def _va_config_trusted_zone(self, ri, plist):
    """Attach the router's internal ports to its trusted zone on the device.

    Flow: derive the zone name, unset the zone's current interfaces (a falsy
    result is treated as "zone does not exist" and the zone is created with
    an empty interface list via POST + commit), then for every admin-up
    internal port that resolves to a physical interface in ``plist`` map it
    to a logical interface, program the port's CIDR on it, and finally PUT
    the collected interface list followed by a commit.

    Args:
        ri: router-info object; ``ri.internal_ports`` is iterated.
        plist: device port list passed through to ``_va_get_port_name``.

    Returns:
        None. All effects are REST calls against the firewall.

    NOTE(review): return values of ``rest_api``/``commit`` are discarded, so a
    rejected PUT is not detected here; a port whose zone membership failed to
    apply is presumably not covered by the zone-based policy — confirm how
    the REST client signals errors before relying on this for enforcement.
    """
    zone = va_utils.get_trusted_zone_name(ri)
    LOG.debug(_("_va_config_trusted_zone: %s"), zone)

    zone_cfg = {'name': zone, 'type': 'L3', 'interface': []}
    members = zone_cfg['interface']

    # A falsy unset result means the device does not know this zone yet.
    if not self._va_unset_zone_interfaces(zone):
        self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_cfg)
        self.rest.commit()

    for port in ri.internal_ports:
        if not port['admin_state_up']:
            continue
        dev_name = self.get_internal_device_name(port['id'])
        phys_if = self._va_get_port_name(plist, dev_name)
        if not phys_if:
            continue
        logical_if = self._va_pif_2_lif(phys_if)
        # Several ports may resolve to the same logical interface.
        if logical_if not in members:
            members.append(logical_if)
        self._va_set_interface_ip(phys_if, port['ip_cidr'])

    if members:
        self.rest.rest_api('PUT', va_utils.REST_URL_CONF_ZONE, zone_cfg)
        self.rest.commit()
def _va_config_trusted_zone(self, ri, plist):
    """Populate the router's trusted zone with its internal ports.

    The zone's interface list is first cleared with
    ``_va_unset_zone_interfaces``; when that reports the zone as absent the
    zone is POSTed (empty) and committed. Each admin-up internal port that
    maps to a physical interface contributes its logical interface to the
    zone and has its CIDR programmed. If any interface was collected the zone
    is PUT back and committed.

    Args:
        ri: router-info object providing ``internal_ports``.
        plist: device port list used to resolve device names to ports.

    Returns:
        None.

    NOTE(review): REST results are not inspected, so a failed PUT leaves the
    device's zone membership out of sync with what this function intended;
    the caller has no way to learn that — confirm the REST client raises on
    error if that matters for policy enforcement.
    """
    zone = va_utils.get_trusted_zone_name(ri)
    LOG.debug(_("_va_config_trusted_zone: %s"), zone)

    lifs = []
    zone_body = {'name': zone, 'type': 'L3', 'interface': lifs}

    zone_known = self._va_unset_zone_interfaces(zone)
    if not zone_known:
        # Zone is missing on the device: create it empty before filling it.
        self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_body)
        self.rest.commit()

    active_ports = (p for p in ri.internal_ports if p['admin_state_up'])
    for port in active_ports:
        dev = self.get_internal_device_name(port['id'])
        pif = self._va_get_port_name(plist, dev)
        if pif:
            lif = self._va_pif_2_lif(pif)
            if lif not in lifs:
                lifs.append(lif)
            self._va_set_interface_ip(pif, port['ip_cidr'])

    if lifs:
        self.rest.rest_api('PUT', va_utils.REST_URL_CONF_ZONE, zone_body)
        self.rest.commit()
def _va_config_trusted_zone(self, ri, plist):
    """Sync the trusted zone's interface membership with the router's ports.

    Steps, in order: resolve the zone name; unset the zone's interfaces and,
    if that reports the zone missing, create it (POST, commit); walk the
    admin-up internal ports, resolving each to a physical interface and then
    a logical one, appending unseen logical interfaces to the zone body and
    programming the port CIDR; PUT and commit if anything was collected.

    Args:
        ri: router-info object; ``ri.internal_ports`` drives the loop.
        plist: device port list for ``_va_get_port_name``.

    Returns:
        None.

    NOTE(review): nothing checks the outcome of ``rest_api``/``commit``; an
    interface that failed to join the zone is presumably outside the policies
    bound to that zone — verify the REST client's error behaviour.
    """
    zone = va_utils.get_trusted_zone_name(ri)
    LOG.debug(_("_va_config_trusted_zone: %s"), zone)

    body = {"name": zone, "type": "L3", "interface": []}

    exists = self._va_unset_zone_interfaces(zone)
    if not exists:
        # Zone is unknown to the device; create it before adding members.
        self.rest.rest_api("POST", va_utils.REST_URL_CONF_ZONE, body)
        self.rest.commit()

    for port in ri.internal_ports:
        if not port["admin_state_up"]:
            continue
        dev = self.get_internal_device_name(port["id"])
        pif = self._va_get_port_name(plist, dev)
        if not pif:
            continue
        lif = self._va_pif_2_lif(pif)
        seen = body["interface"]
        if lif not in seen:
            seen.append(lif)
        self._va_set_interface_ip(pif, port["ip_cidr"])

    if body["interface"]:
        self.rest.rest_api("PUT", va_utils.REST_URL_CONF_ZONE, body)
        self.rest.commit()
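def _setup_policy(self, ri, fw):
    """Install the firewall's rules on the device as zone-to-zone policies.

    Both of the router's zones are POSTed unconditionally with an empty
    interface list (interface membership is managed by the router code, not
    here) and committed. Then every enabled IPv4 rule is expanded into three
    policies sharing the same service and source/destination addresses:
    trusted->trusted (suffix ``_0``), trusted->untrusted (``_1``) and
    untrusted->trusted (``_2``); a commit follows each rule, as in the
    original implementation.

    Args:
        ri: router-info object used to derive zone and policy names.
        fw: firewall dict; ``fw['firewall_rule_list']`` is iterated.

    Returns:
        None.

    Security notes (review):
      * A rule is installed in both inter-zone directions regardless of any
        direction the rule itself may carry, so a permitting rule presumably
        also admits the matching flow inbound from the untrusted zone —
        confirm this is the intended FWaaS semantics before relying on the
        trusted zone for inbound filtering.
      * Non-IPv4 rules are only logged and never installed; if the device
        forwards IPv6 the enforced rule set is silently incomplete for it.
      * ``rest_api`` results are not checked, so a rejected policy POST goes
        unnoticed before ``commit``.

    Changes from the original: zone names are computed once instead of per
    rule, each zone POST gets its own body dict (the original mutated one
    dict between the two requests), and ``LOG.warning`` replaces the
    deprecated ``LOG.warn`` alias.
    """
    # Create zones no matter if they exist. Interfaces are added by router.
    trusted_zone = va_utils.get_trusted_zone_name(ri)
    untrusted_zone = va_utils.get_untrusted_zone_name(ri)
    for zone_name in (trusted_zone, untrusted_zone):
        zone_body = {'name': zone_name, 'type': 'L3', 'interface': []}
        self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_body)
    self.rest.commit()

    # Shared across rules; presumably lets _make_service/_make_address reuse
    # device objects already created for an earlier rule — TODO confirm.
    servs = {}
    addrs = {}

    # (policy-name suffix, from-zone, to-zone) in the original emission order.
    directions = (
        ('_0', trusted_zone, trusted_zone),
        ('_1', trusted_zone, untrusted_zone),
        ('_2', untrusted_zone, trusted_zone),
    )

    for rule in fw['firewall_rule_list']:
        if not rule['enabled']:
            continue
        if rule['ip_version'] != 4:
            # Not installed at all: see the security note in the docstring.
            LOG.warning(_("Unsupported IP version rule."))
            continue

        service = self._make_service(ri, fw, rule, servs)
        s_addr = self._make_address(ri, fw, rule, addrs, True)
        d_addr = self._make_address(ri, fw, rule, addrs, False)
        policy = va_utils.get_firewall_policy_name(ri, fw, rule)

        for suffix, from_zone, to_zone in directions:
            body = self._make_policy(policy + suffix, rule, from_zone,
                                     to_zone, s_addr, d_addr, service)
            self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
        # Per-rule commit, matching the original's behaviour.
        self.rest.commit()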
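def _setup_policy(self, ri, fw):
    """Install the firewall's rules on the device as zone-to-zone policies.

    Both of the router's zones are POSTed unconditionally with an empty
    interface list (interface membership is managed by the router code, not
    here) and committed. Then every enabled IPv4 rule is expanded into three
    policies sharing the same service and source/destination addresses:
    trusted->trusted (suffix ``_0``), trusted->untrusted (``_1``) and
    untrusted->trusted (``_2``); a commit follows each rule, as in the
    original implementation.

    Args:
        ri: router-info object used to derive zone and policy names.
        fw: firewall dict; ``fw['firewall_rule_list']`` is iterated.

    Returns:
        None.

    Security notes (review):
      * A rule is installed in both inter-zone directions regardless of any
        direction the rule itself may carry, so a permitting rule presumably
        also admits the matching flow inbound from the untrusted zone —
        confirm this is the intended FWaaS semantics before relying on the
        trusted zone for inbound filtering.
      * Non-IPv4 rules are only logged and never installed; if the device
        forwards IPv6 the enforced rule set is silently incomplete for it.
      * ``rest_api`` results are not checked, so a rejected policy POST goes
        unnoticed before ``commit``.

    Changes from the original: zone names are computed once instead of per
    rule, each zone POST gets its own body dict (the original mutated one
    dict between the two requests), and ``LOG.warning`` replaces the
    deprecated ``LOG.warn`` alias.
    """
    # Create zones no matter if they exist. Interfaces are added by router.
    trusted_zone = va_utils.get_trusted_zone_name(ri)
    untrusted_zone = va_utils.get_untrusted_zone_name(ri)
    for zone_name in (trusted_zone, untrusted_zone):
        zone_body = {'name': zone_name, 'type': 'L3', 'interface': []}
        self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_body)
    self.rest.commit()

    # Shared across rules; presumably lets _make_service/_make_address reuse
    # device objects already created for an earlier rule — TODO confirm.
    servs = {}
    addrs = {}

    # (policy-name suffix, from-zone, to-zone) in the original emission order.
    directions = (
        ('_0', trusted_zone, trusted_zone),
        ('_1', trusted_zone, untrusted_zone),
        ('_2', untrusted_zone, trusted_zone),
    )

    for rule in fw['firewall_rule_list']:
        if not rule['enabled']:
            continue
        if rule['ip_version'] != 4:
            # Not installed at all: see the security note in the docstring.
            LOG.warning(_LW("Unsupported IP version rule."))
            continue

        service = self._make_service(ri, fw, rule, servs)
        s_addr = self._make_address(ri, fw, rule, addrs, True)
        d_addr = self._make_address(ri, fw, rule, addrs, False)
        policy = va_utils.get_firewall_policy_name(ri, fw, rule)

        for suffix, from_zone, to_zone in directions:
            body = self._make_policy(policy + suffix, rule, from_zone,
                                     to_zone, s_addr, d_addr, service)
            self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
        # Per-rule commit, matching the original's behaviour.
        self.rest.commit()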
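def _router_removed(self, router_id):
    """Withdraw a deleted router's configuration from the device.

    The cached router is stripped of its gateway port, interfaces and
    floating IPs and re-processed through ``process_router`` so per-port
    device state is torn down; then the router's SNAT and DNAT rules are
    deleted and both of its zones have their interfaces unset (second
    argument ``True``). The local ``router_info`` entry is dropped only after
    all of that, so an exception from a REST call part-way through leaves
    the router tracked and a later removal pass can retry rather than
    leaving orphaned NAT rules or zone bindings on the firewall.

    Args:
        router_id: id of the router being removed.

    Returns:
        None.

    Fix: the original indexed ``self.router_info[router_id]`` and only then
    tested ``if ri:``, so an untracked router raised ``KeyError`` instead of
    being handled by the guard. ``dict.get`` makes the guard effective.
    """
    LOG.debug(_("_router_removed: %s"), router_id)

    ri = self.router_info.get(router_id)
    if not ri:
        LOG.debug("_router_removed: router %s is not tracked, nothing to do",
                  router_id)
        return

    # Detach everything from the cached router and let process_router
    # apply the now-empty configuration.
    ri.router['gw_port'] = None
    ri.router[l3_constants.INTERFACE_KEY] = []
    ri.router[l3_constants.FLOATINGIP_KEY] = []
    self.process_router(ri)

    # NAT rules first, then the zone interfaces, in the original order.
    name = va_utils.get_snat_rule_name(ri)
    self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)

    name = va_utils.get_dnat_rule_name(ri)
    self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)

    name = va_utils.get_trusted_zone_name(ri)
    self._va_unset_zone_interfaces(name, True)

    name = va_utils.get_untrusted_zone_name(ri)
    self._va_unset_zone_interfaces(name, True)

    # Dropped last: a failure above keeps the router tracked for retry.
    self.router_info.pop(router_id, None)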