Merge "NSX|P: Refactor GW FW creation & deletion"
This commit is contained in:
Zuul
Gerrit Code Review
commit
e931aae5d6
@ -57,7 +57,7 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
def _get_default_backend_rule(self, router_id):
|
||||
"""Return the default allow-all rule entry
|
||||
|
||||
This rule enrty will be added to the end of the rules list
|
||||
This rule entry will be added to the end of the rules list
|
||||
"""
|
||||
return self.nsxpolicy.gateway_policy.build_entry(
|
||||
DEFAULT_RULE_NAME,
|
||||
@ -363,16 +363,18 @@ class NsxpFwaasCallbacksV2(com_callbacks.NsxCommonv3FwaasCallbacksV2):
|
||||
sr_exists_on_backend = False
|
||||
|
||||
if sr_exists_on_backend:
|
||||
# update the edge firewall
|
||||
self.create_router_gateway_policy(context, router_id,
|
||||
if router_with_fw:
|
||||
self.create_or_update_router_gateway_policy(context, router_id,
|
||||
router, fw_rules)
|
||||
|
||||
if not router_with_fw:
|
||||
else:
|
||||
# Do all the cleanup once the router has no more FW rules
|
||||
# create or update the edge firewall
|
||||
# TODO(asarfaty): Consider keeping the FW with default allow
|
||||
# rule instead of deletion as it may be created again soon
|
||||
self.delete_router_gateway_policy(router_id)
|
||||
self.cleanup_router_fw_resources(router_id)
|
||||
|
||||
def create_router_gateway_policy(self, context, router_id,
|
||||
def create_or_update_router_gateway_policy(self, context, router_id,
|
||||
router, fw_rules):
|
||||
"""Create/Overwrite gateway policy for a router with firewall rules"""
|
||||
# Check if the gateway policy already exists
|
||||
|
||||
@ -337,20 +337,10 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
return_value={'project_id': self.project_id}),\
|
||||
mock.patch.object(self.plugin, 'service_router_has_services',
|
||||
return_value=True), \
|
||||
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
|
||||
mock.patch(GW_POLICY_PATH + ".delete") as delete_fw:
|
||||
self.firewall.delete_firewall_group('nsx', apply_list, firewall)
|
||||
|
||||
# expecting only the default allow-all rule
|
||||
expected_rules = [self._default_rule(0)]
|
||||
update_fw.assert_called_once_with(
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
|
||||
category=policy_constants.CATEGORY_LOCAL_GW)
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
||||
for index in range(len(actual_rules)):
|
||||
self.assertEqual(expected_rules[index],
|
||||
actual_rules[index].get_obj_dict())
|
||||
delete_fw.assert_called_once_with(
|
||||
policy_constants.DEFAULT_DOMAIN, map_id=FAKE_ROUTER_ID)
|
||||
|
||||
def test_create_firewall_with_admin_down(self):
|
||||
apply_list = self._fake_apply_list()
|
||||
@ -360,17 +350,6 @@ class NsxpFwaasTestCase(test_p_plugin.NsxPPluginTestCaseMixin):
|
||||
return_value=True), \
|
||||
mock.patch.object(self.plugin, '_get_router',
|
||||
return_value={'project_id': self.project_id}),\
|
||||
mock.patch(GW_POLICY_PATH + ".update_entries") as update_fw:
|
||||
mock.patch(GW_POLICY_PATH + ".create_with_entries") as update_fw:
|
||||
self.firewall.create_firewall_group('nsx', apply_list, firewall)
|
||||
|
||||
# expecting only the default allow-all rule
|
||||
expected_rules = [self._default_rule(0)]
|
||||
update_fw.assert_called_once_with(
|
||||
policy_constants.DEFAULT_DOMAIN, FAKE_ROUTER_ID, mock.ANY,
|
||||
category=policy_constants.CATEGORY_LOCAL_GW)
|
||||
# compare rules one by one
|
||||
actual_rules = update_fw.call_args[0][2]
|
||||
self.assertEqual(len(expected_rules), len(actual_rules))
|
||||
for index in range(len(actual_rules)):
|
||||
self.assertEqual(expected_rules[index],
|
||||
actual_rules[index].get_obj_dict())
|
||||
update_fw.assert_not_called()
|
||||
|
||||
Loading…
Reference in New Issue
Block a user