NSX|V3: Warn if backend does not support FWaaS

In case the NSX-V3 does not support router-firewall, but the service plugin is enabled, a warning will be logged at init, and all firewall actions will issue a driver error (meaning the firewall will be in ERROR state) Change-Id: Ia4adc4d6433d16e0de7d7ad0439017acbe836d96
2017-06-20 10:12:59 +03:00 · 2017-06-20 10:12:59 +03:00 · e91518a472
commit e91518a472
parent 38e1a0c8cb
2 changed files with 27 additions and 13 deletions
--- a/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/edge_fwaas_driver.py
@ -18,6 +18,9 @@ import netaddr
 from neutron_fwaas.common import exceptions
 from neutron_fwaas.services.firewall.drivers import fwaas_base
 from neutron_lib.api.definitions import constants as fwaas_consts
+from neutron_lib.callbacks import events
+from neutron_lib.callbacks import registry
+from neutron_lib.callbacks import resources
 from neutron_lib import context as n_context
 from neutron_lib.plugins import directory
 from oslo_log import helpers as log_helpers
@ -39,6 +42,11 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
        LOG.debug("Loading FWaaS NsxV3Driver.")
        super(EdgeFwaasV3Driver, self).__init__()

+        self.backend_support = True
+        registry.subscribe(
+            self.check_backend_version,
+            resources.PROCESS, events.BEFORE_SPAWN)
+
    @property
    def nsxlib(self):
        return directory.get_plugin().nsxlib
@ -51,6 +59,14 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
    def nsx_router(self):
        return self.nsxlib.logical_router

+    def check_backend_version(self, resource, event, trigger, **kwargs):
+        if not self.nsxlib.feature_supported(consts.FEATURE_ROUTER_FIREWALL):
+            # router firewall is not supported
+            LOG.warning("FWaaS is not supported by the NSX backend (version "
+                        "%s): Router firewall is not supported",
+                        self.nsxlib.get_version())
+            self.backend_support = False
+
    def should_apply_firewall_to_router(self, router_data):
        """Return True if the firewall rules should be added the router

@ -166,14 +182,23 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
        # update each router using the core plugin code
        self._update_backend_routers(context, apply_list, rules=rules)

+    def validate_backend_version(self):
+        # prevent firewall actions if the backend does not support it
+        if not self.backend_support:
+            LOG.error("The NSX backend does not support router firewall")
+            raise exceptions.FirewallInternalDriverError(
+                driver=FWAAS_DRIVER_NAME)
+
    @log_helpers.log_method_call
    def create_firewall(self, agent_mode, apply_list, firewall):
        """Create the Firewall with a given policy. """
+        self.validate_backend_version()
        self._create_or_update_firewall(agent_mode, apply_list, firewall)

    @log_helpers.log_method_call
    def update_firewall(self, agent_mode, apply_list, firewall):
        """Remove previous policy and apply the new policy."""
+        self.validate_backend_version()
        self._create_or_update_firewall(agent_mode, apply_list, firewall)

    @log_helpers.log_method_call
@ -183,6 +208,7 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
        Removes rules created by this instance from the backend firewall
        And add the default allow rule.
        """
+        self.validate_backend_version()
        context = n_context.get_admin_context()
        self._update_backend_routers(context, apply_list, delete_fw=True)

@ -193,6 +219,7 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
        The backend firewall always has this policy (=deny all) as default,
        so we only need to delete the current rules.
        """
+        self.validate_backend_version()
        context = n_context.get_admin_context()
        self._update_backend_routers(context, apply_list, rules=[])

--- a/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks.py
+++ b/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks.py
@ -15,9 +15,7 @@

 from oslo_log import log as logging

-from vmware_nsx.common import exceptions as nsx_exc
 from vmware_nsx.services.fwaas.common import fwaas_callbacks as com_callbacks
-from vmware_nsxlib.v3 import nsx_constants as consts

 LOG = logging.getLogger(__name__)

@ -27,17 +25,6 @@ class Nsxv3FwaasCallbacks(com_callbacks.NsxFwaasCallbacks):

    def __init__(self, nsxlib):
        super(Nsxv3FwaasCallbacks, self).__init__()
-        # Verify that the nsx backend supports FWaaS
-        if self.fwaas_enabled:
-            self.verify_backend_version(nsxlib)
-
-    def verify_backend_version(self, nsxlib):
-        if not nsxlib.feature_supported(consts.FEATURE_ROUTER_FIREWALL):
-            # router firewall is not supported
-            msg = (_("FWaaS is not supported by the NSX backend (version %s): "
-                     "Router firewall is not supported") %
-                   self.nsxlib.get_version())
-            raise nsx_exc.NsxPluginException(err_msg=msg)

    def should_apply_firewall_to_router(self, context, router_id):
        """Return True if the FWaaS rules should be added to this router."""