x/vmware-nsx
Code Issues Proposed changes

Merge "NSX|P: Always use default domain"

Browse Source
This commit is contained in:
Zuul 2019-04-21 05:36:29 +00:00 committed by Gerrit Code Review
commit df7d9da7f1
6 changed files with 102 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
vmware_nsx/plugins/nsx_p/plugin.py
View File

@ -1471,8 +1471,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
# remove the edge firewall # remove the edge firewall
if self.fwaas_callbacks and self.fwaas_callbacks.fwaas_enabled: if self.fwaas_callbacks and self.fwaas_callbacks.fwaas_enabled:
self.fwaas_callbacks.delete_router_gateway_policy( self.fwaas_callbacks.delete_router_gateway_policy(router_id)
project_id, router_id)
self.nsxpolicy.tier1.update(router_id, disable_firewall=True) self.nsxpolicy.tier1.update(router_id, disable_firewall=True)
# remove the edge cluster from the tier1 router # remove the edge cluster from the tier1 router
@ -2226,8 +2225,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
self._prepare_exclude_list_group() self._prepare_exclude_list_group()
self._add_exclude_list_group() self._add_exclude_list_group()
def _create_security_group_backend_resources(self, context, secgroup, def _create_security_group_backend_resources(self, context, secgroup):
domain_id):
"""Create communication map (=section) and group (=NS group) """Create communication map (=section) and group (=NS group)
Both will have the security group id as their NSX id. Both will have the security group id as their NSX id.
@ -2247,7 +2245,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
# Create the group # Create the group
try: try:
self.nsxpolicy.group.create_or_overwrite_with_conditions( self.nsxpolicy.group.create_or_overwrite_with_conditions(
nsx_name, domain_id, group_id=sg_id, nsx_name, NSX_P_GLOBAL_DOMAIN_ID, group_id=sg_id,
description=secgroup.get('description'), description=secgroup.get('description'),
conditions=[condition], tags=tags) conditions=[condition], tags=tags)
except Exception as e: except Exception as e:
@ -2261,13 +2259,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
# create the communication map (=section) without and entries (=rules) # create the communication map (=section) without and entries (=rules)
try: try:
self.nsxpolicy.comm_map.create_or_overwrite_map_only( self.nsxpolicy.comm_map.create_or_overwrite_map_only(
nsx_name, domain_id, map_id=sg_id, nsx_name, NSX_P_GLOBAL_DOMAIN_ID, map_id=sg_id,
description=secgroup.get('description'), description=secgroup.get('description'),
tags=tags, category=category) tags=tags, category=category)
except Exception as e: except Exception as e:
msg = (_("Failed to create NSX communication map for SG %(sg)s: " msg = (_("Failed to create NSX communication map for SG %(sg)s: "
"%(e)s") % {'sg': sg_id, 'e': e}) "%(e)s") % {'sg': sg_id, 'e': e})
self.nsxpolicy.group.delete(domain_id, sg_id) self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID, sg_id)
raise nsx_exc.NsxPluginException(err_msg=msg) raise nsx_exc.NsxPluginException(err_msg=msg)
def _get_rule_ip_protocol(self, sg_rule): def _get_rule_ip_protocol(self, sg_rule):
@ -2333,7 +2331,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
def _get_sg_rule_local_ip_group_id(self, sg_rule): def _get_sg_rule_local_ip_group_id(self, sg_rule):
return '%s_local_group' % sg_rule['id'] return '%s_local_group' % sg_rule['id']
def _create_security_group_backend_rule(self, context, domain_id, map_id, def _create_security_group_backend_rule(self, context, map_id,
sg_rule, secgroup_logging, sg_rule, secgroup_logging,
is_provider_sg=False): is_provider_sg=False):
# The id of the map and group is the same as the security group id # The id of the map and group is the same as the security group id
@ -2361,7 +2359,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
expr = self.nsxpolicy.group.build_ip_address_expression( expr = self.nsxpolicy.group.build_ip_address_expression(
[remote_ip]) [remote_ip])
self.nsxpolicy.group.create_or_overwrite_with_conditions( self.nsxpolicy.group.create_or_overwrite_with_conditions(
remote_group_id, domain_id, group_id=remote_group_id, remote_group_id, NSX_P_GLOBAL_DOMAIN_ID,
group_id=remote_group_id,
description='%s for OS rule %s' % (remote_ip, sg_rule['id']), description='%s for OS rule %s' % (remote_ip, sg_rule['id']),
conditions=[expr], tags=tags) conditions=[expr], tags=tags)
source = remote_group_id source = remote_group_id
@ -2372,7 +2371,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
expr = self.nsxpolicy.group.build_ip_address_expression( expr = self.nsxpolicy.group.build_ip_address_expression(
[local_ip]) [local_ip])
self.nsxpolicy.group.create_or_overwrite_with_conditions( self.nsxpolicy.group.create_or_overwrite_with_conditions(
local_group_id, domain_id, group_id=local_group_id, local_group_id, NSX_P_GLOBAL_DOMAIN_ID,
group_id=local_group_id,
description='%s for OS rule %s' % (local_ip, sg_rule['id']), description='%s for OS rule %s' % (local_ip, sg_rule['id']),
conditions=[expr], tags=tags) conditions=[expr], tags=tags)
destination = local_group_id destination = local_group_id
@ -2385,11 +2385,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
ip_protocol = self._get_rule_ip_protocol(sg_rule) ip_protocol = self._get_rule_ip_protocol(sg_rule)
logging = (cfg.CONF.nsx_p.log_security_groups_allowed_traffic or logging = (cfg.CONF.nsx_p.log_security_groups_allowed_traffic or
secgroup_logging) secgroup_logging)
scope = [self.nsxpolicy.group.get_path(domain_id, this_group_id)] scope = [self.nsxpolicy.group.get_path(NSX_P_GLOBAL_DOMAIN_ID,
this_group_id)]
action = (policy_constants.ACTION_DENY if is_provider_sg action = (policy_constants.ACTION_DENY if is_provider_sg
else policy_constants.ACTION_ALLOW) else policy_constants.ACTION_ALLOW)
self.nsxpolicy.comm_map.create_entry( self.nsxpolicy.comm_map.create_entry(
nsx_name, domain_id, map_id, entry_id=sg_rule['id'], nsx_name, NSX_P_GLOBAL_DOMAIN_ID,
map_id, entry_id=sg_rule['id'],
description=sg_rule.get('description'), description=sg_rule.get('description'),
service_ids=[service] if service else None, service_ids=[service] if service else None,
ip_protocol=ip_protocol, ip_protocol=ip_protocol,
@ -2399,27 +2401,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
scope=scope, scope=scope,
direction=direction, logged=logging) direction=direction, logged=logging)
def _create_project_domain(self, context, project_id):
"""Return the NSX domain id of a neutron project
The ID of the created domain will be the same as the project ID
so there is no need to keep it in the neutron DB
"""
tags = self.nsxpolicy.build_v3_api_version_project_tag(
context.tenant_name)
try:
domain_id = self.nsxpolicy.domain.create_or_overwrite(
name=project_id,
domain_id=project_id,
description="Domain for OS project %s" % project_id,
tags=tags)
except Exception as e:
msg = (_("Failed to create NSX domain for project %(proj)s: "
"%(e)s") % {'proj': project_id, 'e': e})
raise nsx_exc.NsxPluginException(err_msg=msg)
LOG.info("NSX Domain was created for project %s", project_id)
return domain_id
def create_security_group(self, context, security_group, default_sg=False): def create_security_group(self, context, security_group, default_sg=False):
secgroup = security_group['security_group'] secgroup = security_group['security_group']
# Make sure the ID is initialized, as it is used for the backend # Make sure the ID is initialized, as it is used for the backend
@ -2429,9 +2410,6 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
project_id = secgroup['tenant_id'] project_id = secgroup['tenant_id']
if not default_sg: if not default_sg:
self._ensure_default_security_group(context, project_id) self._ensure_default_security_group(context, project_id)
else:
# create the NSX policy domain for this new project
self._create_project_domain(context, project_id)
# create the Neutron SG # create the Neutron SG
with db_api.CONTEXT_WRITER.using(context): with db_api.CONTEXT_WRITER.using(context):
@ -2451,14 +2429,14 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
try: try:
# Create Group & communication map on the NSX # Create Group & communication map on the NSX
self._create_security_group_backend_resources( self._create_security_group_backend_resources(
context, secgroup, project_id) context, secgroup)
# Add the security-group rules # Add the security-group rules
sg_rules = secgroup_db['security_group_rules'] sg_rules = secgroup_db['security_group_rules']
secgroup_logging = secgroup.get(sg_logging.LOGGING, False) secgroup_logging = secgroup.get(sg_logging.LOGGING, False)
for sg_rule in sg_rules: for sg_rule in sg_rules:
self._create_security_group_backend_rule( self._create_security_group_backend_rule(
context, project_id, secgroup_db['id'], sg_rule, context, secgroup_db['id'], sg_rule,
secgroup_logging) secgroup_logging)
except Exception as e: except Exception as e:
with excutils.save_and_reraise_exception(): with excutils.save_and_reraise_exception():
@ -2486,11 +2464,11 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
self._process_security_group_properties_update( self._process_security_group_properties_update(
context, secgroup_res, sg_data) context, secgroup_res, sg_data)
domain_id = NSX_P_GLOBAL_DOMAIN_ID
# Update the name and description on NSX backend # Update the name and description on NSX backend
if 'name' in sg_data or 'description' in sg_data: if 'name' in sg_data or 'description' in sg_data:
nsx_name = utils.get_name_and_uuid( nsx_name = utils.get_name_and_uuid(
secgroup_res['name'] or 'securitygroup', sg_id) secgroup_res['name'] or 'securitygroup', sg_id)
domain_id = secgroup_res['tenant_id']
try: try:
self.nsxpolicy.group.update( self.nsxpolicy.group.update(
domain_id, sg_id, domain_id, sg_id,
@ -2520,13 +2498,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
super(NsxPolicyPlugin, self).delete_security_group(context, sg_id) super(NsxPolicyPlugin, self).delete_security_group(context, sg_id)
domain_id = sg['tenant_id'] domain_id = NSX_P_GLOBAL_DOMAIN_ID
try: try:
self.nsxpolicy.comm_map.delete(domain_id, sg_id) self.nsxpolicy.comm_map.delete(domain_id, sg_id)
self.nsxpolicy.group.delete(domain_id, sg_id) self.nsxpolicy.group.delete(domain_id, sg_id)
for rule in sg['security_group_rules']: for rule in sg['security_group_rules']:
self._delete_security_group_rule_backend_resources( self._delete_security_group_rule_backend_resources(
context, domain_id, rule) context, rule)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
# If the resource was not found on the backend do not worry about # If the resource was not found on the backend do not worry about
# it. The conditions has already been logged, so there is no need # it. The conditions has already been logged, so there is no need
@ -2566,19 +2544,18 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
self._process_security_group_rule_properties( self._process_security_group_rule_properties(
context, rules_db[i], r['security_group_rule']) context, rules_db[i], r['security_group_rule'])
domain_id = sg['tenant_id']
is_provider_sg = sg.get(provider_sg.PROVIDER) is_provider_sg = sg.get(provider_sg.PROVIDER)
secgroup_logging = self._is_security_group_logged(context, sg_id) secgroup_logging = self._is_security_group_logged(context, sg_id)
for rule_data in rules_db: for rule_data in rules_db:
# create the NSX backend rule # create the NSX backend rule
self._create_security_group_backend_rule( self._create_security_group_backend_rule(
context, domain_id, sg_id, rule_data, secgroup_logging, context, sg_id, rule_data, secgroup_logging,
is_provider_sg=is_provider_sg) is_provider_sg=is_provider_sg)
return rules_db return rules_db
def _delete_security_group_rule_backend_resources( def _delete_security_group_rule_backend_resources(
self, context, domain_id, rule_db): self, context, rule_db):
rule_id = rule_db['id'] rule_id = rule_db['id']
# try to delete the service of this rule, if exists # try to delete the service of this rule, if exists
if rule_db['protocol']: if rule_db['protocol']:
@ -2591,7 +2568,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
if rule_db['remote_ip_prefix']: if rule_db['remote_ip_prefix']:
try: try:
remote_group_id = self._get_sg_rule_remote_ip_group_id(rule_db) remote_group_id = self._get_sg_rule_remote_ip_group_id(rule_db)
self.nsxpolicy.group.delete(domain_id, remote_group_id) self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID,
remote_group_id)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
pass pass
@ -2599,7 +2577,8 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
if self._get_security_group_rule_local_ip(context, rule_id): if self._get_security_group_rule_local_ip(context, rule_id):
try: try:
local_group_id = self._get_sg_rule_local_ip_group_id(rule_db) local_group_id = self._get_sg_rule_local_ip_group_id(rule_db)
self.nsxpolicy.group.delete(domain_id, local_group_id) self.nsxpolicy.group.delete(NSX_P_GLOBAL_DOMAIN_ID,
local_group_id)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
pass pass
@ -2607,13 +2586,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
rule_db = self._get_security_group_rule(context, rule_id) rule_db = self._get_security_group_rule(context, rule_id)
sg_id = rule_db['security_group_id'] sg_id = rule_db['security_group_id']
self._prevent_non_admin_edit_provider_sg(context, sg_id) self._prevent_non_admin_edit_provider_sg(context, sg_id)
domain_id = rule_db['tenant_id']
# Delete the rule itself # Delete the rule itself
try: try:
self.nsxpolicy.comm_map.delete_entry(domain_id, sg_id, rule_id) self.nsxpolicy.comm_map.delete_entry(
policy_constants.DEFAULT_DOMAIN, sg_id, rule_id)
self._delete_security_group_rule_backend_resources( self._delete_security_group_rule_backend_resources(
context, domain_id, rule_db) context, rule_db)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
# Go on with the deletion anyway # Go on with the deletion anyway
pass pass

84
vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py
View File

@ -54,13 +54,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
def nsxpolicy(self): def nsxpolicy(self):
return self.core_plugin.nsxpolicy return self.core_plugin.nsxpolicy
def _get_default_backend_rule(self, domain_id, router_id): def _get_default_backend_rule(self, router_id):
"""Return the default allow-all rule entry """Return the default allow-all rule entry
This rule enrty will be added to the end of the rules list This rule enrty will be added to the end of the rules list
""" """
return self.nsxpolicy.gateway_policy.build_entry( return self.nsxpolicy.gateway_policy.build_entry(
DEFAULT_RULE_NAME, domain_id, router_id, DEFAULT_RULE_NAME,
policy_constants.DEFAULT_DOMAIN, router_id,
self._get_random_rule_id(DEFAULT_RULE_ID), self._get_random_rule_id(DEFAULT_RULE_ID),
description=DEFAULT_RULE_NAME, description=DEFAULT_RULE_NAME,
sequence_number=None, sequence_number=None,
@ -69,7 +70,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
source_groups=None, dest_groups=None, source_groups=None, dest_groups=None,
direction=nsx_constants.IN_OUT) direction=nsx_constants.IN_OUT)
def _translate_service(self, domain_id, router_id, rule): def _translate_service(self, project_id, router_id, rule):
"""Return the NSX Policy service id matching the FW rule service. """Return the NSX Policy service id matching the FW rule service.
L4 protocol service will be created per router-id & rule-id L4 protocol service will be created per router-id & rule-id
@ -81,7 +82,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
if rule.get('protocol'): if rule.get('protocol'):
tags = self.nsxpolicy.build_v3_tags_payload( tags = self.nsxpolicy.build_v3_tags_payload(
rule, resource_type='os-neutron-fwrule-id', rule, resource_type='os-neutron-fwrule-id',
project_name=domain_id) project_name=project_id)
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
l4_protocol = v3_utils.translate_fw_rule_protocol( l4_protocol = v3_utils.translate_fw_rule_protocol(
rule.get('protocol')) rule.get('protocol'))
@ -155,7 +156,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
LOG.error(error_msg) LOG.error(error_msg)
raise self.driver_exception(driver=self.driver_name) raise self.driver_exception(driver=self.driver_name)
def _get_rule_cidr_group(self, domain_id, router_id, rule, is_source, def _get_rule_cidr_group(self, project_id, router_id, rule, is_source,
is_ingress): is_ingress):
field = 'source_ip_address' if is_source else 'destination_ip_address' field = 'source_ip_address' if is_source else 'destination_ip_address'
direction_text = 'source' if is_source else 'destination' direction_text = 'source' if is_source else 'destination'
@ -169,16 +170,16 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
[group_ips]) [group_ips])
tags = self.nsxpolicy.build_v3_tags_payload( tags = self.nsxpolicy.build_v3_tags_payload(
rule, resource_type='os-neutron-fwrule-id', rule, resource_type='os-neutron-fwrule-id',
project_name=domain_id) project_name=project_id)
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
self.nsxpolicy.group.create_or_overwrite_with_conditions( self.nsxpolicy.group.create_or_overwrite_with_conditions(
"FW_rule_%s_%s" % (rule['id'], direction_text), "FW_rule_%s_%s" % (rule['id'], direction_text),
domain_id, group_id=group_id, policy_constants.DEFAULT_DOMAIN, group_id=group_id,
description='%s: %s' % (direction_text, group_ips), description='%s: %s' % (direction_text, group_ips),
conditions=[expr], tags=tags) conditions=[expr], tags=tags)
return group_id return group_id
def _create_network_group(self, domain_id, router_id, neutron_net_id): def _create_network_group(self, router_id, neutron_net_id):
scope_and_tag = "%s|%s" % ('os-neutron-net-id', neutron_net_id) scope_and_tag = "%s|%s" % ('os-neutron-net-id', neutron_net_id)
tags = [] tags = []
tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id) tags = nsxlib_utils.add_v3_tag(tags, ROUTER_FW_TAG, router_id)
@ -189,14 +190,14 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
group_id = '%s-%s' % (router_id, neutron_net_id) group_id = '%s-%s' % (router_id, neutron_net_id)
self.nsxpolicy.group.create_or_overwrite_with_conditions( self.nsxpolicy.group.create_or_overwrite_with_conditions(
"Segment_%s" % neutron_net_id, "Segment_%s" % neutron_net_id,
domain_id, policy_constants.DEFAULT_DOMAIN,
group_id=group_id, group_id=group_id,
description='Group for segment %s' % neutron_net_id, description='Group for segment %s' % neutron_net_id,
conditions=[expr], conditions=[expr],
tags=tags) tags=tags)
return group_id return group_id
def _translate_rules(self, domain_id, router_id, segment_group, def _translate_rules(self, project_id, router_id, segment_group,
fwaas_rules, is_ingress, logged=False): fwaas_rules, is_ingress, logged=False):
"""Translate a list of FWaaS rules to NSX rule structure""" """Translate a list of FWaaS rules to NSX rule structure"""
translated_rules = [] translated_rules = []
@ -223,22 +224,24 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
driver=self.internal_driver.driver_name) driver=self.internal_driver.driver_name)
src_group = self._get_rule_cidr_group( src_group = self._get_rule_cidr_group(
domain_id, router_id, rule, is_source=True, project_id, router_id, rule, is_source=True,
is_ingress=is_ingress) is_ingress=is_ingress)
if not is_ingress and not src_group: if not is_ingress and not src_group:
src_group = segment_group src_group = segment_group
dest_group = self._get_rule_cidr_group( dest_group = self._get_rule_cidr_group(
domain_id, router_id, rule, is_source=False, project_id, router_id, rule, is_source=False,
is_ingress=is_ingress) is_ingress=is_ingress)
if is_ingress and not dest_group: if is_ingress and not dest_group:
dest_group = segment_group dest_group = segment_group
srv_id = self._translate_service(domain_id, router_id, rule) srv_id = self._translate_service(project_id, router_id, rule)
direction = nsx_constants.IN if is_ingress else nsx_constants.OUT direction = nsx_constants.IN if is_ingress else nsx_constants.OUT
ip_protocol = (nsx_constants.IPV4 if rule.get('ip_version', 4) == 4 ip_protocol = (nsx_constants.IPV4 if rule.get('ip_version', 4) == 4
else nsx_constants.IPV6) else nsx_constants.IPV6)
rule_entry = self.nsxpolicy.gateway_policy.build_entry( rule_entry = self.nsxpolicy.gateway_policy.build_entry(
rule_name, domain_id, router_id, rule_id, rule_name,
policy_constants.DEFAULT_DOMAIN,
router_id, rule_id,
description=rule.get('description'), description=rule.get('description'),
action=action, action=action,
source_groups=[src_group] if src_group else None, source_groups=[src_group] if src_group else None,
@ -251,28 +254,29 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
translated_rules.append(rule_entry) translated_rules.append(rule_entry)
return translated_rules return translated_rules
def _get_port_translated_rules(self, domain_id, router_id, neutron_net_id, def _get_port_translated_rules(self, project_id, router_id, neutron_net_id,
firewall_group): firewall_group):
"""Return the list of translated FWaaS rules per port """Return the list of translated FWaaS rules per port
Add the egress/ingress rules of this port + Add the egress/ingress rules of this port +
default drop rules in each direction for this port. default drop rules in each direction for this port.
""" """
net_group_id = self._create_network_group( net_group_id = self._create_network_group(
domain_id, router_id, neutron_net_id) router_id, neutron_net_id)
port_rules = [] port_rules = []
# Add the firewall group ingress/egress rules only if the fw is up # Add the firewall group ingress/egress rules only if the fw is up
if firewall_group['admin_state_up']: if firewall_group['admin_state_up']:
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
domain_id, router_id, net_group_id, project_id, router_id, net_group_id,
firewall_group['ingress_rule_list'], is_ingress=True)) firewall_group['ingress_rule_list'], is_ingress=True))
port_rules.extend(self._translate_rules( port_rules.extend(self._translate_rules(
domain_id, router_id, net_group_id, project_id, router_id, net_group_id,
firewall_group['egress_rule_list'], is_ingress=False)) firewall_group['egress_rule_list'], is_ingress=False))
# Add ingress/egress block rules for this port # Add ingress/egress block rules for this port
port_rules.extend([ port_rules.extend([
self.nsxpolicy.gateway_policy.build_entry( self.nsxpolicy.gateway_policy.build_entry(
"Block port ingress", domain_id, router_id, "Block port ingress",
policy_constants.DEFAULT_DOMAIN, router_id,
self._get_random_rule_id( self._get_random_rule_id(
DEFAULT_RULE_ID + neutron_net_id + 'ingress'), DEFAULT_RULE_ID + neutron_net_id + 'ingress'),
action=nsx_constants.FW_ACTION_DROP, action=nsx_constants.FW_ACTION_DROP,
@ -280,7 +284,8 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
scope=[self.nsxpolicy.tier1.get_path(router_id)], scope=[self.nsxpolicy.tier1.get_path(router_id)],
direction=nsx_constants.IN), direction=nsx_constants.IN),
self.nsxpolicy.gateway_policy.build_entry( self.nsxpolicy.gateway_policy.build_entry(
"Block port egress", domain_id, router_id, "Block port egress",
policy_constants.DEFAULT_DOMAIN, router_id,
self._get_random_rule_id( self._get_random_rule_id(
DEFAULT_RULE_ID + neutron_net_id + 'egress'), DEFAULT_RULE_ID + neutron_net_id + 'egress'),
action=nsx_constants.FW_ACTION_DROP, action=nsx_constants.FW_ACTION_DROP,
@ -308,7 +313,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
router calls, and if it is True - add the service router accordingly. router calls, and if it is True - add the service router accordingly.
""" """
plugin = self.core_plugin plugin = self.core_plugin
domain_id = router['project_id'] project_id = router['project_id']
fw_rules = [] fw_rules = []
router_with_fw = False router_with_fw = False
# Add firewall rules per port attached to a firewall group # Add firewall rules per port attached to a firewall group
@ -321,10 +326,10 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
# Add the FWaaS rules for this port:ingress/egress firewall # Add the FWaaS rules for this port:ingress/egress firewall
# rules + default ingress/egress drop rule for this port # rules + default ingress/egress drop rule for this port
fw_rules.extend(self._get_port_translated_rules( fw_rules.extend(self._get_port_translated_rules(
domain_id, router_id, port['network_id'], fwg)) project_id, router_id, port['network_id'], fwg))
# Add a default allow-all rule to all other traffic & ports # Add a default allow-all rule to all other traffic & ports
fw_rules.append(self._get_default_backend_rule(domain_id, router_id)) fw_rules.append(self._get_default_backend_rule(router_id))
self._set_rules_order(fw_rules) self._set_rules_order(fw_rules)
# Update the backend router firewall # Update the backend router firewall
@ -345,31 +350,32 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
# No other services that require service router: delete it # No other services that require service router: delete it
# This also deleted the gateway policy. # This also deleted the gateway policy.
self.core_plugin.delete_service_router( self.core_plugin.delete_service_router(
context, domain_id, router_id) context, policy_constants.DEFAULT_DOMAIN, router_id)
sr_exists_on_backend = False sr_exists_on_backend = False
if sr_exists_on_backend: if sr_exists_on_backend:
# update the edge firewall # update the edge firewall
self.create_router_gateway_policy(context, domain_id, router_id, self.create_router_gateway_policy(context, router_id,
router, fw_rules) router, fw_rules)
if not router_with_fw: if not router_with_fw:
# Do all the cleanup once the router has no more FW rules # Do all the cleanup once the router has no more FW rules
self.delete_router_gateway_policy(domain_id, router_id) self.delete_router_gateway_policy(router_id)
self.cleanup_router_fw_resources(domain_id, router_id) self.cleanup_router_fw_resources(router_id)
def create_router_gateway_policy(self, context, domain_id, router_id, def create_router_gateway_policy(self, context, router_id,
router, fw_rules): router, fw_rules):
"""Create/Overwrite gateway policy for a router with firewall rules""" """Create/Overwrite gateway policy for a router with firewall rules"""
# Check if the gateway policy already exists # Check if the gateway policy already exists
try: try:
self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id) self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN,
map_id=router_id)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
LOG.info("Going to create gateway policy for router %s", router_id) LOG.info("Going to create gateway policy for router %s", router_id)
else: else:
# only update the rules of this policy # only update the rules of this policy
self.nsxpolicy.gateway_policy.update_entries( self.nsxpolicy.gateway_policy.update_entries(
domain_id, router_id, fw_rules) policy_constants.DEFAULT_DOMAIN, router_id, fw_rules)
return return
tags = self.nsxpolicy.build_v3_tags_payload( tags = self.nsxpolicy.build_v3_tags_payload(
@ -377,33 +383,37 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
project_name=context.tenant_name) project_name=context.tenant_name)
policy_name = GATEWAY_POLICY_NAME % router_id policy_name = GATEWAY_POLICY_NAME % router_id
self.nsxpolicy.gateway_policy.create_with_entries( self.nsxpolicy.gateway_policy.create_with_entries(
policy_name, domain_id, map_id=router_id, policy_name, policy_constants.DEFAULT_DOMAIN,
map_id=router_id,
description=policy_name, description=policy_name,
tags=tags, tags=tags,
entries=fw_rules, entries=fw_rules,
category=policy_constants.CATEGORY_LOCAL_GW) category=policy_constants.CATEGORY_LOCAL_GW)
def delete_router_gateway_policy(self, domain_id, router_id): def delete_router_gateway_policy(self, router_id):
"""Delete the gateway policy associated with a router, it it exists. """Delete the gateway policy associated with a router, it it exists.
Should be called when the router is deleted / FW removed from it Should be called when the router is deleted / FW removed from it
""" """
try: try:
self.nsxpolicy.gateway_policy.get(domain_id, map_id=router_id) self.nsxpolicy.gateway_policy.get(policy_constants.DEFAULT_DOMAIN,
map_id=router_id)
except nsx_lib_exc.ResourceNotFound: except nsx_lib_exc.ResourceNotFound:
return return
self.nsxpolicy.gateway_policy.delete(domain_id, map_id=router_id) self.nsxpolicy.gateway_policy.delete(policy_constants.DEFAULT_DOMAIN,
map_id=router_id)
# Also delete all groups & services # Also delete all groups & services
self.cleanup_router_fw_resources(domain_id, router_id) self.cleanup_router_fw_resources(router_id)
def cleanup_router_fw_resources(self, domain_id, router_id): def cleanup_router_fw_resources(self, router_id):
tags_to_search = [{'scope': ROUTER_FW_TAG, 'tag': router_id}] tags_to_search = [{'scope': ROUTER_FW_TAG, 'tag': router_id}]
# Delete per rule & per network groups # Delete per rule & per network groups
groups = self.nsxpolicy.search_by_tags( groups = self.nsxpolicy.search_by_tags(
tags_to_search, tags_to_search,
self.nsxpolicy.group.entry_def.resource_type())['results'] self.nsxpolicy.group.entry_def.resource_type())['results']
for group in groups: for group in groups:
self.nsxpolicy.group.delete(domain_id, group['id']) self.nsxpolicy.group.delete(policy_constants.DEFAULT_DOMAIN,
group['id'])
services = self.nsxpolicy.search_by_tags( services = self.nsxpolicy.search_by_tags(
tags_to_search, tags_to_search,

4
vmware_nsx/shell/admin/plugins/nsxp/resources/securitygroups.py
View File

@ -19,6 +19,8 @@ from vmware_nsx.shell.admin.plugins.common import constants
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils
from vmware_nsxlib.v3.policy import constants as policy_constants
neutron_client = securitygroups_db.SecurityGroupDbMixin() neutron_client = securitygroups_db.SecurityGroupDbMixin()
@ -33,8 +35,8 @@ def list_security_groups(resource, event, trigger, **kwargs):
nsxpolicy = p_utils.get_connected_nsxpolicy() nsxpolicy = p_utils.get_connected_nsxpolicy()
ctx = context.get_admin_context() ctx = context.get_admin_context()
sgs = neutron_client.get_security_groups(ctx) sgs = neutron_client.get_security_groups(ctx)
domain_id = policy_constants.DEFAULT_DOMAIN
for sg in sgs: for sg in sgs:
domain_id = sg['tenant_id']
map_status = p_utils.get_realization_info( map_status = p_utils.get_realization_info(
nsxpolicy.comm_map, domain_id, sg['id']) nsxpolicy.comm_map, domain_id, sg['id'])
group_status = p_utils.get_realization_info( group_status = p_utils.get_realization_info(

6
vmware_nsx/tests/unit/extensions/test_provider_security_groups.py
View File

@ -409,11 +409,11 @@ class TestNSXpProviderSecurityGrp(test_nsxp_plugin.NsxPPluginTestCaseMixin,
with self.security_group_rule(security_group_id=sg_id) as rule: with self.security_group_rule(security_group_id=sg_id) as rule:
rule_data = rule['security_group_rule'] rule_data = rule['security_group_rule']
rule_id = rule_data['id'] rule_id = rule_data['id']
project_id = rule_data['project_id']
scope = [self.plugin.nsxpolicy.group.get_path( scope = [self.plugin.nsxpolicy.group.get_path(
project_id, sg_id)] policy_constants.DEFAULT_DOMAIN, sg_id)]
entry_create.assert_called_once_with( entry_create.assert_called_once_with(
rule_id, project_id, sg_id, entry_id=rule_id, rule_id, policy_constants.DEFAULT_DOMAIN,
sg_id, entry_id=rule_id,
description='', description='',
direction=nsx_constants.IN, direction=nsx_constants.IN,
ip_protocol=nsx_constants.IPV4, ip_protocol=nsx_constants.IPV4,

27
vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py
View File

@ -25,6 +25,7 @@ from vmware_nsx.services.fwaas.nsx_p import edge_fwaas_driver_v2
from vmware_nsx.services.fwaas.nsx_p import fwaas_callbacks_v2 from vmware_nsx.services.fwaas.nsx_p import fwaas_callbacks_v2
from vmware_nsx.tests.unit.nsx_p import test_plugin as test_p_plugin from vmware_nsx.tests.unit.nsx_p import test_plugin as test_p_plugin
from vmware_nsxlib.v3 import nsx_constants as consts from vmware_nsxlib.v3 import nsx_constants as consts
from vmware_nsxlib.v3.policy import constants as policy_constants
FAKE_FW_ID = 'fake_fw_uuid' FAKE_FW_ID = 'fake_fw_uuid'
FAKE_ROUTER_ID = 'fake_rtr_uuid' FAKE_ROUTER_ID = 'fake_rtr_uuid'
@ -60,7 +61,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
def _default_rule(self, seq_num): def _default_rule(self, seq_num):
return self.plugin.nsxpolicy.gateway_policy.build_entry( return self.plugin.nsxpolicy.gateway_policy.build_entry(
fwaas_callbacks_v2.DEFAULT_RULE_NAME, fwaas_callbacks_v2.DEFAULT_RULE_NAME,
self.project_id, FAKE_ROUTER_ID, policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
fwaas_callbacks_v2.DEFAULT_RULE_ID, fwaas_callbacks_v2.DEFAULT_RULE_ID,
description=fwaas_callbacks_v2.DEFAULT_RULE_NAME, description=fwaas_callbacks_v2.DEFAULT_RULE_NAME,
action=consts.FW_ACTION_ALLOW, action=consts.FW_ACTION_ALLOW,
@ -72,7 +73,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
net_group_id = '%s-%s' % (FAKE_ROUTER_ID, FAKE_NET_ID) net_group_id = '%s-%s' % (FAKE_ROUTER_ID, FAKE_NET_ID)
ingress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry( ingress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry(
"Block port ingress", "Block port ingress",
self.project_id, FAKE_ROUTER_ID, policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'ingress', fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'ingress',
action=consts.FW_ACTION_DROP, action=consts.FW_ACTION_DROP,
dest_groups=[net_group_id], dest_groups=[net_group_id],
@ -82,7 +83,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
egress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry( egress_rule = self.plugin.nsxpolicy.gateway_policy.build_entry(
"Block port egress", "Block port egress",
self.project_id, FAKE_ROUTER_ID, policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID,
fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'egress', fwaas_callbacks_v2.DEFAULT_RULE_ID + FAKE_NET_ID + 'egress',
action=consts.FW_ACTION_DROP, action=consts.FW_ACTION_DROP,
source_groups=[net_group_id], source_groups=[net_group_id],
@ -172,21 +173,25 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
if (fw_rule.get('source_ip_address') and if (fw_rule.get('source_ip_address') and
not fw_rule['source_ip_address'].startswith('0.0.0.0')): not fw_rule['source_ip_address'].startswith('0.0.0.0')):
self.assertEqual(['/infra/domains/%s/groups/source-%s' % ( self.assertEqual(['/infra/domains/%s/groups/source-%s' % (
self.project_id, fw_rule['id'])], policy_constants.DEFAULT_DOMAIN,
fw_rule['id'])],
nsx_rule['source_groups']) nsx_rule['source_groups'])
elif not is_ingress: elif not is_ingress:
self.assertEqual(['/infra/domains/%s/groups/%s-%s' % ( self.assertEqual(['/infra/domains/%s/groups/%s-%s' % (
self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)], policy_constants.DEFAULT_DOMAIN,
FAKE_ROUTER_ID, FAKE_NET_ID)],
nsx_rule['source_groups']) nsx_rule['source_groups'])
if (fw_rule.get('destination_ip_address') and if (fw_rule.get('destination_ip_address') and
not fw_rule['destination_ip_address'].startswith('0.0.0.0')): not fw_rule['destination_ip_address'].startswith('0.0.0.0')):
self.assertEqual(['/infra/domains/%s/groups/destination-%s' % ( self.assertEqual(['/infra/domains/%s/groups/destination-%s' % (
self.project_id, fw_rule['id'])], policy_constants.DEFAULT_DOMAIN,
fw_rule['id'])],
nsx_rule['destination_groups']) nsx_rule['destination_groups'])
elif is_ingress: elif is_ingress:
self.assertEqual(['/infra/domains/%s/groups/%s-%s' % ( self.assertEqual(['/infra/domains/%s/groups/%s-%s' % (
self.project_id, FAKE_ROUTER_ID, FAKE_NET_ID)], policy_constants.DEFAULT_DOMAIN,
FAKE_ROUTER_ID, FAKE_NET_ID)],
nsx_rule['destination_groups']) nsx_rule['destination_groups'])
def _fake_empty_firewall_group(self): def _fake_empty_firewall_group(self):
@ -245,7 +250,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
expected_rules = (self._block_interface_rules(0) + expected_rules = (self._block_interface_rules(0) +
[self._default_rule(2)]) [self._default_rule(2)])
update_fw.assert_called_once_with( update_fw.assert_called_once_with(
self.project_id, FAKE_ROUTER_ID, mock.ANY) policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
# compare rules one by one # compare rules one by one
actual_rules = update_fw.call_args[0][2] actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules)) self.assertEqual(len(expected_rules), len(actual_rules))
@ -274,7 +279,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
expected_default_rules = self._block_interface_rules( expected_default_rules = self._block_interface_rules(
len(rule_list)) + [self._default_rule(len(rule_list) + 2)] len(rule_list)) + [self._default_rule(len(rule_list) + 2)]
update_fw.assert_called_once_with( update_fw.assert_called_once_with(
self.project_id, FAKE_ROUTER_ID, mock.ANY) policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
# compare rules one by one # compare rules one by one
actual_rules = update_fw.call_args[0][2] actual_rules = update_fw.call_args[0][2]
@ -336,7 +341,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
# expecting only the default allow-all rule # expecting only the default allow-all rule
expected_rules = [self._default_rule(0)] expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with( update_fw.assert_called_once_with(
self.project_id, FAKE_ROUTER_ID, mock.ANY) policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
# compare rules one by one # compare rules one by one
actual_rules = update_fw.call_args[0][2] actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules)) self.assertEqual(len(expected_rules), len(actual_rules))
@ -358,7 +363,7 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
# expecting only the default allow-all rule # expecting only the default allow-all rule
expected_rules = [self._default_rule(0)] expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with( update_fw.assert_called_once_with(
self.project_id, FAKE_ROUTER_ID, mock.ANY) policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY)
# compare rules one by one # compare rules one by one
actual_rules = update_fw.call_args[0][2] actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules)) self.assertEqual(len(expected_rules), len(actual_rules))

9
vmware_nsx/tests/unit/nsx_p/test_plugin.py
View File

@ -1197,11 +1197,11 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest,
sg_id = sg['security_group']['id'] sg_id = sg['security_group']['id']
nsx_name = utils.get_name_and_uuid(name, sg_id) nsx_name = utils.get_name_and_uuid(name, sg_id)
group_create.assert_called_once_with( group_create.assert_called_once_with(
nsx_name, self.project_id, group_id=sg_id, nsx_name, policy_constants.DEFAULT_DOMAIN, group_id=sg_id,
description=description, description=description,
conditions=[mock.ANY], tags=mock.ANY) conditions=[mock.ANY], tags=mock.ANY)
comm_map_create.assert_called_once_with( comm_map_create.assert_called_once_with(
nsx_name, self.project_id, map_id=sg_id, nsx_name, policy_constants.DEFAULT_DOMAIN, map_id=sg_id,
description=description, description=description,
tags=mock.ANY, tags=mock.ANY,
category=policy_constants.CATEGORY_ENVIRONMENT) category=policy_constants.CATEGORY_ENVIRONMENT)
@ -1285,9 +1285,10 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest,
remote_ip_prefix) as rule: remote_ip_prefix) as rule:
rule_id = rule['security_group_rule']['id'] rule_id = rule['security_group_rule']['id']
scope = [self.plugin.nsxpolicy.group.get_path( scope = [self.plugin.nsxpolicy.group.get_path(
self.project_id, sg_id)] policy_constants.DEFAULT_DOMAIN, sg_id)]
entry_create.assert_called_once_with( entry_create.assert_called_once_with(
rule_id, self.project_id, sg_id, entry_id=rule_id, rule_id, policy_constants.DEFAULT_DOMAIN,
sg_id, entry_id=rule_id,
description='', description='',
direction=nsx_constants.IN, direction=nsx_constants.IN,
ip_protocol=nsx_constants.IPV4, ip_protocol=nsx_constants.IPV4,