_DOMAIN_ID,
|
||||
group_id=local_group_id,
|
||||
description='%s for OS rule %s' % (local_ip, sg_rule['id']),
|
||||
conditions=[expr], tags=tags)
|
||||
destination = local_group_id
|
||||
@ -2385,11 +2385,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
ip_protocol = self._get_rule_ip_protocol(sg_rule)
|
||||
logging = (cfg.CONF.nsx_p.log_security_groups_allowed_traffic or
|
||||
secgroup_logging)
|
||||
scope = [self.nsxpolicy.group.get_path(domain_id, this_group_id)]
|
||||
scope = [self.nsxpolicy.group.get_path(NSX_P_GLOBAL_DOMAIN_ID,
|
||||
this_group_id)]
|
||||
action = (policy_constants.ACTION_DENY if is_provider_sg
|
||||
else policy_constants.ACTION_ALLOW)
|
||||
self.nsxpolicy.comm_map.create_entry(
|
||||
nsx_name, domain_id, map_id, entry_id=sg_rule['id'],
|
||||
nsx_name, NSX_P_GLOBAL_DOMAIN_ID,
|
||||
map_id, entry_id=sg_rule['id'],
|
||||
description=sg_rule.get('description'),
|
||||
service_ids=[service] if service else None,
|
||||
ip_protocol=ip_protocol,
|
||||
@ -2399,27 +2401,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
scope=scope,
|
||||
direction=direction, logged=logging)
|
||||
|
||||
def _create_project_domain(self, context, project_id):
|
||||
"""Return the NSX domain id of a neutron project
|
||||
|
||||
The ID of the created domain will be the same as the project ID
|
||||
so there is no need to keep it in the neutron DB
|
||||
"""
|
||||
tags = self.nsxpolicy.build_v3_api_version_project_tag(
|
||||
context.tenant_name)
|
||||
try:
|
||||
domain_id = self.nsxpolicy.domain.create_or_overwrite(
|
||||
name=project_id,
|
||||
domain_id=project_id,
|
||||
description="Domain for OS project %s" % project_id,
|
||||
tags=tags)
|
||||
except Exception as e:
|
||||
msg = (_("Failed to create NSX domain for project %(proj)s: "
|
||||
"%(e)s") % {'proj': project_id, 'e': e})
|
||||
raise nsx_exc.NsxPluginException(err_msg=msg)
|
||||
LOG.info("NSX Domain was created for project %s", project_id)
|
||||
return domain_id
|
||||
|
||||
def create_security_group(self, context, security_group, default_sg=False):
|
||||
secgroup = security_group['security_group']
|
||||
# Make sure the ID is initialized, as it is used for the backend
|
||||
@ -2429,9 +2410,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
project_id = secgroup['tenant_id']
|
||||
if not default_sg:
|
||||
self._ensure_default_security_group(context, project_id)
|
||||
else:
|
||||
# create the NSX policy domain for this new project
|
||||
self._create_project_domain(context, project_id)
|
||||
|
||||
# create the Neutron SG
|
||||
with db_api.CONTEXT_WRITER.using(context):
|
||||
@ -2451,14 +2429,14 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
try:
|
||||
# Create Group & communication map on the NSX
|
||||
self._create_security_group_backend_resources(
|
||||
context, secgroup, project_id)
|
||||
context, secgroup)
|
||||
|
||||
# Add the security-group rules
|
||||
sg_rules = secgroup_db['security_group_rules']
|
||||
secgroup_logging = secgroup.get(sg_logging.LOGGING, False)
|
||||
for sg_rule in sg_rules:
|
||||
self._create_security_group_backend_rule(
|
||||
context, project_id, secgroup_db['id'], sg_rule,
|
||||
context, secgroup_db['id'], sg_rule,
|
||||
secgroup_logging)
|
||||
except Exception as e:
|
||||
with excutils.save_and_reraise_exception():
|
||||
@ -2486,11 +2464,11 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
self._process_security_group_properties_update(
|
||||
context, secgroup_res, sg_data)
|
||||
|
||||
domain_id = NSX_P_GLOBAL_DOMAIN_ID
|
||||
# Update the name and description on NSX backend
|
||||
if 'name' in sg_data or 'description' in sg_data:
|
||||
nsx_name = utils.get_name_and_uuid(
|
||||
secgroup_res['name'] or 'securitygroup', sg_id)
|
||||
domain_id = secgroup_res['tenant_id']
|
||||
try:
|
||||
self.nsxpolicy.group.update(
|
||||
domain_id, sg_id,
|
||||
@ -2520,13 +2498,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
|
||||
super(NsxPolicyPlugin, self).delete_security_group(context, sg_id)
|
||||
|
||||
domain_id = sg['tenant_id']
|
||||
domain_id = NSX_P_GLOBAL_DOMAIN_ID
|
||||
try:
|
||||
self.nsxpolicy.comm_map.delete(domain_id, sg_id)
|
||||
self.nsxpolicy.group.delete(domain_id, sg_id)
|
||||
for rule in sg['security_group_rules']:
|
||||
self._delete_security_group_rule_backend_resources(
|
||||
context, domain_id, rule)
|
||||
context, rule)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
# If the resource was not found on the backend do not worry about
|
||||
# it. The conditions has already been logged, so there is no need
|
||||
@ -2566,19 +2544,18 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
self._process_security_group_rule_properties(
|
||||
context, rules_db[i], r['security_group_rule'])
|
||||
|
||||
domain_id = sg['tenant_id']
|
||||
is_provider_sg = sg.get(provider_sg.PROVIDER)
|
||||
secgroup_logging = self._is_security_group_logged(context, sg_id)
|
||||
for rule_data in rules_db:
|
||||
# create the NSX backend rule
|
||||
self._create_security_group_backend_rule(
|
||||
context, domain_id, sg_id, rule_data, secgroup_logging,
|
||||
context, sg_id, rule_data, secgroup_logging,
|
||||
is_provider_sg=is_provider_sg)
|
||||
|
||||
return rules_db
|
||||
|
||||
def _delete_security_group_rule_backend_resources(
|
||||
self, context, domain_id, rule_db):
|
||||
self, context, rule_db):
|
||||
rule_id = rule_db['id']
|
||||
# try to delete the service of this rule, if exists
|
||||
if rule_db['protocol']:
|
||||
@ -2591,7 +2568,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
if rule_db['remote_ip_prefix']:
|
||||
try:
|
||||
remote_group_id = self._get_sg_rule_remote_ip_group_id(rule_db)
|
||||
self.nsxpolicy.group.delete(domain_id, remote_group_id)
|
||||
self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID,
|
||||
remote_group_id)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
pass
|
||||
|
||||
@ -2599,7 +2577,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
if self._get_security_group_rule_local_ip(context, rule_id):
|
||||
try:
|
||||
local_group_id = self._get_sg_rule_local_ip_group_id(rule_db)
|
||||
self.nsxpolicy.group.delete(domain_id, local_group_id)
|
||||
self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID,
|
||||
local_group_id)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
pass
|
||||
|
||||
@ -2607,13 +2586,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
rule_db = self._get_security_group_rule(context, rule_id)
|
||||
sg_id = rule_db['security_group_id']
|
||||
self._prevent_non_admin_edit_provider_sg(context, sg_id)
|
||||
domain_id = rule_db['tenant_id']
|
||||
|
||||
# Delete the rule itself
|
||||
try:
|
||||
self.nsxpolicy.comm_map.delete_entry(domain_id, sg_id, rule_id)
|
||||
self.nsxpolicy.comm_map.delete_entry(
|
||||
policy_constants.DEFAULT_DOMAIN, sg_id, rule_id)
|
||||
self._delete_security_group_rule_backend_resources(
|
||||
context, domain_id, rule_db)
|
||||
context, rule_db)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
# Go on with the deletion anyway
|
||||
pass
|
||||
|
||||
@ -54,13 +54,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
def nsxpolicy(self):
|
||||
return self.core_plugin.nsxpolicy
|
||||
|
||||
def _get_default_backend_rule(self, domain_id, router_id):
|
||||
def _get_default_backend_rule(self, router_id):
|
||||
"""Return the default allow-all rule entry
|
||||
|
||||
This rule enrty will be added to the end of the rules list
|
||||
"""
|
||||
return self.nsxpolicy.gateway_policy.build_entry(
|
||||
DEFAULT_RULE_NAME, domain_id, router_id,
|
||||
DEFAULT_RULE_NAME,
|
||||
policy_constants.DEFAULT_DOMAIN, router_id,
|
||||
self._get_random_rule_id(DEFAULT_RULE_ID),
|
||||
description=DEFAULT_RULE_NAME,
|
||||
sequence_number=None,
|
||||
@ -69,7 +70,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
source_groups=None, dest_groups=None,
|
||||
direction=nsx_constants.IN_OUT)
|
||||
|
||||
def _translate_service(self, domain_id, router_id, rule):
|
||||
def _translate_service(self, project_id, router_id, rule):
|
||||
"""Return the NSX Policy service id matching the FW rule service.
|
||||
|
||||
L4 protocol service will be created per router-id & rule-id
|
||||
@ -81,7 +82,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
if rule.get('protocol'):
|
||||
tags = self.nsxpolicy.build_v3_tags_payload(
|
||||
rule, resource_type='os-neutron-fwrule-id',
|
||||
project_name=domain_id)
|
||||
project_name=project_id)
|
||||
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
|
||||
l4_protocol = v3_utils.translate_fw_rule_protocol(
|
||||
rule.get('protocol'))
|
||||
@ -155,7 +156,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
LOG.error(error_msg)
|
||||
raise self.driver_exception(driver=self.driver_name)
|
||||
|
||||
def _get_rule_cidr_group(self, domain_id, router_id, rule, is_source,
|
||||
def _get_rule_cidr_group(self, project_id, router_id, rule, is_source,
|
||||
is_ingress):
|
||||
field = 'source_ip_address' if is_source else 'destination_ip_address'
|
||||
direction_text = 'source' if is_source else 'destination'
|
||||
@ -169,16 +170,16 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
[group_ips])
|
||||
tags = self.nsxpolicy.build_v3_tags_payload(
|
||||
rule, resource_type='os-neutron-fwrule-id',
|
||||
project_name=domain_id)
|
||||
project_name=project_id)
|
||||
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
|
||||
self.nsxpolicy.group.create_or_overwrite_with_conditions(
|
||||
"FW_rule_%s_%s" % (rule['id'], direction_text),
|
||||
domain_id, group_id=group_id,
|
||||
policy_constants.DEFAULT_DOMAIN, group_id=group_id,
|
||||
description='%s: %s' % (direction_text, group_ips),
|
||||
conditions=[expr], tags=tags)
|
||||
return group_id
|
||||
|
||||
def _create_network_group(self, domain_id, router_id, neutron_net_id):
|
||||
def _create_network_group(self, router_id, neutron_net_id):
|
||||
scope_and_tag = "%s|%s" % ('os-neutron-net-id', neutron_net_id)
|
||||
tags = []
|
||||
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
|
||||
@ -189,14 +190,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
group_id = '%s-%s' % (router_id, neutron_net_id)
|
||||
self.nsxpolicy.group.create_or_overwrite_with_conditions(
|
||||
"Segment_%s" % neutron_net_id,
|
||||
domain_id,
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
group_id=group_id,
|
||||
description='Group for segment %s' % neutron_net_id,
|
||||
conditions=[expr],
|
||||
tags=tags)
|
||||
return group_id
|
||||
|
||||
def _translate_rules(self, domain_id, router_id, segment_group,
|
||||
def _translate_rules(self, project_id, router_id, segment_group,
|
||||
fwaas_rules, is_ingress, logged=False):
|
||||
"""Translate a list of FWaaS rules to NSX rule structure"""
|
||||
translated_rules = []
|
||||
@ -223,22 +224,24 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
driver=self.internal_driver.driver_name)
|
||||
|
||||
src_group = self._get_rule_cidr_group(
|
||||
domain_id, router_id, rule, is_source=True,
|
||||
project_id, router_id, rule, is_source=True,
|
||||
is_ingress=is_ingress)
|
||||
if not is_ingress and not src_group:
|
||||
src_group = segment_group
|
||||
dest_group = self._get_rule_cidr_group(
|
||||
domain_id, router_id, rule, is_source=False,
|
||||
project_id, router_id, rule, is_source=False,
|
||||
is_ingress=is_ingress)
|
||||
if is_ingress and not dest_group:
|
||||
dest_group = segment_group
|
||||
|
||||
srv_id = self._translate_service(domain_id, router_id, rule)
|
||||
srv_id = self._translate_service(project_id, router_id, rule)
|
||||
direction = nsx_constants.IN if is_ingress else nsx_constants.OUT
|
||||
ip_protocol = (nsx_constants.IPV4 if rule.get('ip_version', 4) == 4
|
||||
else nsx_constants.IPV6)
|
||||
rule_entry = self.nsxpolicy.gateway_policy.build_entry(
|
||||
rule_name, domain_id, router_id, rule_id,
|
||||
rule_name,
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
router_id, rule_id,
|
||||
description=rule.get('description'),
|
||||
action=action,
|
||||
source_groups=[src_group] if src_group else None,
|
||||
@ -251,28 +254,29 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
translated_rules.append(rule_entry)
|
||||
return translated_rules
|
||||
|
||||
def _get_port_translated_rules(self, domain_id, router_id, neutron_net_id,
|
||||
def _get_port_translated_rules(self, project_id, router_id, neutron_net_id,
|
||||
firewall_group):
|
||||
"""Return the list of translated FWaaS rules per port
|
||||
Add the egress/ingress rules of this port +
|
||||
default drop rules in each direction for this port.
|
||||
"""
|
||||
net_group_id = self._create_network_group(
|
||||
domain_id, router_id, neutron_net_id)
|
||||
router_id, neutron_net_id)
|
||||
port_rules = []
|
||||
# Add the firewall group ingress/egress rules only if the fw is up
|
||||
if firewall_group['admin_state_up']:
|
||||
port_rules.extend(self._translate_rules(
|
||||
domain_id, router_id, net_group_id,
|
||||
project_id, router_id, net_group_id,
|
||||
firewall_group['ingress_rule_list'], is_ingress=True))
|
||||
port_rules.extend(self._translate_rules(
|
||||
domain_id, router_id, net_group_id,
|
||||
project_id, router_id, net_group_id,
|
||||
firewall_group['egress_rule_list'], is_ingress=False))
|
||||
|
||||
# Add ingress/egress block rules for this port
|
||||
port_rules.extend([
|
||||
self.nsxpolicy.gateway_policy.build_entry(
|
||||
"Block port ingress", domain_id, router_id,
|
||||
"Block port ingress",
|
||||
policy_constants.DEFAULT_DOMAIN, router_id,
|
||||
self._get_random_rule_id(
|
||||
DEFAULT_RULE_ID + neutron_net_id + 'ingress'),
|
||||
action=nsx_constants.FW_ACTION_DROP,
|
||||
@ -280,7 +284,8 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
scope=[self.nsxpolicy.tier1.get_path(router_id)],
|
||||
direction=nsx_constants.IN),
|
||||
self.nsxpolicy.gateway_policy.build_entry(
|
||||
"Block port egress", domain_id, router_id,
|
||||
"Block port egress",
|
||||
policy_constants.DEFAULT_DOMAIN, router_id,
|
||||
self._get_random_rule_id(
|
||||
DEFAULT_RULE_ID + neutron_net_id + 'egress'),
|
||||
action=nsx_constants.FW_ACTION_DROP,
|
||||
@ -308,7 +313,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
router calls, and if it is True - add the service router accordingly.
|
||||
"""
|
||||
plugin = self.core_plugin
|
||||
domain_id = router['project_id']
|
||||
project_id = router['project_id']
|
||||
fw_rules = []
|
||||
router_with_fw = False
|
||||
# Add firewall rules per port attached to a firewall group
|
||||
@ -321,10 +326,10 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
# Add the FWaaS rules for this port:ingress/egress firewall
|
||||
# rules + default ingress/egress drop rule for this port
|
||||
fw_rules.extend(self._get_port_translated_rules(
|
||||
domain_id, router_id, port['network_id'], fwg))
|
||||
project_id, router_id, port['network_id'], fwg))
|
||||
|
||||
# Add a default allow-all rule to all other traffic & ports
|
||||
fw_rules.append(self._get_default_backend_rule(domain_id, router_id))
|
||||
fw_rules.append(self._get_default_backend_rule(router_id))
|
||||
self._set_rules_order(fw_rules)
|
||||
|
||||
# Update the backend router firewall
|
||||
@ -345,31 +350,32 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
# No other services that require service router: delete it
|
||||
# This also deleted the gateway policy.
|
||||
self.core_plugin.delete_service_router(
|
||||
context, domain_id, router_id)
|
||||
context, policy_constants.DEFAULT_DOMAIN, router_id)
|
||||
sr_exists_on_backend = False
|
||||
|
||||
if sr_exists_on_backend:
|
||||
# update the edge firewall
|
||||
self.create_router_gateway_policy(context, domain_id, router_id,
|
||||
self.create_router_gateway_policy(context, router_id,
|
||||
router, fw_rules)
|
||||
|
||||
if not router_with_fw:
|
||||
# Do all the cleanup once the router has no more FW rules
|
||||
self.delete_router_gateway_policy(domain_id, router_id)
|
||||
self.cleanup_router_fw_resources(domain_id, router_id)
|
||||
self.delete_router_gateway_policy(router_id)
|
||||
self.cleanup_router_fw_resources(router_id)
|
||||
|
||||
def create_router_gateway_policy(self, context, domain_id, router_id,
|
||||
def create_router_gateway_policy(self, context, router_id,
|
||||
router, fw_rules):
|
||||
"""Create/Overwrite gateway policy for a router with firewall rules"""
|
||||
# Check if the gateway policy already exists
|
||||
try:
|
||||
self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id)
|
||||
self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN,
|
||||
map_id=router_id)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
LOG.info("Going to create gateway policy for router %s", router_id)
|
||||
else:
|
||||
# only update the rules of this policy
|
||||
self.nsxpolicy.gateway_policy.update_entries(
|
||||
domain_id, router_id, fw_rules)
|
||||
policy_constants.DEFAULT_DOMAIN, router_id, fw_rules)
|
||||
return
|
||||
|
||||
tags = self.nsxpolicy.build_v3_tags_payload(
|
||||
@ -377,33 +383,37 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
project_name=context.tenant_name)
|
||||
policy_name = GATEWAY_POLICY_NAME % router_id
|
||||
self.nsxpolicy.gateway_policy.create_with_entries(
|
||||
policy_name, domain_id, map_id=router_id,
|
||||
policy_name, policy_constants.DEFAULT_DOMAIN,
|
||||
map_id=router_id,
|
||||
description=policy_name,
|
||||
tags=tags,
|
||||
entries=fw_rules,
|
||||
category=policy_constants.CATEGORY_LOCAL_GW)
|
||||
|
||||
def delete_router_gateway_policy(self, domain_id, router_id):
|
||||
def delete_router_gateway_policy(self, router_id):
|
||||
"""Delete the gateway policy associated with a router, it it exists.
|
||||
Should be called when the router is deleted / FW removed from it
|
||||
"""
|
||||
try:
|
||||
self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id)
|
||||
self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN,
|
||||
map_id=router_id)
|
||||
except nsx_lib_exc.ResourceNotFound:
|
||||
return
|
||||
self.nsxpolicy.gateway_policy.delete(domain_id, map_id=router_id)
|
||||
self.nsxpolicy.gateway_policy.delete(policy_constants.DEFAULT_DOMAIN,
|
||||
map_id=router_id)
|
||||
|
||||
# Also delete all groups & services
|
||||
self.cleanup_router_fw_resources(domain_id, router_id)
|
||||
self.cleanup_router_fw_resources(router_id)
|
||||
|
||||
def cleanup_router_fw_resources(self, domain_id, router_id):
|
||||
def cleanup_router_fw_resources(self, router_id):
|
||||
tags_to_search = [{'scope': ROUTER_FW_TAG, 'tag': router_id}]
|
||||
# Delete per rule & per network groups
|
||||
groups = self.nsxpolicy.search_by_tags(
|
||||
tags_to_search,
|
||||
self.nsxpolicy.group.entry_def.resource_type())['results']
|
||||
for group in groups:
|
||||
self.nsxpolicy.group.delete(domain_id, group['id'])
|
||||
self.nsxpolicy.group.delete(policy_constants.DEFAULT_DOMAIN,
|
||||
group['id'])
|
||||
|
||||
services = self.nsxpolicy.search_by_tags(
|
||||
tags_to_search,
|
||||
|
||||
@ -19,6 +19,8 @@ from vmware_nsx.shell.admin.plugins.common import constants
|
||||
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
|
||||
from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils
|
||||
|
||||
from vmware_nsxlib.v3.policy import constants as policy_constants
|
||||
|
||||
neutron_client = securitygroups_db.SecurityGroupDbMixin()
|
||||
|
||||
|
||||
@ -33,8 +35,8 @@ def list_security_groups(resource, event, trigger, **kwargs):
|
||||
nsxpolicy = p_utils.get_connected_nsxpolicy()
|
||||
ctx = context.get_admin_context()
|
||||
sgs = neutron_client.get_security_groups(ctx)
|
||||
domain_id = policy_constants.DEFAULT_DOMAIN
|
||||
for sg in sgs:
|
||||
domain_id = sg['tenant_id']
|
||||
map_status = p_utils.get_realization_info(
|
||||
nsxpolicy.comm_map, domain_id, sg['id'])
|
||||
group_status = p_utils.get_realization_info(
|
||||
|
||||
@ -409,11 +409,11 @@ class TestNSXpProviderSecurityGrp(test_nsxp_plugin.NsxPPluginTestCaseMixin,
|
||||
with self.security_group_rule(security_group_id=sg_id) as rule:
|
||||
rule_data = rule['security_group_rule']
|
||||
rule_id = rule_data['id']
|
||||
project_id = rule_data['project_id']
|
||||
scope = [self.plugin.nsxpolicy.group.get_path(
|
||||
project_id, sg_id)]
|
||||
policy_constants.DEFAULT_DOMAIN, sg_id)]
|
||||
entry_create.assert_called_once_with(
|
||||
rule_id, project_id, sg_id, entry_id=rule_id,
|
||||
rule_id, policy_constants.DEFAULT_DOMAIN,
|
||||
sg_id, entry_id=rule_id,
|
||||
description='',
|
||||
direction=nsx_constants.IN,
|
||||
ip_protocol=nsx_constants.IPV4,
|
||||
|
||||
@ -25,6 +25,7 @@ from vmware_nsx.services.fwaas.nsx_p import edge_fwaas_driver_v2
|
||||
from vmware_nsx.services.fwaas.nsx_p import fwaas_callbacks_v2
|
||||
from vmware_nsx.tests.unit.nsx_p import test_plugin as test_p_plugin
|
||||
from vmware_nsxlib.v3 import nsx_constants as consts
|
||||
from vmware_nsxlib.v3.policy import constants as policy_constants
|
||||
|
||||
FAKE_FW_ID = 'fake_fw_uuid'
|
||||
FAKE_ROUTER_ID = 'fake_rtr_uuid'
|
||||
@ -60,7 +61,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
def _default_rule(self, seq_num):
|
||||
return self.plugin.nsxpolicy.gateway_policy.build_entry(
|
||||
fwaas_callbacks_v2.DEFAULT_RULE_NAME,
|
||||
self.project_id, FAKE_ROUTER_ID,
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
|
||||
fwaas_callbacks_v2.DEFAULT_RULE_ID,
|
||||
description=fwaas_callbacks_v2.DEFAULT_RULE_NAME,
|
||||
action=consts.FW_ACTION_ALLOW,
|
||||
@ -72,7 +73,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
net_group_id = '%s-%s' % (FAKE_ROUTER_ID, FAKE_NET_ID)
|
||||
ingress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry(
|
||||
"Block port ingress",
|
||||
self.project_id, FAKE_ROUTER_ID,
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
|
||||
fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'ingress',
|
||||
action=consts.FW_ACTION_DROP,
|
||||
dest_groups=[net_group_id],
|
||||
@ -82,7 +83,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
|
||||
egress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry(
|
||||
"Block port egress",
|
||||
self.project_id, FAKE_ROUTER_ID,
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
|
||||
fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'egress',
|
||||
action=consts.FW_ACTION_DROP,
|
||||
source_groups=[net_group_id],
|
||||
@ -172,21 +173,25 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
if (fw_rule.get('source_ip_address') and
|
||||
not fw_rule['source_ip_address'].startswith('0.0.0.0')):
|
||||
self.assertEqual(['/infra/domains/%s/groups/source-%s' % (
|
||||
self.project_id, fw_rule['id'])],
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
fw_rule['id'])],
|
||||
nsx_rule['source_groups'])
|
||||
elif not is_ingress:
|
||||
self.assertEqual(['/infra/domains/%s/groups/%s-%s' % (
|
||||
self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)],
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
FAKE_ROUTER_ID, FAKE_NET_ID)],
|
||||
nsx_rule['source_groups'])
|
||||
|
||||
if (fw_rule.get('destination_ip_address') and
|
||||
not fw_rule['destination_ip_address'].startswith('0.0.0.0')):
|
||||
self.assertEqual(['/infra/domains/%s/groups/destination-%s' % (
|
||||
self.project_id, fw_rule['id'])],
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
fw_rule['id'])],
|
||||
nsx_rule['destination_groups'])
|
||||
elif is_ingress:
|
||||
self.assertEqual(['/infra/domains/%s/groups/%s-%s' % (
|
||||
self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)],
|
||||
policy_constants.DEFAULT_DOMAIN,
|
||||
FAKE_ROUTER_ID, FAKE_NET_ID)],
|
||||
nsx_rule['destination_groups'])
|
||||
|
||||
def _fake_empty_firewall_group(self):
|
||||
@ -245,7 +250,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
expected_rules = (self._block_interface_rules(0) +
|
||||
[self._default_rule(2)])
|
||||
update_fw.assert_called_once_with(
|
||||
self.project_id, FAKE_ROUTER_ID, mock.ANY)
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
||||
@ -274,7 +279,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
expected_default_rules = self._block_interface_rules(
|
||||
len(rule_list)) + [self._default_rule(len(rule_list) + 2)]
|
||||
update_fw.assert_called_once_with(
|
||||
self.project_id, FAKE_ROUTER_ID, mock.ANY)
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
|
||||
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
@ -336,7 +341,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
# expecting only the default allow-all rule
|
||||
expected_rules = [self._default_rule(0)]
|
||||
update_fw.assert_called_once_with(
|
||||
self.project_id, FAKE_ROUTER_ID, mock.ANY)
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
||||
@ -358,7 +363,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
# expecting only the default allow-all rule
|
||||
expected_rules = [self._default_rule(0)]
|
||||
update_fw.assert_called_once_with(
|
||||
self.project_id, FAKE_ROUTER_ID, mock.ANY)
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
||||
|
||||
@ -1197,11 +1197,11 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest,
|
||||
sg_id = sg['security_group']['id']
|
||||
nsx_name = utils.get_name_and_uuid(name, sg_id)
|
||||
group_create.assert_called_once_with(
|
||||
nsx_name, self.project_id, group_id=sg_id,
|
||||
nsx_name, policy_constants.DEFAULT_DOMAIN, group_id=sg_id,
|
||||
description=description,
|
||||
conditions=[mock.ANY], tags=mock.ANY)
|
||||
comm_map_create.assert_called_once_with(
|
||||
nsx_name, self.project_id, map_id=sg_id,
|
||||
nsx_name, policy_constants.DEFAULT_DOMAIN, map_id=sg_id,
|
||||
description=description,
|
||||
tags=mock.ANY,
|
||||
category=policy_constants.CATEGORY_ENVIRONMENT)
|
||||
@ -1285,9 +1285,10 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest,
|
||||
remote_ip_prefix) as rule:
|
||||
rule_id = rule['security_group_rule']['id']
|
||||
scope = [self.plugin.nsxpolicy.group.get_path(
|
||||
self.project_id, sg_id)]
|
||||
policy_constants.DEFAULT_DOMAIN, sg_id)]
|
||||
entry_create.assert_called_once_with(
|
||||
rule_id, self.project_id, sg_id, entry_id=rule_id,
|
||||
rule_id, policy_constants.DEFAULT_DOMAIN,
|
||||
sg_id, entry_id=rule_id,
|
||||
description='',
|
||||
direction=nsx_constants.IN,
|
||||
ip_protocol=nsx_constants.IPV4,
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user