def _check_ikepolicy_ipsecpolicy_allowed(self, ikepolicy, ipsecpolicy):
    """Reject IKE/IPsec policy pairs that vshield edge cannot configure.

    The edge accepts only a subset of the VPNaaS option space: IKE 'v1',
    the ciphers keyed in ENCRYPTION_ALGORITHM_MAP, the DH groups keyed in
    PFS_MAP, and the values listed in TRANSFORM_PROTOCOL_ALLOWED and
    ENCAPSULATION_MODE_ALLOWED.

    :param ikepolicy: dict read for 'ike_version', 'auth_algorithm',
        'encryption_algorithm' and 'pfs'.
    :param ipsecpolicy: dict read for 'auth_algorithm',
        'encryption_algorithm', 'pfs', 'transform_protocol' and
        'encapsulation_mode'.
    :raises vcns_exc.VcnsBadRequest: on the first unsupported value, checked
        in this order: IKE version, encryption algorithm, pfs, transform
        protocol, encapsulation mode. Each rejection is logged at WARNING
        first.

    NOTE(security): the edge keeps one algorithm set for Phase 1 and
    Phase 2. When the two policies disagree this code only logs a warning
    and the edge is configured from ``ipsecpolicy``; the IKE policy's
    auth/encryption/pfs values are not what gets deployed in that case, so
    a tenant asking for stronger Phase 1 settings silently gets the Phase 2
    ones. Note also that the rejection text advertises '3des' as
    supported; whether it is still in ENCRYPTION_ALGORITHM_MAP cannot be
    seen from here.
    """
    def reject(resource, msg):
        # Log first, then surface the problem to the API caller.
        LOG.warning(msg)
        raise vcns_exc.VcnsBadRequest(resource=resource, msg=msg)

    ike_version = ikepolicy['ike_version']
    if ike_version != 'v1':
        reject('ikepolicy',
               _("Unsupported ike_version: %s! Only 'v1' ike version is "
                 "supported on vshield Edge!") % ike_version)

    # Phase 1 / Phase 2 share one algorithm set on the edge. A mismatch is
    # only recorded; the ipsecpolicy values are the ones validated and used.
    mismatched = any(
        ikepolicy[key] != ipsecpolicy[key]
        for key in ('auth_algorithm', 'encryption_algorithm', 'pfs'))
    if mismatched:
        LOG.warning(_("IKEPolicy and IPsecPolicy should have consistent "
                      "auth_algorithm, encryption_algorithm and pfs for VSE!"))

    # Cipher: must map to a non-empty edge value.
    cipher = ENCRYPTION_ALGORITHM_MAP.get(
        ipsecpolicy.get('encryption_algorithm'), None)
    if not cipher:
        reject('ipsecpolicy',
               _("Unsupported encryption_algorithm: %s! '3des', "
                 "'aes-128' and 'aes-256' are supported on VSE right now."
                 ) % ipsecpolicy['encryption_algorithm'])

    # DH group for perfect forward secrecy.
    pfs = ipsecpolicy['pfs']
    if not PFS_MAP.get(pfs):
        reject('ipsecpolicy',
               _("Unsupported pfs: %s! 'group2' and 'group5' "
                 "are supported on VSE right now.") % pfs)

    # Transform protocol (the edge only does ESP per the message text).
    transform = ipsecpolicy['transform_protocol']
    if transform not in TRANSFORM_PROTOCOL_ALLOWED:
        reject('ipsecpolicy',
               _("Unsupported transform protocol: %s! 'esp' is supported "
                 "by default on VSE right now.") % transform)

    # Encapsulation mode.
    encap = ipsecpolicy['encapsulation_mode']
    if encap not in ENCAPSULATION_MODE_ALLOWED:
        reject('ipsecpolicy',
               _("Unsupported encapsulation mode: %s! 'tunnel' is "
                 "supported by default on VSE right now.") % encap)
def _convert_app_profile(self, name, sess_persist, protocol):
    """Build the vshield application-profile body for a load-balancer vip.

    :param name: profile name written verbatim into the request.
    :param sess_persist: dict; 'type' selects the persistence method and
        'cookie_name' is used for cookie-based types.
    :param protocol: one of the ``lb_constants.PROTOCOL_*`` values, used as
        the edge 'template'.
    :returns: dict in the edge's applicationProfile schema.
    :raises vcns_exc.VcnsBadRequest: when a non-HTTP protocol asks for a
        persistence type other than source IP.

    NOTE(security): the profile is built with ``insertXForwardedFor``
    False, so the edge is not asked to add the client address to forwarded
    requests, and HTTPS is handled as ``sslPassthrough`` (no TLS termination,
    hence no L7 inspection or header insertion at the edge). When a cookie
    persistence type is requested without a cookie name the fixed name
    'default_cookie_name' is used for every such vip.
    """
    profile = {
        'insertXForwardedFor': False,
        'name': name,
        'serverSslEnabled': False,
        # SSL termination is not supported, so HTTPS is passed through.
        'sslPassthrough': protocol == lb_constants.PROTOCOL_HTTPS,
        'template': protocol,
    }

    persist_type = sess_persist.get('type')
    if not persist_type:
        return profile

    # Anything other than HTTP can only persist on source IP.
    source_ip_only = protocol != lb_constants.PROTOCOL_HTTP
    if (source_ip_only and
            persist_type != lb_constants.SESSION_PERSISTENCE_SOURCE_IP):
        msg = (_("Invalid %(protocol)s persistence method: %(type)s") %
               {'protocol': protocol, 'type': persist_type})
        raise vcns_exc.VcnsBadRequest(resource='sess_persist', msg=msg)

    # NOTE(review): a type missing from SESSION_PERSISTENCE_METHOD_MAP
    # yields 'method': None here rather than an error; whether every
    # neutron type is mapped cannot be confirmed from this block.
    persistence = {
        'method': SESSION_PERSISTENCE_METHOD_MAP.get(persist_type),
    }
    if persist_type in SESSION_PERSISTENCE_COOKIE_MAP:
        persistence['cookieName'] = (sess_persist.get('cookie_name') or
                                     'default_cookie_name')
        persistence['cookieMode'] = SESSION_PERSISTENCE_COOKIE_MAP.get(
            persist_type)
    profile['persistence'] = persistence
    return profile
def _convert_firewall_action(self, action):
    """Translate a neutron FWaaS rule action into the vshield edge value.

    :param action: ``constants.FWAAS_ALLOW`` or ``constants.FWAAS_DENY``.
    :returns: ``VSE_FWAAS_ALLOW`` or ``VSE_FWAAS_DENY`` respectively.
    :raises vcns_exc.VcnsBadRequest: for any other value, so an unknown
        action is never silently turned into an allow or a deny.
    """
    translations = (
        (constants.FWAAS_ALLOW, VSE_FWAAS_ALLOW),
        (constants.FWAAS_DENY, VSE_FWAAS_DENY),
    )
    for neutron_value, edge_value in translations:
        if action == neutron_value:
            return edge_value
    msg = _("Invalid action value %s in a firewall rule") % action
    raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)
def _restore_firewall_action(self, action):
    """Translate a vshield edge rule action back into the neutron value.

    Inverse of ``_convert_firewall_action``.

    :param action: ``VSE_FWAAS_ALLOW`` or ``VSE_FWAAS_DENY`` as read from
        the edge.
    :returns: ``constants.FWAAS_ALLOW`` or ``constants.FWAAS_DENY``.
    :raises vcns_exc.VcnsBadRequest: for any other value, so an edge rule
        with an unrecognised action is surfaced rather than mapped to a
        guess.
    """
    translations = (
        (VSE_FWAAS_ALLOW, constants.FWAAS_ALLOW),
        (VSE_FWAAS_DENY, constants.FWAAS_DENY),
    )
    for edge_value, neutron_value in translations:
        if action == edge_value:
            return neutron_value
    msg = _("Invalid action value %s in a vshield firewall rule") % action
    raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)
def insert_rule(self, context, rule_info, edge_id, fwr):
    """Insert a firewall rule relative to an existing rule on an edge.

    :param context: request context, passed through to the helper.
    :param rule_info: dict; 'insert_before' places ``fwr`` above that rule
        id, otherwise 'insert_after' places it below. 'insert_before' wins
        when both are present.
    :param edge_id: the vshield edge to update.
    :param fwr: the rule to insert.
    :raises vcns_exc.VcnsBadRequest: when neither reference id is set.

    NOTE(review): the reference ids are tested for truthiness, so a falsy
    id (e.g. 0 or '') is treated as absent; fine for UUID strings, but
    confirm the id type if that ever changes. Authorisation of the caller
    against ``edge_id`` is not done here.
    """
    anchor = rule_info.get('insert_before')
    if anchor:
        self._add_rule_above(context, anchor, edge_id, fwr)
        return

    anchor = rule_info.get('insert_after')
    if anchor:
        self._add_rule_below(context, anchor, edge_id, fwr)
        return

    msg = _("Can't execute insert rule operation without reference rule_id")
    raise vcns_exc.VcnsBadRequest(resource='firewall_rule', msg=msg)