vmware-nsx/quantum/agent/firewall.py
Nachi Ueno f14af5dc75 Iptables security group implementation for LinuxBridge
Implements bp quantum-security-groups-iptables-lb
- Added firewall driver
- Added iptables based firewall driver
- Implemented security groups for rpc support mixin classes

Change-Id: I974d2f1cae75ce4a55c2b5d820a0b42ff5661309
2013-01-08 10:19:23 -08:00


# vim: tabstop=4 shiftwidth=4 softtabstop=4
#
# Copyright 2012, Nachi Ueno, NTT MCL, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import abc
import contextlib


class FirewallDriver(object):
    """Firewall Driver base class.

    Defines methods that any driver providing security groups
    and provider firewall functionality should implement.

    Note: the port attribute should carry the security group ids and
    security group rules. The port dict should have
        device: interface name
        fixed_ips: ips of the device
        mac_address: mac_address of the device
        security_groups: [sgid, sgid]
        security_group_rules: [rule, rule]

    A rule must contain ethertype and direction.
    A rule may contain security_group_id,
        protocol, port_min, port_max,
        source_ip_prefix, source_port_min, source_port_max,
        dest_ip_prefix

    Note: source_group_ip in the REST API should be converted by this rule:
        if direction is ingress:
            source_group_ip will be a source_ip_prefix
        if direction is egress:
            source_group_ip will be a dest_ip_prefix

    Note: source_group_id in the REST API should be converted by this rule:
        if direction is ingress:
            source_group_id will be a list of source_ip_prefix
        if direction is egress:
            source_group_id will be a list of dest_ip_prefix
    """

    __metaclass__ = abc.ABCMeta

    def prepare_port_filter(self, port):
        """Prepare filters for the port.

        This method should be called before the port is created.
        """
        raise NotImplementedError()

    def apply_port_filter(self, port):
        """Apply port filter.

        Once this method returns, the port should be firewalled
        appropriately. This method should as far as possible be a
        no-op. It's vastly preferred to get everything set up in
        prepare_port_filter.
        """
        raise NotImplementedError()

    def update_port_filter(self, port):
        """Refresh security group rules from the data store.

        Gets called when a port gets added to or removed from
        the security group the port is a member of, or if the
        group gains or loses a rule.
        """
        raise NotImplementedError()

    def remove_port_filter(self, port):
        """Stop filtering the port."""
        raise NotImplementedError()

    def filter_defer_apply_on(self):
        """Defer application of filtering rules."""
        pass

    def filter_defer_apply_off(self):
        """Turn off deferral of rules and apply the rules now."""
        pass

    @property
    def ports(self):
        """Return the filtered ports."""
        pass

    @contextlib.contextmanager
    def defer_apply(self):
        """Defer-apply context: batch rule changes, apply once on exit."""
        self.filter_defer_apply_on()
        try:
            yield
        finally:
            self.filter_defer_apply_off()
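As an added illustration of the contract above (this is example code, not the driver from this commit), the class below consumes the port dict layout the docstring defines, applies the ingress/egress prefix conversion, and renders iptables-like rule strings instead of calling iptables, so the deferral behaviour of `defer_apply` can be observed directly. The device name, prefixes and chain naming (`i-`/`o-` per device) are constructed for the example.

```python
import contextlib
# Added example, not the project's driver: renders iptables-like rule strings from
# the port dict layout in the base-class docstring. Names and prefixes are constructed.
PORT = {'device': 'tap0', 'fixed_ips': ['10.0.0.5'], 'mac_address': 'fa:16:3e:00:00:01',
        'security_groups': ['sg-web'], 'security_group_rules': [
            {'ethertype': 'IPv4', 'direction': 'ingress', 'protocol': 'tcp', 'port_min': 80,
             'port_max': 80, 'source_ip_prefix': '192.168.1.0/24'},
            {'ethertype': 'IPv4', 'direction': 'egress', 'dest_ip_prefix': '0.0.0.0/0'}]}

def render_rule(device, rule):
    """Ingress matches the source prefix, egress the dest prefix; no prefix means any."""
    ingress = rule['direction'] == 'ingress'
    parts = ['ip6tables' if rule['ethertype'] == 'IPv6' else 'iptables',
             '-A', ('i-' if ingress else 'o-') + device]
    prefix = rule.get('source_ip_prefix' if ingress else 'dest_ip_prefix')
    if prefix:
        parts += ['-s' if ingress else '-d', prefix]
    if rule.get('protocol'):
        parts += ['-p', rule['protocol']]
        if rule.get('port_min') is not None:
            parts += ['--dport', '%d:%d' % (rule['port_min'], rule.get('port_max', rule['port_min']))]
    return ' '.join(parts + ['-j', 'ACCEPT'])

class RenderingFirewallDriver(object):
    def __init__(self):
        self._ports, self._deferred, self.ruleset = {}, False, []

    def prepare_port_filter(self, port):
        self._ports[port['device']] = port
        self._rebuild()

    update_port_filter = prepare_port_filter  # refresh == re-render from the port dict

    @contextlib.contextmanager
    def defer_apply(self):
        # Same shape as the base class: many port changes, one rebuild at exit.
        self._deferred = True
        try:
            yield
        finally:
            self._deferred = False
            self._rebuild()

    def _rebuild(self):
        if self._deferred:
            return
        self.ruleset = [render_rule(d, r) for d, p in sorted(self._ports.items())
                        for r in p['security_group_rules']]
        # Allow-list semantics: IPv4 traffic no rule accepted falls through to DROP.
        self.ruleset += ['iptables -A %s-%s -j DROP' % (c, d)
                         for d in sorted(self._ports) for c in ('i', 'o')]
```

Inside `defer_apply` the ruleset stays untouched however many ports change; it is rebuilt exactly once when the context exits.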