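def add_vlan_iface(self, device_sn, iface_dict):
    """Add VLAN interface to specified device.

    The sub-interface is named ``ethernet1/2.<n>`` where ``<n>`` is the
    lowest suffix not already used by a VLAN interface on the device.
    Deriving the suffix from the existing names (rather than from the
    interface count) means a gap left by an earlier removal cannot yield a
    name that collides with a surviving interface.

    @param device_sn: PAN device serial number
    @param iface_dict: dict with VLAN interface info. Contains:
        - 'port_id': Neutron port id
        - 'ip_address': ip address allocated for this interface
        - 'cidr': interface subnet in cidr notation
        - 'segmentation_id': vlan tag
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    xml_api = xapi.PanXapi(**params)

    # Numeric suffixes already taken under the parent interface. Names
    # that do not follow the "ethernet1/2.<n>" pattern are ignored here.
    parent = "ethernet1/2"
    prefix = parent + "."
    used_suffixes = set()
    for item in self._list_vlan_interfaces(xml_api):
        name = item.get('name', '')
        tail = name[len(prefix):]
        if name.startswith(prefix) and tail.isdigit():
            used_suffixes.add(int(tail))

    # Lowest free suffix, starting at 1 (matches the previous numbering
    # whenever there are no gaps).
    suffix = 1
    while suffix in used_suffixes:
        suffix += 1
    vlan_iface_name = "%s.%d" % (parent, suffix)

    self._add_vlan_iface(xml_api, vlan_iface_name, iface_dict)
    self._set_router_iface(xml_api, vlan_iface_name)
    self._set_security_zone_iface(xml_api, vlan_iface_name,
                                  cfg.CONF.pan_dev_internal_security_zone)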
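def register_ip_address(self, device_sn, ip_address, tags):
    """Register an ip address with the given tags via the User-ID API.

    @param device_sn: PAN device serial number
    @param ip_address: ip address to register
    @param tags: list of tags to attach to the address. The list is read
        only; it is sorted into a copy and the caller's object is not
        modified.
    @return: None
    """
    from xml.sax.saxutils import escape

    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    xml_api = xapi.PanXapi(**params)

    # Both the address and the tags are embedded in an XML document, so
    # escape them instead of assuming they never contain markup characters.
    xml_tags = "".join("<member>%s</member>" % escape(str(tag))
                       for tag in sorted(tags))
    cmd = ("<uid-message>"
           "<version>2.0</version>"
           "<type>update</type>"
           "<payload>"
           "<register>"
           "<entry ip=\"%s\">"
           "<tag>"
           "%s"
           "</tag>"
           "</entry>"
           "</register>"
           "</payload>"
           "</uid-message>"
           % (escape(str(ip_address), {'"': '&quot;'}), xml_tags))
    try:
        xml_api.user_id(cmd)
    except xapi.PanXapiError as e:
        # Registering an address/tag pair that is already present is
        # reported by the device as an error but is harmless here.
        if 'already exists, ignore' not in e.msg.lower():
            raise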
def list_devices(self):
    """Get list of PAN devices in specified (in the config file) device group.

    @return: list of devices serial numbers
    """
    devices = self._list_group_devices(xapi.PanXapi(**self._params))
    # Each group entry exposes its serial number under the 'name' key.
    return [device['name'] for device in devices]
def remove_device_tags(self, device_sn, tags):
    """Remove tags from device.

    The request is sent through the Panorama connection held in
    ``self._params`` (no per-device serial is set), one call per tag.

    @param device_sn: PAN device serial number
    @param tags: list of tags
    @return: None
    """
    api = xapi.PanXapi(**self._params)
    for tag_name in tags:
        self._remove_device_tag(api, device_sn, tag_name)
def add_device_tags(self, device_sn, tags):
    """Add tags to specified device.

    The request is sent through the Panorama connection held in
    ``self._params`` (no per-device serial is set), one call per tag.

    @param device_sn: PAN device serial number
    @param tags: list of tags
    @return: None
    """
    api = xapi.PanXapi(**self._params)
    for tag_name in tags:
        self._add_device_tag(api, device_sn, tag_name)
def add_external_nat(self, device_sn, ip_dict):
    """Add external NAT rule to allow internet access from Nova instances.

    Creates (if missing) the internal security zone and then sets a
    source-NAT rule named 'OpenStack' that translates traffic from the
    internal zone to the external zone to the ip of ethernet1/1.

    @param device_sn: PAN device serial number
    @param ip_dict: dict with ip address info. Contains:
        - 'ip_address': ip address allocated for this interface
        - 'cidr': interface subnet in cidr notation
    @return: None
    """
    # Prefix length is taken from the subnet cidr, address from the port.
    prefix_len = ip_dict['cidr'].split('/')[1]
    iface_ip = "%s/%s" % (ip_dict['ip_address'], prefix_len)

    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    xml_api = xapi.PanXapi(**params)

    internal_zone = cfg.CONF.pan_dev_internal_security_zone
    external_zone = cfg.CONF.pan_dev_external_security_zone

    # Ensure the source (internal) zone exists; 'no such node' is the
    # only error that is handled, everything else propagates.
    zone_xpath = ("/config/devices/entry[@name='localhost.localdomain']"
                  "/vsys/entry[@name='vsys1']/zone/entry[@name='%s']"
                  % internal_zone)
    try:
        xml_api.show(zone_xpath)
    except xapi.PanXapiError as e:
        if e.msg.lower() != 'no such node':
            raise
        xml_api.set(zone_xpath, "<network><layer3/></network>")

    rules_xpath = ("/config/devices/entry[@name='localhost.localdomain']/vsys"
                   "/entry[@name='vsys1']/rulebase/nat/rules")
    rule_values = {
        'ip': iface_ip,
        'source_zone': internal_zone,
        'destination_zone': external_zone,
    }
    rule_element = (
        "<entry name='OpenStack'>"
        "<source-translation>"
        "<dynamic-ip-and-port>"
        "<interface-address>"
        "<ip>%(ip)s</ip>"
        "<interface>ethernet1/1</interface>"
        "</interface-address>"
        "</dynamic-ip-and-port>"
        "</source-translation>"
        "<to><member>%(destination_zone)s</member></to>"
        "<from><member>%(source_zone)s</member></from>"
        "<source><member>any</member></source>"
        "<destination><member>any</member></destination>"
        "<service>any</service>"
        "<nat-type>ipv4</nat-type>"
        "</entry>" % rule_values
    )
    xml_api.set(rules_xpath, rule_element)
def commit_configuration(self, device_sn=None):
    """Commit candidate configuration to Panorama or specified device.

    The commit is issued synchronously, so the call returns only once the
    device reports the job finished.

    @param device_sn: PAN device serial number; when omitted the commit
        targets Panorama itself
    @return: None
    """
    params = copy.deepcopy(self._params)
    # Commit requests are sent with HTTP GET.
    params['use_get'] = True
    if device_sn:
        params['serial'] = device_sn

    commit_cmd = commit.PanCommit().cmd()
    xapi.PanXapi(**params).commit(cmd=commit_cmd, sync=True)
def remove_external_nat(self, device_sn):
    """Remove external NAT rule to deny internet access for Nova instances.

    Deletes the 'OpenStack' NAT rule from vsys1 of the given device.

    @param device_sn: PAN device serial number
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn

    rule_xpath = ("/config/devices/entry[@name='localhost.localdomain']/vsys"
                  "/entry[@name='vsys1']/rulebase/nat/rules"
                  "/entry[@name='OpenStack']")
    xapi.PanXapi(**params).delete(rule_xpath)
def unregister_ip_address(self, device_sn, ip_address):
    """Unregister an ip address via the User-ID API.

    Unlike the register path, any error returned by the device propagates
    to the caller.

    @param device_sn: PAN device serial number
    @param ip_address: ip address to unregister; it is interpolated into
        the XML attribute as-is
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn

    message = (
        "<uid-message>"
        "<version>2.0</version>"
        "<type>update</type>"
        "<payload>"
        "<unregister>"
        "<entry ip=\"%s\">"
        "</entry>"
        "</unregister>"
        "</payload>"
        "</uid-message>"
    ) % ip_address
    xapi.PanXapi(**params).user_id(message)
def remove_external_ip(self, device_sn):
    """Remove ip address from the device external interface.

    Tears down ethernet1/1 in the reverse order of add_external_ip: router
    membership, default route (only when a next hop is configured),
    external zone membership, management profile, and finally the address.

    @param device_sn: PAN device serial number
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    api = xapi.PanXapi(**params)

    external_iface = 'ethernet1/1'
    external_zone = cfg.CONF.pan_dev_external_security_zone

    self._clear_router_iface(api, external_iface)
    if cfg.CONF.pan_dev_default_route_next_hop:
        self._clear_default_route(api)
    self._clear_security_zone_iface(api, external_iface, external_zone)
    self._clear_management_profile(api, external_iface)
    self._remove_external_ip(api)
def add_external_ip(self, device_sn, ip_dict):
    """Add ip address to the device external interface.

    Configures ethernet1/1: assigns the address, attaches the interface to
    the router, sets the default route (only when a next hop is
    configured), joins the external zone and applies the management
    profile.

    @param device_sn: PAN device serial number
    @param ip_dict: dict with ip address info. Contains:
        - 'ip_address': ip address allocated for this interface
        - 'cidr': interface subnet in cidr notation
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    api = xapi.PanXapi(**params)

    external_iface = 'ethernet1/1'
    external_zone = cfg.CONF.pan_dev_external_security_zone

    self._add_external_ip(api, ip_dict)
    self._set_router_iface(api, external_iface)
    if cfg.CONF.pan_dev_default_route_next_hop:
        self._set_default_route(api)
    self._set_security_zone_iface(api, external_iface, external_zone)
    self._set_management_profile(api, external_iface)
def remove_vlan_iface(self, device_sn, iface_dict):
    """Remove VLAN interface from specified device.

    The interface is located by looking for the Neutron port id inside the
    interface's comment field; when no interface matches, nothing is done.

    @param device_sn: PAN device serial number
    @param iface_dict: dict with VLAN interface info. Contains:
        - 'port_id': Neutron port id
    @return: None
    """
    params = copy.deepcopy(self._params)
    params['serial'] = device_sn
    api = xapi.PanXapi(**params)

    port_id = iface_dict['port_id']
    target = None
    for candidate in self._list_vlan_interfaces(api):
        # Substring match on the comment, which is how the port id was
        # recorded when the interface was created.
        if port_id in candidate["comment"]:
            target = candidate
            break

    if not target:
        return

    name = target['name']
    self._clear_router_iface(api, name)
    self._clear_security_zone_iface(
        api, name, cfg.CONF.pan_dev_internal_security_zone)
    self._remove_vlan_iface(api, name)