def _add_inet_public_vrf_filter(cls, firewall_config, inet_type):
firewall_config.set_family(inet_type)
f = FirewallFilter(name=DMUtils.make_public_vrf_filter_name(inet_type))
f.set_comment(DMUtils.public_vrf_filter_comment())
firewall_config.add_firewall_filters(f)
term = Term(name="default-term", then=Then(accept_or_reject=True))
f.add_terms(term)
return f
def add_ether_type_term(self, ff, ether_type_match):
if not ether_type_match:
return None
term = Term()
from_ = From()
term.set_from(from_)
term.set_name("ether-type")
from_.set_ether_type(ether_type_match.lower())
term.set_then(Then(accept_or_reject=True))
ff.add_terms(term)
def add_dns_dhcp_terms(self, ff):
port_list = [67, 68, 53]
term = Term()
term.set_name("allow-dns-dhcp")
from_ = From()
from_.set_ip_protocol("udp")
term.set_from(from_)
for port in port_list:
from_.add_source_ports(str(port))
term.set_then(Then(accept_or_reject=True))
ff.add_terms(term)
def _add_inet_filter_term(self, ri_name, prefixes, inet_type):
if inet_type == 'inet6':
prefixes = DMUtils.get_ipv6_prefixes(prefixes)
else:
prefixes = DMUtils.get_ipv4_prefixes(prefixes)
from_ = From()
for prefix in prefixes:
from_.add_destination_address(self._get_subnet_for_cidr(prefix))
then_ = Then()
then_.add_routing_instance(ri_name)
return Term(name=DMUtils.make_vrf_term_name(ri_name),
fromxx=from_,
then=then_)
def _add_routing_instance(self, ri_conf):
gevent.idle()
ri_name = ri_conf.get("ri_name")
vn = ri_conf.get("vn")
is_l2 = ri_conf.get("is_l2", False)
is_l2_l3 = ri_conf.get("is_l2_l3", False)
import_targets = ri_conf.get("import_targets", set())
export_targets = ri_conf.get("export_targets", set())
prefixes = ri_conf.get("prefixes") or []
gateways = ri_conf.get("gateways") or []
router_external = ri_conf.get("router_external", False)
interfaces = ri_conf.get("interfaces", [])
vni = ri_conf.get("vni", None)
fip_map = ri_conf.get("fip_map", None)
network_id = ri_conf.get("network_id", None)
is_internal_vn = True if '_contrail_lr_internal_vn_' in vn.name \
else False
encapsulation_priorities = ri_conf.get("encapsulation_priorities") or [
"MPLSoGRE"
]
highest_encapsulation = encapsulation_priorities[0]
ri = RoutingInstance(name=ri_name)
is_master_int_vn = False
if vn:
is_nat = True if fip_map else False
ri.set_comment(
DMUtils.vn_ri_comment(vn, is_l2, is_l2_l3, is_nat,
router_external))
if is_internal_vn:
lr_uuid = DMUtils.extract_lr_uuid_from_internal_vn_name(
ri_name)
else:
if vn.logical_router is None:
# try updating logical router to handle DM restart
# vn.logical_router could be none as sequencing of
# locate object calls in device_manager.py
vn.set_logical_router(vn.fq_name[-1])
lr_uuid = vn.logical_router
if lr_uuid:
lr = LogicalRouterDM.get(lr_uuid)
if lr:
is_master_int_vn = lr.is_master
if is_internal_vn:
# set description only for interval VN/VRF
ri.set_description("__contrail_%s_%s" %
(lr.name, lr_uuid))
ri.set_is_master(is_master_int_vn)
ri.set_virtual_network_id(str(network_id))
ri.set_vxlan_id(str(vni))
ri.set_virtual_network_is_internal(is_internal_vn)
ri.set_is_public_network(router_external)
if is_l2_l3:
ri.set_virtual_network_mode('l2-l3')
elif is_l2:
ri.set_virtual_network_mode('l2')
if highest_encapsulation == "VXLAN":
ri.set_routing_instance_type("virtual-switch")
elif highest_encapsulation in ["MPLSoGRE", "MPLSoUDP"]:
ri.set_routing_instance_type("evpn")
else:
ri.set_virtual_network_mode('l3')
if not is_l2:
ri.set_routing_instance_type("vrf")
if fip_map is None and (router_external or not is_internal_vn):
# add RI prefixes for dc-gateway
self._add_ri_prefixes(vn, router_external, interfaces,
prefixes, ri)
if ri.get_routing_instance_type() != 'virtual-switch' and \
ri.get_virtual_network_mode() != 'l2':
self.ri_map[ri_name] = ri
# add irb physical interface and irb vni gateway settings for l2_l3
if self._is_gateway() and is_l2_l3 and not is_internal_vn:
__, li_map = self._add_or_lookup_pi(self.pi_map, 'irb', 'irb')
intf_unit = self._add_or_lookup_li(li_map,
'irb.' + str(network_id),
network_id)
if len(gateways) > 0:
if vn.has_ipv6_subnet is True:
intf_unit.set_is_virtual_router(True)
intf_unit.set_comment(
DMUtils.vn_irb_comment(vn, False, is_l2_l3,
router_external))
for (irb_ip, gateway) in gateways:
if len(gateway) and gateway != '0.0.0.0':
intf_unit.set_gateway(gateway)
self._add_ip_address(intf_unit,
irb_ip,
gateway=gateway)
else:
self._add_ip_address(intf_unit, irb_ip)
if (is_l2 and vni is not None
and self._is_evpn(self._physical_router)):
irb_name = 'irb.' + str(network_id)
self._add_ref_to_list(ri.get_routing_interfaces(), irb_name)
# add firewall config for public VRF
if router_external and is_l2 is False:
self._add_ri_vrf_firewall_config(prefixes, ri)
# add firewall config for DCI Network
if fip_map is not None:
self._add_ref_to_list(ri.get_interfaces(), interfaces[0].name)
self.firewall_config = self.firewall_config or Firewall(
comment=DMUtils.firewall_comment())
f = FirewallFilter(
name=DMUtils.make_private_vrf_filter_name(ri_name))
f.set_comment(DMUtils.vn_firewall_comment(vn, "private"))
self.firewall_config.add_firewall_filters(f)
term = Term(name=DMUtils.make_vrf_term_name(ri_name))
from_ = From()
for fip_user_ip in list(fip_map.keys()):
from_.add_source_address(
self._get_subnet_for_cidr(fip_user_ip))
term.set_from(from_)
term.set_then(Then(routing_instance=[ri_name]))
f.add_terms(term)
__, li_map = self._add_or_lookup_pi(self.pi_map, 'irb', 'irb')
intf_name = 'irb.' + str(network_id)
intf_unit = self._add_or_lookup_li(li_map, intf_name, network_id)
intf_unit.set_comment(DMUtils.vn_irb_fip_inet_comment(vn))
intf_unit.set_family("inet")
intf_unit.add_firewall_filters(
DMUtils.make_private_vrf_filter_name(ri_name))
self._add_ref_to_list(ri.get_routing_interfaces(), intf_name)
# fip services config
nat_rules = NatRules(allow_overlapping_nat_pools=True,
name=DMUtils.make_services_set_name(ri_name),
comment=DMUtils.service_set_comment(vn))
ri.set_nat_rules(nat_rules)
snat_rule = NatRule(name=DMUtils.make_snat_rule_name(ri_name),
comment=DMUtils.service_set_nat_rule_comment(
vn, "SNAT"),
direction="input",
translation_type="basic-nat44")
snat_rule.set_comment(DMUtils.snat_rule_comment())
nat_rules.add_rules(snat_rule)
dnat_rule = NatRule(name=DMUtils.make_dnat_rule_name(ri_name),
comment=DMUtils.service_set_nat_rule_comment(
vn, "DNAT"),
direction="output",
translation_type="dnat-44")
dnat_rule.set_comment(DMUtils.dnat_rule_comment())
nat_rules.add_rules(dnat_rule)
nat_rules.set_inside_interface(interfaces[0].name)
nat_rules.set_outside_interface(interfaces[1].name)
for pip, fip_vn in list(fip_map.items()):
fip = fip_vn["floating_ip"]
snat_rule.add_source_addresses(self._get_subnet_for_cidr(pip))
snat_rule.add_source_prefixes(self._get_subnet_for_cidr(fip))
dnat_rule.add_destination_addresses(
self._get_subnet_for_cidr(fip))
dnat_rule.add_destination_prefixes(
self._get_subnet_for_cidr(pip))
self._add_ref_to_list(ri.get_ingress_interfaces(),
interfaces[0].name)
self._add_ref_to_list(ri.get_egress_interfaces(),
interfaces[1].name)
for target in import_targets:
self._add_to_list(ri.get_import_targets(), target)
for target in export_targets:
self._add_to_list(ri.get_export_targets(), target)
def add_filter_term(self, ff, name):
term = Term()
term.set_name(name)
ff.add_terms(term)
term.set_then(Then(accept_or_reject=True))
return term