diff --git a/vmware_nsx/db/nsxv_db.py b/vmware_nsx/db/nsxv_db.py
index 2c5b985975..42975c87e9 100644
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@@ -465,7 +465,7 @@ def add_nsxv_edge_firewallrule_binding(session, map_info):
     with session.begin(subtransactions=True):
         binding = nsxv_models.NsxvEdgeFirewallRuleBinding(
             rule_id=map_info['rule_id'],
-            rule_vseid=map_info['rule_vseid'],
+            rule_vse_id=map_info['rule_vseid'],
             edge_id=map_info['edge_id'])
         session.add(binding)
         return binding
@@ -490,7 +490,7 @@ def get_nsxv_edge_firewallrule_binding_by_vseid(
     with session.begin(subtransactions=True):
         try:
             return (session.query(nsxv_models.NsxvEdgeFirewallRuleBinding).
-                    filter_by(edge_id=edge_id, rule_vseid=rule_vseid).one())
+                    filter_by(edge_id=edge_id, rule_vse_id=rule_vseid).one())
         except exc.NoResultFound:
             msg = _("Rule Resource binding not found!")
             raise nsx_exc.NsxPluginException(err_msg=msg)
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index 046624f34b..b1479c48e7 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -86,6 +86,7 @@ from vmware_nsx.plugins.nsx_v import managers
 from vmware_nsx.plugins.nsx_v import md_proxy as nsx_v_md_proxy
 from vmware_nsx.plugins.nsx_v.vshield.common import (
     constants as vcns_const)
+from vmware_nsx.plugins.nsx_v.vshield import edge_firewall_driver
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import securitygroup_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
@@ -2108,6 +2109,23 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             nosnat_fw_rules = self._get_nosnat_subnets_fw_rules(
                 context, router)
             fake_fw_rules.extend(nosnat_fw_rules)
+
+            # Get the load balancer rules in case they are refreshed
+            edge_id = self._get_edge_id_by_rtr_id(context, router_id)
+            lb_rules = nsxv_db.get_nsxv_lbaas_loadbalancer_binding_by_edge(
+                context.session, edge_id)
+            for rule in lb_rules:
+                vsm_rule = self.nsx_v.vcns.get_firewall_rule(
+                    edge_id, rule['edge_fw_rule_id'])[1]
+                lb_fw_rule = {
+                    'action': edge_firewall_driver.FWAAS_ALLOW,
+                    'enabled': vsm_rule['enabled'],
+                    'destination_ip_address': vsm_rule['destination']['ipAddress'],
+                    'name': vsm_rule['name'],
+                    'ruleTag': vsm_rule['ruleTag']
+                }
+                fake_fw_rules.append(lb_fw_rule)
+
             # TODO(berlin): Add fw rules if fw service is supported
             fake_fw = {'firewall_rule_list': fake_fw_rules}
             edge_utils.update_firewall(self.nsx_v, context, router_id, fake_fw,
diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
index 38378eada5..fb2274950a 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@@ -152,9 +152,11 @@ class EdgeFirewallDriver(db_base_plugin_v2.NeutronDbPluginV2):
         ruleTag = 1
         vcns_rules = []
         for rule in firewall['firewall_rule_list']:
-            vcns_rule = self._convert_firewall_rule(context, rule, ruleTag)
+            tag = rule.get('ruleTag', ruleTag)
+            vcns_rule = self._convert_firewall_rule(context, rule, tag)
             vcns_rules.append(vcns_rule)
-            ruleTag += 1
+            if not rule.get('ruleTag'):
+                ruleTag += 1
         if allow_external:
             vcns_rules.append(
                 {'action': "accept",
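Review bot: The rebuilt load-balancer rule copies only the backend rule's destination, name, enabled flag and ruleTag, and hard-codes the action to `edge_firewall_driver.FWAAS_ALLOW`; any source or service restriction the VSM rule carried is dropped, so if an LB rule is ever narrower than "any source, any service" to the VIP, the refresh silently widens it. Also, `vsm_rule['destination']['ipAddress']` and `rule['edge_fw_rule_id']` are indexed unconditionally, so a binding whose rule was already removed on the edge, or a rule without a destination section, raises inside the loop and aborts the whole firewall update for the router rather than skipping that one rule; wrapping the per-rule lookup so that a missing backend rule is logged and skipped would keep the remaining rules applied. A short comment above the dict, `# Only destination/name/enabled are reproduced; source and service are left at the converter's defaults`, would at least make the narrowing assumption explicit. The enclosing method starts and ends outside this hunk.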
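Review bot: The two checks on the explicit tag disagree: `rule.get('ruleTag', ruleTag)` treats a present-but-falsy `ruleTag` (e.g. `0`) as the tag to use, while `if not rule.get('ruleTag')` treats the same value as absent and advances the counter, so `ruleTag` should be fetched once and tested with `is None` in both places. Separately, the counter is never advanced past an explicit tag, so a caller-supplied tag and a later counter-generated one can collide; if ruleTag is later used to match rules back to backend rule ids (which this hunk does not show), a collision would associate the wrong rule, so it is worth recording the tags already handed out. The enclosing method starts before this hunk.

```python
        for rule in firewall['firewall_rule_list']:
            tag = rule.get('ruleTag')
            if tag is None:
                # Caller did not pin a tag: hand out the next free counter value.
                tag = ruleTag
                ruleTag += 1
            vcns_rule = self._convert_firewall_rule(context, rule, tag)
            vcns_rules.append(vcns_rule)
        # … unchanged: allow_external rule …
```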