def defer_apply(self):
"""Defer apply context."""
self.defer_apply_on()
try:
yield
finally:
try:
self.defer_apply_off()
except EbTablesApplyException:
# already in the format we want, just reraise
raise
except Exception:
msg = _('Failure applying ebtables rules')
LOG.exception(msg)
raise EbTablesApplyException(msg)
def _apply(self):
lock_name = 'ebtables'
if self.namespace:
lock_name += '-' + self.namespace
with lockutils.lock(lock_name, runtime.SYNCHRONIZED_PREFIX, True):
first = self._apply_synchronized()
if not cfg.CONF.AGENT.debug_iptables_rules:
return first
second = self._apply_synchronized()
if second:
msg = (_("Ebtables Rules did not converge. Diff: %s") %
'\n'.join(second))
LOG.error(msg)
raise EbTablesApplyException(msg)
return first
def add_rule(self, chain, rule, wrap=True, top=False, tag=None,
comment=None):
"""Add a rule to the table.
This is just like what you'd feed to ebtables, just without
the '-A <chain name>' bit at the start.
However, if you need to jump to one of your wrapped chains,
prepend its name with a '$' which will ensure the wrapping
is applied correctly.
"""
chain = get_chain_name(chain, wrap)
if wrap and chain not in self.chains:
raise LookupError(_('Unknown chain: %r') % chain)
if '$' in rule:
rule = ' '.join(
self._wrap_target_chain(e, wrap) for e in rule.split(' '))
self.rules.append(EbtablesRule(chain, rule, wrap, top, self.wrap_name,
tag, comment))
class InvalidNetworkType(qexception.Invalid):
message = _("The specified network %(network_id)s is not a flat network")
class NotAuthorizedToEditRule(qexception.NotAuthorized):
message = _(
"The specified network %(network_id)s does not belong to you or you are not an admin"
)
class IsoflatRuleNotFound(qexception.NotFound):
message = _("Isoflat rule %(rule_id)s does not exist")
def _parse_bridge_mappings(bridge_mappings, unique_values=True):
try:
return helpers.parse_mappings(bridge_mappings, unique_values)
except ValueError as e:
raise ValueError(_("Parsing bridge_mappings failed: %s.") % e)
from neutron_lib.utils import helpers
from oslo_config import cfg
from oslo_log import log as logging
from neutron_isoflat._i18n import _
from neutron_isoflat.common import constants
from neutron_isoflat.services.isoflat.agents.firewall.linux import firewall
LOG = logging.getLogger(__name__)
OPTS = [
cfg.StrOpt(
'firewall_driver',
default='ebtables',
help=
_('Class name of the firewall driver Isoflat uses to filter flat network traffic.'
)),
cfg.ListOpt('bridge_mappings',
default=constants.DEFAULT_BRIDGE_MAPPINGS,
help=_(
"Comma-separated list of <physical_network>:<bridge> "
"tuples mapping physical network names to the agent's "
"node-specific Open vSwitch/Linux bridge names to be used "
"for flat networks. The length of bridge "
"names should be no more than 11. Each bridge must "
"exist, and should have a physical network interface "
"configured as a port. All physical networks "
"configured on the server should have mappings to "
"appropriate bridges on each agent. "
"Note: If you remove a bridge from this "
"mapping, make sure to disconnect it from the "
"integration bridge as it won't be managed by the "