def _update_subnets_and_dnat_firewall_on_routers(self, context,
target_router_id,
router_ids,
allow_external=True):
fake_fw_rules = []
for router_id in router_ids:
router_qry = context.session.query(l3_db_models.Router)
router = router_qry.filter_by(id=router_id).one()
subnet_cidrs = self.plugin._find_router_subnets_cidrs(
context, router['id'])
routes = self.plugin._get_extra_routes_by_router_id(
context, router['id'])
subnet_cidrs.extend([route['destination'] for route in routes])
if subnet_cidrs:
# Add fw rule to open subnets firewall flows and static routes
# relative flows
fake_subnet_fw_rule = {
'name': 'Subnet Rule',
'action': 'allow',
'enabled': True,
'source_ip_address': subnet_cidrs,
'destination_ip_address': subnet_cidrs}
fake_fw_rules.append(fake_subnet_fw_rule)
_, dnat_rules = self.plugin._get_nat_rules(context, router)
dnat_cidrs = [rule['dst'] for rule in dnat_rules]
if dnat_cidrs:
# Fake fw rule to open dnat firewall flows
fake_dnat_fw_rule = {
'name': 'DNAT Rule',
'action': 'allow',
'enabled': True,
'destination_ip_address': dnat_cidrs}
fake_fw_rules.append(fake_dnat_fw_rule)
# Add rule for not NAT-ed allocation pools
alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule(
context, router)
if alloc_pool_rule:
fake_fw_rules.append(alloc_pool_rule)
# Add no-snat rules
nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
context, router)
fake_fw_rules.extend(nosnat_fw_rules)
# If metadata service is enabled, block access to inter-edge network
if self.plugin.metadata_proxy_handler:
fake_fw_rules += (
nsx_v_md_proxy.get_router_fw_rules())
# TODO(asarfaty): Add fwaas rules when fwaas supports shared routers
fake_fw = {'firewall_rule_list': fake_fw_rules}
edge_utils.update_firewall(self.nsx_v, context, target_router_id,
fake_fw, allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self,
context,
target_router_id,
router_ids,
allow_external=True):
fake_fw_rules = []
for router_id in router_ids:
router_qry = context.session.query(l3_db.Router)
router = router_qry.filter_by(id=router_id).one()
subnet_cidrs = self.plugin._find_router_subnets_cidrs(
context, router['id'])
routes = self.plugin._get_extra_routes_by_router_id(
context, router['id'])
subnet_cidrs.extend([route['destination'] for route in routes])
if subnet_cidrs:
# Fake fw rule to open subnets firewall flows and static routes
# relative flows
fake_subnet_fw_rule = {
'action': 'allow',
'enabled': True,
'source_ip_address': subnet_cidrs,
'destination_ip_address': subnet_cidrs
}
fake_fw_rules.append(fake_subnet_fw_rule)
_, dnat_rules = self.plugin._get_nat_rules(context, router)
dnat_cidrs = [rule['dst'] for rule in dnat_rules]
if dnat_cidrs:
# Fake fw rule to open dnat firewall flows
fake_dnat_fw_rule = {
'action': 'allow',
'enabled': True,
'destination_ip_address': dnat_cidrs
}
fake_fw_rules.append(fake_dnat_fw_rule)
nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
context, router)
fake_fw_rules.extend(nosnat_fw_rules)
# If metadata service is enabled, block access to inter-edge network
if self.plugin.metadata_proxy_handler:
fake_fw_rules += (nsx_v_md_proxy.get_router_fw_rules())
# TODO(berlin): Add fw rules if fw service is supported
fake_fw = {'firewall_rule_list': fake_fw_rules}
edge_utils.update_firewall(self.nsx_v,
context,
target_router_id,
fake_fw,
allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self, context,
target_router_id,
router_ids,
allow_external=True):
fake_fw_rules = []
for router_id in router_ids:
router_qry = context.session.query(l3_db.Router)
router = router_qry.filter_by(id=router_id).one()
subnet_cidrs = self.plugin._find_router_subnets_cidrs(
context, router['id'])
routes = self.plugin._get_extra_routes_by_router_id(
context, router['id'])
subnet_cidrs.extend([route['destination'] for route in routes])
if subnet_cidrs:
# Fake fw rule to open subnets firewall flows and static routes
# relative flows
fake_subnet_fw_rule = {
'action': 'allow',
'enabled': True,
'source_ip_address': subnet_cidrs,
'destination_ip_address': subnet_cidrs}
fake_fw_rules.append(fake_subnet_fw_rule)
_, dnat_rules = self.plugin._get_nat_rules(context, router)
dnat_cidrs = [rule['dst'] for rule in dnat_rules]
if dnat_cidrs:
# Fake fw rule to open dnat firewall flows
fake_dnat_fw_rule = {
'action': 'allow',
'enabled': True,
'destination_ip_address': dnat_cidrs}
fake_fw_rules.append(fake_dnat_fw_rule)
nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
context, router)
fake_fw_rules.extend(nosnat_fw_rules)
# If metadata service is enabled, block access to inter-edge network
if self.plugin.metadata_proxy_handler:
fake_fw_rules += (
nsx_v_md_proxy.get_router_fw_rules())
# TODO(berlin): Add fw rules if fw service is supported
fake_fw = {'firewall_rule_list': fake_fw_rules}
edge_utils.update_firewall(self.nsx_v, context, target_router_id,
fake_fw, allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self,
context,
target_router_id,
router_ids,
allow_external=True):
fw_rules = []
for router_id in router_ids:
# Add FW rules per single router
router_qry = context.session.query(l3_db_models.Router)
router = router_qry.filter_by(id=router_id).one()
# subnet rules to allow east-west traffic
subnet_rules = self.plugin._get_subnet_fw_rules(context, router)
if subnet_rules:
fw_rules.extend(subnet_rules)
# DNAT rules
dnat_rule = self.plugin._get_dnat_fw_rule(context, router)
if dnat_rule:
fw_rules.append(dnat_rule)
# Add rule for not NAT-ed allocation pools
alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule(
context, router)
if alloc_pool_rule:
fw_rules.append(alloc_pool_rule)
# Add no-snat rules
nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
context, router)
fw_rules.extend(nosnat_fw_rules)
# If metadata service is enabled, block access to inter-edge network
if self.plugin.metadata_proxy_handler:
fw_rules += nsx_v_md_proxy.get_router_fw_rules()
# TODO(asarfaty): Add fwaas rules when fwaas supports shared routers
fw = {'firewall_rule_list': fw_rules}
edge_utils.update_firewall(self.nsx_v,
context,
target_router_id,
fw,
allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self, context,
target_router_id,
router_ids,
allow_external=True):
fw_rules = []
for router_id in router_ids:
# Add FW rules per single router
router_qry = context.session.query(l3_db_models.Router)
router = router_qry.filter_by(id=router_id).one()
# subnet rules to allow east-west traffic
subnet_rules = self.plugin._get_subnet_fw_rules(context, router)
if subnet_rules:
fw_rules.extend(subnet_rules)
# DNAT rules
dnat_rule = self.plugin._get_dnat_fw_rule(context, router)
if dnat_rule:
fw_rules.append(dnat_rule)
# Add rule for not NAT-ed allocation pools
alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule(
context, router)
if alloc_pool_rule:
fw_rules.append(alloc_pool_rule)
# Add no-snat rules
nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules(
context, router)
fw_rules.extend(nosnat_fw_rules)
# If metadata service is enabled, block access to inter-edge network
if self.plugin.metadata_proxy_handler:
fw_rules += nsx_v_md_proxy.get_router_fw_rules()
# TODO(asarfaty): Add fwaas rules when fwaas supports shared routers
fw = {'firewall_rule_list': fw_rules}
edge_utils.update_firewall(self.nsx_v, context, target_router_id,
fw, allow_external=allow_external)
def _setup_new_proxy_edge(self, rtr_ext_ip):
# Use separate context per each as we use this in tread context
context = neutron_context.get_admin_context()
rtr_id = None
try:
rtr_name = 'metadata_proxy_router'
if not self.az.is_default():
rtr_name = '%s-%s' % (rtr_name, self.az.name)
router_data = {
'router': {
'name': rtr_name,
'admin_state_up': True,
'router_type': 'exclusive',
'availability_zone_hints': [self.az.name],
'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}}
rtr = self.nsxv_plugin.create_router(
context,
router_data,
allow_metadata=False)
rtr_id = rtr['id']
edge_id = self._get_edge_id_by_rtr_id(context, rtr_id)
if not edge_id:
LOG.error('No edge create for router - %s', rtr_id)
if rtr_id:
self.nsxv_plugin.delete_router(context, rtr_id)
return
self.nsxv_plugin.nsx_v.update_interface(
rtr['id'],
edge_id,
vcns_const.EXTERNAL_VNIC_INDEX,
self.az.mgt_net_moid,
address=rtr_ext_ip,
netmask=self.az.mgt_net_proxy_netmask,
secondary=[])
port_data = {
'port': {
'network_id': self.internal_net,
'name': None,
'admin_state_up': True,
'device_id': rtr_id,
'device_owner': (constants.DEVICE_OWNER_NETWORK_PREFIX +
'md_interface'),
'fixed_ips': constants.ATTR_NOT_SPECIFIED,
'mac_address': constants.ATTR_NOT_SPECIFIED,
'port_security_enabled': False,
'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}}
port = self.nsxv_plugin.base_create_port(context, port_data)
address_groups = self._get_address_groups(
context, self.internal_net, rtr_id, is_proxy=True)
edge_ip = port['fixed_ips'][0]['ip_address']
with locking.LockManager.get_lock(edge_id):
edge_utils.update_internal_interface(
self.nsxv_plugin.nsx_v, context, rtr_id,
self.internal_net, address_groups)
self._setup_metadata_lb(rtr_id,
port['fixed_ips'][0]['ip_address'],
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_ips,
proxy_lb=True)
firewall_rules = [
DEFAULT_EDGE_FIREWALL_RULE,
{
'action': 'allow',
'enabled': True,
'source_ip_address': [INTERNAL_SUBNET]}]
edge_utils.update_firewall(
self.nsxv_plugin.nsx_v,
context,
rtr_id,
{'firewall_rule_list': firewall_rules},
allow_external=False)
if self.az.mgt_net_default_gateway:
self.nsxv_plugin._update_routes(
context, rtr_id,
self.az.mgt_net_default_gateway)
nsxv_db.create_nsxv_internal_edge(
context.session, rtr_ext_ip,
vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id)
return edge_ip
except Exception as e:
LOG.exception("Exception %s while creating internal edge "
"for metadata service", e)
ports = self.nsxv_plugin.get_ports(
context, filters={'device_id': [rtr_id]})
for port in ports:
self.nsxv_plugin.delete_port(context, port['id'],
l3_port_check=True,
nw_gw_port_check=True)
nsxv_db.delete_nsxv_internal_edge(
context.session,
rtr_ext_ip)
if rtr_id:
self.nsxv_plugin.delete_router(context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip):
# Use separate context per each as we use this in tread context
context = neutron_context.get_admin_context()
rtr_id = None
try:
rtr_name = 'metadata_proxy_router'
if not self.az.is_default():
rtr_name = '%s-%s' % (rtr_name, self.az.name)
router_data = {
'router': {
'name': rtr_name,
'admin_state_up': True,
'router_type': 'exclusive',
'availability_zone_hints': [self.az.name],
'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}}
rtr = self.nsxv_plugin.create_router(
context,
router_data,
allow_metadata=False)
rtr_id = rtr['id']
edge_id = self._get_edge_id_by_rtr_id(context, rtr_id)
if not edge_id:
LOG.error('No edge create for router - %s', rtr_id)
if rtr_id:
self.nsxv_plugin.delete_router(context, rtr_id)
return
self.nsxv_plugin.nsx_v.update_interface(
rtr['id'],
edge_id,
vcns_const.EXTERNAL_VNIC_INDEX,
self.az.mgt_net_moid,
address=rtr_ext_ip,
netmask=self.az.mgt_net_proxy_netmask,
secondary=[])
port_data = {
'port': {
'network_id': self.internal_net,
'name': None,
'admin_state_up': True,
'device_id': rtr_id,
'device_owner': (constants.DEVICE_OWNER_NETWORK_PREFIX +
'md_interface'),
'fixed_ips': constants.ATTR_NOT_SPECIFIED,
'mac_address': constants.ATTR_NOT_SPECIFIED,
'port_security_enabled': False,
'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}}
port = self.nsxv_plugin.base_create_port(context, port_data)
address_groups = self._get_address_groups(
context, self.internal_net, rtr_id, is_proxy=True)
edge_ip = port['fixed_ips'][0]['ip_address']
with locking.LockManager.get_lock(edge_id):
edge_utils.update_internal_interface(
self.nsxv_plugin.nsx_v, context, rtr_id,
self.internal_net, address_groups)
self._setup_metadata_lb(rtr_id,
port['fixed_ips'][0]['ip_address'],
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_ips,
proxy_lb=True)
firewall_rules = [
DEFAULT_EDGE_FIREWALL_RULE,
{
'action': 'allow',
'enabled': True,
'source_ip_address': [INTERNAL_SUBNET]}]
edge_utils.update_firewall(
self.nsxv_plugin.nsx_v,
context,
rtr_id,
{'firewall_rule_list': firewall_rules},
allow_external=False)
if self.az.mgt_net_default_gateway:
self.nsxv_plugin._update_routes(
context, rtr_id,
self.az.mgt_net_default_gateway)
nsxv_db.create_nsxv_internal_edge(
context.session, rtr_ext_ip,
vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id)
return edge_ip
except Exception as e:
LOG.exception("Exception %s while creating internal edge "
"for metadata service", e)
ports = self.nsxv_plugin.get_ports(
context, filters={'device_id': [rtr_id]})
for port in ports:
self.nsxv_plugin.delete_port(context, port['id'],
l3_port_check=True,
nw_gw_port_check=True,
allow_delete_internal=True)
nsxv_db.delete_nsxv_internal_edge(
context.session,
rtr_ext_ip)
if rtr_id:
self.nsxv_plugin.delete_router(context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip):
rtr_id = None
try:
router_data = {
'router': {
'name': 'metadata_proxy_router',
'admin_state_up': True,
'router_type': 'exclusive',
'tenant_id': None
}
}
rtr = self.nsxv_plugin.create_router(self.context,
router_data,
allow_metadata=False)
rtr_id = rtr['id']
edge_id = self._get_edge_id_by_rtr_id(rtr_id)
self.nsxv_plugin.nsx_v.update_interface(
rtr['id'],
edge_id,
vcns_const.EXTERNAL_VNIC_INDEX,
cfg.CONF.nsxv.mgt_net_moid,
address=rtr_ext_ip,
netmask=cfg.CONF.nsxv.mgt_net_proxy_netmask,
secondary=[])
port_data = {
'port': {
'network_id': self.internal_net,
'name': None,
'admin_state_up': True,
'device_id': rtr_id,
'device_owner': constants.DEVICE_OWNER_ROUTER_INTF,
'fixed_ips': constants.ATTR_NOT_SPECIFIED,
'mac_address': constants.ATTR_NOT_SPECIFIED,
'port_security_enabled': False,
'tenant_id': None
}
}
port = self.nsxv_plugin.create_port(self.context, port_data)
address_groups = self._get_address_groups(self.context,
self.internal_net,
rtr_id,
is_proxy=True)
edge_ip = port['fixed_ips'][0]['ip_address']
edge_utils.update_internal_interface(self.nsxv_plugin.nsx_v,
self.context, rtr_id,
self.internal_net,
address_groups)
self._setup_metadata_lb(rtr_id,
port['fixed_ips'][0]['ip_address'],
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_ips,
proxy_lb=True)
firewall_rules = [
DEFAULT_EDGE_FIREWALL_RULE, {
'action': 'allow',
'enabled': True,
'source_ip_address': [INTERNAL_SUBNET]
}
]
edge_utils.update_firewall(self.nsxv_plugin.nsx_v,
self.context,
rtr_id,
{'firewall_rule_list': firewall_rules},
allow_external=False)
if cfg.CONF.nsxv.mgt_net_default_gateway:
self.nsxv_plugin._update_routes(
self.context, rtr_id,
cfg.CONF.nsxv.mgt_net_default_gateway)
nsxv_db.create_nsxv_internal_edge(
self.context.session, rtr_ext_ip,
vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id)
return edge_ip
except Exception as e:
LOG.exception(
_LE("Exception %s while creating internal edge "
"for metadata service"), e)
ports = self.nsxv_plugin.get_ports(self.context,
filters={'device_id': [rtr_id]})
for port in ports:
self.nsxv_plugin.delete_port(self.context,
port['id'],
l3_port_check=True,
nw_gw_port_check=True)
nsxv_db.delete_nsxv_internal_edge(self.context.session, rtr_ext_ip)
if rtr_id:
self.nsxv_plugin.delete_router(self.context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip):
rtr_id = None
try:
router_data = {
'router': {
'name': 'metadata_proxy_router',
'admin_state_up': True,
'router_type': 'exclusive',
'tenant_id': None}}
rtr = self.nsxv_plugin.create_router(
self.context,
router_data,
allow_metadata=False)
rtr_id = rtr['id']
edge_id = self._get_edge_id_by_rtr_id(rtr_id)
self.nsxv_plugin.nsx_v.update_interface(
rtr['id'],
edge_id,
vcns_const.EXTERNAL_VNIC_INDEX,
cfg.CONF.nsxv.mgt_net_moid,
address=rtr_ext_ip,
netmask=cfg.CONF.nsxv.mgt_net_proxy_netmask,
secondary=[])
port_data = {
'port': {
'network_id': self.internal_net,
'name': None,
'admin_state_up': True,
'device_id': rtr_id,
'device_owner': constants.DEVICE_OWNER_ROUTER_INTF,
'fixed_ips': constants.ATTR_NOT_SPECIFIED,
'mac_address': constants.ATTR_NOT_SPECIFIED,
'port_security_enabled': False,
'tenant_id': None}}
port = self.nsxv_plugin.create_port(self.context, port_data)
address_groups = self._get_address_groups(
self.context, self.internal_net, rtr_id, is_proxy=True)
edge_ip = port['fixed_ips'][0]['ip_address']
edge_utils.update_internal_interface(
self.nsxv_plugin.nsx_v, self.context, rtr_id,
self.internal_net, address_groups)
self._setup_metadata_lb(rtr_id,
port['fixed_ips'][0]['ip_address'],
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_port,
cfg.CONF.nsxv.nova_metadata_ips,
proxy_lb=True)
firewall_rules = [
DEFAULT_EDGE_FIREWALL_RULE,
{
'action': 'allow',
'enabled': True,
'source_ip_address': [INTERNAL_SUBNET]}]
edge_utils.update_firewall(
self.nsxv_plugin.nsx_v,
self.context,
rtr_id,
{'firewall_rule_list': firewall_rules},
allow_external=False)
if cfg.CONF.nsxv.mgt_net_default_gateway:
self.nsxv_plugin._update_routes(
self.context, rtr_id,
cfg.CONF.nsxv.mgt_net_default_gateway)
nsxv_db.create_nsxv_internal_edge(
self.context.session, rtr_ext_ip,
vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id)
return edge_ip
except Exception as e:
LOG.exception(_LE("Exception %s while creating internal edge "
"for metadata service"), e)
ports = self.nsxv_plugin.get_ports(
self.context, filters={'device_id': [rtr_id]})
for port in ports:
self.nsxv_plugin.delete_port(self.context, port['id'],
l3_port_check=True,
nw_gw_port_check=True)
nsxv_db.delete_nsxv_internal_edge(
self.context.session,
rtr_ext_ip)
if rtr_id:
self.nsxv_plugin.delete_router(self.context, rtr_id)