From 75494e4647b9f98b6911827fc6af86df22698c06 Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Wed, 27 Feb 2013 02:28:25 +0100
Subject: [PATCH] NVP Router: Do no perfom SNAT on E-W traffic

Bug 1130053

This patch ensures 'No Snat' rules are enforced in order to avoid source natting on east-west traffic.

Change-Id: I967e72e7b6bc8e2763c0fbdf6deeafb43ff27f54
---
 .../nicira/nicira_nvp_plugin/QuantumPlugin.py | 14 ++++++++--
 .../nicira/nicira_nvp_plugin/nvplib.py        | 26 ++++++++++++++++++-
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py b/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
index 3ec2ddda8e..93cc945e49 100644
--- a/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
+++ b/quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
@@ -71,6 +71,7 @@ from quantum.plugins.nicira.nicira_nvp_plugin import NvpApiClient
 from quantum.plugins.nicira.nicira_nvp_plugin import nvplib
 
 LOG = logging.getLogger("QuantumPlugin")
 
+NVP_NOSNAT_RULES_ORDER = 10
 NVP_FLOATINGIP_NAT_RULES_ORDER = 200
 NVP_EXTGW_NAT_RULES_ORDER = 255
@@ -1667,7 +1668,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
                 cluster, context, router_id, port,
                 "PatchAttachment", ls_port['uuid'],
                 subnet_ids=[subnet_id])
-
+            subnet = self._get_subnet(context, subnet_id)
             # If there is an external gateway we need to configure the SNAT rule.
             # Fetch router from DB
             router = self._get_router(context, router_id)
@@ -1677,11 +1678,14 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
                 # In that case we will consider only the first one
                 if gw_port.get('fixed_ips'):
                     snat_ip = gw_port['fixed_ips'][0]['ip_address']
-                    subnet = self._get_subnet(context, subnet_id)
                     nvplib.create_lrouter_snat_rule(
                         cluster, router_id, snat_ip, snat_ip,
                         order=NVP_EXTGW_NAT_RULES_ORDER,
                         match_criteria={'source_ip_addresses': subnet['cidr']})
+                    nvplib.create_lrouter_nosnat_rule(
+                        cluster, router_id,
+                        order=NVP_NOSNAT_RULES_ORDER,
+                        match_criteria={'destination_ip_addresses': subnet['cidr']})
 
             # Ensure the NVP logical router has a connection to a 'metadata access'
             # network (with a proxy listening on its DHCP port), by creating it
@@ -1761,6 +1765,12 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
                     cluster, router_id, "SourceNatRule",
                     max_num_expected=1, min_num_expected=1,
                     source_ip_addresses=subnet['cidr'])
+                # Relax the minimum expected number as the nosnat rules
+                # do not exist in 2.x deployments
+                nvplib.delete_nat_rules_by_match(
+                    cluster, router_id, "NoSourceNatRule",
+                    max_num_expected=1, min_num_expected=0,
+                    destination_ip_addresses=subnet['cidr'])
             nvplib.delete_router_lport(cluster, router_id, lrouter_port_id)
         except NvpApiClient.ResourceNotFound:
             raise nvp_exc.NvpPluginException(
diff --git a/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py b/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
index 0bbabd5984..6ca93fc077 100644
--- a/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
+++ b/quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
@@ -1124,6 +1124,11 @@ def _build_snat_rule_obj(min_src_ip, max_src_ip, nat_match_obj):
             "match": nat_match_obj}
 
 
+def create_lrouter_nosnat_rule_v2(cluster, _router_id, _match_criteria=None):
+    LOG.info(_("No SNAT rules cannot be applied as they are not available in "
+               "this version of the NVP platform"))
+
+
 def create_lrouter_snat_rule_v2(cluster, router_id, min_src_ip, max_src_ip,
                                 match_criteria=None):
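Review bot: The NoSourceNatRule is created only here, in the add-interface path right after the SNAT rule, so a router whose external gateway is set after its interfaces were attached would, if the gateway-update path outside this diff creates the per-subnet SNAT rules the way this hunk does, end up with SNAT rules and no matching NoSNAT rules, and east-west traffic for those subnets would still be source-NATed; that path needs the same nosnat call. The new call also deserves a comment on why it exists and why it uses NVP_NOSNAT_RULES_ORDER, e.g. `# Order 10 sorts ahead of the gateway SNAT rule (order 255), assuming a lower order wins as for the floating-IP rules: traffic addressed to a subnet attached to this router must bypass source NAT.` The enclosing method starts before and ends after this hunk.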
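Review bot: The comment above the new delete_nat_rules_by_match call justifies min_num_expected=0 only by 2.x deployments, but on a 3.x deployment a router whose interfaces were attached before this patch also has a SourceNatRule and no NoSourceNatRule, so the relaxation is needed for upgraded routers too; a reader might otherwise tighten it to 1 once 2.x support is dropped and break interface removal on those routers. Suggest `# Relax the minimum expected number: nosnat rules do not exist in 2.x deployments, nor on routers whose interfaces were attached before nosnat rules were introduced`. The enclosing method starts before and ends after this hunk.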
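Review bot: create_lrouter_nosnat_rule_v2 logs at INFO and returns None, so on a 2.x NVP platform the caller in QuantumPlugin proceeds as if the rule were in place while east-west traffic between that router's subnets keeps being source-NATed; a silent divergence between the requested and the applied NAT configuration warrants WARNING level and the router id, e.g. `LOG.warning(_("No SNAT rule for router %s cannot be applied as it is not available in this version of the NVP platform"), _router_id)`. A one-line docstring saying this is the 2.x fallback that intentionally creates nothing would also help, since the real implementation is the v3 sibling in the next hunk.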
@@ -1147,6 +1152,18 @@ def create_lrouter_dnat_rule_v2(cluster, router_id, dst_ip,
     return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
 
 
+def create_lrouter_nosnat_rule_v3(cluster, router_id, order=None,
+                                  match_criteria=None):
+    nat_match_obj = _create_nat_match_obj(**match_criteria)
+    nat_rule_obj = {
+        "type": "NoSourceNatRule",
+        "match": nat_match_obj
+    }
+    if order:
+        nat_rule_obj['order'] = order
+    return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
+
+
 def create_lrouter_snat_rule_v3(cluster, router_id, min_src_ip, max_src_ip,
                                 order=None, match_criteria=None):
     nat_match_obj = _create_nat_match_obj(**match_criteria)
@@ -1182,6 +1199,11 @@ def create_lrouter_snat_rule(cluster, *args, **kwargs):
     pass
 
 
+@version_dependent
+def create_lrouter_nosnat_rule(cluster, *args, **kwargs):
+    pass
+
+
 def delete_nat_rules_by_match(cluster, router_id, rule_type,
                               max_num_expected,
                               min_num_expected=0,
@@ -1283,7 +1305,9 @@ NVPLIB_FUNC_DICT = {
     'create_lrouter_dnat_rule': {2: create_lrouter_dnat_rule_v2,
                                  3: create_lrouter_dnat_rule_v3},
     'create_lrouter_snat_rule': {2: create_lrouter_snat_rule_v2,
-                                 3: create_lrouter_snat_rule_v3}
+                                 3: create_lrouter_snat_rule_v3},
+    'create_lrouter_nosnat_rule': {2: create_lrouter_nosnat_rule_v2,
+                                   3: create_lrouter_nosnat_rule_v3}
 }
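Review bot: In create_lrouter_nosnat_rule_v3 the match_criteria parameter defaults to None but is splatted straight into `_create_nat_match_obj(**match_criteria)`, so a call without criteria fails with an unpacking TypeError rather than a meaningful error (the QuantumPlugin caller always passes a dict, and the snat_v3 sibling in the context shares the pattern). Since an unconstrained NoSourceNatRule would exempt all of the router's traffic from SNAT, failing is the right outcome but should be explicit: `if not match_criteria:` followed by `raise ValueError("match_criteria is required for a NoSourceNatRule")` before the splat. `if order:` also drops an explicit order of 0; `if order is not None:` keeps it. A docstring is missing too, e.g. "Create a NoSourceNatRule on logical router router_id; traffic matching match_criteria is exempted from source NAT, and order, when given, sets the rule's position among the router's NAT rules."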