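def create_firewall_policy(cls, name, namespace, spec, tag_last=False,
                           is_global=False, k8s_uuid=None):
    """Create or update the VNC firewall policy backing a k8s network policy.

    The policy is parented under the policy-management object that owns the
    cluster Application Policy Set (APS).  If a policy for
    ``(name, namespace, is_global)`` already exists and the spec annotated on
    it is identical to ``spec``, nothing is written and its uuid is returned.
    Otherwise the rules parsed from ``spec`` are created (or updated when
    they already exist), rules previously attached to the policy that the
    new spec no longer references are deleted from it, and the policy itself
    is created or updated.

    Args:
        name: Name of the k8s network policy.
        namespace: Namespace of the k8s network policy.
        spec: Network-policy spec; must be JSON-serialisable.  ``None``
            produces a policy with no rules.
        tag_last: When true the policy is annotated with ``tail="True"`` so
            it is placed at the end of the APS policy list.
        is_global: Whether the policy is cluster-wide; only feeds the
            generated firewall policy name.
        k8s_uuid: UUID of the originating k8s object, recorded as an
            annotation on the policy.

    Returns:
        The uuid of the created or updated firewall policy.

    Raises:
        Exception: If ``cls.cluster_aps_uuid`` has not been set.
        NoIdError: Propagated unchanged if the APS parent policy-management
            object cannot be read.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # The parent of every k8s firewall policy is the policy-management
    # object that owns the cluster APS.  A NoIdError from either read
    # propagates to the caller.
    aps_obj = cls.vnc_lib.application_policy_set_read(
        id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    fw_policy_obj = FirewallPolicy(
        cls.get_firewall_policy_name(name, namespace, is_global), pm_obj)

    custom_ann_kwargs = {'k8s_uuid': k8s_uuid}
    # Rules currently attached to an existing policy; any of them that the
    # new spec does not reference again is removed from the policy below.
    fw_rules_del_candidates = set()

    # If a policy for this k8s object already exists, compare the spec we
    # annotated on it last time with the incoming one.
    fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
        name, namespace, is_global)
    if fw_policy_uuid:
        curr_fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
        if curr_fw_policy and curr_fw_policy.spec:
            # The comparison is on the serialised string, so a mere key
            # reordering in the spec counts as a change (harmless: the
            # policy is simply re-synced).
            if curr_fw_policy.spec == json.dumps(spec):
                # NOTE(review): this early return also skips re-applying the
                # 'tail' annotation, so a change of tag_last alone is not
                # persisted -- confirm that is intended.
                return fw_policy_uuid
            # Work on a private copy: the KM object's rule set is a cache and
            # must not be mutated before the API writes below succeed.
            fw_rules_del_candidates = set(curr_fw_policy.firewall_rules)

    # Annotate the policy with the spec it was built from; the comparison
    # above relies on this on the next add/modify event (e.g. after a
    # restart).
    custom_ann_kwargs['spec'] = json.dumps(spec)
    if tag_last:
        custom_ann_kwargs['tail'] = "True"

    # Parse the spec into VNC firewall rules plus the optional ingress and
    # egress deny-all rule uuids.
    fw_rules = []
    deny_all_rule_uuid = None
    egress_deny_all_rule_uuid = None
    if spec is not None:
        fw_rules, deny_all_rule_uuid, egress_deny_all_rule_uuid = \
            FWRule.parser(name, namespace, pm_obj, spec)

    # enumerate() instead of fw_rules.index(rule): O(1) per rule and still
    # correct should two parsed rules compare equal.
    for seq, rule in enumerate(fw_rules):
        try:
            rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
        except RefsExistError:
            # Rule already exists: refresh it in place and reuse its uuid.
            cls.vnc_lib.firewall_rule_update(rule)
            rule_uuid = rule.get_uuid()
        # A rule the new spec still references must survive the cleanup.
        fw_rules_del_candidates.discard(rule_uuid)

        rule_obj = cls.vnc_lib.firewall_rule_read(id=rule_uuid)
        FirewallRuleKM.locate(rule_uuid)
        fw_policy_obj.add_firewall_rule(
            rule_obj, cls.construct_sequence_number(seq))

    # Deny-all rules are attached to the shared deny-all policy rather than
    # to this one; their uuids are recorded as annotations on this policy.
    if deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid, deny_all_rule_uuid)
        custom_ann_kwargs['deny_all_rule_uuid'] = deny_all_rule_uuid
    if egress_deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid,
            egress_deny_all_rule_uuid)
        custom_ann_kwargs['egress_deny_all_rule_uuid'] = \
            egress_deny_all_rule_uuid

    FirewallPolicyKM.add_annotations(
        VncSecurityPolicy.vnc_security_policy_instance, fw_policy_obj,
        namespace, name, None, **custom_ann_kwargs)

    try:
        fw_policy_uuid = cls.vnc_lib.firewall_policy_create(fw_policy_obj)
    except RefsExistError:
        # The policy already exists: detach the rules the new spec no longer
        # references, then update it with the freshly built rule refs.
        # Iterate a snapshot so delete_firewall_rule may safely touch state.
        for stale_rule_uuid in list(fw_rules_del_candidates):
            cls.delete_firewall_rule(fw_policy_uuid, stale_rule_uuid)
        cls.vnc_lib.firewall_policy_update(fw_policy_obj)
        fw_policy_uuid = fw_policy_obj.get_uuid()

    # Read the stored policy back (result not used here) and register it
    # with the FirewallPolicyKM cache via locate().
    cls.vnc_lib.firewall_policy_read(id=fw_policy_uuid)
    FirewallPolicyKM.locate(fw_policy_uuid)
    return fw_policy_uuid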
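def create_firewall_policy(cls, name, namespace, spec, tag_last=False,
                           is_global=False):
    """Create or update the VNC firewall policy backing a k8s network policy.

    The policy is parented under the policy-management object that owns the
    cluster Application Policy Set (APS).  The rules parsed from ``spec`` are
    created (or updated when they already exist) and attached in spec order;
    the policy itself is created, or updated if it already exists.

    Args:
        name: Name of the k8s network policy.
        namespace: Namespace of the k8s network policy.
        spec: Network-policy spec.  ``None`` produces a policy with no rules.
        tag_last: When true the policy is annotated with ``tail="True"`` so
            it is placed at the end of the APS policy list.
        is_global: Whether the policy is cluster-wide; only feeds the
            generated firewall policy name.

    Returns:
        The uuid of the created or updated firewall policy.

    Raises:
        Exception: If ``cls.cluster_aps_uuid`` has not been set.
        NoIdError: Propagated unchanged if the APS parent policy-management
            object cannot be read.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # The parent of every k8s firewall policy is the policy-management
    # object that owns the cluster APS.  A NoIdError from either read
    # propagates to the caller.
    aps_obj = cls.vnc_lib.application_policy_set_read(
        id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    fw_policy_obj = FirewallPolicy(
        cls.get_firewall_policy_name(name, namespace, is_global), pm_obj)

    custom_ann_kwargs = {}
    if tag_last:
        custom_ann_kwargs['tail'] = "True"

    # Parse the spec into VNC firewall rules plus the optional deny-all
    # rule uuid.
    fw_rules = []
    deny_all_rule_uuid = None
    if spec is not None:
        fw_rules, deny_all_rule_uuid = FWRule.parser(
            name, namespace, pm_obj, spec)

    # enumerate() instead of fw_rules.index(rule): O(1) per rule and still
    # correct should two parsed rules compare equal.
    for seq, rule in enumerate(fw_rules):
        try:
            rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
        except RefsExistError:
            # Rule already exists: refresh it in place and reuse its uuid.
            cls.vnc_lib.firewall_rule_update(rule)
            rule_uuid = rule.get_uuid()
        rule_obj = cls.vnc_lib.firewall_rule_read(id=rule_uuid)
        FirewallRuleKM.locate(rule_uuid)
        fw_policy_obj.add_firewall_rule(
            rule_obj, cls.construct_sequence_number(seq))

    # The deny-all rule is attached to the shared deny-all policy rather
    # than to this one; its uuid is recorded as an annotation on this policy.
    if deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid, deny_all_rule_uuid)
        custom_ann_kwargs['deny_all_rule_uuid'] = deny_all_rule_uuid

    FirewallPolicyKM.add_annotations(
        VncSecurityPolicy.vnc_security_policy_instance, fw_policy_obj,
        namespace, name, None, **custom_ann_kwargs)

    try:
        fw_policy_uuid = cls.vnc_lib.firewall_policy_create(fw_policy_obj)
    except RefsExistError:
        # The policy already exists: update it with the rule refs just built.
        cls.vnc_lib.firewall_policy_update(fw_policy_obj)
        fw_policy_uuid = fw_policy_obj.get_uuid()

    # Read the stored policy back (result not used here) and register it
    # with the FirewallPolicyKM cache via locate().
    cls.vnc_lib.firewall_policy_read(id=fw_policy_uuid)
    FirewallPolicyKM.locate(fw_policy_uuid)
    return fw_policy_uuid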