x/vmware-nsx
Code Issues Proposed changes

Merge "NSX|P: Refactor GW FW creation & deletion"

Browse Source
This commit is contained in:
Zuul 2019-07-02 05:16:28 +00:00 committed by Gerrit Code Review
commit e931aae5d6
2 changed files with 18 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
vmware_nsx/services/fwaas/nsx_p/fwaas_callbacks_v2.py
View File

@ -57,7 +57,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
def _get_default_backend_rule(self, router_id):
"""Return the default allow-all rule entry
This rule enrty will be added to the end of the rules list
This rule entry will be added to the end of the rules list
"""
return self.nsxpolicy.gateway_policy.build_entry(
DEFAULT_RULE_NAME,
@ -363,17 +363,19 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
sr_exists_on_backend = False
if sr_exists_on_backend:
# update the edge firewall
self.create_router_gateway_policy(context, router_id,
router, fw_rules)
if router_with_fw:
self.create_or_update_router_gateway_policy(context, router_id,
router, fw_rules)
else:
# Do all the cleanup once the router has no more FW rules
# create or update the edge firewall
# TODO(asarfaty): Consider keeping the FW with default allow
# rule instead of deletion as it may be created again soon
self.delete_router_gateway_policy(router_id)
self.cleanup_router_fw_resources(router_id)
if not router_with_fw:
# Do all the cleanup once the router has no more FW rules
self.delete_router_gateway_policy(router_id)
self.cleanup_router_fw_resources(router_id)
def create_router_gateway_policy(self, context, router_id,
router, fw_rules):
def create_or_update_router_gateway_policy(self, context, router_id,
router, fw_rules):
"""Create/Overwrite gateway policy for a router with firewall rules"""
# Check if the gateway policy already exists
try:

31
vmware_nsx/tests/unit/nsx_p/test_fwaas_v2_driver.py
View File

@ -337,20 +337,10 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
return_value={'project_id': self.project_id}),\
mock.patch.object(self.plugin, 'service_router_has_services',
return_value=True), \
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
mock.patch(GW_POLICY_PATH + ".delete") as delete_fw:
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
# expecting only the default allow-all rule
expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with(
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
category=policy_constants.CATEGORY_LOCAL_GW)
# compare rules one by one
actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules))
for index in range(len(actual_rules)):
self.assertEqual(expected_rules[index],
actual_rules[index].get_obj_dict())
delete_fw.assert_called_once_with(
policy_constants.DEFAULT_DOMAIN, map_id=FAKE_ROUTER_ID)
def test_create_firewall_with_admin_down(self):
apply_list = self._fake_apply_list()
@ -360,17 +350,6 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
return_value=True), \
mock.patch.object(self.plugin, '_get_router',
return_value={'project_id': self.project_id}),\
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
mock.patch(GW_POLICY_PATH + ".create_with_entries") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall)
# expecting only the default allow-all rule
expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with(
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
category=policy_constants.CATEGORY_LOCAL_GW)
# compare rules one by one
actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules))
for index in range(len(actual_rules)):
self.assertEqual(expected_rules[index],
actual_rules[index].get_obj_dict())
update_fw.assert_not_called()