Dave Cahill da71f604ba Midonet plugin: Fix source NAT
Source NAT rule was being applied on the incorrect port.
It was being applied to the Neutron gateway port, not to
the MidoNet tenant / provider router link port.

Change-Id: Ib818c09adfb6957b7cad4523e5ce1fdffde9590b
Closes-Bug: #1261665
2013-12-18 04:04:14 +00:00


# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright (C) 2012 Midokura Japan K.K.
# Copyright (C) 2013 Midokura PTE LTD
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# @author: Takaaki Suzuki, Midokura Japan KK
# @author: Tomoe Sugihara, Midokura Japan KK
# @author: Ryu Ishimoto, Midokura Japan KK
# @author: Rossella Sblendido, Midokura Japan KK
# @author: Duarte Nunes, Midokura Japan KK
from midonetclient import api
from oslo.config import cfg
from sqlalchemy.orm import exc as sa_exc
from neutron.api.v2 import attributes
from neutron.common import constants
from neutron.common import exceptions as n_exc
from neutron.common import rpc as n_rpc
from neutron.common import topics
from neutron.db import agents_db
from neutron.db import agentschedulers_db
from neutron.db import api as db
from neutron.db import db_base_plugin_v2
from neutron.db import dhcp_rpc_base
from neutron.db import external_net_db
from neutron.db import l3_db
from neutron.db import models_v2
from neutron.db import portbindings_db
from neutron.db import securitygroups_db
from neutron.extensions import external_net as ext_net
from neutron.extensions import l3
from neutron.extensions import portbindings
from neutron.extensions import securitygroup as ext_sg
from neutron.openstack.common import excutils
from neutron.openstack.common import log as logging
from neutron.openstack.common import rpc
from neutron.plugins.midonet.common import config # noqa
from neutron.plugins.midonet.common import net_util
from neutron.plugins.midonet import midonet_lib
# Module-level logger; the plugin methods below log their entry/exit on it.
LOG = logging.getLogger(__name__)
# Request-body key under which the L3 extension carries external gateway info.
EXTERNAL_GW_INFO = l3.EXTERNAL_GW_INFO
# Destination prefix used for the metadata-server DHCP route option and the
# router route towards the metadata proxy.
METADATA_DEFAULT_IP = "169.254.169.254/32"
# Property keys stamped on MidoNet rules so that the rules created for a
# floating IP, a security group rule or a router's SNAT can later be found
# and removed by remove_rules_by_property.
OS_FLOATING_IP_RULE_KEY = 'OS_FLOATING_IP'
OS_SG_RULE_KEY = 'OS_SG_RULE_ID'
OS_TENANT_ROUTER_RULE_KEY = 'OS_TENANT_ROUTER_RULE'
# Name templates for the MidoNet chains and port groups owned by this
# plugin; %s is the ID of the owning router, port or security group.
PRE_ROUTING_CHAIN_NAME = "OS_PRE_ROUTING_%s"
PORT_INBOUND_CHAIN_NAME = "OS_PORT_%s_INBOUND"
PORT_OUTBOUND_CHAIN_NAME = "OS_PORT_%s_OUTBOUND"
POST_ROUTING_CHAIN_NAME = "OS_POST_ROUTING_%s"
SG_INGRESS_CHAIN_NAME = "OS_SG_%s_INGRESS"
SG_EGRESS_CHAIN_NAME = "OS_SG_%s_EGRESS"
SG_PORT_GROUP_NAME = "OS_PG_%s"
# Value stored under OS_TENANT_ROUTER_RULE_KEY on a router's SNAT rules.
SNAT_RULE = 'SNAT'
def _get_nat_ips(type, fip):
    """Get NAT IP address information.

    From the route type given, determine the source and target IP addresses
    from the provided floating IP DB object: 'pre-routing' maps the floating
    address onto the fixed one, 'post-routing' the reverse.

    :param type: 'pre-routing' or 'post-routing'
    :param fip: floating IP dict providing 'floating_ip_address' and
        'fixed_ip_address'
    :returns: (source address, target address)
    :raises ValueError: for any other ``type``
    """
    key_order = {
        'pre-routing': ("floating_ip_address", "fixed_ip_address"),
        'post-routing': ("fixed_ip_address", "floating_ip_address"),
    }
    try:
        src_key, dst_key = key_order[type]
    except KeyError:
        raise ValueError(_("Invalid nat_type %s") % type)
    return fip[src_key], fip[dst_key]
def _nat_chain_names(router_id):
    """Get the chain names for NAT.

    These names are used to associate MidoNet chains to the NAT rules
    applied to the router.  The result is keyed by NAT stage, 'pre-routing'
    and 'post-routing', with the corresponding chain name as the value.
    """
    return {
        'pre-routing': PRE_ROUTING_CHAIN_NAME % router_id,
        'post-routing': POST_ROUTING_CHAIN_NAME % router_id,
    }
def _sg_chain_names(sg_id):
    """Get the chain names for security group.

    These names are used to associate a security group to MidoNet chains,
    one per direction; the result is keyed 'ingress' and 'egress'.
    """
    return {
        'ingress': SG_INGRESS_CHAIN_NAME % sg_id,
        'egress': SG_EGRESS_CHAIN_NAME % sg_id,
    }
def _port_chain_names(port_id):
    """Get the chain names for a port.

    These are the per-port chains that hold the security group jump rules;
    the result is keyed 'inbound' and 'outbound'.
    """
    return {
        'inbound': PORT_INBOUND_CHAIN_NAME % port_id,
        'outbound': PORT_OUTBOUND_CHAIN_NAME % port_id,
    }
def _sg_port_group_name(sg_id):
    """Get the port group name for a security group.

    This name is used to associate a security group to MidoNet port groups.
    """
    name = SG_PORT_GROUP_NAME % sg_id
    return name
def _rule_direction(sg_direction):
    """Convert the SG direction to MidoNet direction.

    MidoNet terms them 'inbound' and 'outbound' instead of 'ingress' and
    'egress'. Also, the direction is reversed since MidoNet sees it
    from the network port's point of view, not the VM's.

    :raises ValueError: for a direction other than 'ingress' / 'egress'
    """
    to_midonet = {'ingress': 'outbound', 'egress': 'inbound'}
    try:
        return to_midonet[sg_direction]
    except KeyError:
        raise ValueError(_("Unrecognized direction %s") % sg_direction)
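def _is_router_interface_port(port):
    """Check whether the given port is a router interface port.

    Compares for equality: DEVICE_OWNER_ROUTER_INTF is a single
    device-owner string, so the previous ``in`` test was a substring match
    that also accepted an empty ``device_owner``.
    """
    return port['device_owner'] == l3_db.DEVICE_OWNER_ROUTER_INTF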
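def _is_router_gw_port(port):
    """Check whether the given port is a router gateway port.

    Compares for equality: DEVICE_OWNER_ROUTER_GW is a single device-owner
    string, so the previous ``in`` test was a substring match that also
    accepted an empty ``device_owner``.
    """
    return port['device_owner'] == l3_db.DEVICE_OWNER_ROUTER_GW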
def _is_vif_port(port):
    """Check whether the given port is a standard VIF port.

    A VIF port is any port that is neither a DHCP port nor a router
    gateway / router interface port.
    """
    device_owner = port['device_owner']
    if _is_dhcp_port(port):
        return False
    router_owners = (l3_db.DEVICE_OWNER_ROUTER_GW,
                     l3_db.DEVICE_OWNER_ROUTER_INTF)
    return device_owner not in router_owners
def _is_dhcp_port(port):
    """Check whether the given port is a DHCP port.

    True when ``device_owner`` starts with 'network:dhcp'.
    """
    return port['device_owner'].startswith('network:dhcp')
def _check_resource_exists(func, id, name, raise_exc=False):
    """Check whether the given resource exists in MidoNet data store.

    ``func`` is called with ``id``.  A MidonetResourceNotFound is logged
    and, when ``raise_exc`` is set, converted into a MidonetPluginException;
    any other exception propagates untouched.

    :param func: MidoNet lookup callable taking the resource ID
    :param id: resource ID (shadows the builtin; kept for callers)
    :param name: resource kind used in the log message
    :param raise_exc: re-raise as MidonetPluginException when True
    """
    try:
        func(id)
    except midonet_lib.MidonetResourceNotFound as exc:
        LOG.error(_("There is no %(name)s with ID %(id)s in MidoNet."),
                  {"name": name, "id": id})
        if not raise_exc:
            return
        raise MidonetPluginException(msg=exc)
class MidoRpcCallbacks(dhcp_rpc_base.DhcpRpcCallbackMixin):
    """RPC callback target for the MidoNet plugin (DHCP agent RPC)."""

    RPC_API_VERSION = '1.1'

    def create_rpc_dispatcher(self):
        """Get the rpc dispatcher for this manager.

        This a basic implementation that will call the plugin like get_ports
        and handle basic events.  If a manager would like to set an rpc API
        version, or support more than one class as the target of rpc
        messages, override this method.
        """
        targets = [self, agents_db.AgentExtRpcCallback()]
        return n_rpc.PluginRpcDispatcher(targets)
class MidonetPluginException(n_exc.NeutronException):
    # Generic plugin error; callers pass the full text as ``msg``.
    message = _("%(msg)s")
class MidonetPluginV2(db_base_plugin_v2.NeutronDbPluginV2,
portbindings_db.PortBindingMixin,
external_net_db.External_net_db_mixin,
l3_db.L3_NAT_db_mixin,
agentschedulers_db.DhcpAgentSchedulerDbMixin,
securitygroups_db.SecurityGroupDbMixin):
supported_extension_aliases = ['external-net', 'router', 'security-group',
'agent', 'dhcp_agent_scheduler', 'binding']
__native_bulk_support = False
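def __init__(self):
    """Connect to the MidoNet API, start RPC and initialise the DB layer.

    Reads the MIDONET config section: API URI, admin credentials, admin
    project ID and the provider router ID.

    :raises MidonetPluginException: if ``provider_router_id`` is not set
    """
    # Read config values
    midonet_conf = cfg.CONF.MIDONET
    midonet_uri = midonet_conf.midonet_uri
    admin_user = midonet_conf.username
    admin_pass = midonet_conf.password
    admin_project_id = midonet_conf.project_id
    self.provider_router_id = midonet_conf.provider_router_id
    # Lazily fetched by _get_provider_router.
    self.provider_router = None
    # Admin credentials are handed to the API client only; never log them.
    self.mido_api = api.MidonetApi(midonet_uri, admin_user,
                                   admin_pass,
                                   project_id=admin_project_id)
    self.client = midonet_lib.MidoClient(self.mido_api)
    # self.provider_router_id should have been set.
    if self.provider_router_id is None:
        msg = _('provider_router_id should be configured in the plugin '
                'config file')
        # LOG.error, not LOG.exception: there is no active exception
        # here, so there is no traceback to attach.
        LOG.error(msg)
        raise MidonetPluginException(msg=msg)
    self.setup_rpc()
    db.configure_db()
    # Port binding attributes reported for every port of this plugin.
    self.base_binding_dict = {
        portbindings.VIF_TYPE: portbindings.VIF_TYPE_MIDONET,
        portbindings.CAPABILITIES: {
            portbindings.CAP_PORT_FILTER:
            'security-group' in self.supported_extension_aliases}}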
def _get_provider_router(self):
if self.provider_router is None:
self.provider_router = self.client.get_router(
self.provider_router_id)
return self.provider_router
def _dhcp_mappings(self, context, fixed_ips, mac):
    """Yield (cidr, ip, mac) for each fixed IP that needs a DHCP host entry.

    Fixed IPs on IPv6 subnets and on subnets with DHCP disabled are
    skipped.
    """
    for fixed_ip in fixed_ips:
        subnet = self._get_subnet(context, fixed_ip["subnet_id"])
        # TODO(ryu) handle IPv6
        skip = subnet["ip_version"] == 6 or not subnet["enable_dhcp"]
        if skip:
            continue
        yield subnet['cidr'], fixed_ip["ip_address"], mac
def _metadata_subnets(self, context, fixed_ips):
    """Yield (cidr, ip) for each IPv4 fixed IP; IPv6 subnets are skipped."""
    for fixed_ip in fixed_ips:
        subnet = self._get_subnet(context, fixed_ip["subnet_id"])
        if subnet["ip_version"] != 6:
            yield subnet['cidr'], fixed_ip["ip_address"]
def _initialize_port_chains(self, port, in_chain, out_chain, sg_ids):
    """Populate a VIF port's inbound and outbound MidoNet chains.

    ``in_chain`` receives, in order: a MAC anti-spoofing drop, one IPv4
    anti-spoofing drop per fixed IP, and an accept for known forward
    flows.  ``out_chain`` receives one jump per security group ingress
    chain, an accept for return flows, and a final drop of everything
    except ARP.  Rules are ordered by ``position``.

    :param port: port dict; ``tenant_id``, ``mac_address`` and
        ``fixed_ips`` are read
    :param in_chain: MidoNet chain for traffic entering from the port
    :param out_chain: MidoNet chain for traffic leaving towards the port
    :param sg_ids: security group IDs bound to the port, or None/empty
    """
    tenant_id = port["tenant_id"]
    position = 1
    # mac spoofing protection: inv_dl_src inverts the match, so frames
    # whose source MAC differs from the port's own MAC are dropped.
    self._add_chain_rule(in_chain, action='drop',
                         dl_src=port["mac_address"], inv_dl_src=True,
                         position=position)
    # ip spoofing protection: one inverted /32 match per fixed IP,
    # limited to IPv4 by dl_type.
    # NOTE(review): with two or more fixed IPs each rule drops packets not
    # sourced from *its own* IP, so every packet appears to hit one of
    # them -- confirm MidoNet chain semantics and the intent for multi-IP
    # ports.  An IPv6 fixed IP would also be rendered as "<addr>/32" here.
    for fixed_ip in port["fixed_ips"]:
        position += 1
        self._add_chain_rule(in_chain, action="drop",
                             src_addr=fixed_ip["ip_address"] + "/32",
                             inv_nw_src=True, dl_type=0x0800,  # IPv4
                             position=position)
    # conntrack: accept packets belonging to an already-seen forward flow
    position += 1
    self._add_chain_rule(in_chain, action='accept',
                         match_forward_flow=True,
                         position=position)
    # Reset the position to process egress
    position = 1
    # Add rule for SGs: the SG's *ingress* chain is wired into the port's
    # outbound chain (see _rule_direction for the naming reversal)
    if sg_ids:
        for sg_id in sg_ids:
            chain_name = _sg_chain_names(sg_id)["ingress"]
            chain = self.client.get_chain_by_name(tenant_id, chain_name)
            self._add_chain_rule(out_chain, action='jump',
                                 jump_chain_id=chain.get_id(),
                                 jump_chain_name=chain_name,
                                 position=position)
            position += 1
    # add reverse flow matching at the end
    self._add_chain_rule(out_chain, action='accept',
                         match_return_flow=True,
                         position=position)
    position += 1
    # fall back DROP rule at the end except for ARP (inv_dl_type inverts
    # the ethertype match, so only non-ARP frames are dropped)
    self._add_chain_rule(out_chain, action='drop',
                         dl_type=0x0806,  # ARP
                         inv_dl_type=True, position=position)
def _bind_port_to_sgs(self, context, port, sg_ids):
    """Bind a port to its security groups.

    Records the bindings in the Neutron DB, then adds the port to the
    MidoNet port group of every security group.  A ``sg_ids`` of None
    skips the port-group step.
    """
    self._process_port_create_security_group(context, port, sg_ids)
    if sg_ids is None:
        return
    for sg_id in sg_ids:
        self.client.add_port_to_port_group_by_name(
            port["tenant_id"], _sg_port_group_name(sg_id), port["id"])
def _unbind_port_from_sgs(self, context, port_id):
    """Drop the port's SG bindings in Neutron and leave all MidoNet port
    groups."""
    self._delete_port_security_group_bindings(context, port_id)
    self.client.remove_port_from_port_groups(port_id)
def _create_accept_chain_rule(self, context, sg_rule, chain=None):
    """Add a MidoNet 'accept' rule mirroring one Neutron SG rule.

    The rule goes into the security group's chain for the rule's direction
    (looked up by name unless ``chain`` is given).  A ``remote_group_id``
    is matched through a port group; the remote prefix and port range are
    matched on the destination side for egress rules and on the source
    side otherwise.  The MidoNet rule is tagged with the SG rule ID so it
    can be removed later.

    NOTE(review): the port group is looked up by the rule's own sg_id, not
    by remote_group_id; for a rule whose remote group is a different SG
    this matches that SG's own members -- confirm this is intended.

    :returns: the result of ``_add_chain_rule``
    """
    direction = sg_rule["direction"]
    tenant_id = sg_rule["tenant_id"]
    sg_id = sg_rule["security_group_id"]
    chain_name = _sg_chain_names(sg_id)[direction]
    if chain is None:
        chain = self.client.get_chain_by_name(tenant_id, chain_name)
    pg_id = None
    if sg_rule["remote_group_id"] is not None:
        pg = self.client.get_port_group_by_name(
            tenant_id, _sg_port_group_name(sg_id))
        pg_id = pg.get_id()
    props = {OS_SG_RULE_KEY: str(sg_rule["id"])}
    # Determine source or destination address by looking at direction
    unset = (None, None, None, None)
    remote = (pg_id, sg_rule["remote_ip_prefix"],
              sg_rule["port_range_min"], sg_rule["port_range_max"])
    if direction == "egress":
        src_side, dst_side = unset, remote
    else:
        src_side, dst_side = remote, unset
    src_pg_id, src_addr, src_port_from, src_port_to = src_side
    dst_pg_id, dst_addr, dst_port_from, dst_port_to = dst_side
    return self._add_chain_rule(
        chain, action='accept', port_group_src=src_pg_id,
        port_group_dst=dst_pg_id,
        src_addr=src_addr, src_port_from=src_port_from,
        src_port_to=src_port_to,
        dst_addr=dst_addr, dst_port_from=dst_port_from,
        dst_port_to=dst_port_to,
        nw_proto=net_util.get_protocol_value(sg_rule["protocol"]),
        dl_type=net_util.get_ethertype_value(sg_rule["ethertype"]),
        properties=props)
def _remove_nat_rules(self, context, fip):
    """Tear down the MidoNet state of a floating IP association.

    Removes the floating address's static route from the provider router
    and every rule tagged with the floating IP's ID from the tenant
    router's pre-/post-routing chains.
    """
    router = self.client.get_router(fip["router_id"])
    self.client.remove_static_route(self._get_provider_router(),
                                    fip["floating_ip_address"])
    for chain_name in _nat_chain_names(router.get_id()).values():
        self.client.remove_rules_by_property(
            router.get_tenant_id(), chain_name,
            OS_FLOATING_IP_RULE_KEY, fip["id"])
def setup_rpc(self):
    """Start consuming plugin RPC on the plugin topic in a background
    thread."""
    # RPC support
    self.conn = rpc.create_connection(new=True)
    self.topic = topics.PLUGIN
    self.callbacks = MidoRpcCallbacks()
    self.dispatcher = self.callbacks.create_rpc_dispatcher()
    self.conn.create_consumer(self.topic, self.dispatcher, fanout=False)
    # Consume from all consumers in a thread
    self.conn.consume_in_thread()
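def create_subnet(self, context, subnet):
    """Create Neutron subnet.

    Creates a Neutron subnet and, when DHCP is enabled, a DHCP entry in
    the MidoNet bridge.  For a subnet on an external network the bridge is
    additionally linked to the provider router using the subnet's gateway
    IP.

    :param subnet: request body, ``{'subnet': {...}}``
    :returns: the subnet dict created by the base plugin
    """
    LOG.debug(_("MidonetPluginV2.create_subnet called: subnet=%r"), subnet)
    s = subnet["subnet"]
    net = super(MidonetPluginV2, self).get_network(
        context, s['network_id'], fields=None)
    session = context.session
    with session.begin(subtransactions=True):
        sn_entry = super(MidonetPluginV2, self).create_subnet(context,
                                                              subnet)
        bridge = self.client.get_bridge(sn_entry['network_id'])
        gateway_ip = s['gateway_ip']
        cidr = s['cidr']
        if s['enable_dhcp']:
            # ATTR_NOT_SPECIFIED means the client sent no value; pass None
            # to MidoNet rather than the sentinel object.
            dns_nameservers = None
            host_routes = None
            if s['dns_nameservers'] is not attributes.ATTR_NOT_SPECIFIED:
                dns_nameservers = s['dns_nameservers']
            if s['host_routes'] is not attributes.ATTR_NOT_SPECIFIED:
                host_routes = s['host_routes']
            self.client.create_dhcp(bridge, gateway_ip, cidr,
                                    host_rts=host_routes,
                                    dns_servers=dns_nameservers)
        # For external network, link the bridge to the provider router.
        # Uses the same key constant as delete_subnet so both paths agree.
        # NOTE(review): gateway_ip may be None for a subnet created
        # without a gateway; how add_router_port treats that is not
        # visible here.
        if net[ext_net.EXTERNAL]:
            self._link_bridge_to_gw_router(
                bridge, self._get_provider_router(), gateway_ip, cidr)
    LOG.debug(_("MidonetPluginV2.create_subnet exiting: sn_entry=%r"),
              sn_entry)
    return sn_entry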
def delete_subnet(self, context, id):
    """Delete Neutron subnet.

    Deletes the Neutron subnet, its DHCP entry on the MidoNet bridge (when
    DHCP was enabled) and, for an external network, the bridge's link to
    the provider router.
    """
    LOG.debug(_("MidonetPluginV2.delete_subnet called: id=%s"), id)
    base = super(MidonetPluginV2, self)
    subnet = base.get_subnet(context, id, fields=None)
    net = base.get_network(context, subnet['network_id'], fields=None)
    with context.session.begin(subtransactions=True):
        base.delete_subnet(context, id)
        bridge = self.client.get_bridge(subnet['network_id'])
        if subnet['enable_dhcp']:
            self.client.delete_dhcp(bridge, subnet['cidr'])
        # If the network is external, clean up routes, links, ports
        if net[ext_net.EXTERNAL]:
            self._unlink_bridge_from_gw_router(
                bridge, self._get_provider_router())
    LOG.debug(_("MidonetPluginV2.delete_subnet exiting"))
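def create_network(self, context, network):
    """Create Neutron network.

    Creates the MidoNet bridge first so that its ID can be used as the
    Neutron network ID, then creates the Neutron network in one DB
    transaction.  If the Neutron side fails, the bridge is deleted again
    before the exception propagates (the same clean-up pattern as
    create_port and create_router).

    :param network: request body, ``{'network': {...}}``
    :returns: the Neutron network dict
    """
    LOG.debug(_('MidonetPluginV2.create_network called: network=%r'),
              network)
    net_data = network['network']
    tenant_id = self._get_tenant_id_for_create(context, net_data)
    net_data['tenant_id'] = tenant_id
    self._ensure_default_security_group(context, tenant_id)
    bridge = self.client.create_bridge(**net_data)
    net_data['id'] = bridge.get_id()
    try:
        session = context.session
        with session.begin(subtransactions=True):
            net = super(MidonetPluginV2, self).create_network(context,
                                                              network)
            self._process_l3_create(context, net, net_data)
    except Exception:
        # Do not leave an orphaned bridge behind when the DB side fails.
        with excutils.save_and_reraise_exception():
            LOG.error(_("Failed to create network %(id)s in Neutron; "
                        "removing MidoNet bridge"), {"id": net_data['id']})
            self.client.delete_bridge(bridge.get_id())
    LOG.debug(_("MidonetPluginV2.create_network exiting: net=%r"), net)
    return net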
def update_network(self, context, id, network):
    """Update Neutron network.

    Updates the Neutron network (including its L3/external attributes) and
    the corresponding MidoNet bridge within one DB transaction.
    """
    LOG.debug(_("MidonetPluginV2.update_network called: id=%(id)r, "
                "network=%(network)r"), {'id': id, 'network': network})
    net_data = network['network']
    with context.session.begin(subtransactions=True):
        net = super(MidonetPluginV2, self).update_network(
            context, id, network)
        self._process_l3_update(context, net, net_data)
        self.client.update_bridge(id, **net_data)
    LOG.debug(_("MidonetPluginV2.update_network exiting: net=%r"), net)
    return net
def get_network(self, context, id, fields=None):
    """Get Neutron network.

    Retrieves the Neutron network and checks that its MidoNet bridge
    exists; the bridge itself is not returned.
    """
    LOG.debug(_("MidonetPluginV2.get_network called: id=%(id)r, "
                "fields=%(fields)r"), {'id': id, 'fields': fields})
    qnet = super(MidonetPluginV2, self).get_network(context, id, fields)
    # Existence check only; the result is discarded.  Presumably raises
    # MidonetResourceNotFound when the bridge is missing.
    self.client.get_bridge(id)
    LOG.debug(_("MidonetPluginV2.get_network exiting: qnet=%r"), qnet)
    return qnet
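def delete_network(self, context, id):
    """Delete a network and its corresponding MidoNet bridge.

    The bridge is removed first; if the Neutron DB delete then fails the
    error is logged with its traceback (the bridge is already gone) and
    re-raised.
    """
    LOG.debug(_("MidonetPluginV2.delete_network called: id=%r"), id)
    self.client.delete_bridge(id)
    try:
        super(MidonetPluginV2, self).delete_network(context, id)
    except Exception:
        # The two literals used to run together ("bridge=%rhad been");
        # LOG.exception also records the traceback we are re-raising.
        LOG.exception(_('Failed to delete neutron db, while Midonet '
                        'bridge=%r had been deleted'), id)
        raise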
def create_port(self, context, port):
    """Create a L2 port in Neutron/MidoNet.

    A MidoNet bridge port is created first and its ID becomes the Neutron
    port ID.  Inside the DB transaction, VIF ports get their security
    groups bound, per-port inbound/outbound chains created and initialised
    (anti-spoofing, SG jumps) and DHCP host mappings; DHCP ports get a
    metadata route option instead; router gateway/interface ports get
    neither.  Any failure deletes the bridge port again before the
    exception propagates.

    :param port: request body, ``{'port': {...}}``
    :returns: the Neutron port dict
    """
    LOG.debug(_("MidonetPluginV2.create_port called: port=%r"), port)
    port_data = port['port']
    # Create a bridge port in MidoNet and set the bridge port ID as the
    # port ID in Neutron.
    bridge = self.client.get_bridge(port_data["network_id"])
    tenant_id = bridge.get_tenant_id()
    asu = port_data.get("admin_state_up", True)
    bridge_port = self.client.add_bridge_port(bridge,
                                              admin_state_up=asu)
    port_data["id"] = bridge_port.get_id()
    try:
        session = context.session
        with session.begin(subtransactions=True):
            # Create a Neutron port
            new_port = super(MidonetPluginV2, self).create_port(context,
                                                                port)
            port_data.update(new_port)
            self._ensure_default_security_group_on_port(context,
                                                        port)
            if _is_vif_port(port_data):
                # Bind security groups to the port
                sg_ids = self._get_security_groups_on_port(context, port)
                self._bind_port_to_sgs(context, new_port, sg_ids)
                # Create port chains, owned by the bridge's tenant
                port_chains = {}
                for d, name in _port_chain_names(
                        new_port["id"]).iteritems():
                    port_chains[d] = self.client.create_chain(tenant_id,
                                                              name)
                self._initialize_port_chains(port_data,
                                             port_chains['inbound'],
                                             port_chains['outbound'],
                                             sg_ids)
                # Update the port with the chain
                self.client.update_port_chains(
                    bridge_port, port_chains["inbound"].get_id(),
                    port_chains["outbound"].get_id())
                # DHCP mapping is only for VIF ports
                for cidr, ip, mac in self._dhcp_mappings(
                        context, port_data["fixed_ips"],
                        port_data["mac_address"]):
                    self.client.add_dhcp_host(bridge, cidr, ip, mac)
            elif _is_dhcp_port(port_data):
                # For DHCP port, add a metadata route
                for cidr, ip in self._metadata_subnets(
                        context, port_data["fixed_ips"]):
                    self.client.add_dhcp_route_option(bridge, cidr, ip,
                                                      METADATA_DEFAULT_IP)
            self._process_portbindings_create_and_update(context,
                                                         port_data, new_port)
    except Exception as ex:
        # Try removing the MidoNet port before raising an exception.
        with excutils.save_and_reraise_exception():
            LOG.error(_("Failed to create a port on network %(net_id)s: "
                        "%(err)s"),
                      {"net_id": port_data["network_id"], "err": ex})
            self.client.delete_port(bridge_port.get_id())
    LOG.debug(_("MidonetPluginV2.create_port exiting: port=%r"), new_port)
    return new_port
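def get_port(self, context, id, fields=None):
    """Retrieve port.

    Reads the Neutron port and then verifies that a MidoNet port with the
    same ID exists.

    :raises midonet_lib.MidonetResourceNotFound: when MidoNet has no such
        port; the error is logged first
    """
    LOG.debug(_("MidonetPluginV2.get_port called: id=%(id)s "
                "fields=%(fields)r"), {'id': id, 'fields': fields})
    port = super(MidonetPluginV2, self).get_port(context, id, fields)
    # Check if the port exists in MidoNet DB.  (This line used to be a
    # stray string expression rather than a comment.)
    try:
        self.client.get_port(id)
    except midonet_lib.MidonetResourceNotFound:
        LOG.error(_("There is no port with ID %(id)s in MidoNet."),
                  {"id": id})
        # Kept for parity with the previous behaviour; the dict is
        # discarded when we re-raise.
        port['status'] = constants.PORT_STATUS_ERROR
        # Bare raise preserves the original traceback.
        raise
    LOG.debug(_("MidonetPluginV2.get_port exiting: port=%r"), port)
    return port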
def get_ports(self, context, filters=None, fields=None):
    """List neutron ports.

    Unlike get_port, no MidoNet existence check is performed here; the
    result is exactly what the base plugin returns.
    """
    LOG.debug(_("MidonetPluginV2.get_ports called: filters=%(filters)s "
                "fields=%(fields)r"),
              {'filters': filters, 'fields': fields})
    return super(MidonetPluginV2, self).get_ports(context, filters, fields)
def delete_port(self, context, id, l3_port_check=True):
    """Delete a neutron port and corresponding MidoNet bridge port.

    Order of operations: optional L3 ownership check, floating IP
    disassociation, router unlink (interface port) or gateway teardown
    including removal of the tagged SNAT rules (gateway port), deletion
    of the MidoNet port together with its chains, best-effort DHCP host
    clean-up, and finally the Neutron DB delete.

    :param l3_port_check: when True, run prevent_l3_port_deletion first
    """
    LOG.debug(_("MidonetPluginV2.delete_port called: id=%(id)s "
                "l3_port_check=%(l3_port_check)r"),
              {'id': id, 'l3_port_check': l3_port_check})
    # if needed, check to see if this is a port owned by
    # and l3-router. If so, we should prevent deletion.
    if l3_port_check:
        self.prevent_l3_port_deletion(context, id)
    self.disassociate_floatingips(context, id)
    # get_port also verifies the port exists in MidoNet.
    port = self.get_port(context, id)
    device_id = port['device_id']
    # If this port is for router interface/gw, unlink and delete.
    if _is_router_interface_port(port):
        self._unlink_bridge_from_router(device_id, id)
    elif _is_router_gw_port(port):
        # Gateway removed
        # Remove all the SNAT rules that are tagged (the ones added by
        # update_router under OS_TENANT_ROUTER_RULE_KEY=SNAT_RULE).
        router = self._get_router(context, device_id)
        tenant_id = router["tenant_id"]
        chain_names = _nat_chain_names(device_id)
        for _type, name in chain_names.iteritems():
            self.client.remove_rules_by_property(
                tenant_id, name, OS_TENANT_ROUTER_RULE_KEY,
                SNAT_RULE)
        # Remove the default routes and unlink
        self._remove_router_gateway(port['device_id'])
    self.client.delete_port(id, delete_chains=True)
    try:
        for cidr, ip, mac in self._dhcp_mappings(
                context, port["fixed_ips"], port["mac_address"]):
            self.client.delete_dhcp_host(port["network_id"], cidr, ip,
                                         mac)
    except Exception:
        # Best effort: a stale DHCP host entry must not block the delete.
        LOG.error(_("Failed to delete DHCP mapping for port %(id)s"),
                  {"id": id})
    super(MidonetPluginV2, self).delete_port(context, id)
def update_port(self, context, id, port):
    """Handle port update, including security groups and fixed IPs.

    Within one DB transaction: updates the Neutron port, mirrors an
    ``admin_state_up`` change to the MidoNet port (and to its peer for
    router interface ports), refreshes the metadata route or the DHCP
    host mappings whenever the updated port has fixed IPs, and rebinds
    security groups when the update adds or removes them.

    NOTE(review): the inbound chain's anti-spoofing rules written by
    _initialize_port_chains at create time are not touched here, so a
    fixed-IP change is not reflected in them -- verify that is intended.
    """
    with context.session.begin(subtransactions=True):
        # Get the port and save the fixed IPs
        old_port = self._get_port(context, id)
        net_id = old_port["network_id"]
        mac = old_port["mac_address"]
        old_ips = old_port["fixed_ips"]
        # update the port DB
        p = super(MidonetPluginV2, self).update_port(context, id, port)
        if "admin_state_up" in port["port"]:
            asu = port["port"]["admin_state_up"]
            mido_port = self.client.update_port(id, admin_state_up=asu)
            # If we're changing the admin_state_up flag and the port is
            # associated with a router, then we also need to update the
            # peer port.
            if _is_router_interface_port(p):
                self.client.update_port(mido_port.get_peer_id(),
                                        admin_state_up=asu)
        new_ips = p["fixed_ips"]
        if new_ips:
            bridge = self.client.get_bridge(net_id)
            # If it's a DHCP port, add a route to reach the MD server
            if _is_dhcp_port(p):
                for cidr, ip in self._metadata_subnets(
                        context, new_ips):
                    self.client.add_dhcp_route_option(
                        bridge, cidr, ip, METADATA_DEFAULT_IP)
            else:
                # IPs have changed. Re-map the DHCP entries: old ones are
                # removed, new ones added.  This runs whenever the port
                # has fixed IPs, not only when they differ.  The loop
                # variable rebinds ``mac`` to the value that was yielded,
                # which is the same MAC passed in.
                for cidr, ip, mac in self._dhcp_mappings(
                        context, old_ips, mac):
                    self.client.remove_dhcp_host(
                        bridge, cidr, ip, mac)
                for cidr, ip, mac in self._dhcp_mappings(
                        context, new_ips, mac):
                    self.client.add_dhcp_host(
                        bridge, cidr, ip, mac)
        if (self._check_update_deletes_security_groups(port) or
                self._check_update_has_security_groups(port)):
            # Full rebind: drop every existing SG binding / port group
            # membership, then bind the groups named in the update.
            self._unbind_port_from_sgs(context, p["id"])
            sg_ids = self._get_security_groups_on_port(context, port)
            self._bind_port_to_sgs(context, p, sg_ids)
        self._process_portbindings_create_and_update(context,
                                                     port['port'],
                                                     p)
    return p
def create_router(self, context, router):
    """Handle router creation.

    When a new Neutron router is created, its corresponding MidoNet router
    is also created. In MidoNet, this router is initialized with chains
    for inbound and outbound traffic, which will be used to hold other
    chains that include various rules, such as NAT.

    The MidoNet router is created first so that its ID can double as the
    Neutron router ID; if the DB work fails it is deleted again.  A
    failure to create the router chains is swallowed: the Neutron router
    is returned with an error status instead.

    :param router: Router information provided to create a new router.
    :returns: the Neutron router dict
    """
    # NOTE(dcahill): Similar to the Nicira plugin, we completely override
    # this method in order to be able to use the MidoNet ID as Neutron ID
    # TODO(dcahill): Propose upstream patch for allowing
    # 3rd parties to specify IDs as we do with l2 plugin
    LOG.debug(_("MidonetPluginV2.create_router called: router=%(router)s"),
              {"router": router})
    r = router['router']
    tenant_id = self._get_tenant_id_for_create(context, r)
    r['tenant_id'] = tenant_id
    # NOTE(review): r still carries EXTERNAL_GW_INFO at this point; it is
    # only popped below, after the MidoNet router has been created.
    mido_router = self.client.create_router(**r)
    mido_router_id = mido_router.get_id()
    try:
        has_gw_info = False
        if EXTERNAL_GW_INFO in r:
            has_gw_info = True
            gw_info = r.pop(EXTERNAL_GW_INFO)
        with context.session.begin(subtransactions=True):
            # pre-generate id so it will be available when
            # configuring external gw port
            router_db = l3_db.Router(id=mido_router_id,
                                     tenant_id=tenant_id,
                                     name=r['name'],
                                     admin_state_up=r['admin_state_up'],
                                     status="ACTIVE")
            context.session.add(router_db)
            if has_gw_info:
                self._update_router_gw_info(context, router_db['id'],
                                            gw_info)
            router_data = self._make_router_dict(router_db,
                                                 process_extensions=False)
    except Exception:
        # Try removing the midonet router
        with excutils.save_and_reraise_exception():
            self.client.delete_router(mido_router_id)
    # Create router chains
    chain_names = _nat_chain_names(mido_router_id)
    try:
        self.client.add_router_chains(mido_router,
                                      chain_names["pre-routing"],
                                      chain_names["post-routing"])
    except Exception:
        # Set the router status to Error (the network status constant is
        # reused); the exception itself is not propagated.
        with context.session.begin(subtransactions=True):
            r = self._get_router(context, router_data["id"])
            router_data['status'] = constants.NET_STATUS_ERROR
            r['status'] = router_data['status']
            context.session.add(r)
    LOG.debug(_("MidonetPluginV2.create_router exiting: "
                "router_data=%(router_data)s."),
              {"router_data": router_data})
    return router_data
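def _set_router_gateway(self, id, gw_router, gw_ip):
    """Set router uplink gateway

    Links the router to ``gw_router`` over a dedicated /30 link
    (169.254.255.1 on the gateway side, 169.254.255.2 on the router side),
    routes ``gw_ip``/32 from the gateway router down that link, and adds
    a default route in the router pointing up the link.
    _remove_router_gateway relies on the same link addresses.

    :param id: ID of the router
    :param gw_router: gateway router to link to
    :param gw_ip: gateway IP address
    """
    # The trailing comma that used to follow this call turned the
    # statement into a one-element tuple; removed.
    LOG.debug(_("MidonetPluginV2.set_router_gateway called: id=%(id)s, "
                "gw_router=%(gw_router)s, gw_ip=%(gw_ip)s"),
              {'id': id, 'gw_router': gw_router, 'gw_ip': gw_ip})
    router = self.client.get_router(id)
    # Create a port in the gw router
    gw_port = self.client.add_router_port(gw_router,
                                          port_address='169.254.255.1',
                                          network_address='169.254.255.0',
                                          network_length=30)
    # Create a port in the router
    port = self.client.add_router_port(router,
                                       port_address='169.254.255.2',
                                       network_address='169.254.255.0',
                                       network_length=30)
    # Link them
    self.client.link(gw_port, port.get_id())
    # Add a route for gw_ip to bring it down to the router
    self.client.add_router_route(gw_router, type='Normal',
                                 src_network_addr='0.0.0.0',
                                 src_network_length=0,
                                 dst_network_addr=gw_ip,
                                 dst_network_length=32,
                                 next_hop_port=gw_port.get_id(),
                                 weight=100)
    # Add default route to uplink in the router
    self.client.add_router_route(router, type='Normal',
                                 src_network_addr='0.0.0.0',
                                 src_network_length=0,
                                 dst_network_addr='0.0.0.0',
                                 dst_network_length=0,
                                 next_hop_port=port.get_id(),
                                 weight=100)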
def _remove_router_gateway(self, id):
    """Clear router gateway

    Unlinks the router from the gateway router by deleting the peer of
    the link port that _set_router_gateway created (recognised by its
    fixed address 169.254.255.2), then deletes the router's default route.

    :param id: ID of the router
    """
    LOG.debug(_("MidonetPluginV2.remove_router_gateway called: "
                "id=%(id)s"), {'id': id})
    router = self.client.get_router(id)
    # delete the port that is connected to the gateway router
    for link_port in router.get_ports():
        if link_port.get_port_address() != '169.254.255.2':
            continue
        peer_port_id = link_port.get_peer_id()
        if peer_port_id is None:
            continue
        self.client.unlink(link_port)
        self.client.delete_port(peer_port_id)
    # delete default route
    for route in router.get_routes():
        is_default = (route.get_dst_network_addr() == '0.0.0.0' and
                      route.get_dst_network_length() == 0)
        if is_default:
            self.client.delete_route(route.get_id())
def update_router(self, context, id, router):
    """Handle router updates.

    Updates the Neutron router and then the MidoNet router.  When the
    request sets an external gateway, the router is linked to the
    provider router using the gateway port's first fixed IP and dynamic
    SNAT rules, tagged OS_TENANT_ROUTER_RULE_KEY=SNAT_RULE, are installed
    on the router's NAT chains.  Clearing the gateway is handled by
    delete_port for the gateway port, not here.
    """
    LOG.debug(_("MidonetPluginV2.update_router called: id=%(id)s "
                "router=%(router)r"), {"id": id, "router": router})
    router_data = router["router"]
    # Check if the update included changes to the gateway.
    gw_updated = l3_db.EXTERNAL_GW_INFO in router_data
    with context.session.begin(subtransactions=True):
        # Update the Neutron DB
        r = super(MidonetPluginV2, self).update_router(context, id,
                                                       router)
        tenant_id = r["tenant_id"]
        if gw_updated:
            if (l3_db.EXTERNAL_GW_INFO in r and
                    r[l3_db.EXTERNAL_GW_INFO] is not None):
                # Gateway created.  Elevated context: presumably because
                # the gateway port lives on the external network, which
                # the tenant may not be able to read.
                gw_port_neutron = self._get_port(
                    context.elevated(), r["gw_port_id"])
                # NOTE(review): assumes the gateway port has at least one
                # fixed IP; an IndexError escapes otherwise.
                gw_ip = gw_port_neutron['fixed_ips'][0]['ip_address']
                # First link routers and set up the routes
                self._set_router_gateway(r["id"],
                                         self._get_provider_router(),
                                         gw_ip)
                # The SNAT rules must reference the MidoNet link port
                # between the provider router and this router, not the
                # Neutron gateway port (see the commit message).
                gw_port_midonet = self.client.get_link_port(
                    self._get_provider_router(), r["id"])
                # Get the NAT chains and add dynamic SNAT rules.
                chain_names = _nat_chain_names(r["id"])
                props = {OS_TENANT_ROUTER_RULE_KEY: SNAT_RULE}
                self.client.add_dynamic_snat(tenant_id,
                                             chain_names['pre-routing'],
                                             chain_names['post-routing'],
                                             gw_ip,
                                             gw_port_midonet.get_id(),
                                             **props)
        # The whole request body is forwarded to MidoNet.
        self.client.update_router(id, **router_data)
    LOG.debug(_("MidonetPluginV2.update_router exiting: router=%r"), r)
    return r
def delete_router(self, context, id):
    """Handler for router deletion.

    Deleting a router on Neutron simply means deleting its corresponding
    router in MidoNet: its chains first, then the router, then the
    Neutron record.

    :param id: router ID to remove
    """
    LOG.debug(_("MidonetPluginV2.delete_router called: id=%s"), id)
    client = self.client
    client.delete_router_chains(id)
    client.delete_router(id)
    super(MidonetPluginV2, self).delete_router(context, id)
def _link_bridge_to_gw_router(self, bridge, gw_router, gw_ip, cidr):
    """Link a bridge to the gateway router

    A router port carrying ``gw_ip`` is created on the gateway router and
    linked to a new bridge port; the subnet is then routed through it.

    :param bridge: bridge
    :param gw_router: gateway router to link to
    :param gw_ip: IP address of gateway, used as the router port address
    :param cidr: network CIDR
    """
    net_addr, net_len = net_util.net_addr(cidr)
    # create a port on the gateway router
    gw_port = self.client.add_router_port(gw_router, port_address=gw_ip,
                                          network_address=net_addr,
                                          network_length=net_len)
    gw_port_id = gw_port.get_id()
    # create a bridge port, then link it to the router.
    bridge_port = self.client.add_bridge_port(bridge)
    self.client.link(gw_port, bridge_port.get_id())
    # add a route for the subnet in the gateway router
    self.client.add_router_route(gw_router, type='Normal',
                                 src_network_addr='0.0.0.0',
                                 src_network_length=0,
                                 dst_network_addr=net_addr,
                                 dst_network_length=net_len,
                                 next_hop_port=gw_port_id,
                                 weight=100)
def _unlink_bridge_from_gw_router(self, bridge, gw_router):
    """Unlink a bridge from the gateway router

    Deletes the gateway router's routes that use the link, unlinks and
    deletes the router-side ports, then deletes the bridge-side ports.

    :param bridge: bridge to unlink
    :param gw_router: gateway router to unlink from
    """
    gw_router_id = gw_router.get_id()
    bridge_id = bridge.get_id()
    # Delete routes and unlink the router and the bridge.
    routes = self.client.get_router_routes(gw_router_id)
    bridge_ports_to_delete = [
        p for p in gw_router.get_peer_ports()
        if p.get_device_id() == bridge_id]
    for router_port in bridge.get_peer_ports():
        if router_port.get_device_id() != gw_router_id:
            continue
        router_port_id = router_port.get_id()
        # delete the routes going to the bridge
        for route in routes:
            if route.get_next_hop_port() == router_port_id:
                self.client.delete_route(route.get_id())
        self.client.unlink(router_port)
        self.client.delete_port(router_port_id)
    # delete bridge port
    for bridge_port in bridge_ports_to_delete:
        self.client.delete_port(bridge_port.get_id())
def _link_bridge_to_router(self, router, bridge_port, net_addr, net_len,
                           gw_ip, metadata_gw_ip):
    """Link a Neutron bridge port to a MidoNet router.

    Creates a router port holding the subnet gateway address, links it to
    ``bridge_port``, routes the subnet through it and, when a metadata
    gateway IP is given, adds a route for the metadata server via that IP.

    :param router: MidoNet router
    :param bridge_port: Neutron port dict; ``id`` and ``admin_state_up``
        are read
    :param net_addr: subnet network address
    :param net_len: subnet prefix length
    :param gw_ip: subnet gateway IP, used as the router port address
    :param metadata_gw_ip: IP of the DHCP port that reaches the metadata
        proxy, or None/empty to skip the metadata route
    """
    router_port = self.client.add_router_port(
        router, network_length=net_len, network_address=net_addr,
        port_address=gw_ip, admin_state_up=bridge_port['admin_state_up'])
    self.client.link(router_port, bridge_port['id'])
    router_port_id = router_port.get_id()
    self.client.add_router_route(router, type='Normal',
                                 src_network_addr='0.0.0.0',
                                 src_network_length=0,
                                 dst_network_addr=net_addr,
                                 dst_network_length=net_len,
                                 next_hop_port=router_port_id,
                                 weight=100)
    if not metadata_gw_ip:
        return
    # Add a route for the metadata server.
    # Not all VM images supports DHCP option 121. Add a route for the
    # Metadata server in the router to forward the packet to the bridge
    # that will send them to the Metadata Proxy.
    md_net_addr, md_net_len = net_util.net_addr(METADATA_DEFAULT_IP)
    self.client.add_router_route(
        router, type='Normal', src_network_addr=net_addr,
        src_network_length=net_len,
        dst_network_addr=md_net_addr,
        dst_network_length=md_net_len,
        next_hop_port=router_port_id,
        next_hop_gateway=metadata_gw_ip)
def _unlink_bridge_from_router(self, router_id, bridge_port_id):
    """Unlink a bridge from a router.

    Deletes the router's routes that go through the peer of the bridge
    port, then unlinks the bridge port.
    """
    # Remove the routes to the port and unlink the port
    bridge_port = self.client.get_port(bridge_port_id)
    router_routes = self.client.get_router_routes(router_id)
    peer_id = bridge_port.get_peer_id()
    self.client.delete_port_routes(router_routes, peer_id)
    self.client.unlink(bridge_port)
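def add_router_interface(self, context, router_id, interface_info):
    """Handle router linking with network.

    The Neutron side (interface port and DB state) is created by the
    parent class first. The MidoNet side is then mirrored: a router port
    for the subnet gateway linked to the interface's bridge port, a route
    for the subnet and, when a DHCP port has an address on this subnet, a
    route for the metadata server via that address.

    If the MidoNet work fails, the Neutron interface is removed again
    before the exception is re-raised so the two stores do not diverge.

    Returns the interface info dict produced by the parent class.
    """
    LOG.debug(_("MidonetPluginV2.add_router_interface called: "
                "router_id=%(router_id)s "
                "interface_info=%(interface_info)r"),
              {'router_id': router_id, 'interface_info': interface_info})
    with context.session.begin(subtransactions=True):
        info = super(MidonetPluginV2, self).add_router_interface(
            context, router_id, interface_info)

    try:
        subnet = self._get_subnet(context, info["subnet_id"])
        cidr = subnet["cidr"]
        net_addr, net_len = net_util.net_addr(cidr)
        router = self.client.get_router(router_id)

        # Metadata GW IP: the DHCP port's address *on this subnet*.
        # A DHCP port on a network with several subnets holds one fixed
        # IP per subnet, so blindly taking its first fixed IP can yield
        # an address that is not reachable through the router port
        # created below; match on subnet_id instead.
        metadata_gw_ip = None
        rport_qry = context.session.query(models_v2.Port)
        dhcp_ports = rport_qry.filter_by(
            network_id=subnet["network_id"],
            device_owner='network:dhcp').all()
        for dhcp_port in dhcp_ports:
            for fixed_ip in dhcp_port.fixed_ips:
                if fixed_ip.subnet_id == subnet["id"]:
                    metadata_gw_ip = fixed_ip.ip_address
                    break
            if metadata_gw_ip is not None:
                break
        if metadata_gw_ip is None:
            LOG.warn(_("DHCP agent is not working correctly. No port "
                       "to reach the Metadata server on this network"))

        # Link the router and the bridge
        port = super(MidonetPluginV2, self).get_port(context,
                                                     info["port_id"])
        self._link_bridge_to_router(router, port, net_addr,
                                    net_len, subnet["gateway_ip"],
                                    metadata_gw_ip)
    except Exception:
        LOG.error(_("Failed to create MidoNet resources to add router "
                    "interface. info=%(info)s, router_id=%(router_id)s"),
                  {"info": info, "router_id": router_id})
        # Roll the Neutron side back so it does not advertise an
        # interface MidoNet never got; the original error still propagates.
        with excutils.save_and_reraise_exception():
            with context.session.begin(subtransactions=True):
                self.remove_router_interface(context, router_id, info)

    LOG.debug(_("MidonetPluginV2.add_router_interface exiting: "
                "info=%r"), info)
    return info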
def _assoc_fip(self, fip):
    """Install the MidoNet state for a floating IP association.

    On the provider router a /32 route for the floating address is added
    whose next hop is the peer of the provider/tenant link port. On the
    tenant router a static NAT rule is added per NAT chain, bound to the
    link port: the 'pre-routing' chain gets a DNAT rule, every other
    chain an SNAT rule. The rules carry the floating IP id as a property
    so they can be located for removal later.

    ``fip`` is a Neutron floating IP dict; ``router_id``,
    ``floating_ip_address`` and ``id`` are read here, the rest is
    consumed by ``_get_nat_ips``.
    """
    tenant_router = self.client.get_router(fip["router_id"])
    tenant_router_id = tenant_router.get_id()
    provider_router = self._get_provider_router()
    link_port = self.client.get_link_port(provider_router, tenant_router_id)

    self.client.add_router_route(
        provider_router,
        src_network_addr='0.0.0.0',
        src_network_length=0,
        dst_network_addr=fip["floating_ip_address"],
        dst_network_length=32,
        next_hop_port=link_port.get_peer_id())

    rule_props = {OS_FLOATING_IP_RULE_KEY: fip['id']}
    tenant_id = tenant_router.get_tenant_id()
    link_port_id = link_port.get_id()
    for chain_type, chain_name in _nat_chain_names(tenant_router_id).items():
        src_ip, target_ip = _get_nat_ips(chain_type, fip)
        nat_type = 'dnat' if chain_type == 'pre-routing' else 'snat'
        # NAT is anchored on the tenant/provider link port, not on the
        # Neutron gateway port.
        self.client.add_static_nat(tenant_id, chain_name, src_ip,
                                   target_ip, link_port_id,
                                   nat_type, **rule_props)
def create_floatingip(self, context, floatingip):
    """Create a floating IP and, if it is bound to a port, its NAT state.

    The Neutron record is created by the parent class; when the request
    already carries a ``port_id`` the MidoNet route and NAT rules are
    installed via ``_assoc_fip`` inside the same DB transaction, so a
    MidoNet failure rolls the Neutron record back.

    NOTE(review): MidoNet objects created by ``_assoc_fip`` before a
    failure (e.g. the route, if a later NAT rule fails) are not undone
    here — confirm whether that is acceptable.
    """
    with context.session.begin(subtransactions=True):
        new_fip = super(MidonetPluginV2, self).create_floatingip(
            context, floatingip)
        if new_fip['port_id']:
            self._assoc_fip(new_fip)
    return new_fip
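def update_floatingip(self, context, id, floatingip):
    """Handle floating IP association and disassociation.

    ``floatingip['floatingip']['port_id']`` drives the MidoNet side:

    * a truthy value (re)associates the floating IP: the Neutron record
      is updated and ``_assoc_fip`` installs the provider-router route and
      static NAT rules for the new port;
    * an explicit ``None`` disassociates: the NAT rules are removed via
      ``_remove_nat_rules`` and the Neutron record is updated;
    * an absent key leaves the association alone and only updates the
      Neutron record.

    Because ``_assoc_fip`` only ever adds rules, re-associating an
    already associated floating IP first tears down the rules of the old
    association. Without that the stale rules for the previous fixed IP
    would stay in the tenant router's NAT chains and traffic to the
    floating IP could keep being translated to the old port.

    Returns the floating IP dict as it is after the update.
    """
    LOG.debug(_("MidonetPluginV2.update_floatingip called: id=%(id)s "
                "floatingip=%(floatingip)s "),
              {'id': id, 'floatingip': floatingip})
    fip_body = floatingip['floatingip']
    session = context.session
    with session.begin(subtransactions=True):
        if fip_body.get('port_id'):
            # (Re)association: remove NAT state of a previous association
            # before installing the new rules.
            old_fip = super(MidonetPluginV2, self).get_floatingip(context, id)
            if old_fip['port_id']:
                self._remove_nat_rules(context, old_fip)
            fip = super(MidonetPluginV2, self).update_floatingip(
                context, id, floatingip)
            self._assoc_fip(fip)

        elif 'port_id' in fip_body:
            # Explicit port_id=None: disassociate floating IP.
            old_fip = super(MidonetPluginV2, self).get_floatingip(context, id)
            self._remove_nat_rules(context, old_fip)
            # Return the post-update state, not the stale pre-update dict.
            fip = super(MidonetPluginV2, self).update_floatingip(
                context, id, floatingip)

        else:
            # No association change requested; nothing to do in MidoNet.
            fip = super(MidonetPluginV2, self).update_floatingip(
                context, id, floatingip)

    LOG.debug(_("MidonetPluginV2.update_floating_ip exiting: fip=%s"), fip)
    return fip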
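def disassociate_floatingips(self, context, port_id):
    """Disassociate floating IPs (if any) from this port.

    Removes the MidoNet NAT rules of every floating IP whose
    ``fixed_port_id`` is ``port_id`` and then lets the parent class clear
    the association in the Neutron DB.

    The query is iterated instead of being resolved with ``.one()``:
    ``.one()`` raises ``MultipleResultsFound`` if a port should ever
    carry more than one floating IP, and that exception was not handled,
    so no rule at all would have been removed. No matching rows simply
    means there is nothing to clean up.
    """
    fip_qry = context.session.query(l3_db.FloatingIP)
    for fip_db in fip_qry.filter_by(fixed_port_id=port_id):
        self._remove_nat_rules(context, fip_db)
    super(MidonetPluginV2, self).disassociate_floatingips(context, port_id)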
def create_security_group(self, context, security_group, default_sg=False):
    """Create security group.

    Creates the Neutron security group (the default group included) and
    mirrors it in MidoNet as a port group plus one chain per direction,
    each chain seeded with accept rules for the group's initial rules.

    If the MidoNet side fails, the freshly created Neutron row is deleted
    again and the exception re-raised.

    NOTE(review): MidoNet objects created before the failure (port
    group, chains) are not removed on that path — confirm whether
    ``delete_chains_by_names`` / ``delete_port_group_by_name`` cleanup
    is wanted here.
    """
    LOG.debug(_("MidonetPluginV2.create_security_group called: "
                "security_group=%(security_group)s "
                "default_sg=%(default_sg)s "),
              {'security_group': security_group, 'default_sg': default_sg})
    requested = security_group.get('security_group')
    tenant_id = self._get_tenant_id_for_create(context, requested)
    if not default_sg:
        self._ensure_default_security_group(context, tenant_id)

    # Neutron first: the MidoNet names are derived from the new SG id.
    sg = super(MidonetPluginV2, self).create_security_group(
        context, security_group, default_sg)
    sg_id = sg["id"]
    try:
        self.client.create_port_group(tenant_id, _sg_port_group_name(sg_id))
        chains = dict(
            (direction, self.client.create_chain(tenant_id, chain_name))
            for direction, chain_name in _sg_chain_names(sg_id).iteritems())
        # Neutron SG rules are accept rules only, so that is all we add.
        for sg_rule in sg['security_group_rules']:
            self._create_accept_chain_rule(
                context, sg_rule, chain=chains[sg_rule['direction']])
    except Exception:
        LOG.error(_("Failed to create MidoNet resources for sg %(sg)r"),
                  {"sg": sg})
        with excutils.save_and_reraise_exception():
            with context.session.begin(subtransactions=True):
                sg = self._get_security_group(context, sg_id)
                context.session.delete(sg)

    LOG.debug(_("MidonetPluginV2.create_security_group exiting: sg=%r"),
              sg)
    return sg
def delete_security_group(self, context, id):
    """Delete chains for Neutron security group.

    Refuses to delete the ``default`` group for non-admins and any group
    that still has port bindings. Otherwise the MidoNet chains and port
    group named after the SG are deleted under the SG's tenant, followed
    by the Neutron row, all in one DB transaction.

    Raises ext_sg.SecurityGroupNotFound, SecurityGroupCannotRemoveDefault
    or SecurityGroupInUse accordingly.
    """
    LOG.debug(_("MidonetPluginV2.delete_security_group called: id=%s"), id)
    with context.session.begin(subtransactions=True):
        sg = super(MidonetPluginV2, self).get_security_group(context, id)
        if not sg:
            raise ext_sg.SecurityGroupNotFound(id=id)
        if sg["name"] == 'default' and not context.is_admin:
            raise ext_sg.SecurityGroupCannotRemoveDefault()

        sg_id = sg['id']
        bound = super(MidonetPluginV2, self)._get_port_security_group_bindings(
            context, {'security_group_id': [sg_id]})
        if bound:
            raise ext_sg.SecurityGroupInUse(id=sg_id)

        # MidoNet side: chains for both directions, then the port group.
        owner = sg['tenant_id']
        self.client.delete_chains_by_names(
            owner, _sg_chain_names(sg_id).values())
        self.client.delete_port_group_by_name(
            owner, _sg_port_group_name(sg_id))

        super(MidonetPluginV2, self).delete_security_group(context, id)
def create_security_group_rule(self, context, security_group_rule):
    """Create a security group rule

    Stores the rule in the Neutron DB through the parent class and hands
    the result to ``_create_accept_chain_rule`` for the MidoNet side.
    Both happen in one DB transaction, so a MidoNet failure rolls the
    Neutron row back.

    Returns the created rule dict.
    """
    LOG.debug(_("MidonetPluginV2.create_security_group_rule called: "
                "security_group_rule=%(security_group_rule)r"),
              {'security_group_rule': security_group_rule})
    with context.session.begin(subtransactions=True):
        new_rule = super(MidonetPluginV2, self).create_security_group_rule(
            context, security_group_rule)
        self._create_accept_chain_rule(context, new_rule)
    LOG.debug(_("MidonetPluginV2.create_security_group_rule exiting: "
                "rule=%r"), new_rule)
    return new_rule
def delete_security_group_rule(self, context, sg_rule_id):
    """Delete a security group rule

    Removes the MidoNet chain rules tagged with the Neutron rule id from
    the chain matching the rule's direction, then deletes the rule from
    the Neutron DB, in one transaction.

    Raises ext_sg.SecurityGroupRuleNotFound if the rule does not exist.

    NOTE(review): the MidoNet removal runs under ``rule['tenant_id']``
    whereas the chains were created under the SG's tenant id; these are
    presumably the same — confirm for admin-created rules.
    """
    LOG.debug(_("MidonetPluginV2.delete_security_group_rule called: "
                "sg_rule_id=%s"), sg_rule_id)
    with context.session.begin(subtransactions=True):
        sg_rule = super(MidonetPluginV2, self).get_security_group_rule(
            context, sg_rule_id)
        if not sg_rule:
            raise ext_sg.SecurityGroupRuleNotFound(id=sg_rule_id)

        owning_sg = self._get_security_group(context,
                                             sg_rule["security_group_id"])
        chain_name = _sg_chain_names(owning_sg["id"])[sg_rule["direction"]]
        self.client.remove_rules_by_property(
            sg_rule["tenant_id"], chain_name, OS_SG_RULE_KEY,
            str(sg_rule["id"]))

        super(MidonetPluginV2, self).delete_security_group_rule(
            context, sg_rule_id)
def _add_chain_rule(self, chain, action, **kwargs):
    """Translate Neutron-style match fields and add a rule to a MidoNet chain.

    ``src_addr`` / ``dst_addr`` (CIDR strings) are turned into
    ``nw_src_addr``/``nw_src_length`` and ``nw_dst_addr``/``nw_dst_length``;
    ``src_port_from``/``src_port_to`` and ``dst_port_from``/``dst_port_to``
    become the ``tp_src`` / ``tp_dst`` ``{"start", "end"}`` ranges (always
    set, with ``None`` ends when no ports were given). Every other keyword
    argument is passed through to ``client.add_chain_rule`` untouched.

    Returns whatever ``client.add_chain_rule`` returns.
    """
    src_addr = kwargs.pop("src_addr", None)
    dst_addr = kwargs.pop("dst_addr", None)
    ports = dict(
        (name, kwargs.pop(name, None))
        for name in ("src_port_from", "src_port_to",
                     "dst_port_from", "dst_port_to"))

    if src_addr:
        kwargs["nw_src_addr"], kwargs["nw_src_length"] = net_util.net_addr(
            src_addr)
    if dst_addr:
        kwargs["nw_dst_addr"], kwargs["nw_dst_length"] = net_util.net_addr(
            dst_addr)

    def span(start, end):
        return {"start": start, "end": end}

    if kwargs.get("nw_proto") == 1:  # ICMP
        # ICMP has no port ranges; each range collapses to a single value.
        # Note the asymmetry: tp_src uses the *_from value, tp_dst the
        # *_to value (presumably ICMP type / code — confirm against the
        # caller and the MidoNet client).
        kwargs["tp_src"] = span(ports["src_port_from"], ports["src_port_from"])
        kwargs["tp_dst"] = span(ports["dst_port_to"], ports["dst_port_to"])
    else:
        kwargs["tp_src"] = span(ports["src_port_from"], ports["src_port_to"])
        kwargs["tp_dst"] = span(ports["dst_port_from"], ports["dst_port_to"])

    return self.client.add_chain_rule(chain, action=action, **kwargs)