x/vmware-nsx
Code Issues Proposed changes
vmware-nsx/vmware_nsx/db/nsxv_models.py
Roey Chen 1f9d16fe8d NSXv: Fine grained control for logging security-group rules 
Allows admin to control security-groups rule logging

NSXv distributed firewall expose an API to control rule logging,
as for the moment, admin user can use this feature only from inside of
the distributed firewall.
This patch make use of this API to provide the cloud admin with three ways
to control security-group logging:

    - log whenever security-group rule is matched
    - log when a packet doesn't match any security-group rule
    - log whenever security-group rule is matched for selected
      security-groups

Change-Id: I2a4dbff2ecba4c6041b4aaad1f20941440a5f6b6
2016-03-29 04:54:58 -07:00

352 lines
13 KiB
Python
Raw Blame History

# Copyright 2015 VMware, Inc.
#
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import sqlalchemy as sa
from sqlalchemy import orm
from neutron.db import l3_db
from neutron.db import model_base
from neutron.db import models_v2
from neutron.db import securitygroups_db
from vmware_nsx.common import nsxv_constants
class NsxvRouterBinding(model_base.BASEV2, models_v2.HasStatusDescription):
"""Represents the mapping between neutron router and vShield Edge."""
__tablename__ = 'nsxv_router_bindings'
# no ForeignKey to routers.id because for now, a router can be removed
# from routers when delete_router is executed, but the binding is only
# removed after the Edge is deleted
router_id = sa.Column(sa.String(36),
primary_key=True)
edge_id = sa.Column(sa.String(36),
nullable=True)
lswitch_id = sa.Column(sa.String(36),
nullable=True)
appliance_size = sa.Column(sa.Enum(
nsxv_constants.COMPACT,
nsxv_constants.LARGE,
nsxv_constants.XLARGE,
nsxv_constants.QUADLARGE,
name='nsxv_router_bindings_appliance_size'))
edge_type = sa.Column(sa.Enum(nsxv_constants.SERVICE_EDGE,
nsxv_constants.VDR_EDGE,
name='nsxv_router_bindings_edge_type'))
class NsxvEdgeVnicBinding(model_base.BASEV2):
"""Represents mapping between vShield Edge vnic and neutron netowrk."""
__tablename__ = 'nsxv_edge_vnic_bindings'
edge_id = sa.Column(sa.String(36),
primary_key=True)
vnic_index = sa.Column(sa.Integer(),
primary_key=True)
tunnel_index = sa.Column(sa.Integer(),
primary_key=True)
network_id = sa.Column(sa.String(36), nullable=True)
class NsxvEdgeDhcpStaticBinding(model_base.BASEV2):
"""Represents mapping between mac addr and bindingId."""
__tablename__ = 'nsxv_edge_dhcp_static_bindings'
edge_id = sa.Column(sa.String(36), primary_key=True)
mac_address = sa.Column(sa.String(32), primary_key=True)
binding_id = sa.Column(sa.String(36), nullable=False)
class NsxvInternalNetworks(model_base.BASEV2):
"""Represents internal networks between NSXV plugin elements."""
__tablename__ = 'nsxv_internal_networks'
network_purpose = sa.Column(
sa.Enum(nsxv_constants.INTER_EDGE_PURPOSE,
name='nsxv_internal_networks_purpose'),
primary_key=True)
network_id = sa.Column(sa.String(36),
sa.ForeignKey("networks.id", ondelete="CASCADE"),
nullable=True)
class NsxvInternalEdges(model_base.BASEV2):
"""Represents internal Edge appliances for NSXV plugin operations."""
__tablename__ = 'nsxv_internal_edges'
ext_ip_address = sa.Column(sa.String(64), primary_key=True)
router_id = sa.Column(sa.String(36), nullable=True)
purpose = sa.Column(
sa.Enum(nsxv_constants.INTER_EDGE_PURPOSE,
name='nsxv_internal_edges_purpose'))
class NsxvSecurityGroupSectionMapping(model_base.BASEV2):
"""Backend mappings for Neutron Rule Sections.
This class maps a neutron security group identifier to the corresponding
NSX layer 3 section.
"""
__tablename__ = 'nsxv_security_group_section_mappings'
neutron_id = sa.Column(sa.String(36),
sa.ForeignKey('securitygroups.id',
ondelete="CASCADE"),
primary_key=True)
ip_section_id = sa.Column(sa.String(100))
logging = sa.Column(sa.Boolean, default=False, nullable=False)
class NsxvRuleMapping(model_base.BASEV2):
"""Backend mappings for Neutron Rule Sections.
This class maps a neutron security group identifier to the corresponding
NSX layer 3 and layer 2 sections.
"""
__tablename__ = 'nsxv_rule_mappings'
neutron_id = sa.Column(sa.String(36),
sa.ForeignKey('securitygrouprules.id',
ondelete="CASCADE"),
primary_key=True)
nsx_rule_id = sa.Column(sa.String(36), primary_key=True)
class NsxvPortVnicMapping(model_base.BASEV2):
"""Maps neutron port to NSXv VM Vnic Id."""
__tablename__ = 'nsxv_port_vnic_mappings'
neutron_id = sa.Column(sa.String(36),
sa.ForeignKey('ports.id', ondelete="CASCADE"),
primary_key=True)
nsx_id = sa.Column(sa.String(42), primary_key=True)
class NsxvRouterExtAttributes(model_base.BASEV2):
"""Router attributes managed by NSX plugin extensions."""
__tablename__ = 'nsxv_router_ext_attributes'
router_id = sa.Column(sa.String(36),
sa.ForeignKey('routers.id', ondelete="CASCADE"),
primary_key=True)
distributed = sa.Column(sa.Boolean, default=False, nullable=False)
router_type = sa.Column(
sa.Enum('shared', 'exclusive',
name='nsxv_router_type'),
default='exclusive', nullable=False)
service_router = sa.Column(sa.Boolean, default=False, nullable=False)
# Add a relationship to the Router model in order to instruct
# SQLAlchemy to eagerly load this association
router = orm.relationship(
l3_db.Router,
backref=orm.backref("nsx_attributes", lazy='joined',
uselist=False, cascade='delete'))
class NsxvTzNetworkBinding(model_base.BASEV2):
"""Represents a binding of a virtual network with a transport zone.
This model class associates a Neutron network with a transport zone;
optionally a vlan ID might be used if the binding type is 'bridge'
"""
__tablename__ = 'nsxv_tz_network_bindings'
network_id = sa.Column(sa.String(36),
sa.ForeignKey('networks.id', ondelete="CASCADE"),
primary_key=True)
binding_type = sa.Column(
sa.Enum('flat', 'vlan', 'portgroup', 'vxlan',
name='nsxv_tz_network_bindings_binding_type'),
nullable=False, primary_key=True)
phy_uuid = sa.Column(sa.String(36), primary_key=True, nullable=True)
vlan_id = sa.Column(sa.Integer, primary_key=True, nullable=True,
autoincrement=False)
def __init__(self, network_id, binding_type, phy_uuid, vlan_id):
self.network_id = network_id
self.binding_type = binding_type
self.phy_uuid = phy_uuid
self.vlan_id = vlan_id
def __repr__(self):
return "<NsxvTzNetworkBinding(%s,%s,%s,%s)>" % (self.network_id,
self.binding_type,
self.phy_uuid,
self.vlan_id)
class NsxvPortIndexMapping(model_base.BASEV2):
"""Associates attached Neutron ports with the instance VNic index."""
__tablename__ = 'nsxv_port_index_mappings'
port_id = sa.Column(sa.String(36),
sa.ForeignKey('ports.id', ondelete="CASCADE"),
primary_key=True)
device_id = sa.Column(sa.String(255), nullable=False)
index = sa.Column(sa.Integer, nullable=False)
__table_args__ = (sa.UniqueConstraint(device_id, index),
model_base.BASEV2.__table_args__)
# Add a relationship to the Port model in order to instruct SQLAlchemy to
# eagerly read port vnic-index
port = orm.relationship(
models_v2.Port,
backref=orm.backref("vnic_index", lazy='joined',
uselist=False, cascade='delete'))
class NsxvEdgeFirewallRuleBinding(model_base.BASEV2):
"""Mapping between firewall rule and edge firewall rule_id."""
__tablename__ = 'nsxv_firewall_rule_bindings'
rule_id = sa.Column(sa.String(36),
primary_key=True)
edge_id = sa.Column(sa.String(36), primary_key=True)
rule_vse_id = sa.Column(sa.String(36))
class NsxvSpoofGuardPolicyNetworkMapping(model_base.BASEV2):
"""Mapping between SpoofGuard and neutron networks"""
__tablename__ = 'nsxv_spoofguard_policy_network_mappings'
network_id = sa.Column(sa.String(36),
sa.ForeignKey('networks.id', ondelete='CASCADE'),
primary_key=True,
nullable=False)
policy_id = sa.Column(sa.String(36), nullable=False)
class NsxvVdrDhcpBinding(model_base.BASEV2):
"""1:1 mapping between VDR and a DHCP Edge."""
__tablename__ = 'nsxv_vdr_dhcp_bindings'
vdr_router_id = sa.Column(sa.String(36), primary_key=True)
dhcp_edge_id = sa.Column(sa.String(36), nullable=False)
__table_args__ = (
sa.UniqueConstraint(
dhcp_edge_id,
name='unique_nsxv_vdr_dhcp_bindings0dhcp_edge_id'),
model_base.BASEV2.__table_args__)
class NsxvLbaasLoadbalancerBinding(model_base.BASEV2):
"""Mapping between Edge LB and LBaaSv2"""
__tablename__ = 'nsxv_lbaas_loadbalancer_bindings'
loadbalancer_id = sa.Column(sa.String(36), primary_key=True)
edge_id = sa.Column(sa.String(36), nullable=False)
edge_fw_rule_id = sa.Column(sa.String(36), nullable=False)
vip_address = sa.Column(sa.String(36), nullable=False)
class NsxvLbaasListenerBinding(model_base.BASEV2):
"""Mapping between Edge VSE and LBaaSv2"""
__tablename__ = 'nsxv_lbaas_listener_bindings'
loadbalancer_id = sa.Column(sa.String(36), primary_key=True)
listener_id = sa.Column(sa.String(36), primary_key=True)
app_profile_id = sa.Column(sa.String(36), nullable=False)
vse_id = sa.Column(sa.String(36), nullable=False)
class NsxvLbaasPoolBinding(model_base.BASEV2):
"""Mapping between Edge Pool and LBaaSv2"""
__tablename__ = 'nsxv_lbaas_pool_bindings'
loadbalancer_id = sa.Column(sa.String(36), primary_key=True)
listener_id = sa.Column(sa.String(36), primary_key=True)
pool_id = sa.Column(sa.String(36), primary_key=True)
edge_pool_id = sa.Column(sa.String(36), nullable=False)
class NsxvLbaasMonitorBinding(model_base.BASEV2):
"""Mapping between Edge Monitor and LBaaSv2"""
__tablename__ = 'nsxv_lbaas_monitor_bindings'
loadbalancer_id = sa.Column(sa.String(36), primary_key=True)
listener_id = sa.Column(sa.String(36), primary_key=True)
pool_id = sa.Column(sa.String(36), primary_key=True)
hm_id = sa.Column(sa.String(36), primary_key=True)
edge_id = sa.Column(sa.String(36), primary_key=True)
edge_mon_id = sa.Column(sa.String(36), nullable=False)
class NsxvLbaasCertificateBinding(model_base.BASEV2):
"""Mapping between Edge certificate and LBaaSv2 object"""
__tablename__ = 'nsxv_lbaas_certificate_bindings'
cert_id = sa.Column(sa.String(128), primary_key=True)
edge_id = sa.Column(sa.String(36), primary_key=True)
edge_cert_id = sa.Column(sa.String(36), nullable=False)
class NsxvSubnetExtAttributes(model_base.BASEV2):
"""Subnet attributes managed by NSX plugin extensions."""
__tablename__ = 'nsxv_subnet_ext_attributes'
subnet_id = sa.Column(sa.String(36),
sa.ForeignKey('subnets.id', ondelete="CASCADE"),
primary_key=True)
dns_search_domain = sa.Column(sa.String(255), nullable=False)
# Add a relationship to the Subnet model in order to instruct
# SQLAlchemy to eagerly load this association
subnet = orm.relationship(
models_v2.Subnet,
backref=orm.backref("nsxv_subnet_attributes", lazy='joined',
uselist=False, cascade='delete'))
class NsxvExtendedSecurityGroupRuleProperties(model_base.BASEV2):
"""Persist security group rule properties for the
extended-security-group-rule extension.
"""
__tablename__ = 'nsxv_extended_security_group_rule_properties'
rule_id = sa.Column(sa.String(36),
sa.ForeignKey('securitygrouprules.id',
ondelete='CASCADE'),
primary_key=True,
nullable=False)
local_ip_prefix = sa.Column(sa.String(255), nullable=False)
rule = orm.relationship(
securitygroups_db.SecurityGroupRule,
backref=orm.backref('ext_properties', lazy='joined',
uselist=False, cascade='delete'))
View Git Blame Copy Permalink