def _create_ncp_boundary_firewall_section(
        nsxt_client,
        anchor_id,
        firewall_section_name,
        tag_value):
    """Return the NCP boundary DFW section, creating it when it is missing.

    The section named *firewall_section_name* is looked up through
    ``DFWManager``. If it does not exist, a new one is inserted before
    *anchor_id* and tagged with scope ``ncp/fw_sect_marker`` and tag
    *tag_value*. An existing section is returned as-is: its tags and
    position are not re-checked or updated here.

    :param nsxt_client: client used to build the ``DFWManager`` and whose
        ``LOGGER`` receives debug output.
    :param str anchor_id: id of the section the new one is placed before.
    :param str firewall_section_name: display name of the boundary section.
    :param str tag_value: value stored under the ``ncp/fw_sect_marker`` scope.
    :return: the existing or newly created section, as returned by
        ``DFWManager``.
    """
    manager = DFWManager(nsxt_client)
    existing = manager.get_firewall_section(name=firewall_section_name)
    if existing:
        # Nothing is reconciled on an existing section; it is used as found.
        nsxt_client.LOGGER.debug(f"DFW section : {firewall_section_name} "
                                 "already exists.")
        return existing

    marker_tags = [{'scope': "ncp/fw_sect_marker", 'tag': tag_value}]
    nsxt_client.LOGGER.debug(
        f"Creating DFW section : {firewall_section_name}")
    return manager.create_firewall_section(
        name=firewall_section_name,
        tags=marker_tags,
        anchor_id=anchor_id,
        insert_policy=INSERT_POLICY.INSERT_BEFORE)
def _create_ncp_boundary_firewall_section(
        nsxt_client,
        ncp_boundary_firewall_section_anchor_id):
    """Return the NCP boundary DFW section, creating it when it is missing.

    The section is identified by the module constant
    ``NCP_BOUNDARY_FIREWALL_SECTION_NAME``. When absent it is inserted
    before *ncp_boundary_firewall_section_anchor_id* and tagged with scope
    ``ncp/fw_sect_marker`` and the fixed tag ``"top"``. An existing section
    is returned as-is; its tags and position are not re-checked here.

    :param nsxt_client: client used to build the ``DFWManager`` and whose
        ``LOGGER`` receives debug output.
    :param str ncp_boundary_firewall_section_anchor_id: id of the section the
        new one is placed before.
    :return: the existing or newly created section, as returned by
        ``DFWManager``.
    """
    manager = DFWManager(nsxt_client)
    existing = manager.get_firewall_section(
        name=NCP_BOUNDARY_FIREWALL_SECTION_NAME)
    if existing:
        # Nothing is reconciled on an existing section; it is used as found.
        nsxt_client.LOGGER.debug(
            f"DFW section : {NCP_BOUNDARY_FIREWALL_SECTION_NAME}"
            " already exists.")
        return existing

    marker_tags = [{'scope': "ncp/fw_sect_marker", 'tag': "top"}]
    nsxt_client.LOGGER.debug(
        f"Creating DFW section : {NCP_BOUNDARY_FIREWALL_SECTION_NAME}")
    return manager.create_firewall_section(
        name=NCP_BOUNDARY_FIREWALL_SECTION_NAME,
        tags=marker_tags,
        anchor_id=ncp_boundary_firewall_section_anchor_id,
        insert_policy=INSERT_POLICY.INSERT_BEFORE)
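    def _create_firewall_section_for_cluster(self, cluster_name,
                                             applied_to_nsgroup_id):
        """Create DFW Section for the cluster.

        If DFW Section already exists, delete it and re-create it. Since this
        section is based on cluster name, it possible that a previously
        deployed cluster on deletion failed to cleanup properly. We shouldn't
        re-use such a section rather create it afresh with new rules pointing
        to the correct NSGroups.

        The anchor section is resolved before any existing section is
        deleted, so a missing anchor fails the call without first removing
        the cluster's current rules.

        :param str cluster_name: name of the cluster whose network is being
            isolated.
        :param str applied_to_nsgroup_id: id of the NSGroup on which the rules
            in this DFW SEction will apply to.
        :return: the newly created section, as returned by ``DFWManager``.
        :raises ValueError: if the NCP boundary bottom section that anchors
            cluster sections cannot be found.
        """
        section_name = self._get_firewall_section_name_for_cluster(
            cluster_name)
        dfw_manager = DFWManager(self._nsxt_client)

        # Resolve the anchor first: without it the ['id'] lookup below would
        # raise a bare TypeError on None, after the old section was already
        # deleted. Fail before touching anything.
        anchor_section = dfw_manager.get_firewall_section(
            NCP_BOUNDARY_BOTTOM_FIREWALL_SECTION_NAME)
        if not anchor_section:
            raise ValueError(
                "DFW anchor section : "
                f"{NCP_BOUNDARY_BOTTOM_FIREWALL_SECTION_NAME} not found; "
                f"cannot create DFW section : {section_name}")

        section = dfw_manager.get_firewall_section(section_name)
        if section:
            self._nsxt_client.LOGGER.debug(f"DFW section : {section_name} "
                                           "already exists.")
            # NOTE(review): between this delete and the create below the
            # cluster has no section-specific rules; confirm that window is
            # acceptable for the caller.
            dfw_manager.delete_firewall_section(section_name, cascade=True)
            self._nsxt_client.LOGGER.debug("Deleted DFW section : "
                                           f"{section_name} ")

        target = {'target_type': "NSGroup", 'target_id': applied_to_nsgroup_id}

        self._nsxt_client.LOGGER.debug("Creating DFW section : "
                                       f"{section_name}")
        section = dfw_manager.create_firewall_section(
            name=section_name,
            applied_tos=[target],
            anchor_id=anchor_section['id'],
            insert_policy=INSERT_POLICY.INSERT_AFTER)

        return section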