NSX|V3: Warn if backend does not support FWaaS
If the NSX-V3 backend does not support router firewall but the service plugin is enabled, a warning is logged at init and every firewall action raises a driver error (leaving the firewall in ERROR state). Change-Id: Ia4adc4d6433d16e0de7d7ad0439017acbe836d96
parent
38e1a0c8cb
commit
e91518a472
@ -18,6 +18,9 @@ import netaddr
|
||||
from neutron_fwaas.common import exceptions
|
||||
from neutron_fwaas.services.firewall.drivers import fwaas_base
|
||||
from neutron_lib.api.definitions import constants as fwaas_consts
|
||||
from neutron_lib.callbacks import events
|
||||
from neutron_lib.callbacks import registry
|
||||
from neutron_lib.callbacks import resources
|
||||
from neutron_lib import context as n_context
|
||||
from neutron_lib.plugins import directory
|
||||
from oslo_log import helpers as log_helpers
|
||||
@ -39,6 +42,11 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
LOG.debug("Loading FWaaS NsxV3Driver.")
|
||||
super(EdgeFwaasV3Driver, self).__init__()
|
||||
|
||||
self.backend_support = True
|
||||
registry.subscribe(
|
||||
self.check_backend_version,
|
||||
resources.PROCESS, events.BEFORE_SPAWN)
|
||||
|
||||
@property
|
||||
def nsxlib(self):
|
||||
return directory.get_plugin().nsxlib
|
||||
@ -51,6 +59,14 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
def nsx_router(self):
|
||||
return self.nsxlib.logical_router
|
||||
|
||||
def check_backend_version(self, resource, event, trigger, **kwargs):
|
||||
if not self.nsxlib.feature_supported(consts.FEATURE_ROUTER_FIREWALL):
|
||||
# router firewall is not supported
|
||||
LOG.warning("FWaaS is not supported by the NSX backend (version "
|
||||
"%s): Router firewall is not supported",
|
||||
self.nsxlib.get_version())
|
||||
self.backend_support = False
|
||||
|
||||
def should_apply_firewall_to_router(self, router_data):
|
||||
"""Return True if the firewall rules should be added the router
|
||||
|
||||
@ -166,14 +182,23 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
# update each router using the core plugin code
|
||||
self._update_backend_routers(context, apply_list, rules=rules)
|
||||
|
||||
def validate_backend_version(self):
|
||||
# prevent firewall actions if the backend does not support it
|
||||
if not self.backend_support:
|
||||
LOG.error("The NSX backend does not support router firewall")
|
||||
raise exceptions.FirewallInternalDriverError(
|
||||
driver=FWAAS_DRIVER_NAME)
|
||||
|
||||
@log_helpers.log_method_call
|
||||
def create_firewall(self, agent_mode, apply_list, firewall):
|
||||
"""Create the Firewall with a given policy. """
|
||||
self.validate_backend_version()
|
||||
self._create_or_update_firewall(agent_mode, apply_list, firewall)
|
||||
|
||||
@log_helpers.log_method_call
|
||||
def update_firewall(self, agent_mode, apply_list, firewall):
|
||||
"""Remove previous policy and apply the new policy."""
|
||||
self.validate_backend_version()
|
||||
self._create_or_update_firewall(agent_mode, apply_list, firewall)
|
||||
|
||||
@log_helpers.log_method_call
|
||||
@ -183,6 +208,7 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
Removes rules created by this instance from the backend firewall
|
||||
And add the default allow rule.
|
||||
"""
|
||||
self.validate_backend_version()
|
||||
context = n_context.get_admin_context()
|
||||
self._update_backend_routers(context, apply_list, delete_fw=True)
|
||||
|
||||
@ -193,6 +219,7 @@ class EdgeFwaasV3Driver(fwaas_base.FwaasDriverBase):
|
||||
The backend firewall always has this policy (=deny all) as default,
|
||||
so we only need to delete the current rules.
|
||||
"""
|
||||
self.validate_backend_version()
|
||||
context = n_context.get_admin_context()
|
||||
self._update_backend_routers(context, apply_list, rules=[])
|
||||
|
||||
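Review bot: `backend_support` starts as `True` in `__init__` and is only flipped to `False` inside `check_backend_version`, so the gate in `validate_backend_version` fails open if that `BEFORE_SPAWN` callback has not run yet or if `feature_supported()` raises before the assignment. For a check that decides whether firewall rules can be enforced at all, the safer default is to treat the backend as unsupported until it has been verified: initialise `self.backend_support = False` and have the callback assign `self.backend_support = self.nsxlib.feature_supported(consts.FEATURE_ROUTER_FIREWALL)` before logging the warning. Whether a firewall call can reach the driver before the callback fires is not visible in these hunks, so the ordering should be confirmed if the current default is kept. The last two hunks add the same gate to what appear to be the delete and default-policy methods, whose signatures lie outside the hunks. A short comment there, such as `# cleanup is refused too: no backend rules exist to remove`, would make it clear that leaving the firewall in ERROR on those paths is intended.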
|
@ -15,9 +15,7 @@
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from vmware_nsx.common import exceptions as nsx_exc
|
||||
from vmware_nsx.services.fwaas.common import fwaas_callbacks as com_callbacks
|
||||
from vmware_nsxlib.v3 import nsx_constants as consts
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
@ -27,17 +25,6 @@ class Nsxv3FwaasCallbacks(com_callbacks.NsxFwaasCallbacks):
|
||||
|
||||
def __init__(self, nsxlib):
|
||||
super(Nsxv3FwaasCallbacks, self).__init__()
|
||||
# Verify that the nsx backend supports FWaaS
|
||||
if self.fwaas_enabled:
|
||||
self.verify_backend_version(nsxlib)
|
||||
|
||||
def verify_backend_version(self, nsxlib):
|
||||
if not nsxlib.feature_supported(consts.FEATURE_ROUTER_FIREWALL):
|
||||
# router firewall is not supported
|
||||
msg = (_("FWaaS is not supported by the NSX backend (version %s): "
|
||||
"Router firewall is not supported") %
|
||||
self.nsxlib.get_version())
|
||||
raise nsx_exc.NsxPluginException(err_msg=msg)
|
||||
|
||||
def should_apply_firewall_to_router(self, context, router_id):
|
||||
"""Return True if the FWaaS rules should be added to this router."""
|
||||
|