    def _check_ikepolicy_ipsecpolicy_allowed(self, ikepolicy, ipsecpolicy):
        """Validate that an IKE/IPsec policy pair can be applied to a vShield edge.

        Logs a warning and raises ``vcns_exc.VcnsBadRequest`` when the IKE
        version, encryption algorithm, PFS group, transform protocol or
        encapsulation mode is not one the edge supports. A mismatch between
        the IKE and IPsec policies' auth_algorithm / encryption_algorithm /
        pfs is only logged: the IPsec policy's values are the ones applied,
        so the IKE policy's settings are not honoured in that case.
        """
        def reject(resource, msg):
            # Every unsupported-value path logs the same text it raises with.
            LOG.warning(msg)
            raise vcns_exc.VcnsBadRequest(resource=resource, msg=msg)

        ike_version = ikepolicy['ike_version']
        if ike_version != 'v1':
            reject('ikepolicy',
                   _("Unsupported ike_version: %s! Only 'v1' ike version is "
                     "supported on vshield Edge!") % ike_version)

        # Phase 1 and Phase 2 share a single algorithm set on the edge; a
        # discrepancy is recorded, and the IPsec policy's values are used.
        mismatched = any(ikepolicy[key] != ipsecpolicy[key]
                         for key in ('auth_algorithm',
                                     'encryption_algorithm',
                                     'pfs'))
        if mismatched:
            LOG.warning(_("IKEPolicy and IPsecPolicy should have consistent "
                          "auth_algorithm, encryption_algorithm and pfs for VSE!"))

        # The map lookup tolerates a missing key; building the message with
        # ``ipsecpolicy['encryption_algorithm']`` does not.
        if not ENCRYPTION_ALGORITHM_MAP.get(
                ipsecpolicy.get('encryption_algorithm'), None):
            reject('ipsecpolicy',
                   _("Unsupported encryption_algorithm: %s! '3des', "
                     "'aes-128' and 'aes-256' are supported on VSE right now."
                     ) % ipsecpolicy['encryption_algorithm'])

        if not PFS_MAP.get(ipsecpolicy['pfs']):
            reject('ipsecpolicy',
                   _("Unsupported pfs: %s! 'group2' and 'group5' "
                     "are supported on VSE right now.") % ipsecpolicy['pfs'])

        transform_protocol = ipsecpolicy['transform_protocol']
        if transform_protocol not in TRANSFORM_PROTOCOL_ALLOWED:
            reject('ipsecpolicy',
                   _("Unsupported transform protocol: %s! 'esp' is supported "
                     "by default on VSE right now.") % transform_protocol)

        encapsulation_mode = ipsecpolicy['encapsulation_mode']
        if encapsulation_mode not in ENCAPSULATION_MODE_ALLOWED:
            reject('ipsecpolicy',
                   _("Unsupported encapsulation mode: %s! 'tunnel' is "
                     "supported by default on VSE right now."
                     ) % encapsulation_mode)
    def _convert_app_profile(self, name, sess_persist, protocol):
        """Build the vShield application-profile body for a load-balancer VIP.

        ``sess_persist`` is the session-persistence dict (``type`` plus an
        optional ``cookie_name``). SSL termination is not supported: for
        HTTPS the profile enables ``sslPassthrough`` so TLS is relayed to the
        pool members untouched, and ``serverSslEnabled`` is always False.

        Raises ``vcns_exc.VcnsBadRequest`` when a non-HTTP protocol is
        combined with a persistence type other than SOURCE_IP.
        """
        profile = {
            'insertXForwardedFor': False,
            'name': name,
            'serverSslEnabled': False,
            'sslPassthrough': protocol == lb_constants.PROTOCOL_HTTPS,
            'template': protocol,
        }

        persist_type = sess_persist.get('type')
        if not persist_type:
            return profile

        # Only source-IP persistence is meaningful for non-HTTP traffic.
        if (protocol != lb_constants.PROTOCOL_HTTP and
                persist_type != lb_constants.SESSION_PERSISTENCE_SOURCE_IP):
            msg = (_("Invalid %(protocol)s persistence method: %(type)s") %
                   {'protocol': protocol, 'type': persist_type})
            raise vcns_exc.VcnsBadRequest(resource='sess_persist', msg=msg)

        persistence = {
            'method': SESSION_PERSISTENCE_METHOD_MAP.get(persist_type),
        }
        if persist_type in SESSION_PERSISTENCE_COOKIE_MAP:
            # An absent or empty cookie_name falls back to a fixed default.
            persistence['cookieName'] = (sess_persist.get('cookie_name') or
                                         'default_cookie_name')
            persistence['cookieMode'] = SESSION_PERSISTENCE_COOKIE_MAP.get(
                persist_type)
        profile['persistence'] = persistence
        return profile
 def _convert_firewall_action(self, action):
     """Translate a Neutron FWaaS rule action into its vShield edge value.

     Only FWAAS_ALLOW and FWAAS_DENY are accepted; any other value is
     rejected with ``vcns_exc.VcnsBadRequest`` instead of being sent to
     the edge.
     """
     action_pairs = (
         (constants.FWAAS_ALLOW, VSE_FWAAS_ALLOW),
         (constants.FWAAS_DENY, VSE_FWAAS_DENY),
     )
     for neutron_action, vse_action in action_pairs:
         if action == neutron_action:
             return vse_action
     msg = _("Invalid action value %s in a firewall rule") % action
     raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)
 def _restore_firewall_action(self, action):
     """Translate a vShield edge rule action back into the Neutron FWaaS value.

     The inverse of ``_convert_firewall_action``. Values other than
     VSE_FWAAS_ALLOW / VSE_FWAAS_DENY raise ``vcns_exc.VcnsBadRequest``.
     """
     action_pairs = (
         (VSE_FWAAS_ALLOW, constants.FWAAS_ALLOW),
         (VSE_FWAAS_DENY, constants.FWAAS_DENY),
     )
     for vse_action, neutron_action in action_pairs:
         if action == vse_action:
             return neutron_action
     msg = (_("Invalid action value %s in "
              "a vshield firewall rule") % action)
     raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)
 def insert_rule(self, context, rule_info, edge_id, fwr):
     """Insert firewall rule ``fwr`` relative to an existing rule on an edge.

     ``rule_info`` must carry a truthy ``insert_before`` or ``insert_after``
     reference rule id; ``insert_before`` takes precedence when both are
     present. With neither, ``vcns_exc.VcnsBadRequest`` is raised so a rule
     is never appended at an unspecified position.
     """
     before_id = rule_info.get('insert_before')
     if before_id:
         self._add_rule_above(context, before_id, edge_id, fwr)
         return

     after_id = rule_info.get('insert_after')
     if after_id:
         self._add_rule_below(context, after_id, edge_id, fwr)
         return

     msg = _("Can't execute insert rule operation "
             "without reference rule_id")
     raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)