def update_firewall(self, context, id, firewall):
with self.db_lock_by_firewall(context, id):
if firewall['firewall'].get('firewall_policy_id'):
self._lock_policy(context.session,
firewall['firewall']['firewall_policy_id'])
original_fw = self.get_firewall(context, id)
original_l3domains = self.l3domain_ids_by_policy_id(
context, original_fw['firewall_policy_id'])
updated_fw = super(NuageFWaaSPlugin, self).update_firewall(
context, id, firewall)
policy_updated = (original_fw['firewall_policy_id'] !=
updated_fw['firewall_policy_id'])
with utils.rollback() as on_exc:
if policy_updated:
self.nuageclient.update_firewall(self.enterprise_id,
original_fw,
[])
on_exc(self.nuageclient.update_firewall,
self.enterprise_id, original_fw, original_l3domains)
l3domain_ids = self.l3domain_ids_by_policy_id(
context, updated_fw['firewall_policy_id'])
self.nuageclient.update_firewall(
self.enterprise_id, updated_fw, l3domain_ids)
self._update_firewall_status(context, updated_fw)
return updated_fw
def update_firewall(self, context, id, firewall):
with self.db_lock_by_firewall(context, id):
if firewall['firewall'].get('firewall_policy_id'):
self._lock_policy(context.session,
firewall['firewall']['firewall_policy_id'])
original_fw = self.get_firewall(context, id)
original_l3domains = self.l3domain_ids_by_policy_id(
context, original_fw['firewall_policy_id'])
updated_fw = super(NuageFWaaSPlugin,
self).update_firewall(context, id, firewall)
policy_updated = (original_fw['firewall_policy_id'] !=
updated_fw['firewall_policy_id'])
with utils.rollback() as on_exc:
if policy_updated:
l3domains_ids_old_policy = self.l3domain_ids_by_policy_id(
context, original_fw['firewall_policy_id'])
self.vsdclient.update_firewall(self.enterprise_id,
original_fw,
l3domains_ids_old_policy)
on_exc(self.vsdclient.update_firewall, self.enterprise_id,
original_fw, original_l3domains)
l3domains_ids_new_policy = self.l3domain_ids_by_policy_id(
context, updated_fw['firewall_policy_id'])
self.vsdclient.update_firewall(self.enterprise_id, updated_fw,
l3domains_ids_new_policy)
self._update_firewall_status(context, updated_fw)
return updated_fw
def _create_policygroup(self, context, security_group_id, vsd_subnet):
security_group = self.core_plugin.get_security_group(
context, security_group_id)
# pop rules, make empty policygroup first
security_group_rules = security_group.pop('security_group_rules')
try:
policy_group = self.vsdclient.create_security_group(
vsd_subnet, security_group)
except restproxy.RESTProxyError as e:
if e.vsd_code == restproxy.REST_PG_EXISTS_ERR_CODE:
# PG is being concurrently created
external_id = cms_id_helper.get_vsd_external_id(
security_group_id)
policygroups = self.get_policygroups(external_id, vsd_subnet)
return policygroups[0]
else:
raise
# Before creating rules, we might have to make other policygroups first
# if the rule uses remote_group_id to have rule related to other PG.
with nuage_utils.rollback() as on_exc:
on_exc(self.vsdclient.delete_nuage_policy_group,
policy_group['ID'])
remote_sg_ids = []
for rule in security_group_rules:
remote_sg_id = rule.get('remote_group_id')
if remote_sg_id and remote_sg_id not in remote_sg_ids:
remote_sg_ids.append(remote_sg_id)
self._find_or_create_policygroup(context, remote_sg_id,
vsd_subnet)
self.vsdclient.create_security_group_rules(policy_group,
security_group_rules)
return policy_group
def _enable_rule(self, context, fw_rule):
with utils.rollback() as on_exc:
vsd_rule = self.vsdclient.create_firewall_rule(
self.enterprise_id, fw_rule)
on_exc(self.vsdclient.delete_vsd_firewallrule, vsd_rule['ID'])
if fw_rule['firewall_policy_id']:
self._update_policy_rules(context,
fw_rule['firewall_policy_id'])
def _enable_rule(self, context, fw_rule):
with utils.rollback() as on_exc:
vsd_rule = self.nuageclient.create_firewall_rule(
self.enterprise_id, fw_rule)
on_exc(self.nuageclient.delete_vsd_firewallrule, vsd_rule['ID'])
if fw_rule['firewall_policy_id']:
self._update_policy_rules(context,
fw_rule['firewall_policy_id'])
def _disable_rule(self, context, fw_rule, id):
with utils.rollback() as on_exc:
if fw_rule['firewall_policy_id']:
self.vsdclient.remove_rule(self.enterprise_id,
fw_rule['firewall_policy_id'],
{'firewall_rule_id': id})
on_exc(self._update_policy_rules, context,
fw_rule['firewall_policy_id'])
self.vsdclient.delete_firewall_rule(self.enterprise_id, id)
def _disable_rule(self, context, fw_rule, id):
with utils.rollback() as on_exc:
if fw_rule['firewall_policy_id']:
self.nuageclient.remove_rule(self.enterprise_id,
fw_rule['firewall_policy_id'],
{'firewall_rule_id': id})
on_exc(self._update_policy_rules,
context, fw_rule['firewall_policy_id'])
self.nuageclient.delete_firewall_rule(self.enterprise_id, id)
def create_flow_classifier(self, context, flow_classifier):
flow_classifier_dict = flow_classifier['flow_classifier']
vlan_min_specified = (flow_classifier_dict.get('vlan_range_min') is not
lib_constants.ATTR_NOT_SPECIFIED)
vlan_max_specified = (flow_classifier_dict.get('vlan_range_max') is not
lib_constants.ATTR_NOT_SPECIFIED)
if vlan_min_specified or vlan_max_specified:
vlan_min_value = flow_classifier_dict.get('vlan_range_min')
vlan_max_value = flow_classifier_dict.get('vlan_range_max')
if (vlan_min_specified and vlan_max_specified and
vlan_min_value != vlan_max_value):
msg = ("Currently nuage only supports flow classifier where,"
" the minimum and maximum VLAN range values are equal.")
raise nuage_exc.NuageBadRequest(msg=msg)
flow_classifier['flow_classifier']['l7_parameters'] = {
'vlan_range_min': vlan_min_value,
'vlan_range_max': vlan_max_value
}
src_prt_details, dst_prt_details = self._validate_flow_classifier(
context,
flow_classifier_dict)
with db_api.CONTEXT_WRITER.using(context):
fc_db = (nuage_flowclassifier_db.NuageFlowClassifierDbPlugin.
create_flow_classifier(self, context, flow_classifier))
with nuage_utils.rollback() as on_exc:
on_exc(super(
NuageFlowClassifierPlugin, self).delete_flow_classifier,
context, fc_db['id'])
src_prt_details['externalID'] = 'fc' + '_' + src_prt_details['id']
dst_prt_details['externalID'] = 'fc' + '_' + dst_prt_details['id']
l2dom_id, l3subnet_id, rtr_id = (
self.get_logical_port_subnet_mapping(context, src_prt_details))
self._create_nuage_flow_classifier(on_exc,
l2dom_id,
l3subnet_id,
rtr_id,
src_prt_details)
if src_prt_details['id'] != dst_prt_details['id']:
self._create_nuage_flow_classifier(on_exc,
l2dom_id,
l3subnet_id,
rtr_id,
dst_prt_details)
return fc_db
def _create_policygroup(self, context, security_group_id, vsd_subnet):
security_group = self.core_plugin.get_security_group(
context, security_group_id)
# pop rules, make empty policygroup first
security_group_rules = security_group.pop('security_group_rules')
policy_group = self.vsdclient.create_security_group(
vsd_subnet, security_group)
# Before creating rules, we might have to make other policygroups first
# if the rule uses remote_group_id to have rule related to other PG.
with nuage_utils.rollback() as on_exc:
on_exc(self.vsdclient.delete_nuage_policy_group,
policy_group['ID'])
remote_sg_ids = []
for rule in security_group_rules:
remote_sg_id = rule.get('remote_group_id')
if remote_sg_id and remote_sg_id not in remote_sg_ids:
remote_sg_ids.append(remote_sg_id)
self._find_or_create_policygroup(context, remote_sg_id,
vsd_subnet)
self.vsdclient.create_security_group_rules(policy_group,
security_group_rules)
return policy_group
def _process_port_security_groups(self,
db_context,
vport,
domain_id,
domain_type,
added_sg_ids,
removed_sg_ids,
pg_type,
netpartition_id,
vsd_managed=False):
# In VSD managed subnets we disregard the sg_rules of a sg
if netpartition_id:
domain_enterprise_mapping = {domain_id: netpartition_id}
else:
domain_enterprise_mapping = {}
# domainID -> {'ingress': ACL_ID, 'egress': ACL_ID}
domain_acl_mapping = collections.defaultdict(lambda: {
'ingress': None,
'egress': None
})
# domainID -> SG_ID -> PG
domain_sg_pg_mapping = collections.defaultdict(dict)
analysed_securitygroup_ids = set()
sgs = []
for sg_id in added_sg_ids:
if sg_id == vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL:
# Handle PG allow all
suffix = '_HARDWARE' if pg_type == constants.HARDWARE else ''
sg_rules = [{
'id': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL,
'ethertype': ethertype,
'direction': direction
} for ethertype in
[neutron_constants.IPv4, neutron_constants.IPv6]
for direction in neutron_constants.VALID_DIRECTIONS
]
sg = {
'id': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL,
'name': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL + suffix,
'security_group_rules': sg_rules,
'stateful': False
}
sgs.append(sg)
elif not vsd_managed:
# consider all sg_rules in an os managed subnet
sgs_to_add = nuage_utils.collect_all_remote_security_groups(
self.core_plugin, db_context, sg_id,
analysed_securitygroup_ids)
sgs.extend(sgs_to_add)
else:
# Ignore sg_rules in vsd managed subnet
sg = self.core_plugin.get_security_group(db_context, sg_id)
sg['security_group_rules'] = []
sgs.append(sg)
with nuage_utils.rollback() as on_exception:
# Create PGs & ensure HW deny all rule
self.vsdclient.find_create_security_groups(
sgs,
domain_type,
domain_id,
domain_enterprise_mapping,
domain_sg_pg_mapping,
domain_acl_mapping,
on_exception,
pg_type=pg_type,
allow_non_ip=config.default_allow_non_ip_enabled())
# Add & remove PGs to vPort
# We cannot simply override the PG on the vPort
if vport:
added_pgs = [
domain_sg_pg_mapping[domain_id][sg_id]['ID']
for sg_id in added_sg_ids
]
self.vsdclient.find_security_groups_in_domain(
removed_sg_ids,
domain_type,
domain_id,
domain_sg_pg_mapping,
pg_type=pg_type)
removed_pgs = [
domain_sg_pg_mapping[domain_id][sg_id]['ID']
for sg_id in removed_sg_ids
]
self.vsdclient.update_vport_policygroups(
vport['ID'],
add_policygroups=added_pgs,
remove_policygroups=removed_pgs)
return domain_sg_pg_mapping
def create_nuage_external_security_group_rule(
self, context, nuage_external_security_group_rule):
rule = nuage_external_security_group_rule[
'nuage_external_security_group_rule']
self.get_port_attributes_plugin()._validate_redirect_target_port_range(
rule)
filters = {'external': 'true'}
# External group id: External Security Group
ext_pg = self.vsdclient.get_policygroup(
rule['remote_external_group_id'], required=True, **filters)
# Origin Group id: Neutron security group
try:
sg = self.core_plugin.get_security_group(context,
rule['origin_group_id'])
except n_exc.NotFound:
raise nuage_exc.NuageBadRequest(msg="Could not find Securitygroup "
"for external security group rule")
domain_enterprise_mapping = {}
# domainID -> {'ingress': ACL_ID, 'egress': ACL_ID}
domain_acl_mapping = collections.defaultdict(lambda: {
'ingress': None,
'egress': None
})
# domainID -> SG_ID -> PG
domain_sg_pg_mapping = collections.defaultdict(dict)
with nuage_utils.rollback() as on_exception:
self.vsdclient.find_create_security_groups(
[sg],
ext_pg['parentType'],
ext_pg['parentID'],
domain_enterprise_mapping,
domain_sg_pg_mapping,
domain_acl_mapping,
on_exception,
pg_type=vsd_constants.SOFTWARE,
allow_non_ip=config.default_allow_non_ip_enabled())
domain_id = ext_pg['parentID']
domain_type = ext_pg['parentType']
pg_for_rule = domain_sg_pg_mapping[ext_pg['parentID']][
sg['id']]['ID']
# Reverse direction for the rule, as here it means VSD direction
vsd_direction = rule['direction']
rule['direction'] = vsd_constants.DIRECTIONS_OS_VSD[vsd_direction]
acl_entry = self.vsdclient.calculate_acl_entries(
sg_rule=rule,
pg_id=pg_for_rule,
domain_type=domain_type,
domain_id=domain_id,
stateful=True,
domain_enterprise_mapping=domain_enterprise_mapping,
sg_pg_mapping=domain_sg_pg_mapping[domain_id])[0]
acl_entry['externalID'] = ext_pg['externalID']
acl_entry = self.vsdclient.create_acl_entry(
acl_entry, domain_type, domain_id, domain_acl_mapping,
on_exception)
# Reverse direction for the rule, as here it means VSD direction
acl_entry['direction'] = vsd_direction
acl_entry['origin_group_id'] = pg_for_rule
acl_entry['remote_group_id'] = rule['remote_external_group_id']
return self._make_external_security_group_rule_dict(acl_entry,
context=context)
