def construct_security_group(project):
    """Build (but do not create) the vCenter default security group.

    The group is named ``VNC_VCENTER_DEFAULT_SG`` and parented under
    ``project``.  It carries two IPv4-only rules (``ethertype='IPv4'``),
    each spanning every protocol and the full 0-65535 port range:

    * ingress: traffic whose source is a member of this same security
      group (``VNC_VCENTER_DEFAULT_SG_FQN``) may reach ``local``;
    * egress: ``local`` may reach any destination, i.e. 0.0.0.0/0 — this
      is an allow-all outbound rule.

    Returns the populated ``vnc_api.SecurityGroup``; the caller is
    responsible for pushing it to the API server.
    """
    sg_obj = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG,
                                   parent_obj=project)
    entries = vnc_api.PolicyEntriesType()

    def _rule(src, dst):
        # Both rules are identical apart from their endpoints.  Fresh
        # PortType objects are built per rule, as the original did.
        return vnc_api.PolicyRuleType(
            rule_uuid=str(uuid4()),
            direction='>',
            protocol='any',
            src_addresses=[src],
            src_ports=[vnc_api.PortType(0, 65535)],
            dst_addresses=[dst],
            dst_ports=[vnc_api.PortType(0, 65535)],
            ethertype='IPv4',
        )

    # Ingress: only members of this security group may reach 'local'.
    entries.add_policy_rule(_rule(
        vnc_api.AddressType(
            security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN)),
        vnc_api.AddressType(security_group='local')))

    # Egress: 'local' may reach any IPv4 address (0.0.0.0/0).
    entries.add_policy_rule(_rule(
        vnc_api.AddressType(security_group='local'),
        vnc_api.AddressType(subnet=vnc_api.SubnetType('0.0.0.0', 0))))

    sg_obj.set_security_group_entries(entries)
    return sg_obj
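 def _get_rule(ingress, sg, prefix, ethertype, prefix_len=0):
     """Build one security-group rule (any protocol, all ports).

     ``proj_obj`` is taken from the enclosing scope (not visible here) and
     is used to qualify ``sg``.

     Args:
         ingress: True -> the remote end is the source and ``local`` the
             destination; False -> the reverse (egress).  The VNC direction
             is always ``'>'``; ingress/egress is expressed by which side
             is ``local``.
         sg: Name of a security group under ``proj_obj`` to use as the
             remote end.  Takes precedence over ``prefix``.
         prefix: IP prefix to use as the remote end when ``sg`` is falsy.
         ethertype: ``'IPv4'`` or ``'IPv6'``, passed through unchanged.
         prefix_len: Length applied to ``prefix``.  Defaults to 0, which is
             what the original always used — note a ``/0`` matches *every*
             address regardless of ``prefix``, so pass the real length if
             the rule is meant to be restricted to one subnet.

     Returns:
         A ``vnc_api.PolicyRuleType``.

     Raises:
         ValueError: if neither ``sg`` nor ``prefix`` is given.  The
             original left ``addr`` unbound and failed later with an
             UnboundLocalError.
     """
     if not sg and not prefix:
         raise ValueError('_get_rule: either sg or prefix must be given')

     sgr_uuid = str(uuid.uuid4())
     if sg:
         addr = vnc_api.AddressType(
             security_group=proj_obj.get_fq_name_str() + ':' + sg)
     else:
         addr = vnc_api.AddressType(
             subnet=vnc_api.SubnetType(prefix, prefix_len))
     local_addr = vnc_api.AddressType(security_group='local')

     if ingress:
         src_addr, dst_addr = addr, local_addr
     else:
         src_addr, dst_addr = local_addr, addr

     return vnc_api.PolicyRuleType(
         rule_uuid=sgr_uuid,
         direction='>',
         protocol='any',
         src_addresses=[src_addr],
         src_ports=[vnc_api.PortType(0, 65535)],
         dst_addresses=[dst_addr],
         dst_ports=[vnc_api.PortType(0, 65535)],
         ethertype=ethertype)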
def create_NetworkPolicy(policy_name, left_network_name, right_network_name,
                         vnc, domain, project_name):
    """Create a bidirectional allow-all network policy between two VNs.

    One rule is written: direction ``'<>'``, protocol ``'any'``, ports
    ``-1..-1`` on both sides (the all-ports value used throughout this
    file), simple action ``'pass'``.  The policy is created under project
    ``[domain, project_name]`` through ``vnc`` but is NOT attached to
    either network — the caller must do that.  A confirmation line is
    printed.
    """
    owner = vnc.project_read(fq_name=[domain, project_name])

    left = vnc_api.AddressType(virtual_network=left_network_name)
    right = vnc_api.AddressType(virtual_network=right_network_name)
    allow = vnc_api.ActionListType(simple_action='pass')

    rule = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=allow,
        src_addresses=[left],
        src_ports=[vnc_api.PortType(start_port=-1, end_port=-1)],
        dst_addresses=[right],
        dst_ports=[vnc_api.PortType(start_port=-1, end_port=-1)])

    entries = vnc_api.PolicyEntriesType([rule])
    vnc.network_policy_create(vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=owner,
        network_policy_entries=entries))

    print('Policy "{}" created between "{}" & "{}"\n'.format(
        policy_name, left_network_name, right_network_name))
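    def _security_group_rule_neutron_to_vnc(self, sgr_q):
        """Translate a Neutron security-group rule dict into a PolicyRuleType.

        ``sgr_q`` is the Neutron rule: ``direction``, ``protocol``,
        ``ethertype``, ``port_range_min``/``port_range_max``,
        ``remote_ip_prefix``, ``remote_group_id`` and optionally ``id`` and
        ``tenant_id``.  The remote end becomes ``remote_ip_prefix`` (as a
        subnet), the referenced security group's FQ name, or the wildcard
        ``security_group='any'`` when neither is given.  The local end is
        always ``security_group='local'``; the VNC direction is always
        ``'>'`` and ingress/egress is expressed by which side is local.
        Only the destination side carries the Neutron port range; the
        source side is always 0-65535.

        Side effects: a missing ``protocol`` is set to ``'any'`` and, when
        no remote is given, a missing ``ethertype`` to ``'IPv4'`` — on
        ``sgr_q`` itself, as the original did.

        Raises (via ``_raise_contrail_exception``): ``BadRequest`` when both
        ``remote_ip_prefix`` and ``remote_group_id`` are set, or the prefix
        is not ``addr/len``; ``SecurityGroupNotFound`` when the remote group
        does not exist; ``NotFound`` when it belongs to another tenant.
        """
        remote_prefix = sgr_q['remote_ip_prefix']
        remote_group = sgr_q['remote_group_id']

        # Validate the remote specification first so a bad request fails
        # with a 400 before any API lookup.  The original silently preferred
        # the prefix when both were given; the other converter in this file
        # rejects the combination, so do the same here.
        if remote_prefix and remote_group:
            self._raise_contrail_exception(
                "BadRequest",
                msg="Can't set remote_ip_prefix with remote_group_id",
                resource="security_group_rule")
        if remote_prefix:
            # split('/')[1] / int() raised IndexError/ValueError on a prefix
            # without "/len", which surfaced as a 500.
            pfx, sep, plen = remote_prefix.partition('/')
            if not sep or not plen.isdigit():
                self._raise_contrail_exception(
                    "BadRequest",
                    msg="remote_ip_prefix must be in CIDR notation",
                    resource="security_group_rule")
            pfx_len = int(plen)

        port_min = 0
        port_max = 65535
        if sgr_q['port_range_min'] is not None:
            port_min = sgr_q['port_range_min']
        if sgr_q['port_range_max'] is not None:
            port_max = sgr_q['port_range_max']
        # NOTE(review): ICMP rules also get the 0-65535 default here; the
        # other converter in this file leaves ICMP ports unset — confirm
        # which behaviour the API server expects.

        if remote_prefix:
            endpt = [vnc_api.AddressType(
                subnet=vnc_api.SubnetType(pfx, pfx_len))]
        elif remote_group:
            try:
                sg_obj = sg_handler.SecurityGroupHandler(
                    self._vnc_lib).get_sg_obj(id=remote_group)
            except vnc_exc.NoIdError:
                self._raise_contrail_exception('SecurityGroupNotFound',
                                               id=remote_group,
                                               resource='security_group_rule')

            # Cross-tenant reference check.  NOTE(review): this compares the
            # VNC parent uuid with the Neutron tenant id verbatim; if the two
            # id formats differ the check never matches and every remote
            # group is rejected — confirm against the id-conversion helper
            # used elsewhere in the plugin.
            if sgr_q.get('tenant_id') and (
                    sg_obj.parent_uuid != sgr_q['tenant_id']):
                self._raise_contrail_exception("NotFound")

            endpt = [vnc_api.AddressType(
                security_group=sg_obj.get_fq_name_str())]
        else:
            endpt = [vnc_api.AddressType(security_group='any')]

        local = [vnc_api.AddressType(security_group='local')]
        if sgr_q['direction'] == 'ingress':
            src_addrs, dst_addrs = endpt, local
        else:
            src_addrs, dst_addrs = local, endpt

        if not sgr_q['protocol']:
            sgr_q['protocol'] = 'any'

        if not remote_prefix and not remote_group:
            if not sgr_q['ethertype']:
                sgr_q['ethertype'] = 'IPv4'

        # Keep the Neutron rule id as the VNC rule uuid when one was given.
        sgr_uuid = sgr_q['id'] if 'id' in sgr_q else str(uuid.uuid4())

        return vnc_api.PolicyRuleType(
            rule_uuid=sgr_uuid, direction='>',
            protocol=sgr_q['protocol'],
            src_addresses=src_addrs,
            src_ports=[vnc_api.PortType(0, 65535)],
            dst_addresses=dst_addrs,
            dst_ports=[vnc_api.PortType(port_min, port_max)],
            ethertype=sgr_q['ethertype'])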
    def create_networkpolicy(self, policy_name, vn1_name, vn2_name, action):
        """Create a bidirectional network policy between two virtual networks.

        A single rule is written: direction ``'<>'``, protocol ``'any'``,
        ports ``-1..-1`` on both sides (the all-ports value used throughout
        this file) and ``action`` as its simple action (``'pass'`` elsewhere
        in this file).  The policy is created under project
        ``[self._domain, self._tenant_name]`` via ``self._vnc_lib``; it is
        not attached to either network here.  Prints a progress line first.
        """
        print("Create network policy %s between %s <---> %s" % (
            policy_name, vn1_name, vn2_name))

        owner = self._vnc_lib.project_read(
            fq_name=[self._domain, self._tenant_name])

        endpoints = {
            'src_addresses': [vnc_api.AddressType(virtual_network=vn1_name)],
            'dst_addresses': [vnc_api.AddressType(virtual_network=vn2_name)],
        }
        rule = vnc_api.PolicyRuleType(
            direction='<>',
            protocol='any',
            action_list=vnc_api.ActionListType(simple_action=action),
            src_ports=[vnc_api.PortType(start_port=-1, end_port=-1)],
            dst_ports=[vnc_api.PortType(start_port=-1, end_port=-1)],
            **endpoints)

        self._vnc_lib.network_policy_create(vnc_api.NetworkPolicy(
            name=policy_name,
            parent_obj=owner,
            network_policy_entries=vnc_api.PolicyEntriesType([rule])))
    destination_port = "-1"
else:
    destination_port = raw_input('Destination Port number -> ')
# NOTE(review): the credentials and API host are hard-coded placeholders
# ("******" / "CONTRAIL_IP").  Supply them from the environment or a secrets
# store rather than editing real values into the script, so they are never
# committed or shared with the script.
vnc = vnc_api.VncApi(username="******",
                     password="******",
                     tenant_name="admin",
                     api_server_host="CONTRAIL_IP")
# Project the policy is created under; tenant_name is read earlier in the
# script (not visible here).
tenant = vnc.project_read(fq_name=['default-domain', tenant_name])

#create policy
# One bidirectional ('<>') rule from source_network to destination_network.
# NOTE(review): source_port / destination_port come from raw_input() (and
# the "-1" default above) as strings, not ints — confirm that PortType and
# the API server accept them in that form.
rule = vnc_api.PolicyRuleType(
    direction='<>',
    protocol=policy_protocol,
    action_list=vnc_api.ActionListType(simple_action=policy_action),
    src_addresses=[vnc_api.AddressType(virtual_network=source_network)],
    src_ports=[vnc_api.PortType(start_port=source_port, end_port=source_port)],
    dst_addresses=[vnc_api.AddressType(virtual_network=destination_network)],
    dst_ports=[
        vnc_api.PortType(start_port=destination_port,
                         end_port=destination_port)
    ])

policy = vnc_api.NetworkPolicy(
    name=policy_name,
    parent_obj=tenant,
    network_policy_entries=vnc_api.PolicyEntriesType([rule]))
vnc.network_policy_create(policy)

#add the policy to each network
# Re-read the created policy by FQ name before attaching it below.
policy = vnc.network_policy_read(
    fq_name=['default-domain', tenant_name, policy_name])
)

# Resolve both networks by uuid; net1's parent project will own the policy.
net1 = vnc_lib.virtual_network_read(id=args.net1_uuid)
net2 = vnc_lib.virtual_network_read(id=args.net2_uuid)

# One bidirectional ('<>') rule: any protocol, all ports (-1), action 'pass'.
pol1_rule = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='any',
    src_addresses=[
        vnc_api.AddressType(virtual_network=net1.get_fq_name_str())
    ],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=net2.get_fq_name_str())
    ],
    dst_ports=[vnc_api.PortType(-1, -1)])

pol1_project = vnc_lib.project_read(fq_name=net1.get_parent_fq_name())
pol1 = vnc_api.NetworkPolicy(
    'policy-%s-%s-any' % (net1.name, net2.name),
    network_policy_entries=vnc_api.PolicyEntriesType([pol1_rule]),
    parent_obj=pol1_project)
vnc_lib.network_policy_create(pol1)

# Attach the policy to net1 at sequence (0, 0) and push the update.
net1.add_network_policy(
    pol1,
    vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
vnc_lib.virtual_network_update(net1)

net2.add_network_policy(
    pol1,
from vnc_api import vnc_api
# API client; only the host is given, so authentication (if any) comes
# from VncApi's own defaults.
vnc_lib = vnc_api.VncApi(api_server_host='10.10.7.149')

# Two networks, each with a single IPAM subnet.
vn_blue_obj = vnc_api.VirtualNetwork('vn-blue')
blue_subnet = vnc_api.IpamSubnetType(
    subnet=vnc_api.SubnetType('10.0.2.0', 24))
vn_blue_obj.add_network_ipam(vnc_api.NetworkIpam(),
                             vnc_api.VnSubnetsType([blue_subnet]))
vnc_lib.virtual_network_create(vn_blue_obj)

vn_red_obj = vnc_api.VirtualNetwork('vn-red')
red_subnet = vnc_api.IpamSubnetType(
    subnet=vnc_api.SubnetType('10.0.3.0', 24))
vn_red_obj.add_network_ipam(vnc_api.NetworkIpam(),
                            vnc_api.VnSubnetsType([red_subnet]))
vnc_lib.virtual_network_create(vn_red_obj)

# Policy: bidirectional ('<>') TCP between blue and red, any source port,
# destination port 80 only, action 'pass'.
blue_red_rule = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='tcp',
    src_addresses=[
        vnc_api.AddressType(virtual_network=vn_blue_obj.get_fq_name_str())
    ],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=vn_red_obj.get_fq_name_str())
    ],
    dst_ports=[vnc_api.PortType(80, 80)])
policy_obj = vnc_api.NetworkPolicy(
    'policy-red-blue',
    network_policy_entries=vnc_api.PolicyEntriesType([blue_red_rule]))
vnc_lib.network_policy_create(policy_obj)

# Attach the policy to both networks at sequence (0, 0), then push updates
# in the same order the objects were created.
for vn in (vn_blue_obj, vn_red_obj):
    vn.add_network_policy(
        policy_obj,
        vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
for vn in (vn_blue_obj, vn_red_obj):
    vnc_lib.virtual_network_update(vn)

print(vnc_lib.virtual_network_read(id=vn_blue_obj.uuid))


print(vnc_lib.virtual_networks_list())


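    def _security_group_rule_neutron_to_vnc(self, sgr_q):
        """Translate a Neutron security-group rule dict into a PolicyRuleType.

        ``sgr_q`` is the Neutron rule: ``direction``, ``protocol``,
        ``ethertype``, ``port_range_min``/``port_range_max``,
        ``remote_ip_prefix``, ``remote_group_id`` and optionally ``id`` and
        ``tenant_id``.  The remote end becomes ``remote_ip_prefix`` (as a
        subnet), the referenced security group's FQ name, or the wildcard
        ``security_group='any'`` when neither is given.  The local end is
        always ``security_group='local'``; the VNC direction is always
        ``'>'`` and ingress/egress is expressed by which side is local.
        Only the destination side carries the Neutron port range; the
        source side is always 0-65535.  ICMP rules default to no port
        range (``None``/``None``) instead of 0-65535.

        Side effects: a missing ``protocol`` is set to ``'any'`` and, when
        no remote is given, a missing ``ethertype`` to ``'IPv4'`` — on
        ``sgr_q`` itself, as the original did.

        Raises (via ``_raise_contrail_exception``): ``BadRequest`` when both
        ``remote_ip_prefix`` and ``remote_group_id`` are set, or the prefix
        is not ``addr/len``; ``SecurityGroupNotFound`` when the remote group
        does not exist; ``NotFound`` when it belongs to another tenant.
        """
        remote_prefix = sgr_q['remote_ip_prefix']
        remote_group = sgr_q['remote_group_id']

        # Validate the remote specification first so a bad request fails
        # with a 400 before any API lookup.
        if remote_prefix and remote_group:
            self._raise_contrail_exception("BadRequest",
                                           msg="Can't set remote_ip_prefix with remote_group_id",
                                           resource="security_group_rule")
        if remote_prefix:
            # split('/')[1] / int() raised IndexError/ValueError on a prefix
            # without "/len", which surfaced as a 500.
            pfx, sep, plen = remote_prefix.partition('/')
            if not sep or not plen.isdigit():
                self._raise_contrail_exception(
                    "BadRequest",
                    msg="remote_ip_prefix must be in CIDR notation",
                    resource="security_group_rule")
            pfx_len = int(plen)

        # default port values
        if sgr_q['protocol'] in (constants.PROTO_NAME_ICMP,
                                 str(constants.PROTO_NUM_ICMP)):
            port_min = None
            port_max = None
        else:
            port_min = 0
            port_max = 65535

        if sgr_q['port_range_min'] is not None:
            port_min = sgr_q['port_range_min']
        if sgr_q['port_range_max'] is not None:
            port_max = sgr_q['port_range_max']

        if remote_prefix:
            endpt = [vnc_api.AddressType(
                subnet=vnc_api.SubnetType(pfx, pfx_len))]
        elif remote_group:
            # Function-scope import kept from the original (moved next to
            # its only use); presumably it avoids an import cycle with the
            # handler package — confirm before hoisting it.
            from neutron_plugin_contrail.plugins.opencontrail.vnc_client.sg_res_handler import SecurityGroupHandler
            try:
                sg_obj = SecurityGroupHandler(
                    self._vnc_lib).get_sg_obj(id=remote_group)
            except vnc_exc.NoIdError:
                self._raise_contrail_exception('SecurityGroupNotFound',
                                               id=remote_group,
                                               resource='security_group_rule')

            # The remote group must belong to the requesting tenant; the
            # Neutron tenant id is converted to VNC form before comparing.
            if sgr_q.get('tenant_id') and (
                    sg_obj.parent_uuid != self._project_id_neutron_to_vnc(sgr_q['tenant_id'])):
                self._raise_contrail_exception("NotFound")

            endpt = [vnc_api.AddressType(
                security_group=sg_obj.get_fq_name_str())]
        else:
            endpt = [vnc_api.AddressType(security_group='any')]

        local = [vnc_api.AddressType(security_group='local')]
        if sgr_q['direction'] == 'ingress':
            src_addrs, dst_addrs = endpt, local
        else:
            src_addrs, dst_addrs = local, endpt

        if not sgr_q['protocol']:
            sgr_q['protocol'] = 'any'

        if not remote_prefix and not remote_group:
            if not sgr_q['ethertype']:
                sgr_q['ethertype'] = 'IPv4'

        # Keep the Neutron rule id as the VNC rule uuid when one was given.
        sgr_uuid = sgr_q['id'] if 'id' in sgr_q else str(uuid.uuid4())

        return vnc_api.PolicyRuleType(
            rule_uuid=sgr_uuid, direction='>',
            protocol=sgr_q['protocol'],
            src_addresses=src_addrs,
            src_ports=[vnc_api.PortType(0, 65535)],
            dst_addresses=dst_addrs,
            dst_ports=[vnc_api.PortType(port_min, port_max)],
            ethertype=sgr_q['ethertype'])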