Merge "NSX|P: Refactor GW FW creation & deletion"
This commit is contained in:
commit
e931aae5d6
@ -57,7 +57,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
|||||||
def _get_default_backend_rule(self, router_id):
|
def _get_default_backend_rule(self, router_id):
|
||||||
"""Return the default allow-all rule entry
|
"""Return the default allow-all rule entry
|
||||||
|
|
||||||
This rule enrty will be added to the end of the rules list
|
This rule entry will be added to the end of the rules list
|
||||||
"""
|
"""
|
||||||
return self.nsxpolicy.gateway_policy.build_entry(
|
return self.nsxpolicy.gateway_policy.build_entry(
|
||||||
DEFAULT_RULE_NAME,
|
DEFAULT_RULE_NAME,
|
||||||
@ -363,17 +363,19 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
|||||||
sr_exists_on_backend = False
|
sr_exists_on_backend = False
|
||||||
|
|
||||||
if sr_exists_on_backend:
|
if sr_exists_on_backend:
|
||||||
# update the edge firewall
|
if router_with_fw:
|
||||||
self.create_router_gateway_policy(context, router_id,
|
self.create_or_update_router_gateway_policy(context, router_id,
|
||||||
router, fw_rules)
|
router, fw_rules)
|
||||||
|
else:
|
||||||
|
# Do all the cleanup once the router has no more FW rules
|
||||||
|
# create or update the edge firewall
|
||||||
|
# TODO(asarfaty): Consider keeping the FW with default allow
|
||||||
|
# rule instead of deletion as it may be created again soon
|
||||||
|
self.delete_router_gateway_policy(router_id)
|
||||||
|
self.cleanup_router_fw_resources(router_id)
|
||||||
|
|
||||||
if not router_with_fw:
|
def create_or_update_router_gateway_policy(self, context, router_id,
|
||||||
# Do all the cleanup once the router has no more FW rules
|
router, fw_rules):
|
||||||
self.delete_router_gateway_policy(router_id)
|
|
||||||
self.cleanup_router_fw_resources(router_id)
|
|
||||||
|
|
||||||
def create_router_gateway_policy(self, context, router_id,
|
|
||||||
router, fw_rules):
|
|
||||||
"""Create/Overwrite gateway policy for a router with firewall rules"""
|
"""Create/Overwrite gateway policy for a router with firewall rules"""
|
||||||
# Check if the gateway policy already exists
|
# Check if the gateway policy already exists
|
||||||
try:
|
try:
|
||||||
|
@ -337,20 +337,10 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
|||||||
return_value={'project_id': self.project_id}),\
|
return_value={'project_id': self.project_id}),\
|
||||||
mock.patch.object(self.plugin, 'service_router_has_services',
|
mock.patch.object(self.plugin, 'service_router_has_services',
|
||||||
return_value=True), \
|
return_value=True), \
|
||||||
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
|
mock.patch(GW_POLICY_PATH + ".delete") as delete_fw:
|
||||||
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
|
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
|
||||||
|
delete_fw.assert_called_once_with(
|
||||||
# expecting only the default allow-all rule
|
policy_constants.DEFAULT_DOMAIN, map_id=FAKE_ROUTER_ID)
|
||||||
expected_rules = [self._default_rule(0)]
|
|
||||||
update_fw.assert_called_once_with(
|
|
||||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
|
|
||||||
category=policy_constants.CATEGORY_LOCAL_GW)
|
|
||||||
# compare rules one by one
|
|
||||||
actual_rules = update_fw.call_args[0][2]
|
|
||||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
|
||||||
for index in range(len(actual_rules)):
|
|
||||||
self.assertEqual(expected_rules[index],
|
|
||||||
actual_rules[index].get_obj_dict())
|
|
||||||
|
|
||||||
def test_create_firewall_with_admin_down(self):
|
def test_create_firewall_with_admin_down(self):
|
||||||
apply_list = self._fake_apply_list()
|
apply_list = self._fake_apply_list()
|
||||||
@ -360,17 +350,6 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
|||||||
return_value=True), \
|
return_value=True), \
|
||||||
mock.patch.object(self.plugin, '_get_router',
|
mock.patch.object(self.plugin, '_get_router',
|
||||||
return_value={'project_id': self.project_id}),\
|
return_value={'project_id': self.project_id}),\
|
||||||
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
|
mock.patch(GW_POLICY_PATH + ".create_with_entries") as update_fw:
|
||||||
self.firewall.create_firewall_group('nsx', apply_list, firewall)
|
self.firewall.create_firewall_group('nsx', apply_list, firewall)
|
||||||
|
update_fw.assert_not_called()
|
||||||
# expecting only the default allow-all rule
|
|
||||||
expected_rules = [self._default_rule(0)]
|
|
||||||
update_fw.assert_called_once_with(
|
|
||||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
|
|
||||||
category=policy_constants.CATEGORY_LOCAL_GW)
|
|
||||||
# compare rules one by one
|
|
||||||
actual_rules = update_fw.call_args[0][2]
|
|
||||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
|
||||||
for index in range(len(actual_rules)):
|
|
||||||
self.assertEqual(expected_rules[index],
|
|
||||||
actual_rules[index].get_obj_dict())
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user