def update_port_filter(self, port):
    """Rebuild the filtering flows for *port*.

    The port's existing rules are dropped and regenerated from the
    currently loaded security group rules and members.  A port with port
    security disabled is removed from filtering and put on the
    egress-without-port-security path; a port not yet managed is taken
    off that path and handed to prepare_port_filter().  If the port is
    not found in ovsdb the update is logged at INFO and skipped.
    """
    if not firewall.port_sec_enabled(port):
        self.remove_port_filter(port)
        self._initialize_egress_no_port_security(port['device'])
        return
    if not self.is_port_managed(port):
        try:
            self._remove_egress_no_port_security(port['device'])
        except exceptions.OVSFWPortNotHandled as e:
            # Port was never on the no-port-security path; fall through and
            # treat it like a managed port instead.
            LOG.debug(e)
        else:
            self.prepare_port_filter(port)
            return
    try:
        # Read the existing ofport before get_or_create_ofport() refreshes
        # it: the old allowed_address_pair MACs are only known from the old
        # object and must be cleaned up by _update_flows_for_port().
        previous = self.get_ofport(port)
        current = self.get_or_create_ofport(port)
        if previous:
            self._update_flows_for_port(current, previous)
        else:
            self._set_port_filters(current)
    except exceptions.OVSFWPortNotFound as err:
        LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                 {'port_id': port['device'], 'err': err})
def update_port_filter(self, port):
    """Rebuild the filtering flows for *port*.

    The port's existing rules are dropped and regenerated from the
    currently loaded security group rules and members.  Ports without
    port security are removed from filtering and moved to the
    egress-without-port-security path; ports not yet managed are taken
    off that path and delegated to prepare_port_filter().  A port missing
    from ovsdb is logged at INFO and left alone.
    """
    if not firewall.port_sec_enabled(port):
        self.remove_port_filter(port)
        self._initialize_egress_no_port_security(port['device'])
        return
    if not self.is_port_managed(port):
        self._remove_egress_no_port_security(port['device'])
        self.prepare_port_filter(port)
        return
    previous = self.get_ofport(port)
    try:
        current = self.get_or_create_ofport(port)
    except exceptions.OVSFWPortNotFound as err:
        LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                 {'port_id': port['device'], 'err': err})
        return
    # TODO(jlibosva): Handle firewall blink -- the old flows are deleted
    # before the new set is installed, so there is a short window in which
    # the port's filtering flows are absent.
    self.delete_all_port_flows(previous)
    self.initialize_port_flows(current)
    self.add_flows_from_rules(current)
def _set_ports(self, port):
    """File *port* under filtered_ports or unfiltered_ports.

    The destination is chosen by the port's port-security flag; the port
    is popped from the other map so it is never tracked in both.
    """
    if firewall.port_sec_enabled(port):
        target, other = self.filtered_ports, self.unfiltered_ports
    else:
        target, other = self.unfiltered_ports, self.filtered_ports
    device = port['device']
    target[device] = port
    other.pop(device, None)
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    Ports with port security disabled are not touched.  If the port is
    already managed this is logged as an error and its existing flows are
    deleted before the new ones are added.
    """
    if not firewall.port_sec_enabled(port):
        return
    # Check before get_or_create_ofport(), which would register the port.
    already_managed = self.is_port_managed(port)
    of_port = self.get_or_create_ofport(port)
    if already_managed:
        LOG.error(_LE("Initializing port %s that was already initialized."),
                  port["device"])
        self.delete_all_port_flows(of_port)
    self.initialize_port_flows(of_port)
    self.add_flows_from_rules(of_port)
def _setup_pf_rules(self, port, update=False):
    """Track *port* and (re)build its per-security-group rules.

    A port without port security goes to unfiltered_ports and has its
    port-security rule removed.  A port with port security goes to
    filtered_ports; when *update* is true its old rule is removed first,
    then ingress and egress rules are added from its security groups.
    """
    device = port['device']
    if not firewall.port_sec_enabled(port):
        self.unfiltered_ports[device] = port
        self.filtered_ports.pop(device, None)
        self._remove_rule_port_sec(port)
        return
    self.filtered_ports[device] = port
    self.unfiltered_ports.pop(device, None)
    if update:
        # Drop the stale rule so the rebuild below does not duplicate it.
        self._remove_rule_port_sec(port)
    for direction in (firewall.INGRESS_DIRECTION, firewall.EGRESS_DIRECTION):
        self._add_rules_by_security_group(port, direction)
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    Ports with port security disabled are skipped.  A port that is
    already managed is logged as an error and has its existing flows
    deleted before the fresh set is installed.
    """
    if not firewall.port_sec_enabled(port):
        return
    # Capture the managed state before get_or_create_ofport() registers it.
    already_managed = self.is_port_managed(port)
    of_port = self.get_or_create_ofport(port)
    if already_managed:
        LOG.error(_LE("Initializing port %s that was already initialized."),
                  port['device'])
        self.delete_all_port_flows(of_port)
    self.initialize_port_flows(of_port)
    self.add_flows_from_rules(of_port)
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    A port without port security is put on the egress-without-port-security
    path and nothing else is done.  If an ofport already exists for the
    port, that is logged as an error and the old ofport's flows are deleted
    before the new flows are installed.
    """
    if not firewall.port_sec_enabled(port):
        self._initialize_egress_no_port_security(port['device'])
        return
    previous = self.get_ofport(port)
    current = self.get_or_create_ofport(port)
    if previous:
        LOG.error(_LE("Initializing port %s that was already initialized."),
                  port['device'])
        # Flows are keyed off the old ofport object, so delete by it.
        self.delete_all_port_flows(previous)
    self.initialize_port_flows(current)
    self.add_flows_from_rules(current)
def prepare_port_filter(self, port):
    """Install the filtering flows for *port*.

    Any iptables state for the port is cleaned up first via
    iptables_helper.  A port without port security is put on the
    egress-without-port-security path.  Otherwise, if an ofport already
    exists the flows are updated from the old ofport (logged at INFO);
    if not, the port's filters are set from scratch.
    """
    self.iptables_helper.cleanup_port(port)
    if not firewall.port_sec_enabled(port):
        self._initialize_egress_no_port_security(port['device'])
        return
    previous = self.get_ofport(port)
    current = self.get_or_create_ofport(port)
    if not previous:
        self._set_port_filters(current)
        return
    LOG.info("Initializing port %s that was already initialized.",
             port['device'])
    self._update_flows_for_port(current, previous)
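def _set_ports(self, port):
    """File *port* under filtered_ports or unfiltered_ports.

    Before filing, emits a diagnostic INFO line when no entry in
    ``self.ports`` shares the port's ``device``; the message is
    instrumentation for the ordering of this call relative to
    _security_group_updated().  The port is then stored in exactly one
    of the two maps according to its port-security flag and popped from
    the other.
    """
    device = port['device']
    # any() stops at the first match instead of scanning the whole map.
    port_already_set = any(
        existing['device'] == device for existing in self.ports.values())
    if not port_already_set:
        # Lazy %-formatting: rendered only when INFO is enabled; the
        # emitted text is unchanged from the previous .format() version.
        LOG.info(
            "cfarquhar: (_set_ports): adding %s to IptablesFirewallDriver."
            "ports. If this does not happen before _security_group_updated "
            "is called we have a problem.", device)
    if firewall.port_sec_enabled(port):
        target, other = self.filtered_ports, self.unfiltered_ports
    else:
        target, other = self.unfiltered_ports, self.filtered_ports
    target[device] = port
    other.pop(device, None)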
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    A port without port security is put on the egress-without-port-security
    path.  If an ofport already exists, that is logged as an error and the
    old ofport's flows are deleted before get_or_create_ofport() refreshes
    it, so the stale allowed_address_pair MACs are removed while they are
    still known.
    """
    if not firewall.port_sec_enabled(port):
        self._initialize_egress_no_port_security(port['device'])
        return
    previous = self.get_ofport(port)
    if previous:
        LOG.error("Initializing port %s that was already initialized.",
                  port['device'])
        # Must happen before get_or_create_ofport() updates the
        # allowed_address_pair MACs held by the ofport.
        self.delete_all_port_flows(previous)
    current = self.get_or_create_ofport(port)
    self.initialize_port_flows(current)
    self.add_flows_from_rules(current)
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    NOTE(annp): a port without port security is handled by the security
    group driver when co-existing with it (``sg_with_ovs``); in standalone
    mode the firewall group handles it and the port is put on the
    egress-without-port-security path here.  If an ofport already exists,
    that is logged as an error and its flows are deleted before
    get_or_create_ofport() refreshes the allowed_address_pair MACs.
    """
    no_port_sec = not firewall.port_sec_enabled(port)
    if no_port_sec and not self.sg_with_ovs:
        self._initialize_egress_no_port_security(port)
        return
    previous = self.get_ofport(port)
    if previous:
        LOG.error("Initializing port %s that was already initialized.",
                  port['device'])
        # Delete while the old allowed_address_pair MACs are still known.
        self.delete_all_port_flows(previous)
    current = self.get_or_create_ofport(port)
    self.initialize_port_flows(current)
    self.add_flows_from_rules(current)
def prepare_port_filter(self, port):
    """Install the initial filtering flows for *port*.

    Any iptables state for the port is cleaned up first via
    iptables_helper.  A port without port security is put on the
    egress-without-port-security path.  If an ofport already exists, that
    is logged as an error and its flows are deleted before
    get_or_create_ofport() refreshes the allowed_address_pair MACs.
    """
    self.iptables_helper.cleanup_port(port)
    if not firewall.port_sec_enabled(port):
        self._initialize_egress_no_port_security(port['device'])
        return
    previous = self.get_ofport(port)
    if previous:
        LOG.error("Initializing port %s that was already initialized.",
                  port['device'])
        # Delete while the old allowed_address_pair MACs are still known.
        self.delete_all_port_flows(previous)
    current = self.get_or_create_ofport(port)
    self.initialize_port_flows(current)
    self.add_flows_from_rules(current)
def update_port_filter(self, port):
    """Rebuild the filtering flows for *port*.

    The port's existing rules are dropped and regenerated from the
    currently loaded security group rules and members.  A port without
    port security is simply removed from filtering; a port not yet
    managed is delegated to prepare_port_filter().
    """
    if not firewall.port_sec_enabled(port):
        self.remove_port_filter(port)
        return
    if not self.is_port_managed(port):
        self.prepare_port_filter(port)
        return
    of_port = self.get_or_create_ofport(port)
    # TODO(jlibosva): Handle firewall blink -- flows are deleted before the
    # new set is installed, leaving a short window without them.
    self.delete_all_port_flows(of_port)
    self.initialize_port_flows(of_port)
    self.add_flows_from_rules(of_port)
def update_port_filter(self, port):
    """Rebuild the filtering flows for *port*.

    The port's existing rules are dropped and regenerated from the
    currently loaded security group rules and members.  A port with port
    security disabled is removed from filtering and put on the
    egress-without-port-security path; a port not yet managed is taken
    off that path and handed to prepare_port_filter().  A port missing
    from ovsdb has any leftover filters removed; a missing tag is only
    logged.
    """
    if not firewall.port_sec_enabled(port):
        self.remove_port_filter(port)
        self._initialize_egress_no_port_security(port['device'])
        return
    if not self.is_port_managed(port):
        try:
            self._remove_egress_no_port_security(port['device'])
        except exceptions.OVSFWPortNotHandled as e:
            # Not on the no-port-security path; fall through and rebuild
            # as for a managed port.
            LOG.debug(e)
        else:
            self.prepare_port_filter(port)
            return
    try:
        # Read the existing ofport before get_or_create_ofport() refreshes
        # it, so the old allowed_address_pair MACs can be cleaned up.
        previous = self.get_ofport(port)
        current = self.get_or_create_ofport(port)
        if previous:
            self._update_flows_for_port(current, previous)
        else:
            self._set_port_filters(current)
    except exceptions.OVSFWPortNotFound as err:
        LOG.info("port %(port_id)s does not exist in ovsdb: %(err)s.",
                 {'port_id': port['device'], 'err': err})
        # The port is gone from ovsdb; make sure no stale filtering state
        # for it survives.
        self.remove_port_filter(port)
    except exceptions.OVSFWTagNotFound as err:
        LOG.info("Tag was not found for port %(port_id)s: %(err)s.",
                 {'port_id': port['device'], 'err': err})
def prepare_port_filter(self, port):
    """Install the filtering flows for *port*.

    Any iptables state for the port is cleaned up first via
    iptables_helper.  A port without port security is put on the
    egress-without-port-security path; otherwise the filters are set with
    ``old_port_expected=False``, i.e. as a fresh initialisation.
    """
    self.iptables_helper.cleanup_port(port)
    if firewall.port_sec_enabled(port):
        self._set_port_filters(port, old_port_expected=False)
        return
    self._initialize_egress_no_port_security(port['device'])