Merge "Keeping the load balancer firewall on edge"

vmware_nsx/db/nsxv_db.py

@@ -465,7 +465,7 @@ def add_nsxv_edge_firewallrule_binding(session, map_info):
     with session.begin(subtransactions=True):
         binding = nsxv_models.NsxvEdgeFirewallRuleBinding(
             rule_id=map_info['rule_id'],
-            rule_vseid=map_info['rule_vseid'],
+            rule_vse_id=map_info['rule_vseid'],
             edge_id=map_info['edge_id'])
         session.add(binding)
     return binding
@@ -490,7 +490,7 @@ def get_nsxv_edge_firewallrule_binding_by_vseid(
     with session.begin(subtransactions=True):
         try:
             return (session.query(nsxv_models.NsxvEdgeFirewallRuleBinding).
-                    filter_by(edge_id=edge_id, rule_vseid=rule_vseid).one())
+                    filter_by(edge_id=edge_id, rule_vse_id=rule_vseid).one())
         except exc.NoResultFound:
             msg = _("Rule Resource binding not found!")
             raise nsx_exc.NsxPluginException(err_msg=msg)

vmware_nsx/plugins/nsx_v/plugin.py

@@ -86,6 +86,7 @@ from vmware_nsx.plugins.nsx_v import managers
 from vmware_nsx.plugins.nsx_v import md_proxy as nsx_v_md_proxy
 from vmware_nsx.plugins.nsx_v.vshield.common import (
     constants as vcns_const)
+from vmware_nsx.plugins.nsx_v.vshield import edge_firewall_driver
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import securitygroup_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
@@ -2108,6 +2109,23 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         nosnat_fw_rules = self._get_nosnat_subnets_fw_rules(
             context, router)
         fake_fw_rules.extend(nosnat_fw_rules)
+
+        # Get the load balancer rules in case they are refreshed
+        edge_id = self._get_edge_id_by_rtr_id(context, router_id)
+        lb_rules = nsxv_db.get_nsxv_lbaas_loadbalancer_binding_by_edge(
+                context.session, edge_id)
+        for rule in lb_rules:
+            vsm_rule = self.nsx_v.vcns.get_firewall_rule(
+                    edge_id, rule['edge_fw_rule_id'])[1]
+            lb_fw_rule = {
+                'action': edge_firewall_driver.FWAAS_ALLOW,
+                'enabled': vsm_rule['enabled'],
+                'destination_ip_address': vsm_rule['destination']['ipAddress'],
+                'name': vsm_rule['name'],
+                'ruleTag': vsm_rule['ruleTag']
+            }
+            fake_fw_rules.append(lb_fw_rule)
+
         # TODO(berlin): Add fw rules if fw service is supported
         fake_fw = {'firewall_rule_list': fake_fw_rules}
         edge_utils.update_firewall(self.nsx_v, context, router_id, fake_fw,

vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py

@@ -152,9 +152,11 @@ class EdgeFirewallDriver(db_base_plugin_v2.NeutronDbPluginV2):
         ruleTag = 1
         vcns_rules = []
         for rule in firewall['firewall_rule_list']:
-            vcns_rule = self._convert_firewall_rule(context, rule, ruleTag)
+            tag = rule.get('ruleTag', ruleTag)
+            vcns_rule = self._convert_firewall_rule(context, rule, tag)
             vcns_rules.append(vcns_rule)
-            ruleTag += 1
+            if not rule.get('ruleTag'):
+                ruleTag += 1
         if allow_external:
             vcns_rules.append(
                 {'action': "accept",