    def update_port_filter(self, port):
        """Refresh the filtering flows of *port* from the loaded rules.

        Three cases are handled in order:

        * port security disabled: the existing filter is removed and the
          egress no-port-security entry is installed for the device;
        * port not yet managed: the egress no-port-security entry is
          removed and the port goes through ``prepare_port_filter``; when
          there was no such entry (``OVSFWPortNotHandled``) the port is
          handled like a managed one below;
        * managed port: the flows are rebuilt, via ``_update_flows_for_port``
          when a previous OF port entry exists, else ``_set_port_filters``.

        ``OVSFWPortNotFound`` raised while talking to ovsdb is logged at
        info level and otherwise ignored.
        """
        if not firewall.port_sec_enabled(port):
            self.remove_port_filter(port)
            self._initialize_egress_no_port_security(port['device'])
            return
        if not self.is_port_managed(port):
            try:
                self._remove_egress_no_port_security(port['device'])
            except exceptions.OVSFWPortNotHandled as not_handled:
                LOG.debug(not_handled)
            else:
                self.prepare_port_filter(port)
                return
        try:
            # The previous entry is fetched before get_or_create_ofport
            # refreshes the allowed_address_pair MACs; it is handed to
            # _update_flows_for_port so the flows keyed on the old MACs can
            # still be identified.
            previous = self.get_ofport(port)
            current = self.get_or_create_ofport(port)
            if previous:
                self._update_flows_for_port(current, previous)
            else:
                self._set_port_filters(current)
        except exceptions.OVSFWPortNotFound as missing:
            LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                     {'port_id': port['device'], 'err': missing})
            # NOTE(review): nothing is cleaned up on this path, so flows
            # already installed for the device stay in place — confirm
            # whether remove_port_filter should run here.
    def update_port_filter(self, port):
        """Rebuild the filtering flows of *port* from the loaded rules.

        A port without port security has its filter removed and the egress
        no-port-security entry installed. A port that is not managed yet
        has that entry removed and is set up by ``prepare_port_filter``.
        For a managed port the existing flows are deleted and regenerated
        from the current security group rules and members.

        If the OF port cannot be found in ovsdb (``OVSFWPortNotFound``) the
        condition is logged and the method returns without touching flows.
        """
        if not firewall.port_sec_enabled(port):
            self.remove_port_filter(port)
            self._initialize_egress_no_port_security(port['device'])
            return
        if not self.is_port_managed(port):
            self._remove_egress_no_port_security(port['device'])
            self.prepare_port_filter(port)
            return

        previous = self.get_ofport(port)
        try:
            current = self.get_or_create_ofport(port)
        except exceptions.OVSFWPortNotFound as missing:
            LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                     {'port_id': port['device'], 'err': missing})
            return
        # TODO(jlibosva): Handle firewall blink
        # NOTE(review): the old flows are deleted only after
        # get_or_create_ofport has refreshed the entry; if that refresh
        # rewrites the allowed_address_pair MACs in place, flows keyed on
        # the previous MACs may survive — confirm against
        # get_or_create_ofport.
        self.delete_all_port_flows(previous)
        self.initialize_port_flows(current)
        self.add_flows_from_rules(current)
 def _set_ports(self, port):
     """Track *port* in exactly one of the filtered/unfiltered maps.

     The map is chosen by ``firewall.port_sec_enabled``; the device id is
     the key, and any entry for it in the other map is dropped so a port
     whose port-security setting changed does not appear in both.
     """
     device = port['device']
     if firewall.port_sec_enabled(port):
         target, other = self.filtered_ports, self.unfiltered_ports
     else:
         target, other = self.unfiltered_ports, self.filtered_ports
     target[device] = port
     other.pop(device, None)
 def prepare_port_filter(self, port):
     """Install the filtering flows of *port*; a no-op without port security.

     Whether the port is already managed is recorded before
     ``get_or_create_ofport`` runs. An already-managed port is reported as
     an error and its flows deleted first; then the port flows are
     initialised and the flows derived from the rules are added.

     NOTE(review): the deletion uses the entry returned by
     get_or_create_ofport, i.e. after any refresh of the port's
     allowed-address-pair MACs; later revisions of this method delete
     using the previous entry instead — confirm old flows are really
     removed here.
     """
     if firewall.port_sec_enabled(port):
         already_managed = self.is_port_managed(port)
         entry = self.get_or_create_ofport(port)
         if already_managed:
             LOG.error(
                 _LE("Initializing port %s that was already initialized."),
                 port["device"])
             self.delete_all_port_flows(entry)
         self.initialize_port_flows(entry)
         self.add_flows_from_rules(entry)
 def _setup_pf_rules(self, port, update=False):
     """Track *port* and (re)build its port-security rules.

     The port is recorded in ``filtered_ports`` or ``unfiltered_ports``
     (and removed from the other) according to
     ``firewall.port_sec_enabled``. Without port security the port's
     rules are removed. With port security the rules are removed only
     when *update* is true, then the ingress and egress rules derived
     from its security groups are added.
     """
     device = port['device']
     enabled = firewall.port_sec_enabled(port)
     if enabled:
         self.filtered_ports[device] = port
         self.unfiltered_ports.pop(device, None)
     else:
         self.unfiltered_ports[device] = port
         self.filtered_ports.pop(device, None)
     # Existing rules go away for an unfiltered port, and for a filtered
     # port when this is an update rather than a first setup.
     if not enabled or update:
         self._remove_rule_port_sec(port)
     if enabled:
         for direction in (firewall.INGRESS_DIRECTION,
                           firewall.EGRESS_DIRECTION):
             self._add_rules_by_security_group(port, direction)
 def prepare_port_filter(self, port):
     """Install the filtering flows of *port*.

     Nothing happens for a port without port security. Otherwise the
     managed state is read before ``get_or_create_ofport``; an
     already-managed port is logged as an error and its flows deleted,
     after which the port flows are initialised and the rule flows added.

     NOTE(review): deletion happens with the entry returned by
     get_or_create_ofport, so if that call refreshes the
     allowed-address-pair MACs the old flows may not be matched — later
     revisions delete using the previous entry; confirm.
     """
     if not firewall.port_sec_enabled(port):
         return
     was_managed = self.is_port_managed(port)
     entry = self.get_or_create_ofport(port)
     if was_managed:
         LOG.error(
             _LE("Initializing port %s that was already initialized."),
             port['device'])
         self.delete_all_port_flows(entry)
     for step in (self.initialize_port_flows, self.add_flows_from_rules):
         step(entry)
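 def prepare_port_filter(self, port):
     """Install the filtering flows of *port*.

     A port without port security only gets the egress no-port-security
     entry for its device. Otherwise, if the port already has an OF port
     entry, an error is logged and that entry's flows are deleted
     *before* ``get_or_create_ofport`` refreshes it; the refresh updates
     the allowed-address-pair MACs, and deleting afterwards would leave
     the flows keyed on the previous MACs installed. The port flows are
     then initialised and the flows derived from the rules added.

     :param port: port dict; ``port['device']`` identifies the device.
     """
     if not firewall.port_sec_enabled(port):
         self._initialize_egress_no_port_security(port['device'])
         return
     old_of_port = self.get_ofport(port)
     if old_of_port:
         LOG.error(
             _LE("Initializing port %s that was already "
                 "initialized."), port['device'])
         # Delete while the entry still carries the old
         # allowed_address_pair MACs; get_or_create_ofport below rewrites
         # them, and stale flows would otherwise keep matching traffic the
         # new rules no longer cover.
         self.delete_all_port_flows(old_of_port)
     of_port = self.get_or_create_ofport(port)
     self.initialize_port_flows(of_port)
     self.add_flows_from_rules(of_port)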
    def prepare_port_filter(self, port):
        """Install the filtering flows of *port* after clearing iptables state.

        ``iptables_helper.cleanup_port`` always runs first. A port without
        port security only gets the egress no-port-security entry. When the
        port already has an OF port entry this is logged and the flows are
        updated from that previous entry; otherwise fresh filters are set.
        """
        self.iptables_helper.cleanup_port(port)
        if not firewall.port_sec_enabled(port):
            self._initialize_egress_no_port_security(port['device'])
            return

        previous = self.get_ofport(port)
        current = self.get_or_create_ofport(port)
        if not previous:
            self._set_port_filters(current)
            return
        LOG.info("Initializing port %s that was already initialized.",
                 port['device'])
        self._update_flows_for_port(current, previous)
    def prepare_port_filter(self, port):
        """Install the filtering flows of *port*.

        The port's iptables state is cleaned up unconditionally. Without
        port security only the egress no-port-security entry is installed.
        With port security, an existing OF port entry is logged and used by
        ``_update_flows_for_port``; a new port gets ``_set_port_filters``.
        """
        self.iptables_helper.cleanup_port(port)
        if firewall.port_sec_enabled(port):
            previous = self.get_ofport(port)
            current = self.get_or_create_ofport(port)
            if previous:
                LOG.info("Initializing port %s that was already initialized.",
                         port['device'])
                self._update_flows_for_port(current, previous)
            else:
                self._set_port_filters(current)
        else:
            self._initialize_egress_no_port_security(port['device'])
 def _set_ports(self, port):
     """Track *port* in the filtered or unfiltered map.

     Before that, an info message is logged when no entry in
     ``self.ports`` has the same device id (a debugging aid, see the
     message text). The port is then stored under its device id in
     ``filtered_ports`` or ``unfiltered_ports`` according to
     ``firewall.port_sec_enabled`` and dropped from the other map.
     """
     device = port['device']
     known = any(device == existing['device']
                 for existing in self.ports.values())
     if not known:
         LOG.info(
             "cfarquhar: (_set_ports): adding {} to IptablesFirewallDriver.ports.  If this does not happen before _security_group_updated is called we have a problem."
             .format(device))
     if firewall.port_sec_enabled(port):
         target, other = self.filtered_ports, self.unfiltered_ports
     else:
         target, other = self.unfiltered_ports, self.filtered_ports
     target[device] = port
     other.pop(device, None)
 def prepare_port_filter(self, port):
     """Install the filtering flows of *port*.

     A port without port security only gets the egress no-port-security
     entry. If the port already has an OF port entry, an error is logged
     and that entry's flows are deleted before ``get_or_create_ofport``
     refreshes it, so flows keyed on the previous allow_address_pair MACs
     are not left behind. The port flows are then initialised and the
     rule flows added.
     """
     if not firewall.port_sec_enabled(port):
         self._initialize_egress_no_port_security(port['device'])
         return
     previous = self.get_ofport(port)
     if previous:
         LOG.error("Initializing port %s that was already initialized.",
                   port['device'])
         # Delete with the old entry: get_or_create_ofport below rewrites
         # the allow_address_pair MACs, after which the old flows could no
         # longer be identified.
         self.delete_all_port_flows(previous)
     current = self.get_or_create_ofport(port)
     for step in (self.initialize_port_flows, self.add_flows_from_rules):
         step(current)
 def prepare_port_filter(self, port):
     """Install the firewall-group flows of *port*.

     A port without port security is only given the egress
     no-port-security entry, and only in standalone mode: with
     ``sg_with_ovs`` set (co-existence mode) the security group driver
     handles such ports, so this driver proceeds as for a filtered port.
     An existing OF port entry is logged as an error and its flows are
     deleted before ``get_or_create_ofport`` refreshes the
     allow_address_pair MACs; then the port flows are initialised and the
     rule flows added.
     """
     # NOTE(annp): port no security should be handled by security group in
     # co-existence mode, otherwise(standalone mode) fwg will handle it.
     if not (firewall.port_sec_enabled(port) or self.sg_with_ovs):
         # NOTE(review): the whole port dict is passed here, whereas the
         # other prepare_port_filter revisions pass port['device'] —
         # confirm which form this helper expects.
         self._initialize_egress_no_port_security(port)
         return
     previous = self.get_ofport(port)
     if previous:
         LOG.error("Initializing port %s that was already initialized.",
                   port['device'])
         # The old entry is used on purpose: get_or_create_ofport rewrites
         # the allow_address_pair MACs the stale flows are keyed on.
         self.delete_all_port_flows(previous)
     current = self.get_or_create_ofport(port)
     self.initialize_port_flows(current)
     self.add_flows_from_rules(current)
 def prepare_port_filter(self, port):
     """Install the filtering flows of *port* after clearing iptables state.

     ``iptables_helper.cleanup_port`` runs first in every case. A port
     without port security only gets the egress no-port-security entry.
     Otherwise an existing OF port entry is logged as an error and its
     flows deleted before ``get_or_create_ofport`` refreshes the
     allowed_address_pair MACs, so the stale flows can still be matched;
     the port flows are then initialised and the rule flows added.
     """
     self.iptables_helper.cleanup_port(port)
     if not firewall.port_sec_enabled(port):
         self._initialize_egress_no_port_security(port['device'])
     else:
         stale = self.get_ofport(port)
         if stale:
             LOG.error("Initializing port %s that was already initialized.",
                       port['device'])
             # Delete before the entry is refreshed: the old MACs are the
             # ones the installed flows are keyed on.
             self.delete_all_port_flows(stale)
         fresh = self.get_or_create_ofport(port)
         self.initialize_port_flows(fresh)
         self.add_flows_from_rules(fresh)
    def update_port_filter(self, port):
        """Rebuild the filtering flows of *port* from the loaded rules.

        A port without port security has its filter removed; a port not
        managed yet is set up through ``prepare_port_filter``. For a
        managed port all existing flows are deleted and regenerated from
        the current security group rules and members.
        """
        if not firewall.port_sec_enabled(port):
            self.remove_port_filter(port)
        elif not self.is_port_managed(port):
            self.prepare_port_filter(port)
        else:
            entry = self.get_or_create_ofport(port)
            # TODO(jlibosva): Handle firewall blink
            self.delete_all_port_flows(entry)
            self.initialize_port_flows(entry)
            self.add_flows_from_rules(entry)
    def update_port_filter(self, port):
        """Regenerate the flows of *port* from the loaded rules and members.

        Ports without port security get their filter removed and ports not
        yet managed are delegated to ``prepare_port_filter``. Any other
        port has its flows deleted, re-initialised and re-added from the
        current rules.
        """
        if not firewall.port_sec_enabled(port):
            self.remove_port_filter(port)
            return
        if not self.is_port_managed(port):
            self.prepare_port_filter(port)
            return
        entry = self.get_or_create_ofport(port)
        # TODO(jlibosva): Handle firewall blink
        for step in (self.delete_all_port_flows,
                     self.initialize_port_flows,
                     self.add_flows_from_rules):
            step(entry)
    def update_port_filter(self, port):
        """Refresh the filtering flows of *port* from the loaded rules.

        Handles, in order: a port without port security (filter removed,
        egress no-port-security entry installed); a port not yet managed
        (its egress no-port-security entry removed, then
        ``prepare_port_filter`` — unless ``OVSFWPortNotHandled`` reports
        there was no such entry, in which case the port continues as a
        managed one); and a managed port, whose flows are rebuilt via
        ``_update_flows_for_port`` when a previous OF port entry exists,
        else ``_set_port_filters``.

        A port missing from ovsdb (``OVSFWPortNotFound``) is logged and its
        filter removed so no leftovers stay installed; a missing tag
        (``OVSFWTagNotFound``) is only logged.
        """
        if not firewall.port_sec_enabled(port):
            self.remove_port_filter(port)
            self._initialize_egress_no_port_security(port['device'])
            return
        if not self.is_port_managed(port):
            try:
                self._remove_egress_no_port_security(port['device'])
            except exceptions.OVSFWPortNotHandled as not_handled:
                LOG.debug(not_handled)
            else:
                self.prepare_port_filter(port)
                return
        try:
            # The previous entry is fetched before get_or_create_ofport
            # refreshes the allowed_address_pair MACs; it is handed to
            # _update_flows_for_port so the flows keyed on the old MACs can
            # still be identified.
            previous = self.get_ofport(port)
            current = self.get_or_create_ofport(port)
            if previous:
                self._update_flows_for_port(current, previous)
            else:
                self._set_port_filters(current)
        except exceptions.OVSFWPortNotFound as missing:
            LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                     {'port_id': port['device'], 'err': missing})
            # Nothing should remain installed for a port ovsdb no longer has.
            self.remove_port_filter(port)
        except exceptions.OVSFWTagNotFound as missing_tag:
            LOG.info("Tag was not found for port %(port_id)s: %(err)s.",
                     {'port_id': port['device'], 'err': missing_tag})
 def prepare_port_filter(self, port):
     """Set up the filters of a newly prepared *port*.

     The port's iptables state is cleaned up first. A port without port
     security only gets the egress no-port-security entry; any other port
     is handed to ``_set_port_filters`` with ``old_port_expected=False``,
     since a port being prepared is not expected to have a previous entry.
     """
     self.iptables_helper.cleanup_port(port)
     if firewall.port_sec_enabled(port):
         self._set_port_filters(port, old_port_expected=False)
     else:
         self._initialize_egress_no_port_security(port['device'])