def _decide_service(self, sg_rule): l4_protocol = self._get_l4_protocol_name(sg_rule['protocol']) if l4_protocol in [consts.TCP, consts.UDP]: # If port_range_min is not specified then we assume all ports are # matched, relying on neutron to perform validation. if sg_rule['port_range_min'] is None: destination_ports = [] elif sg_rule['port_range_min'] != sg_rule['port_range_max']: # NSX API requires a non-empty range (e.g - '22-23') destination_ports = ['%(port_range_min)s-%(port_range_max)s' % sg_rule] else: destination_ports = ['%(port_range_min)s' % sg_rule] return self.get_nsservice( consts.L4_PORT_SET_NSSERVICE, l4_protocol=l4_protocol, source_ports=[], destination_ports=destination_ports) elif l4_protocol == consts.ICMPV4: # Validate the icmp type & code icmp_type = sg_rule['port_range_min'] icmp_code = sg_rule['port_range_max'] icmp_strict = self.nsxlib.feature_supported( consts.FEATURE_ICMP_STRICT) if icmp_type: if (icmp_strict and icmp_type not in constants.IPV4_ICMP_STRICT_TYPES): raise exceptions.InvalidInput( operation='create_rule', arg_val=icmp_type, arg_name='icmp_type') if icmp_type not in constants.IPV4_ICMP_TYPES: raise exceptions.InvalidInput( operation='create_rule', arg_val=icmp_type, arg_name='icmp_type') if (icmp_code and icmp_strict and icmp_code not in constants. IPV4_ICMP_STRICT_TYPES[icmp_type]): raise exceptions.InvalidInput( operation='create_rule', arg_val=icmp_code, arg_name='icmp_code for this icmp_type') if (icmp_code and icmp_code not in constants.IPV4_ICMP_TYPES[icmp_type]): raise exceptions.InvalidInput( operation='create_rule', arg_val=icmp_code, arg_name='icmp_code for this icmp_type') return self.get_nsservice( consts.ICMP_TYPE_NSSERVICE, protocol=l4_protocol, icmp_type=icmp_type, icmp_code=icmp_code) elif l4_protocol is not None: return self.get_nsservice( consts.IP_PROTOCOL_NSSERVICE, protocol_number=l4_protocol)
def validate_icmp_params(icmp_type, icmp_code, icmp_version=4, strict=False): if icmp_version != 4: # ICMPv6 is currently not supported return if icmp_type: if (strict and icmp_type not in constants.IPV4_ICMP_STRICT_TYPES): raise nsxlib_exceptions.InvalidInput(operation='create_rule', arg_val=icmp_type, arg_name='icmp_type') if icmp_type not in constants.IPV4_ICMP_TYPES: raise nsxlib_exceptions.InvalidInput(operation='create_rule', arg_val=icmp_type, arg_name='icmp_type') if (icmp_code and strict and icmp_code not in constants.IPV4_ICMP_STRICT_TYPES[icmp_type]): raise nsxlib_exceptions.InvalidInput( operation='create_rule', arg_val=icmp_code, arg_name='icmp_code for this icmp_type') if (icmp_code and icmp_code not in constants.IPV4_ICMP_TYPES[icmp_type]): raise nsxlib_exceptions.InvalidInput( operation='create_rule', arg_val=icmp_code, arg_name='icmp_code for this icmp_type')
def _build_args(body, display_name=None, description=None, tags=None, resource_type=None, **kwargs): if display_name: body['display_name'] = display_name if description: body['description'] = description if tags: body['tags'] = tags if resource_type == PersistenceProfileTypes.COOKIE: body['resource_type'] = resource_type extra_args = [ 'cookie_domain', 'cookie_fallback', 'cookie_garble', 'cookie_mode', 'cookie_name', 'cookie_path', 'cookie_time' ] return utils.build_extra_args(body, extra_args, **kwargs) elif resource_type == PersistenceProfileTypes.SOURCE_IP: body['resource_type'] = resource_type extra_args = [ 'ha_persistence_mirroring_enabled', 'purge', 'timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) else: raise nsxlib_exc.InvalidInput( operation='create_persistence_profile', arg_val=resource_type, arg_name='resource_type')
def _build_args(body, display_name=None, description=None, tags=None, resource_type=None, **kwargs): if display_name: body['display_name'] = display_name if description: body['description'] = description if tags: body['tags'] = tags if resource_type is None: return body if resource_type == ApplicationProfileTypes.HTTP: body['resource_type'] = resource_type extra_args = [ 'http_redirect_to', 'http_redirect_to_https', 'ntlm', 'request_header_size', 'x_forwarded_for', 'idle_timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) elif (resource_type == ApplicationProfileTypes.FAST_TCP or resource_type == ApplicationProfileTypes.FAST_UDP): body['resource_type'] = resource_type extra_args = ['ha_flow_mirroring_enabled', 'idle_timeout'] return utils.build_extra_args(body, extra_args, **kwargs) else: raise nsxlib_exc.InvalidInput( operation='create_application_profile', arg_val=resource_type, arg_name='resource_type')
def _build_args(body, display_name=None, description=None, tags=None, resource_type=None, **kwargs): if display_name: body['display_name'] = display_name if description: body['description'] = description if tags: body['tags'] = tags if resource_type == MonitorTypes.HTTP: body['resource_type'] = resource_type extra_args = [ 'fall_count', 'interval', 'monitor_port', 'request_body', 'request_method', 'request_url', 'request_version', 'response_body', 'response_status_codes', 'rise_count', 'timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) elif resource_type == MonitorTypes.HTTPS: body['resource_type'] = resource_type extra_args = [ 'certificate_chain_depth', 'ciphers', 'client_certificate_id', 'fall_count', 'interval', 'monitor_port', 'protocols', 'request_body', 'request_method', 'request_url', 'request_version', 'response_body', 'response_status_codes', 'rise_count', 'server_auth', 'server_auth_ca_ids', 'server_auth_crl_ids', 'timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) elif resource_type == MonitorTypes.ICMP: body['resource_type'] = resource_type extra_args = [ 'data_length', 'fall_count', 'interval', 'monitor_port', 'rise_count', 'timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) elif resource_type == MonitorTypes.PASSIVE: body['resource_type'] = resource_type extra_args = ['max_fails', 'timeout'] return utils.build_extra_args(body, extra_args, **kwargs) elif (resource_type == MonitorTypes.TCP or resource_type == MonitorTypes.UDP): body['resource_type'] = resource_type extra_args = [ 'fall_count', 'interval', 'monitor_port', 'receive', 'rise_count', 'send', 'timeout' ] return utils.build_extra_args(body, extra_args, **kwargs) else: raise nsxlib_exc.InvalidInput(operation='create_monitor', arg_val=resource_type, arg_name='resource_type')
def _validate_nat_rule_action(self, action): if not action: return if action in ['SNAT', 'DNAT', 'NO_NAT', 'REFLEXIVE']: # legal values for all NSX versions return if (action not in ['NO_SNAT', 'NO_DNAT'] or (self.nsxlib and not self.nsxlib.feature_supported( nsx_constants.FEATURE_NO_DNAT_NO_SNAT))): raise exceptions.InvalidInput(operation="Create/Update NAT rule", arg_val=action, arg_name='action')
def _add_rule_in_position(self, body, lb_rule, position): lb_rules = body.get('rules', []) if position < 0: lb_rules.append(lb_rule) elif position <= len(lb_rules): lb_rules.insert(position, lb_rule) else: raise nsxlib_exc.InvalidInput(operation='Insert rule in position', arg_val=position, arg_name='position') return lb_rules
def create_identity(self, name, cert_id, node_id, permission_group): # Validate permission group before sending to server if permission_group not in USER_GROUP_TYPES: raise nsxlib_exc.InvalidInput( operation='create_identity', arg_val=permission_group, arg_name='permission_group') body = {'name': name, 'certificate_id': cert_id, 'node_id': node_id, 'permission_group': permission_group, 'is_protected': True} self.client.create(ID_SECTION, body)
def create(self, cidr, allocation_ranges=None, display_name=None, description=None, gateway_ip=None, dns_nameservers=None, tags=None): """Create an IpPool. Arguments: cidr: (required) allocation_ranges: (optional) a list of dictionaries, each with 'start' and 'end' keys, and IP values. If None: the cidr will be used to create the ranges, excluding the gateway. display_name: (optional) description: (optional) gateway_ip: (optional) dns_nameservers: (optional) list of addresses """ if not cidr: raise exceptions.InvalidInput(operation="IP Pool create", arg_name="cidr", arg_val=cidr) if not allocation_ranges: # generate ranges from (cidr - gateway) allocation_ranges = self._generate_ranges(cidr, gateway_ip) subnet = {"allocation_ranges": allocation_ranges, "cidr": cidr} if gateway_ip: subnet["gateway_ip"] = gateway_ip if dns_nameservers: subnet["dns_nameservers"] = dns_nameservers body = {"subnets": [subnet]} if description: body["description"] = description if display_name: body["display_name"] = display_name if tags: body['tags'] = tags return self.client.create(self.get_path(), body=body)
def get_l4_protocol_name(protocol_number): if protocol_number is None: return protocol_number = constants.IP_PROTOCOL_MAP.get(protocol_number, protocol_number) try: protocol_number = int(protocol_number) except ValueError: raise nsxlib_exceptions.InvalidInput(operation='create_rule', arg_val=protocol_number, arg_name='protocol') if protocol_number == 6: return nsx_constants.TCP elif protocol_number == 17: return nsx_constants.UDP elif protocol_number == 1: return nsx_constants.ICMPV4 else: return protocol_number
def create(self, display_name, edge_cluster_id, tags, edge_cluster_member_indexes=None, failover_mode=None): """Create a bridge endpoint profile on the backend. Create a bridge endpoint profile for a given edge cluster. :param display_name: name of the bridge endpoint profile :param edge_cluster_id: identifier of the edge cluster this profile should be associated with. :param tags: tags for the newly created resource. :param edge_cluster_member_indexes: iterable of integers specifying edge cluster members where the bridge endpoints will be created :param failover_mode: failover mode for the profile. Could be either PREEMPTIVE or NON_PREEMPTIVE. """ tags = tags or [] body = {'display_name': display_name, 'tags': tags} if failover_mode: body['failover_mode'] = failover_mode if edge_cluster_member_indexes: # Test for a list of integers try: member_indexes = [ int(member_idx) for member_idx in edge_cluster_member_indexes ] body['edge_cluster_member_indexes'] = member_indexes except (TypeError, ValueError) as e: LOG.Error("Invalid values for member indexes: %s", e) raise exceptions.InvalidInput( operation='Create BridgeEndpointProfile', arg_val=edge_cluster_member_indexes, arg_name='edge_cluster_member_indexes') return self.client.create(self.get_path(), body)
def create(self, display_name, transport_zone_id, tags, replication_mode=nsx_constants.MTEP, admin_state=True, vlan_id=None, ip_pool_id=None, mac_pool_id=None, description=None, trunk_vlan_range=None): operation = "Create logical switch" if display_name: display_name = utils.escape_display_name(display_name) # TODO(salv-orlando): Validate Replication mode and admin_state # NOTE: These checks might be moved to the API client library if one # that performs such checks in the client is available body = { 'transport_zone_id': transport_zone_id, 'replication_mode': replication_mode, 'display_name': display_name, 'tags': tags } if admin_state: body['admin_state'] = nsx_constants.ADMIN_STATE_UP else: body['admin_state'] = nsx_constants.ADMIN_STATE_DOWN if trunk_vlan_range: failed = False if (self.nsxlib and self.nsxlib.feature_supported( nsx_constants.FEATURE_TRUNK_VLAN)): if vlan_id is not None: failed = True LOG.error( "Failed to create logical switch %(name)s with " "trunk vlan: vlan id %(vlan)s is used.", { 'name': display_name, 'vlan': vlan_id }) elif (len(trunk_vlan_range) != 2 or trunk_vlan_range[0] > trunk_vlan_range[1]): failed = True LOG.error( "Failed to create logical switch %(name)s with " "trunk vlan: illegal range (%(trunk)s) is used.", { 'name': display_name, 'trunk': trunk_vlan_range }) else: body['vlan_trunk_spec'] = { 'vlan_ranges': [{ 'start': trunk_vlan_range[0], 'end': trunk_vlan_range[1] }] } else: LOG.error( "Failed to create logical switch %s with trunk " "vlan: this feature is not supported.", display_name) failed = True if failed: raise exceptions.InvalidInput(operation=operation, arg_val=trunk_vlan_range, arg_name='trunk_vlan_range') elif vlan_id: body['vlan'] = vlan_id if ip_pool_id: body['ip_pool_id'] = ip_pool_id if mac_pool_id: body['mac_pool_id'] = mac_pool_id if description is not None: body['description'] = description return self.client.create(self.get_path(), body)