Merge "NSX|P: Refactor GW FW creation & deletion"

Zuul 2019-07-02 05:16:28 +00:00 committed by Gerrit Code Review
commit e931aae5d6
2 changed files with 18 additions and 37 deletions


@ -57,7 +57,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
def _get_default_backend_rule(self, router_id): def _get_default_backend_rule(self, router_id):
"""Return the default allow-all rule entry """Return the default allow-all rule entry
This rule enrty will be added to the end of the rules list This rule entry will be added to the end of the rules list
""" """
return self.nsxpolicy.gateway_policy.build_entry( return self.nsxpolicy.gateway_policy.build_entry(
DEFAULT_RULE_NAME, DEFAULT_RULE_NAME,
@ -363,16 +363,18 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
sr_exists_on_backend = False sr_exists_on_backend = False
if sr_exists_on_backend: if sr_exists_on_backend:
# update the edge firewall if router_with_fw:
self.create_router_gateway_policy(context, router_id, self.create_or_update_router_gateway_policy(context, router_id,
router, fw_rules) router, fw_rules)
else:
if not router_with_fw:
# Do all the cleanup once the router has no more FW rules # Do all the cleanup once the router has no more FW rules
# create or update the edge firewall
# TODO(asarfaty): Consider keeping the FW with default allow
# rule instead of deletion as it may be created again soon
self.delete_router_gateway_policy(router_id) self.delete_router_gateway_policy(router_id)
self.cleanup_router_fw_resources(router_id) self.cleanup_router_fw_resources(router_id)
def create_router_gateway_policy(self, context, router_id, def create_or_update_router_gateway_policy(self, context, router_id,
router, fw_rules): router, fw_rules):
"""Create/Overwrite gateway policy for a router with firewall rules""" """Create/Overwrite gateway policy for a router with firewall rules"""
# Check if the gateway policy already exists # Check if the gateway policy already exists
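Review bot: In the second hunk the cleanup calls `delete_router_gateway_policy(router_id)` and `cleanup_router_fw_resources(router_id)` appear to have moved into the `else:` of `if router_with_fw:`, nested under `if sr_exists_on_backend:` (indentation is lost on this page, so this is inferred from the line order). If that reading is right, a router that no longer has a firewall and has no service router on the backend skips cleanup entirely, whereas the old `if not router_with_fw:` looks like it ran independently. Please confirm that no gateway policy or FW resources can be left behind on that path, or keep the cleanup outside the `sr_exists_on_backend` check. The comment `# create or update the edge firewall` also ended up in the deletion branch and belongs above the `create_or_update_router_gateway_policy` call. The enclosing method starts before the hunk.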


@ -337,20 +337,10 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
return_value={'project_id': self.project_id}),\ return_value={'project_id': self.project_id}),\
mock.patch.object(self.plugin, 'service_router_has_services', mock.patch.object(self.plugin, 'service_router_has_services',
return_value=True), \ return_value=True), \
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw: mock.patch(GW_POLICY_PATH + ".delete") as delete_fw:
self.firewall.delete_firewall_group('nsx', apply_list, firewall) self.firewall.delete_firewall_group('nsx', apply_list, firewall)
delete_fw.assert_called_once_with(
# expecting only the default allow-all rule policy_constants.DEFAULT_DOMAIN, map_id=FAKE_ROUTER_ID)
expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with(
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
category=policy_constants.CATEGORY_LOCAL_GW)
# compare rules one by one
actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules))
for index in range(len(actual_rules)):
self.assertEqual(expected_rules[index],
actual_rules[index].get_obj_dict())
def test_create_firewall_with_admin_down(self): def test_create_firewall_with_admin_down(self):
apply_list = self._fake_apply_list() apply_list = self._fake_apply_list()
@ -360,17 +350,6 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
return_value=True), \ return_value=True), \
mock.patch.object(self.plugin, '_get_router', mock.patch.object(self.plugin, '_get_router',
return_value={'project_id': self.project_id}),\ return_value={'project_id': self.project_id}),\
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw: mock.patch(GW_POLICY_PATH + ".create_with_entries") as update_fw:
self.firewall.create_firewall_group('nsx', apply_list, firewall) self.firewall.create_firewall_group('nsx', apply_list, firewall)
update_fw.assert_not_called()
# expecting only the default allow-all rule
expected_rules = [self._default_rule(0)]
update_fw.assert_called_once_with(
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
category=policy_constants.CATEGORY_LOCAL_GW)
# compare rules one by one
actual_rules = update_fw.call_args[0][2]
self.assertEqual(len(expected_rules), len(actual_rules))
for index in range(len(actual_rules)):
self.assertEqual(expected_rules[index],
actual_rules[index].get_obj_dict())
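Review bot: `test_create_firewall_with_admin_down` now only asserts `update_fw.assert_not_called()` on the `create_with_entries` patch, so it would still pass if the driver reached the backend through `update_entries`, and it does not check that a policy created before the group went admin-down is removed. If removal is the intended behaviour, consider also patching `GW_POLICY_PATH + ".delete"`, as the delete test in the previous hunk does, and asserting on it. The mock should be renamed to `create_fw`, since it no longer patches an update call. The removed assertions documented that admin-down meant an explicit allow-all rule; a short comment such as `# admin-down: no gateway policy is expected on the backend` would keep the new expectation visible. Both test bodies begin outside the hunks.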