def _update_subnets_and_dnat_firewall_on_routers(self, context, target_router_id, router_ids, allow_external=True): fake_fw_rules = [] for router_id in router_ids: router_qry = context.session.query(l3_db_models.Router) router = router_qry.filter_by(id=router_id).one() subnet_cidrs = self.plugin._find_router_subnets_cidrs( context, router['id']) routes = self.plugin._get_extra_routes_by_router_id( context, router['id']) subnet_cidrs.extend([route['destination'] for route in routes]) if subnet_cidrs: # Add fw rule to open subnets firewall flows and static routes # relative flows fake_subnet_fw_rule = { 'name': 'Subnet Rule', 'action': 'allow', 'enabled': True, 'source_ip_address': subnet_cidrs, 'destination_ip_address': subnet_cidrs} fake_fw_rules.append(fake_subnet_fw_rule) _, dnat_rules = self.plugin._get_nat_rules(context, router) dnat_cidrs = [rule['dst'] for rule in dnat_rules] if dnat_cidrs: # Fake fw rule to open dnat firewall flows fake_dnat_fw_rule = { 'name': 'DNAT Rule', 'action': 'allow', 'enabled': True, 'destination_ip_address': dnat_cidrs} fake_fw_rules.append(fake_dnat_fw_rule) # Add rule for not NAT-ed allocation pools alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule( context, router) if alloc_pool_rule: fake_fw_rules.append(alloc_pool_rule) # Add no-snat rules nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules( context, router) fake_fw_rules.extend(nosnat_fw_rules) # If metadata service is enabled, block access to inter-edge network if self.plugin.metadata_proxy_handler: fake_fw_rules += ( nsx_v_md_proxy.get_router_fw_rules()) # TODO(asarfaty): Add fwaas rules when fwaas supports shared routers fake_fw = {'firewall_rule_list': fake_fw_rules} edge_utils.update_firewall(self.nsx_v, context, target_router_id, fake_fw, allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self, context, target_router_id, router_ids, allow_external=True): fake_fw_rules = [] for router_id in router_ids: router_qry = context.session.query(l3_db.Router) router = router_qry.filter_by(id=router_id).one() subnet_cidrs = self.plugin._find_router_subnets_cidrs( context, router['id']) routes = self.plugin._get_extra_routes_by_router_id( context, router['id']) subnet_cidrs.extend([route['destination'] for route in routes]) if subnet_cidrs: # Fake fw rule to open subnets firewall flows and static routes # relative flows fake_subnet_fw_rule = { 'action': 'allow', 'enabled': True, 'source_ip_address': subnet_cidrs, 'destination_ip_address': subnet_cidrs } fake_fw_rules.append(fake_subnet_fw_rule) _, dnat_rules = self.plugin._get_nat_rules(context, router) dnat_cidrs = [rule['dst'] for rule in dnat_rules] if dnat_cidrs: # Fake fw rule to open dnat firewall flows fake_dnat_fw_rule = { 'action': 'allow', 'enabled': True, 'destination_ip_address': dnat_cidrs } fake_fw_rules.append(fake_dnat_fw_rule) nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules( context, router) fake_fw_rules.extend(nosnat_fw_rules) # If metadata service is enabled, block access to inter-edge network if self.plugin.metadata_proxy_handler: fake_fw_rules += (nsx_v_md_proxy.get_router_fw_rules()) # TODO(berlin): Add fw rules if fw service is supported fake_fw = {'firewall_rule_list': fake_fw_rules} edge_utils.update_firewall(self.nsx_v, context, target_router_id, fake_fw, allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self, context, target_router_id, router_ids, allow_external=True): fake_fw_rules = [] for router_id in router_ids: router_qry = context.session.query(l3_db.Router) router = router_qry.filter_by(id=router_id).one() subnet_cidrs = self.plugin._find_router_subnets_cidrs( context, router['id']) routes = self.plugin._get_extra_routes_by_router_id( context, router['id']) subnet_cidrs.extend([route['destination'] for route in routes]) if subnet_cidrs: # Fake fw rule to open subnets firewall flows and static routes # relative flows fake_subnet_fw_rule = { 'action': 'allow', 'enabled': True, 'source_ip_address': subnet_cidrs, 'destination_ip_address': subnet_cidrs} fake_fw_rules.append(fake_subnet_fw_rule) _, dnat_rules = self.plugin._get_nat_rules(context, router) dnat_cidrs = [rule['dst'] for rule in dnat_rules] if dnat_cidrs: # Fake fw rule to open dnat firewall flows fake_dnat_fw_rule = { 'action': 'allow', 'enabled': True, 'destination_ip_address': dnat_cidrs} fake_fw_rules.append(fake_dnat_fw_rule) nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules( context, router) fake_fw_rules.extend(nosnat_fw_rules) # If metadata service is enabled, block access to inter-edge network if self.plugin.metadata_proxy_handler: fake_fw_rules += ( nsx_v_md_proxy.get_router_fw_rules()) # TODO(berlin): Add fw rules if fw service is supported fake_fw = {'firewall_rule_list': fake_fw_rules} edge_utils.update_firewall(self.nsx_v, context, target_router_id, fake_fw, allow_external=allow_external)
def _update_subnets_and_dnat_firewall_on_routers(self, context, target_router_id, router_ids, allow_external=True): fw_rules = [] for router_id in router_ids: # Add FW rules per single router router_qry = context.session.query(l3_db_models.Router) router = router_qry.filter_by(id=router_id).one() # subnet rules to allow east-west traffic subnet_rules = self.plugin._get_subnet_fw_rules(context, router) if subnet_rules: fw_rules.extend(subnet_rules) # DNAT rules dnat_rule = self.plugin._get_dnat_fw_rule(context, router) if dnat_rule: fw_rules.append(dnat_rule) # Add rule for not NAT-ed allocation pools alloc_pool_rule = self.plugin._get_allocation_pools_fw_rule( context, router) if alloc_pool_rule: fw_rules.append(alloc_pool_rule) # Add no-snat rules nosnat_fw_rules = self.plugin._get_nosnat_subnets_fw_rules( context, router) fw_rules.extend(nosnat_fw_rules) # If metadata service is enabled, block access to inter-edge network if self.plugin.metadata_proxy_handler: fw_rules += nsx_v_md_proxy.get_router_fw_rules() # TODO(asarfaty): Add fwaas rules when fwaas supports shared routers fw = {'firewall_rule_list': fw_rules} edge_utils.update_firewall(self.nsx_v, context, target_router_id, fw, allow_external=allow_external)
def _setup_new_proxy_edge(self, rtr_ext_ip): # Use separate context per each as we use this in tread context context = neutron_context.get_admin_context() rtr_id = None try: rtr_name = 'metadata_proxy_router' if not self.az.is_default(): rtr_name = '%s-%s' % (rtr_name, self.az.name) router_data = { 'router': { 'name': rtr_name, 'admin_state_up': True, 'router_type': 'exclusive', 'availability_zone_hints': [self.az.name], 'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}} rtr = self.nsxv_plugin.create_router( context, router_data, allow_metadata=False) rtr_id = rtr['id'] edge_id = self._get_edge_id_by_rtr_id(context, rtr_id) if not edge_id: LOG.error('No edge create for router - %s', rtr_id) if rtr_id: self.nsxv_plugin.delete_router(context, rtr_id) return self.nsxv_plugin.nsx_v.update_interface( rtr['id'], edge_id, vcns_const.EXTERNAL_VNIC_INDEX, self.az.mgt_net_moid, address=rtr_ext_ip, netmask=self.az.mgt_net_proxy_netmask, secondary=[]) port_data = { 'port': { 'network_id': self.internal_net, 'name': None, 'admin_state_up': True, 'device_id': rtr_id, 'device_owner': (constants.DEVICE_OWNER_NETWORK_PREFIX + 'md_interface'), 'fixed_ips': constants.ATTR_NOT_SPECIFIED, 'mac_address': constants.ATTR_NOT_SPECIFIED, 'port_security_enabled': False, 'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}} port = self.nsxv_plugin.base_create_port(context, port_data) address_groups = self._get_address_groups( context, self.internal_net, rtr_id, is_proxy=True) edge_ip = port['fixed_ips'][0]['ip_address'] with locking.LockManager.get_lock(edge_id): edge_utils.update_internal_interface( self.nsxv_plugin.nsx_v, context, rtr_id, self.internal_net, address_groups) self._setup_metadata_lb(rtr_id, port['fixed_ips'][0]['ip_address'], cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_ips, proxy_lb=True) firewall_rules = [ DEFAULT_EDGE_FIREWALL_RULE, { 'action': 'allow', 'enabled': True, 'source_ip_address': [INTERNAL_SUBNET]}] edge_utils.update_firewall( self.nsxv_plugin.nsx_v, context, rtr_id, {'firewall_rule_list': firewall_rules}, allow_external=False) if self.az.mgt_net_default_gateway: self.nsxv_plugin._update_routes( context, rtr_id, self.az.mgt_net_default_gateway) nsxv_db.create_nsxv_internal_edge( context.session, rtr_ext_ip, vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id) return edge_ip except Exception as e: LOG.exception("Exception %s while creating internal edge " "for metadata service", e) ports = self.nsxv_plugin.get_ports( context, filters={'device_id': [rtr_id]}) for port in ports: self.nsxv_plugin.delete_port(context, port['id'], l3_port_check=True, nw_gw_port_check=True) nsxv_db.delete_nsxv_internal_edge( context.session, rtr_ext_ip) if rtr_id: self.nsxv_plugin.delete_router(context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip): # Use separate context per each as we use this in tread context context = neutron_context.get_admin_context() rtr_id = None try: rtr_name = 'metadata_proxy_router' if not self.az.is_default(): rtr_name = '%s-%s' % (rtr_name, self.az.name) router_data = { 'router': { 'name': rtr_name, 'admin_state_up': True, 'router_type': 'exclusive', 'availability_zone_hints': [self.az.name], 'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}} rtr = self.nsxv_plugin.create_router( context, router_data, allow_metadata=False) rtr_id = rtr['id'] edge_id = self._get_edge_id_by_rtr_id(context, rtr_id) if not edge_id: LOG.error('No edge create for router - %s', rtr_id) if rtr_id: self.nsxv_plugin.delete_router(context, rtr_id) return self.nsxv_plugin.nsx_v.update_interface( rtr['id'], edge_id, vcns_const.EXTERNAL_VNIC_INDEX, self.az.mgt_net_moid, address=rtr_ext_ip, netmask=self.az.mgt_net_proxy_netmask, secondary=[]) port_data = { 'port': { 'network_id': self.internal_net, 'name': None, 'admin_state_up': True, 'device_id': rtr_id, 'device_owner': (constants.DEVICE_OWNER_NETWORK_PREFIX + 'md_interface'), 'fixed_ips': constants.ATTR_NOT_SPECIFIED, 'mac_address': constants.ATTR_NOT_SPECIFIED, 'port_security_enabled': False, 'tenant_id': nsxv_constants.INTERNAL_TENANT_ID}} port = self.nsxv_plugin.base_create_port(context, port_data) address_groups = self._get_address_groups( context, self.internal_net, rtr_id, is_proxy=True) edge_ip = port['fixed_ips'][0]['ip_address'] with locking.LockManager.get_lock(edge_id): edge_utils.update_internal_interface( self.nsxv_plugin.nsx_v, context, rtr_id, self.internal_net, address_groups) self._setup_metadata_lb(rtr_id, port['fixed_ips'][0]['ip_address'], cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_ips, proxy_lb=True) firewall_rules = [ DEFAULT_EDGE_FIREWALL_RULE, { 'action': 'allow', 'enabled': True, 'source_ip_address': [INTERNAL_SUBNET]}] edge_utils.update_firewall( self.nsxv_plugin.nsx_v, context, rtr_id, {'firewall_rule_list': firewall_rules}, allow_external=False) if self.az.mgt_net_default_gateway: self.nsxv_plugin._update_routes( context, rtr_id, self.az.mgt_net_default_gateway) nsxv_db.create_nsxv_internal_edge( context.session, rtr_ext_ip, vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id) return edge_ip except Exception as e: LOG.exception("Exception %s while creating internal edge " "for metadata service", e) ports = self.nsxv_plugin.get_ports( context, filters={'device_id': [rtr_id]}) for port in ports: self.nsxv_plugin.delete_port(context, port['id'], l3_port_check=True, nw_gw_port_check=True, allow_delete_internal=True) nsxv_db.delete_nsxv_internal_edge( context.session, rtr_ext_ip) if rtr_id: self.nsxv_plugin.delete_router(context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip): rtr_id = None try: router_data = { 'router': { 'name': 'metadata_proxy_router', 'admin_state_up': True, 'router_type': 'exclusive', 'tenant_id': None } } rtr = self.nsxv_plugin.create_router(self.context, router_data, allow_metadata=False) rtr_id = rtr['id'] edge_id = self._get_edge_id_by_rtr_id(rtr_id) self.nsxv_plugin.nsx_v.update_interface( rtr['id'], edge_id, vcns_const.EXTERNAL_VNIC_INDEX, cfg.CONF.nsxv.mgt_net_moid, address=rtr_ext_ip, netmask=cfg.CONF.nsxv.mgt_net_proxy_netmask, secondary=[]) port_data = { 'port': { 'network_id': self.internal_net, 'name': None, 'admin_state_up': True, 'device_id': rtr_id, 'device_owner': constants.DEVICE_OWNER_ROUTER_INTF, 'fixed_ips': constants.ATTR_NOT_SPECIFIED, 'mac_address': constants.ATTR_NOT_SPECIFIED, 'port_security_enabled': False, 'tenant_id': None } } port = self.nsxv_plugin.create_port(self.context, port_data) address_groups = self._get_address_groups(self.context, self.internal_net, rtr_id, is_proxy=True) edge_ip = port['fixed_ips'][0]['ip_address'] edge_utils.update_internal_interface(self.nsxv_plugin.nsx_v, self.context, rtr_id, self.internal_net, address_groups) self._setup_metadata_lb(rtr_id, port['fixed_ips'][0]['ip_address'], cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_ips, proxy_lb=True) firewall_rules = [ DEFAULT_EDGE_FIREWALL_RULE, { 'action': 'allow', 'enabled': True, 'source_ip_address': [INTERNAL_SUBNET] } ] edge_utils.update_firewall(self.nsxv_plugin.nsx_v, self.context, rtr_id, {'firewall_rule_list': firewall_rules}, allow_external=False) if cfg.CONF.nsxv.mgt_net_default_gateway: self.nsxv_plugin._update_routes( self.context, rtr_id, cfg.CONF.nsxv.mgt_net_default_gateway) nsxv_db.create_nsxv_internal_edge( self.context.session, rtr_ext_ip, vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id) return edge_ip except Exception as e: LOG.exception( _LE("Exception %s while creating internal edge " "for metadata service"), e) ports = self.nsxv_plugin.get_ports(self.context, filters={'device_id': [rtr_id]}) for port in ports: self.nsxv_plugin.delete_port(self.context, port['id'], l3_port_check=True, nw_gw_port_check=True) nsxv_db.delete_nsxv_internal_edge(self.context.session, rtr_ext_ip) if rtr_id: self.nsxv_plugin.delete_router(self.context, rtr_id)
def _setup_new_proxy_edge(self, rtr_ext_ip): rtr_id = None try: router_data = { 'router': { 'name': 'metadata_proxy_router', 'admin_state_up': True, 'router_type': 'exclusive', 'tenant_id': None}} rtr = self.nsxv_plugin.create_router( self.context, router_data, allow_metadata=False) rtr_id = rtr['id'] edge_id = self._get_edge_id_by_rtr_id(rtr_id) self.nsxv_plugin.nsx_v.update_interface( rtr['id'], edge_id, vcns_const.EXTERNAL_VNIC_INDEX, cfg.CONF.nsxv.mgt_net_moid, address=rtr_ext_ip, netmask=cfg.CONF.nsxv.mgt_net_proxy_netmask, secondary=[]) port_data = { 'port': { 'network_id': self.internal_net, 'name': None, 'admin_state_up': True, 'device_id': rtr_id, 'device_owner': constants.DEVICE_OWNER_ROUTER_INTF, 'fixed_ips': constants.ATTR_NOT_SPECIFIED, 'mac_address': constants.ATTR_NOT_SPECIFIED, 'port_security_enabled': False, 'tenant_id': None}} port = self.nsxv_plugin.create_port(self.context, port_data) address_groups = self._get_address_groups( self.context, self.internal_net, rtr_id, is_proxy=True) edge_ip = port['fixed_ips'][0]['ip_address'] edge_utils.update_internal_interface( self.nsxv_plugin.nsx_v, self.context, rtr_id, self.internal_net, address_groups) self._setup_metadata_lb(rtr_id, port['fixed_ips'][0]['ip_address'], cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_port, cfg.CONF.nsxv.nova_metadata_ips, proxy_lb=True) firewall_rules = [ DEFAULT_EDGE_FIREWALL_RULE, { 'action': 'allow', 'enabled': True, 'source_ip_address': [INTERNAL_SUBNET]}] edge_utils.update_firewall( self.nsxv_plugin.nsx_v, self.context, rtr_id, {'firewall_rule_list': firewall_rules}, allow_external=False) if cfg.CONF.nsxv.mgt_net_default_gateway: self.nsxv_plugin._update_routes( self.context, rtr_id, cfg.CONF.nsxv.mgt_net_default_gateway) nsxv_db.create_nsxv_internal_edge( self.context.session, rtr_ext_ip, vcns_const.InternalEdgePurposes.INTER_EDGE_PURPOSE, rtr_id) return edge_ip except Exception as e: LOG.exception(_LE("Exception %s while creating internal edge " "for metadata service"), e) ports = self.nsxv_plugin.get_ports( self.context, filters={'device_id': [rtr_id]}) for port in ports: self.nsxv_plugin.delete_port(self.context, port['id'], l3_port_check=True, nw_gw_port_check=True) nsxv_db.delete_nsxv_internal_edge( self.context.session, rtr_ext_ip) if rtr_id: self.nsxv_plugin.delete_router(self.context, rtr_id)