def _disassociate_floatingip(self, context, id): l3db_fip = self._get_floatingip(context, id) db_namespace = fortinet_db.query_record(context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=l3db_fip.tenant_id) db_fip = fortinet_db.query_record(context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) db_ip = fortinet_db.query_record(context, models_v2.IPAllocation, port_id=l3db_fip.fixed_port_id) vlan_inf = utils.get_intf(context, db_ip.network_id) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.delete_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, srcaddr=l3db_fip.fixed_ip_address, dstintf=int_intf, poolname=mappedip) utils.delete_fwaddress(self, context, name=l3db_fip.fixed_ip_address, vdom=db_namespace.vdom) utils.delete_fwpolicy(self, context, vdom=db_namespace.vdom, dstaddr=db_fip.floating_ip_address) utils.delete_vip(self, context, vdom=db_namespace.vdom, name=db_fip.floating_ip_address)
def add_router_interface(self, context, router_id, interface_info): """creates vlnk on the fortinet device.""" LOG.debug("FortinetL3ServicePlugin.add_router_interface: " "router_id=%(router_id)s " "interface_info=%(interface_info)r", {'router_id': router_id, 'interface_info': interface_info}) with context.session.begin(subtransactions=True): info = super(FortinetL3ServicePlugin, self).add_router_interface( context, router_id, interface_info) port = db.get_port(context, info['port_id']) port['admin_state_up'] = True port['port'] = port LOG.debug("FortinetL3ServicePlugin: " "context=%(context)s" "port=%(port)s " "info=%(info)r", {'context': context, 'port': port, 'info': info}) interface_info = info subnet = self._core_plugin._get_subnet(context, interface_info['subnet_id']) network_id = subnet['network_id'] tenant_id = port['tenant_id'] port_filters = {'network_id': [network_id], 'device_owner': [DEVICE_OWNER_ROUTER_INTF]} port_count = self._core_plugin.get_ports_count(context, port_filters) # port count is checked against 2 since the current port is already # added to db if port_count == 2: # This subnet is already part of some router LOG.error(_LE("FortinetL3ServicePlugin: adding redundant " "router interface is not supported")) raise Exception(_("FortinetL3ServicePlugin:adding redundant " "router interface is not supported")) try: db_namespace = fortinet_db.query_record(context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=tenant_id) vlan_inf = utils.get_intf(context, network_id) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, dstintf=int_intf, nat='enable') except Exception as e: LOG.error(_LE("Failed to create Fortinet resources to add " "router interface. info=%(info)s, " "router_id=%(router_id)s"), {"info": info, "router_id": router_id}) utils._rollback_on_err(self, context, e) with excutils.save_and_reraise_exception(): self.remove_router_interface(context, router_id, interface_info) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED) return info
def add_router_interface(self, context, port): """creates vlnk on the fortinet device.""" db_namespace = fortinet_db.query_record(context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=port['tenant_id']) vlan_inf = utils.get_intf(context, port['network_id']) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, dstintf=int_intf, nat='enable')
def add_router_interface(self, context, port): """creates vlnk on the fortinet device.""" db_namespace = fortinet_db.query_record( context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=port['tenant_id']) vlan_inf = utils.get_intf(context, port['network_id']) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, dstintf=int_intf, nat='enable')
def _disassociate_floatingip(self, context, id): l3db_fip = self._get_floatingip(context, id) db_namespace = fortinet_db.query_record( context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=l3db_fip.tenant_id) db_fip = fortinet_db.query_record( context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) db_ip = fortinet_db.query_record(context, models_v2.IPAllocation, port_id=l3db_fip.fixed_port_id) vlan_inf = utils.get_intf(context, db_ip.network_id) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.delete_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, srcaddr=l3db_fip.fixed_ip_address, dstintf=int_intf, poolname=mappedip) utils.delete_fwaddress(self, context, name=l3db_fip.fixed_ip_address, vdom=db_namespace.vdom) utils.delete_fwpolicy(self, context, vdom=db_namespace.vdom, dstaddr=db_fip.floating_ip_address) utils.delete_vip(self, context, vdom=db_namespace.vdom, name=db_fip.floating_ip_address)
def _update_firewall_rule(self, context, id, firewall_rule): LOG.debug("# _add_firewall_rule() called") fwps_int = fortinet_db.Fortinet_FW_Rule_Association.query_all( context, fwr_id=id, type=constants.TYPE_INT) fwps_ext = fortinet_db.Fortinet_FW_Rule_Association.query_all( context, fwr_id=id, type=constants.TYPE_EXT) if fwps_ext and fwps_int: fwps = fwps_int + fwps_ext else: fwps = fwps_int or fwps_ext if not fwps: return firewall_rule.setdefault('id', id) srcaddr = self._make_fortinet_fwaddress_dict( place='source_ip_address', **firewall_rule) dstaddr = self._make_fortinet_fwaddress_dict( place='destination_ip_address', **firewall_rule) service = self._make_fortinet_fwservice_dict(**firewall_rule) action = self._get_fwr_action(**firewall_rule) profiles = self._get_fwp_profiles(action) for fwp in fwps_int: vdom = fwp.fortinet_policy.vdom if service['name'] != 'ALL': utils.set_fwservice(self, context, vdom=vdom, **service) if srcaddr['name'] != 'all': utils.set_fwaddress(self, context, vdom=vdom, **srcaddr) if dstaddr['name'] != 'all': utils.set_fwaddress(self, context, vdom=vdom, **dstaddr) # check whether related firewall policies need to update fwp = fwps_int[0].fortinet_policy name = firewall_rule.setdefault('name', fwp.comments) if fwp.srcaddr == srcaddr['name'] and fwp.action == action and \ fwp.dstaddr == dstaddr['name'] and fwp.service == service['name']: return if action in ['accept']: for fwp in fwps: fortinet_fwp = utils.set_fwpolicy(self, context, id=fwp.fortinet_pid, srcaddr=srcaddr['name'], dstaddr=dstaddr['name'], service=service['name'], action=action, comments=name, **profiles) if not fwps_ext: inf_int, inf_ext = utils.get_vlink_intf( self, context, vdom=fortinet_fwp.vdom) utils.add_fwaas_subpolicy(self, context, before=fortinet_fwp.edit_id, vdom=fortinet_fwp.vdom, srcaddr=srcaddr['name'], dstaddr=dstaddr['name'], dstintf=inf_int, nat='enable', service=service['name'], action=action, comments=name, fwr_id=id, type=constants.TYPE_EXT, **profiles) elif action in ['deny']: for fwp_ext in fwps_ext: utils.delete_fwaas_subpolicy(self, context, fwr_id=fwp_ext.fwr_id, fortinet_pid=fwp_ext.fortinet_pid) for fwp in fwps_int: utils.set_fwpolicy(self, context, id=fwp.fortinet_pid, srcaddr=srcaddr['name'], dstaddr=dstaddr['name'], service=service['name'], action=action, comments=name, **profiles) for fwp in fwps_int: vdom = fwp.fortinet_policy.vdom if service['name'] == 'ALL': #delete all old services if exist utils.delete_fwservice(self, context, vdom=vdom, name=id) if srcaddr['name'] == 'all': name = constants.PREFIX['source_ip_address'] + id utils.delete_fwaddress(self, context, vdom=vdom, name=name) if dstaddr['name'] == 'all': name = constants.PREFIX['destination_ip_address'] + id utils.delete_fwaddress(self, context, vdom=vdom, name=name)
def _add_firewall_rule(self, context, fwp_tenant_id, **fwr): """ :param obj: :param context: :param kwargs: dictionary, firewall rule firewall_rule: {'source_ip_address': u'192.176.10.0/24',... } :return: """ LOG.debug("# _add_firewall_rule() called") namespace = fortinet_db.Fortinet_ML2_Namespace.query_one( context, tenant_id=fwp_tenant_id) vdom = getattr(namespace, 'vdom', None) if not vdom or not fwr: return None inf_int, inf_ext = utils.get_vlink_intf( self, context, vdom=namespace.vdom) srcaddr = self._add_fwr_ip_address( context, vdom, place='source_ip_address', **fwr) dstaddr = self._add_fwr_ip_address( context, vdom, place='destination_ip_address', **fwr) service = self._add_fwr_service(context, vdom, **fwr) action = self._get_fwr_action(**fwr) profiles = self._get_fwp_profiles(action) match_vip = 'enable' name = fwr.get('name', '') # add a basic firewall rule('accept': incoming, 'deny': bidirectional) fortinet_fwp = utils.add_fwpolicy_to_head(self, context, vdom=vdom, srcaddr=srcaddr['name'], srcintf='any', dstaddr=dstaddr['name'], dstintf='any', service=service['name'], match_vip=match_vip, action=action, comments=name, **profiles) utils.add_record(self, context, fortinet_db.Fortinet_FW_Rule_Association, fwr_id=fwr['id'], fortinet_pid=fortinet_fwp.id, type=constants.TYPE_INT) if action in ['accept']: # if allow, for the outgoing traffic it need to enable nat fortinet_fwp = utils.add_fwpolicy_to_head(self, context, vdom=vdom, srcaddr=srcaddr['name'], srcintf='any', dstaddr=dstaddr['name'], dstintf=inf_int, nat='enable', service=service['name'], action=action, comments=name, **profiles) utils.add_record(self, context, fortinet_db.Fortinet_FW_Rule_Association, fwr_id=fwr['id'], fortinet_pid=fortinet_fwp.id, type=constants.TYPE_EXT)
def _release_floatingip(self, context, id): """ :param context: :param id: the floatingip id in neutron.db.l3_db.FloatingIP. { tenant_id=u'3998b33381fb48f694369689065a3760', id=u'25e1588a-5ec5-4fbc-bdef-eff8713da8f8', floating_ip_address=u'10.160.37.111', floating_network_id=u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', floating_port_id=u'4b4120d4-77f9-4f82-b823-05876929a1c4', fixed_port_id=None, fixed_ip_address=None, router_id=None, last_known_router_id=None, status=u'DOWN' } :return: """ with context.session.begin(subtransactions=True): l3db_fip = self._get_floatingip(context, id) tenant_id = l3db_fip.tenant_id db_namespace = fortinet_db.query_record(context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=tenant_id) db_fip = fortinet_db.query_record(context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) if not db_fip or not db_namespace: return int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.delete_fwippool(self, context, name=mappedip, vdom=db_namespace.vdom, startip=mappedip) utils.delete_fwpolicy(self, context, vdom=const.EXT_VDOM, srcintf=ext_intf, srcaddr=mappedip, dstintf=self._fortigate['ext_interface'], poolname=db_fip.floating_ip_address) utils.delete_fwaddress(self, context, name=mappedip, vdom=const.EXT_VDOM, subnet="%s 255.255.255.255" % mappedip) utils.delete_fwippool(self, context, name=db_fip.floating_ip_address, vdom=const.EXT_VDOM, startip=db_fip.floating_ip_address) utils.delete_routerstatic(self, context, vdom=const.EXT_VDOM, dst="%s 255.255.255.255" % mappedip, device=ext_intf, gateway=const.DEF_GW) utils.delete_fwpolicy(self, context, vdom=const.EXT_VDOM, dstintf=ext_intf, dstaddr=l3db_fip.floating_ip_address) utils.delete_vip(self, context, vdom=const.EXT_VDOM, name=db_fip.vip_name, extip=db_fip.floating_ip_address, extintf='any', mappedip=mappedip) fortinet_db.delete_record(context, fortinet_db.Fortinet_FloatingIP_Allocation, vdom=db_namespace.vdom, floating_ip_address=db_fip.floating_ip_address, vip_name=db_fip.floating_ip_address) # TODO(jerryz): move this out of transaction. setattr(context, 'GUARD_TRANSACTION', False) super(FortinetL3ServicePlugin, self).delete_floatingip(context, id) utils.delete_vlink(self, context, tenant_id) utils.delete_vdom(self, context, tenant_id=tenant_id)
def _allocate_floatingip(self, context, obj): """ 1. mapping floatingip to the one of a pair of internal ips based on the vip function. 2. add another ip of the ip pair to the secondaryip list of the external interface. obj example: { 'floating_network_id': u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', 'router_id': None, 'fixed_ip_address': None, 'floating_ip_address': u'10.160.37.113', 'tenant_id': u'3998b33381fb48f694369689065a3760', 'status': 'DOWN', 'port_id': None, 'id': '5ec1b08b-77c1-4e39-80ac-224ee937ee9f' } The floatingip is a instance of neutron.db.l3_db.FloatingIP, example: { tenant_id=u'3998b33381fb48f694369689065a3760', id=u'25e1588a-5ec5-4fbc-bdef-eff8713da8f8', floating_ip_address=u'10.160.37.111', floating_network_id=u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', floating_port_id=u'4b4120d4-77f9-4f82-b823-05876929a1c4', fixed_port_id=None, fixed_ip_address=None, router_id=None, last_known_router_id=None, status=u'DOWN' } """ with context.session.begin(subtransactions=True): try: db_namespace = utils.add_vdom(self, context, tenant_id=obj['tenant_id']) db_fip = utils.add_record(self, context, fortinet_db.Fortinet_FloatingIP_Allocation, vdom=db_namespace.vdom, floating_ip_address=obj['floating_ip_address'], vip_name=obj['floating_ip_address']) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.add_vip(self, context, vdom=const.EXT_VDOM, name=db_fip.vip_name, extip=db_fip.floating_ip_address, extintf='any', mappedip=mappedip) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=const.EXT_VDOM, dstintf=ext_intf, dstaddr=db_fip.vip_name, nat='enable') utils.add_routerstatic(self, context, vdom=const.EXT_VDOM, dst="%s 255.255.255.255" % mappedip, device=ext_intf, gateway=const.DEF_GW) utils.add_fwippool(self, context, name=db_fip.floating_ip_address, vdom=const.EXT_VDOM, startip=db_fip.floating_ip_address) utils.add_fwaddress(self, context, name=mappedip, vdom=const.EXT_VDOM, subnet="%s 255.255.255.255" % mappedip) db_fwpolicy = utils.add_fwpolicy(self, context, vdom=const.EXT_VDOM, srcintf=ext_intf, srcaddr=mappedip, dstintf=self._fortigate['ext_interface'], poolname=db_fip.floating_ip_address) utils.head_firewall_policy(self, context, vdom=const.EXT_VDOM, id=db_fwpolicy.edit_id) utils.add_fwippool(self, context, name=mappedip, vdom=db_namespace.vdom, startip=mappedip) except Exception as e: with excutils.save_and_reraise_exception(): utils._rollback_on_err(self, context, e) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED)
def _associate_floatingip(self, context, id, floatingip): try: l3db_fip = self._get_floatingip(context, id) db_namespace = fortinet_db.query_record(context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=l3db_fip.tenant_id) db_fip = fortinet_db.query_record(context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) fixed_ip_address = floatingip['floatingip']['fixed_ip_address'] utils.add_vip(self, context, vdom=db_namespace.vdom, name=db_fip.floating_ip_address, extip=mappedip, extintf=int_intf, mappedip=fixed_ip_address) db_ip = fortinet_db.query_record(context, models_v2.IPAllocation, port_id=floatingip['floatingip']['port_id']) vlan_inf = utils.get_intf(context, db_ip.network_id) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=int_intf, dstintf=vlan_inf, dstaddr=db_fip.floating_ip_address, nat='enable') utils.add_fwaddress(self, context, name=fixed_ip_address, vdom=db_namespace.vdom, subnet="%s 255.255.255.255" % fixed_ip_address, associated_interface=vlan_inf) db_fwpolicy = utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, srcaddr=fixed_ip_address, dstintf=int_intf, poolname=mappedip) if self.enable_fwaas: fwrass = fortinet_db.Fortinet_FW_Rule_Association.query_one( context, fwr_id=db_namespace.tenant_id) default_fwp = getattr(fwrass, 'fortinet_policy', None) if getattr(default_fwp, 'edit_id', None): utils.head_firewall_policy(self, context, vdom=db_namespace.vdom, id=db_fwpolicy.edit_id, after=default_fwp.edit_id) _headed = True if '_headed' not in locals(): utils.head_firewall_policy(self, context, vdom=db_namespace.vdom, id=db_fwpolicy.edit_id) except Exception as e: with excutils.save_and_reraise_exception(): utils._rollback_on_err(self, context, e) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED)
def _release_floatingip(self, context, id): """ :param context: :param id: the floatingip id in neutron.db.l3_db.FloatingIP. { tenant_id=u'3998b33381fb48f694369689065a3760', id=u'25e1588a-5ec5-4fbc-bdef-eff8713da8f8', floating_ip_address=u'10.160.37.111', floating_network_id=u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', floating_port_id=u'4b4120d4-77f9-4f82-b823-05876929a1c4', fixed_port_id=None, fixed_ip_address=None, router_id=None, last_known_router_id=None, status=u'DOWN' } :return: """ with context.session.begin(subtransactions=True): l3db_fip = self._get_floatingip(context, id) tenant_id = l3db_fip.tenant_id db_namespace = fortinet_db.query_record( context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=tenant_id) db_fip = fortinet_db.query_record( context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) if not db_fip or not db_namespace: return int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.delete_fwippool(self, context, name=mappedip, vdom=db_namespace.vdom, startip=mappedip) utils.delete_fwpolicy(self, context, vdom=const.EXT_VDOM, srcintf=ext_intf, srcaddr=mappedip, dstintf=self._fortigate['ext_interface'], poolname=db_fip.floating_ip_address) utils.delete_fwaddress(self, context, name=mappedip, vdom=const.EXT_VDOM, subnet="%s 255.255.255.255" % mappedip) utils.delete_fwippool(self, context, name=db_fip.floating_ip_address, vdom=const.EXT_VDOM, startip=db_fip.floating_ip_address) utils.delete_routerstatic(self, context, vdom=const.EXT_VDOM, dst="%s 255.255.255.255" % mappedip, device=ext_intf, gateway=const.DEF_GW) utils.delete_fwpolicy(self, context, vdom=const.EXT_VDOM, dstintf=ext_intf, dstaddr=l3db_fip.floating_ip_address) utils.delete_vip(self, context, vdom=const.EXT_VDOM, name=db_fip.vip_name, extip=db_fip.floating_ip_address, extintf='any', mappedip=mappedip) fortinet_db.delete_record( context, fortinet_db.Fortinet_FloatingIP_Allocation, vdom=db_namespace.vdom, floating_ip_address=db_fip.floating_ip_address, vip_name=db_fip.floating_ip_address) # TODO(jerryz): move this out of transaction. setattr(context, 'GUARD_TRANSACTION', False) super(FortinetL3ServicePlugin, self).delete_floatingip(context, id) utils.delete_vlink(self, context, tenant_id) utils.delete_vdom(self, context, tenant_id=tenant_id)
def _allocate_floatingip(self, context, obj): """ 1. mapping floatingip to the one of a pair of internal ips based on the vip function. 2. add another ip of the ip pair to the secondaryip list of the external interface. obj example: { 'floating_network_id': u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', 'router_id': None, 'fixed_ip_address': None, 'floating_ip_address': u'10.160.37.113', 'tenant_id': u'3998b33381fb48f694369689065a3760', 'status': 'DOWN', 'port_id': None, 'id': '5ec1b08b-77c1-4e39-80ac-224ee937ee9f' } The floatingip is a instance of neutron.db.l3_db.FloatingIP, example: { tenant_id=u'3998b33381fb48f694369689065a3760', id=u'25e1588a-5ec5-4fbc-bdef-eff8713da8f8', floating_ip_address=u'10.160.37.111', floating_network_id=u'1c1dbecc-9dac-4311-a346-f147a04c8dc8', floating_port_id=u'4b4120d4-77f9-4f82-b823-05876929a1c4', fixed_port_id=None, fixed_ip_address=None, router_id=None, last_known_router_id=None, status=u'DOWN' } """ with context.session.begin(subtransactions=True): try: db_namespace = utils.add_vdom(self, context, tenant_id=obj['tenant_id']) db_fip = utils.add_record( self, context, fortinet_db.Fortinet_FloatingIP_Allocation, vdom=db_namespace.vdom, floating_ip_address=obj['floating_ip_address'], vip_name=obj['floating_ip_address']) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) utils.add_vip(self, context, vdom=const.EXT_VDOM, name=db_fip.vip_name, extip=db_fip.floating_ip_address, extintf='any', mappedip=mappedip) int_intf, ext_intf = utils.get_vlink_intf( self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=const.EXT_VDOM, dstintf=ext_intf, dstaddr=db_fip.vip_name, nat='enable') utils.add_routerstatic(self, context, vdom=const.EXT_VDOM, dst="%s 255.255.255.255" % mappedip, device=ext_intf, gateway=const.DEF_GW) utils.add_fwippool(self, context, name=db_fip.floating_ip_address, vdom=const.EXT_VDOM, startip=db_fip.floating_ip_address) utils.add_fwaddress(self, context, name=mappedip, vdom=const.EXT_VDOM, subnet="%s 255.255.255.255" % mappedip) db_fwpolicy = utils.add_fwpolicy( self, context, vdom=const.EXT_VDOM, srcintf=ext_intf, srcaddr=mappedip, dstintf=self._fortigate['ext_interface'], poolname=db_fip.floating_ip_address) utils.head_firewall_policy(self, context, vdom=const.EXT_VDOM, id=db_fwpolicy.edit_id) utils.add_fwippool(self, context, name=mappedip, vdom=db_namespace.vdom, startip=mappedip) except Exception as e: with excutils.save_and_reraise_exception(): utils._rollback_on_err(self, context, e) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED)
def _associate_floatingip(self, context, id, floatingip): try: l3db_fip = self._get_floatingip(context, id) db_namespace = fortinet_db.query_record( context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=l3db_fip.tenant_id) db_fip = fortinet_db.query_record( context, fortinet_db.Fortinet_FloatingIP_Allocation, floating_ip_address=l3db_fip.floating_ip_address, allocated=True) int_intf, ext_intf = utils.get_vlink_intf(self, context, vdom=db_namespace.vdom) mappedip = utils.get_ipaddr(db_fip.ip_subnet, 0) fixed_ip_address = floatingip['floatingip']['fixed_ip_address'] utils.add_vip(self, context, vdom=db_namespace.vdom, name=db_fip.floating_ip_address, extip=mappedip, extintf=int_intf, mappedip=fixed_ip_address) db_ip = fortinet_db.query_record( context, models_v2.IPAllocation, port_id=floatingip['floatingip']['port_id']) vlan_inf = utils.get_intf(context, db_ip.network_id) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=int_intf, dstintf=vlan_inf, dstaddr=db_fip.floating_ip_address, nat='enable') utils.add_fwaddress(self, context, name=fixed_ip_address, vdom=db_namespace.vdom, subnet="%s 255.255.255.255" % fixed_ip_address, associated_interface=vlan_inf) db_fwpolicy = utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, srcaddr=fixed_ip_address, dstintf=int_intf, poolname=mappedip) if self.enable_fwaas: fwrass = fortinet_db.Fortinet_FW_Rule_Association.query_one( context, fwr_id=db_namespace.tenant_id) default_fwp = getattr(fwrass, 'fortinet_policy', None) if getattr(default_fwp, 'edit_id', None): utils.head_firewall_policy(self, context, vdom=db_namespace.vdom, id=db_fwpolicy.edit_id, after=default_fwp.edit_id) _headed = True if '_headed' not in locals(): utils.head_firewall_policy(self, context, vdom=db_namespace.vdom, id=db_fwpolicy.edit_id) except Exception as e: with excutils.save_and_reraise_exception(): utils._rollback_on_err(self, context, e) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED)
def add_router_interface(self, context, router_id, interface_info): """creates vlnk on the fortinet device.""" LOG.debug( "FortinetL3ServicePlugin.add_router_interface: " "router_id=%(router_id)s " "interface_info=%(interface_info)r", { 'router_id': router_id, 'interface_info': interface_info }) with context.session.begin(subtransactions=True): info = super(FortinetL3ServicePlugin, self).add_router_interface(context, router_id, interface_info) port = db.get_port(context, info['port_id']) port['admin_state_up'] = True port['port'] = port LOG.debug( "FortinetL3ServicePlugin: " "context=%(context)s" "port=%(port)s " "info=%(info)r", { 'context': context, 'port': port, 'info': info }) interface_info = info subnet = self._core_plugin._get_subnet(context, interface_info['subnet_id']) network_id = subnet['network_id'] tenant_id = port['tenant_id'] port_filters = { 'network_id': [network_id], 'device_owner': [DEVICE_OWNER_ROUTER_INTF] } port_count = self._core_plugin.get_ports_count( context, port_filters) # port count is checked against 2 since the current port is already # added to db if port_count == 2: # This subnet is already part of some router LOG.error( _LE("FortinetL3ServicePlugin: adding redundant " "router interface is not supported")) raise Exception( _("FortinetL3ServicePlugin:adding redundant " "router interface is not supported")) try: db_namespace = fortinet_db.query_record( context, fortinet_db.Fortinet_ML2_Namespace, tenant_id=tenant_id) vlan_inf = utils.get_intf(context, network_id) int_intf, ext_intf = utils.get_vlink_intf( self, context, vdom=db_namespace.vdom) utils.add_fwpolicy(self, context, vdom=db_namespace.vdom, srcintf=vlan_inf, dstintf=int_intf, nat='enable') except Exception as e: LOG.error( _LE("Failed to create Fortinet resources to add " "router interface. info=%(info)s, " "router_id=%(router_id)s"), { "info": info, "router_id": router_id }) utils._rollback_on_err(self, context, e) with excutils.save_and_reraise_exception(): self.remove_router_interface(context, router_id, interface_info) utils.update_status(self, context, t_consts.TaskStatus.COMPLETED) return info