def _set_subnet_info(self, port):
    """Annotate *port* with an ``ip_cidr`` entry of the form ``addr/prefixlen``.

    The address is taken from the port's first fixed IP and the prefix
    length from ``port['subnet']['cidr']``.  Additional fixed IPs are not
    programmed; they are only reported with a warning.

    :param port: router port dict carrying ``fixed_ips``, ``id`` and
        ``subnet['cidr']``.
    :raises Exception: when the port has no fixed IP at all.
    """
    fixed_ips = port['fixed_ips']
    if not fixed_ips:
        raise Exception(_("Router port %s has no IP address") % port['id'])
    if len(fixed_ips) > 1:
        LOG.warning(_LW("Ignoring multiple IPs on router port %s"),
                    port['id'])
    # Only the first address is used; every other fixed IP on this port is
    # dropped (see the warning above), so the device will not know them.
    subnet = netaddr.IPNetwork(port['subnet']['cidr'])
    port['ip_cidr'] = "%s/%s" % (fixed_ips[0]['ip_address'],
                                 subnet.prefixlen)
def firewall_deleted(self, context, firewall_id, **kwargs):
    """Agent uses this to indicate firewall is deleted.

    The DB row is removed only when the firewall is in PENDING_DELETE or
    ERROR.  A deletion reported from any other state is treated as
    unexpected: it is logged and the row is moved to ERROR instead of
    being dropped, so the operator can see that agent and DB disagree.

    :returns: True when the DB object was deleted, False otherwise.
    """
    with context.session.begin(subtransactions=True):
        fw_db = self.plugin._get_firewall(context, firewall_id)
        # allow to delete firewalls in ERROR state
        deletable_states = (const.PENDING_DELETE, const.ERROR)
        if fw_db.status not in deletable_states:
            LOG.warning(_LW('Firewall %(fw)s unexpectedly deleted by agent, '
                            'status was %(status)s'),
                        {'fw': firewall_id, 'status': fw_db.status})
            fw_db.status = const.ERROR
            return False
        self.plugin.delete_db_firewall_object(context, firewall_id)
        return True
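def process_router(self, ri):
    """Program the vArmour device for router *ri* after the base L3 handling.

    Runs the parent agent's ``process_router`` first, then calls
    ``self.rest.auth()``, fetches the interface-name mapping from the
    device and pushes the zone, SNAT and floating-IP configuration derived
    from the router.  If the mapping cannot be read or parsed the device
    configuration for this router is skipped (the base processing has
    already happened at that point).

    :param ri: router info object with ``router['id']`` and ``ex_gw_port``.
    """
    LOG.debug("process_router: %s", ri.router['id'])
    super(vArmourL3NATAgent, self).process_router(ri)

    self.rest.auth()

    # read internal port name and configuration port name map
    resp = self.rest.rest_api('GET', va_utils.REST_URL_INTF_MAP)
    if not resp or resp['status'] != 200:
        LOG.warning(_LW("Unable to read interface mapping."))
        return

    try:
        plist = resp['body']['response']
    except (KeyError, TypeError, ValueError):
        # A 200 reply whose body lacks the expected structure (missing
        # key, or a body that is not a mapping) must not be pushed to the
        # device.  The previous clause caught only ValueError, which a
        # dict lookup never raises, so such replies escaped as an
        # unhandled exception instead of being logged and skipped.
        LOG.warning(_LW("Unable to parse interface mapping."))
        return

    if ri.ex_gw_port:
        self._set_subnet_info(ri.ex_gw_port)

    self._va_config_trusted_zone(ri, plist)
    self._va_config_untrusted_zone(ri, plist)
    self._va_config_router_snat_rules(ri, plist)
    self._va_config_floating_ips(ri)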
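def fetch_element_id(self):
    """Look up the SMC element named ``self.name`` and cache its numeric id.

    Queries the SMC for the elements of ``self.element_type`` and, when one
    carries a matching ``name``, stores the trailing path component of its
    ``href`` (as ``int``) in ``self.element_id``.

    :returns: the matched element's id; when nothing matched, the previous
        value of ``self.element_id`` (``None`` if it was never set).
    """
    json_result = self.get_elements()
    elements = json_result[0]['result']
    if not elements:
        # The original message used Ruby-style "#{...}" interpolation,
        # which Python never substitutes; pass the type as a log argument.
        LOG.warning(_LW("No %s defined in SMC"), self.element_type)
    else:
        for element in elements:
            if element['name'] != self.name:
                continue
            href = element['href']
            # Record the id only for the element whose name matches.
            # Assigning it for every element before the name check meant
            # that, with no match, the id of the *last* element returned
            # by the SMC was used -- i.e. an unrelated object.
            self.element_id = int(href.split('/')[-1])
            LOG.debug("%(type)s element with name %(name)s FOUND "
                      "%(href)s",
                      {'type': self.element_type,
                       'name': self.name,
                       'href': href})
            break
        else:
            LOG.warning(_LW("No %s named %s found in SMC"),
                        self.element_type, self.name)
    element_id = getattr(self, 'element_id', None)
    LOG.debug("Got ID %s", element_id)
    return element_id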
def firewall_deleted(self, context, firewall_id, **kwargs):
    """Agent uses this to indicate firewall is deleted.

    The DB row is removed only when the firewall is in PENDING_DELETE or
    ERROR.  A deletion reported from any other state is logged and the
    row is moved to ERROR instead of being dropped.  A firewall that is
    already gone from the DB counts as successfully deleted.

    :returns: True when the DB object was deleted (or already absent),
        False when the deletion was unexpected.
    """
    LOG.debug("firewall_deleted() called")
    try:
        with context.session.begin(subtransactions=True):
            fw_db = self.plugin._get_firewall(context, firewall_id)
            # allow to delete firewalls in ERROR state
            deletable = fw_db.status in (nl_constants.PENDING_DELETE,
                                         nl_constants.ERROR)
            if not deletable:
                LOG.warning(_LW('Firewall %(fw)s unexpectedly deleted by '
                                'agent, status was %(status)s'),
                            {'fw': firewall_id, 'status': fw_db.status})
                fw_db.update({"status": nl_constants.ERROR})
                return False
            self.plugin.delete_db_firewall_object(context, firewall_id)
            return True
    except fw_ext.FirewallNotFound:
        LOG.info(_LI('Firewall %s already deleted'), firewall_id)
        return True
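def fetch_element_id(self):
    """Look up the SMC element named ``self.name`` and cache its numeric id.

    Queries the SMC for the elements of ``self.element_type`` and, when one
    carries a matching ``name``, stores the trailing path component of its
    ``href`` (as ``int``) in ``self.element_id``.

    :returns: the matched element's id; when nothing matched, the previous
        value of ``self.element_id`` (``None`` if it was never set).
    """
    json_result = self.get_elements()
    elements = json_result[0]['result']
    if not elements:
        # The original message used Ruby-style "#{...}" interpolation,
        # which Python never substitutes; pass the type as a log argument.
        LOG.warning(_LW("No %s defined in SMC"), self.element_type)
    else:
        for element in elements:
            if element['name'] != self.name:
                continue
            href = element['href']
            # Record the id only for the element whose name matches.
            # Assigning it for every element before the name check meant
            # that, with no match, the id of the *last* element returned
            # by the SMC was used -- i.e. an unrelated object.
            self.element_id = int(href.split('/')[-1])
            LOG.debug(
                "%(type)s element with name %(name)s FOUND "
                "%(href)s", {
                    'type': self.element_type,
                    'name': self.name,
                    'href': href
                })
            break
        else:
            LOG.warning(_LW("No %s named %s found in SMC"),
                        self.element_type, self.name)
    element_id = getattr(self, 'element_id', None)
    LOG.debug("Got ID %s", element_id)
    return element_id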
def _setup_policy(self, ri, fw):
    """Push zones and per-rule policies for firewall *fw* onto router *ri*.

    Both zones are (re)created unconditionally -- interfaces are attached
    by the router code -- and committed.  Every enabled IPv4 rule is then
    expanded into three policies (intra-trusted, trusted->untrusted and
    untrusted->trusted) and committed.  Rules with any other IP version
    are only logged and are NOT programmed, so the device will not
    enforce them; disabled rules are skipped silently.
    """
    # create zones no matter if they exist. Interfaces are added by router
    zone_body = {'type': 'L3', 'interface': []}
    zone_body['name'] = va_utils.get_trusted_zone_name(ri)
    self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_body)
    zone_body['name'] = va_utils.get_untrusted_zone_name(ri)
    self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, zone_body)
    self.rest.commit()

    # Caches shared across rules so services/addresses are created once.
    servs = {}
    addrs = {}
    for rule in fw['firewall_rule_list']:
        if not rule['enabled']:
            continue
        if rule['ip_version'] != 4:
            LOG.warning(_LW("Unsupported IP version rule."))
            continue

        service = self._make_service(ri, fw, rule, servs)
        s_addr = self._make_address(ri, fw, rule, addrs, True)
        d_addr = self._make_address(ri, fw, rule, addrs, False)
        policy = va_utils.get_firewall_policy_name(ri, fw, rule)
        z0 = va_utils.get_trusted_zone_name(ri)
        z1 = va_utils.get_untrusted_zone_name(ri)

        # One policy per direction, in the same order as before.
        directions = (('_0', z0, z0), ('_1', z0, z1), ('_2', z1, z0))
        for suffix, src_zone, dst_zone in directions:
            policy_body = self._make_policy(policy + suffix, rule,
                                            src_zone, dst_zone,
                                            s_addr, d_addr, service)
            self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY,
                               policy_body)
        self.rest.commit()
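def _query(self, query_type, query_data):
    """Issue a conntrack query through libnetfilter_conntrack.

    :param query_type: nfct query type constant passed to ``nfct_query``.
    :param query_data: payload object for the query.
    :returns: the raw ``nfct_query`` result.  A value equal to
        ``nl_constants.NFCT_CB_FAILURE`` means the query failed; this is
        also logged as a warning.
    """
    result = nfct.nfct_query(self.conntrack_handler, query_type, query_data)
    if result == nl_constants.NFCT_CB_FAILURE:
        # Previously the result was discarded, so callers could not tell a
        # failed query from a successful one.  NOTE(review): if this is
        # used to flush conntrack entries after a rule change, an
        # unnoticed failure leaves established flows untouched by the new
        # rule -- callers should check the return value.
        LOG.warning(_LW("Netlink query failed"))
    return result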