def _get_rule(ingress, sg, prefix, ethertype): sgr_uuid = str(uuid.uuid4()) if sg: if ':' not in sg: sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg else: sg_fq_name = sg addr = AddressType(security_group=sg_fq_name) elif prefix: addr = AddressType(subnet=SubnetType(prefix, 0)) local_addr = AddressType(security_group='local') if ingress: src_addr = addr dst_addr = local_addr else: src_addr = local_addr dst_addr = addr rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[PortType(0, 65535)], ethertype=ethertype) return rule
def _create_policy_entry(self, src_vn_obj, dst_vn_obj): return PolicyRuleType( direction='<>', action_list=ActionListType(simple_action='pass'), protocol='any', src_addresses=[ AddressType(virtual_network=src_vn_obj.get_fq_name_str()) ], src_ports=[PortType(-1, -1)], dst_addresses=[ AddressType(virtual_network=dst_vn_obj.get_fq_name_str()) ], dst_ports=[PortType(-1, -1)])
def add_properties(self, props): left_vn_str, right_vn_str = self.get_virtual_networks(props) ret = (self.auto_policy == props.auto_policy) if (left_vn_str, right_vn_str) != (self.left_vn_str, self.right_vn_str): self.left_vn_str = left_vn_str self.right_vn_str = right_vn_str ret = True if not props.auto_policy: self.delete_properties() return ret self.auto_policy = True if (not self.left_vn_str or not self.right_vn_str): self._logger.error( "%s: route table next hop service instance must " "have left and right virtual networks" % self.name) self.delete_properties() return ret policy_name = "_internal_" + self.name addr1 = AddressType(virtual_network=self.left_vn_str) addr2 = AddressType(virtual_network=self.right_vn_str) action_list = ActionListType(apply_service=[self.name]) prule = PolicyRuleType(direction="<>", protocol="any", src_addresses=[addr1], dst_addresses=[addr2], src_ports=[PortType()], dst_ports=[PortType()], action_list=action_list) pentry = PolicyEntriesType([prule]) policy_obj = NetworkPolicy(policy_name, network_policy_entries=pentry) policy = ResourceBaseST.get_obj_type_map().get( 'network_policy').locate(policy_name, policy_obj) policy.virtual_networks = set([self.left_vn_str, self.right_vn_str]) policy.set_internal() vn1 = ResourceBaseST.get_obj_type_map().get('virtual_network').get( self.left_vn_str) if vn1: vn1.add_policy(policy_name) vn2 = ResourceBaseST.get_obj_type_map().get('virtual_network').get( self.right_vn_str) if vn2: vn2.add_policy(policy_name)
def _get_ingress_sg_rule(self, src_sg_fq_name, dst_port): sgr_uuid = 1 src_addr = AddressType(security_group=':'.join(src_sg_fq_name)) dst_addr = AddressType(security_group='local') proto = dst_port['protocol'].lower() rule = PolicyRuleType(rule_uuid=sgr_uuid, direction='>', protocol=proto, src_addresses=[src_addr], src_ports=[PortType(0, 65535)], dst_addresses=[dst_addr], dst_ports=[ PortType(int(dst_port['start_port']), int(dst_port['end_port'])) ], ethertype='IPv4') return rule
def gen_network_policy_entries(): """ Returns a configured vnc_api.gen.resource_xsd.PolicyEntriesType Filled with ActionListType and PolicyEntriesType. """ src_port = PortType(start_port=-1, end_port=-1) dst_port = PortType(start_port=-1, end_port=-1) src_address = AddressType(virtual_network='any') dst_address = AddressType(virtual_network='any') action = ActionListType(simple_action='pass') rule = PolicyRuleType(protocol='any', direction='<>', src_ports=[src_port], src_addresses=[src_address], dst_ports=[dst_port], dst_addresses=[dst_address], action_list=action) entry = PolicyEntriesType(policy_rule=[rule]) return entry
and len(rule.get_dst_ports()) == 1 and rule.get_dst_ports()[0].get_start_port() == 0 and rule.get_dst_ports()[0].get_end_port() == 65535 and rule.get_protocol() == 'any'): print "Default Egress rule exists in project %s" % proj_obj.name egress_rule_exists = True if ingress_rule_exists: break sgr_uuid = str(uuid.uuid4()) ingress_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[ AddressType(security_group=proj_obj.get_fq_name_str() + ':' + 'default') ], src_ports=[PortType(0, 65535)], dst_addresses=[AddressType(security_group='local')], dst_ports=[PortType(0, 65535)]) if not ingress_rule_exists: print "Default Ingress rule doesn't exists in project %s" % proj_obj.name sg_rules.add_policy_rule(ingress_rule) sgr_uuid = str(uuid.uuid4()) egress_rule = PolicyRuleType( rule_uuid=sgr_uuid, direction='>', protocol='any', src_addresses=[AddressType(security_group='local')],
def recreate_vrf_assign_table(self): if not (self.is_left() or self.is_right()): self._set_vrf_assign_table(None) return vn = ResourceBaseST.get_obj_type_map().get('virtual_network').get( self.virtual_network) if vn is None: self._set_vrf_assign_table(None) return vm_pt_list = self.get_virtual_machine_or_port_tuple() if not vm_pt_list: self._set_vrf_assign_table(None) return policy_rule_count = 0 vrf_table = VrfAssignTableType() for vm_pt in vm_pt_list: smode = vm_pt.get_service_mode() if smode not in ['in-network', 'in-network-nat']: self._set_vrf_assign_table(None) return ip_list = [] for ip_name in self.instance_ips: ip = ResourceBaseST.get_obj_type_map().get('instance_ip').get( ip_name) if ip and ip.instance_ip_address: ip_list.append((ip.ip_version, ip.instance_ip_address)) for ip_name in self.floating_ips: ip = ResourceBaseST.get_obj_type_map().get('floating_ip').get( ip_name) if ip and ip.floating_ip_address: ip_list.append((ip.ip_version, ip.floating_ip_address)) for ip_name in self.alias_ips: ip = ResourceBaseST.get_obj_type_map().get('alias_ip').get( ip_name) if ip and ip.alias_ip_address: ip_list.append((ip.ip_version, ip.alias_ip_address)) for (ip_version, ip_address) in ip_list: if ip_version == 6: address = AddressType(subnet=SubnetType(ip_address, 128)) else: address = AddressType(subnet=SubnetType(ip_address, 32)) mc = MatchConditionType(src_address=address, protocol='any', src_port=PortType(), dst_port=PortType()) vrf_rule = VrfAssignRuleType( match_condition=mc, routing_instance=vn._default_ri_name, ignore_acl=False) vrf_table.add_vrf_assign_rule(vrf_rule) si_name = vm_pt.service_instance for service_chain_list in vn.service_chains.values(): for service_chain in service_chain_list: if not service_chain.created: continue service_list = service_chain.service_list if si_name not in service_chain.service_list: continue if ((si_name == service_list[0] and self.is_left()) or (si_name == service_list[-1] and self.is_right())): # Do not generate VRF assign rules for 'book-ends' continue ri_name = vn.get_service_name(service_chain.name, si_name) for sp in service_chain.sp_list: for dp in service_chain.dp_list: if self.is_left(): mc = MatchConditionType( src_port=dp, dst_port=sp, protocol=service_chain.protocol) else: mc = MatchConditionType( src_port=sp, dst_port=dp, protocol=service_chain.protocol) vrf_rule = VrfAssignRuleType( match_condition=mc, routing_instance=ri_name, ignore_acl=True) vrf_table.add_vrf_assign_rule(vrf_rule) policy_rule_count += 1 # end for dp # end for sp # end for service_chain # end for service_chain_list # end for vm_pt_list if policy_rule_count == 0: vrf_table = None self._set_vrf_assign_table(vrf_table)