x/vmware-nsx
Code Issues Proposed changes
vmware-nsx/vmware_nsx/services/fwaas/nsx_v3/fwaas_callbacks_v1.py
Adit Sarfaty 189d8d6955 NSX-TV fwaas drivers 
Drivers for FWaaS V1/V2 for the NSX-TV plugin
Those drivers are just wrappers calling the right driver according to
the project of the firewall object.

Change-Id: Ia073da9c91cb4d69d772b3e0d0ab6f5c3fd60795
2017-12-19 08:49:32 +02:00

98 lines
3.8 KiB
Python
Raw Blame History

# Copyright 2017 VMware, Inc.
# All Rights Reserved
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import log as logging
from vmware_nsx.extensions import projectpluginmap
from vmware_nsx.services.fwaas.common import fwaas_callbacks_v1 as com_clbcks
from vmware_nsx.services.fwaas.nsx_tv import edge_fwaas_driver_v1 as tv_driver
LOG = logging.getLogger(__name__)
class Nsxv3FwaasCallbacksV1(com_clbcks.NsxFwaasCallbacks):
"""NSX-V3 RPC callbacks for Firewall As A Service - V1."""
def __init__(self):
super(Nsxv3FwaasCallbacksV1, self).__init__()
# update the fwaas driver in case of TV plugin
if self.fwaas_enabled:
if self.fwaas_driver.driver_name == tv_driver.FWAAS_DRIVER_NAME:
self.internal_driver = self.fwaas_driver.get_T_driver()
else:
self.internal_driver = self.fwaas_driver
@property
def plugin_type(self):
return projectpluginmap.NsxPlugins.NSX_T
def should_apply_firewall_to_router(self, context, router_id):
"""Return True if the FWaaS rules should be added to this router."""
if not super(Nsxv3FwaasCallbacksV1,
self).should_apply_firewall_to_router(context,
router_id):
return False
# get all the relevant router info
ctx_elevated = context.elevated()
router_data = self.core_plugin.get_router(ctx_elevated, router_id)
if not router_data:
LOG.error("Couldn't read router %s data", router_id)
return False
# Check if the FWaaS driver supports this router
if not self.internal_driver.should_apply_firewall_to_router(
router_data):
return False
return True
def update_router_firewall(self, context, nsxlib, router_id,
router_interfaces, nsx_router_id, section_id):
"""Rewrite all the FWaaS v1 rules in the router edge firewall
This method should be called on FWaaS updates, and on router
interfaces changes.
"""
fw_rules = []
fw_id = None
if self.should_apply_firewall_to_router(context, router_id):
# Find the firewall attached to this router
# (must have one since should_apply returned true)
firewall = self.get_router_firewall(context, router_id)
fw_id = firewall['id']
# Add the FW rules
fw_rules.extend(self.internal_driver.get_router_translated_rules(
router_id, firewall))
# Add plugin additional allow rules
fw_rules.extend(self.core_plugin.get_extra_fw_rules(
context, router_id))
# Add the default drop all rule
fw_rules.append(self.internal_driver.get_default_backend_rule(
section_id, allow_all=False))
else:
# default allow all rule
fw_rules.append(self.internal_driver.get_default_backend_rule(
section_id, allow_all=True))
# update the backend
nsxlib.firewall_section.update(section_id, rules=fw_rules)
# Also update the router tags
self.internal_driver.update_nsx_router_tags(nsx_router_id, fw_id=fw_id)
View Git Blame Copy Permalink