vmware-nsx/vmware_nsx/db/extended_security_group_rule.py
Roey Chen c60f22384c Extending security-group ingress rule
This adds an extension to the security-group API. Using this extension, a user
can define rules with the notation of local-prefix-ip, which matches on the
destination address of packets going into the port.
One may use this extended API to specify a specific set of multicast group
addresses from which a port (or group of ports) should be allowed to accept
packets.

Change-Id: I9756cb27395b7b936dbfa94f403d98ac43c2e872
2016-03-03 07:22:48 -08:00


# Copyright 2016 VMware, Inc.
# All Rights Reserved
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from sqlalchemy.orm import exc
from neutron.api.v2 import attributes as attr
from neutron.db import securitygroups_db as secgroup_db
from neutron_lib import exceptions as nexception
from vmware_nsx._i18n import _
from vmware_nsx.db import nsxv_models
from vmware_nsx.extensions import secgroup_rule_local_ip_prefix as ext_loip
class NotIngressRule(nexception.BadRequest):
    """Raised when local_ip_prefix is given on a rule that is not ingress.

    Mapped to a 400 Bad Request through the neutron_lib exception base.
    """

    message = _(
        "Specifying local_ip_prefix is supported with ingress rules only."
    )
class ExtendedSecurityGroupRuleMixin(object):
    """DB helpers for the ``local_ip_prefix`` security-group-rule extension.

    The extension value is kept in a side table
    (``nsxv_models.NsxvExtendedSecurityGroupRuleProperties``) keyed by the
    rule id; these helpers validate, persist, load and render it.
    """

    def _check_local_ip_prefix(self, context, rule):
        """Return True when *rule* carries a set ``local_ip_prefix``.

        Only the direction constraint is enforced here: a set prefix on a
        rule whose ``direction`` is not ``'ingress'`` raises
        ``NotIngressRule``. The prefix value itself is not validated in this
        method (presumably done by the extension's attribute map — confirm).
        ``context`` is accepted for signature symmetry and is not used.

        :raises NotIngressRule: prefix set on a non-ingress rule.
        """
        has_prefix = attr.is_attr_set(rule.get(ext_loip.LOCAL_IP_PREFIX))
        # 'direction' is only consulted when a prefix was actually supplied.
        if has_prefix:
            if rule['direction'] != 'ingress':
                raise NotIngressRule()
        return has_prefix

    def _save_extended_rule_properties(self, context, rule):
        """Persist the rule's ``local_ip_prefix`` in the extension table.

        No-op when the attribute is unset. The row is added inside a
        ``context.session.begin(subtransactions=True)`` block so it joins
        any enclosing transaction; ``rule['id']`` must already be assigned.
        """
        if not attr.is_attr_set(rule.get(ext_loip.LOCAL_IP_PREFIX)):
            return
        with context.session.begin(subtransactions=True):
            context.session.add(
                nsxv_models.NsxvExtendedSecurityGroupRuleProperties(
                    rule_id=rule['id'],
                    local_ip_prefix=rule[ext_loip.LOCAL_IP_PREFIX]))

    def _get_security_group_rule_properties(self, context, sgr):
        """Fill ``sgr[LOCAL_IP_PREFIX]`` from the extension table.

        Looks up the properties row by ``sgr['id']``; the key is set to
        ``None`` when no row exists. ``.one()`` is used, so more than one
        row per rule id would raise (rule_id is presumably unique — confirm
        in nsxv_models). *sgr* is mutated in place and also returned.
        """
        query = context.session.query(
            nsxv_models.NsxvExtendedSecurityGroupRuleProperties)
        try:
            row = query.filter_by(rule_id=sgr['id']).one()
        except exc.NoResultFound:
            prefix = None
        else:
            prefix = row.local_ip_prefix
        sgr[ext_loip.LOCAL_IP_PREFIX] = prefix
        return sgr

    def _make_security_group_rule_dict(self, rule_db, fields=None):
        """Render *rule_db* as a dict including ``local_ip_prefix``.

        The base ``SecurityGroupDbMixin`` renderer is deliberately called
        with ``fields=None`` so the extension key can be added before the
        caller's *fields* filter is applied via ``self._fields``.
        ``rule_db.ext_properties`` is expected to be the related extension
        row or a falsy value (relationship presumably declared in
        nsxv_models — confirm).
        """
        base_dict = (
            secgroup_db.SecurityGroupDbMixin._make_security_group_rule_dict(
                self, rule_db, fields=None))
        ext_row = rule_db.ext_properties
        base_dict[ext_loip.LOCAL_IP_PREFIX] = (
            ext_row.local_ip_prefix if ext_row else None)
        return self._fields(base_dict, fields)