def _decide_service(self, sg_rule):
l4_protocol = self._get_l4_protocol_name(sg_rule['protocol'])
if l4_protocol in [consts.TCP, consts.UDP]:
# If port_range_min is not specified then we assume all ports are
# matched, relying on neutron to perform validation.
if sg_rule['port_range_min'] is None:
destination_ports = []
elif sg_rule['port_range_min'] != sg_rule['port_range_max']:
# NSX API requires a non-empty range (e.g - '22-23')
destination_ports = ['%(port_range_min)s-%(port_range_max)s'
% sg_rule]
else:
destination_ports = ['%(port_range_min)s' % sg_rule]
return self.get_nsservice(
consts.L4_PORT_SET_NSSERVICE,
l4_protocol=l4_protocol,
source_ports=[],
destination_ports=destination_ports)
elif l4_protocol == consts.ICMPV4:
# Validate the icmp type & code
icmp_type = sg_rule['port_range_min']
icmp_code = sg_rule['port_range_max']
icmp_strict = self.nsxlib.feature_supported(
consts.FEATURE_ICMP_STRICT)
if icmp_type:
if (icmp_strict and icmp_type not in
constants.IPV4_ICMP_STRICT_TYPES):
raise exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_type,
arg_name='icmp_type')
if icmp_type not in constants.IPV4_ICMP_TYPES:
raise exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_type,
arg_name='icmp_type')
if (icmp_code and icmp_strict and icmp_code not in constants.
IPV4_ICMP_STRICT_TYPES[icmp_type]):
raise exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_code,
arg_name='icmp_code for this icmp_type')
if (icmp_code and icmp_code not in
constants.IPV4_ICMP_TYPES[icmp_type]):
raise exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_code,
arg_name='icmp_code for this icmp_type')
return self.get_nsservice(
consts.ICMP_TYPE_NSSERVICE,
protocol=l4_protocol,
icmp_type=icmp_type,
icmp_code=icmp_code)
elif l4_protocol is not None:
return self.get_nsservice(
consts.IP_PROTOCOL_NSSERVICE,
protocol_number=l4_protocol)
def validate_icmp_params(icmp_type, icmp_code, icmp_version=4, strict=False):
if icmp_version != 4:
# ICMPv6 is currently not supported
return
if icmp_type:
if (strict and icmp_type not in constants.IPV4_ICMP_STRICT_TYPES):
raise nsxlib_exceptions.InvalidInput(operation='create_rule',
arg_val=icmp_type,
arg_name='icmp_type')
if icmp_type not in constants.IPV4_ICMP_TYPES:
raise nsxlib_exceptions.InvalidInput(operation='create_rule',
arg_val=icmp_type,
arg_name='icmp_type')
if (icmp_code and strict and icmp_code
not in constants.IPV4_ICMP_STRICT_TYPES[icmp_type]):
raise nsxlib_exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_code,
arg_name='icmp_code for this icmp_type')
if (icmp_code
and icmp_code not in constants.IPV4_ICMP_TYPES[icmp_type]):
raise nsxlib_exceptions.InvalidInput(
operation='create_rule',
arg_val=icmp_code,
arg_name='icmp_code for this icmp_type')
def _build_args(body,
display_name=None,
description=None,
tags=None,
resource_type=None,
**kwargs):
if display_name:
body['display_name'] = display_name
if description:
body['description'] = description
if tags:
body['tags'] = tags
if resource_type == PersistenceProfileTypes.COOKIE:
body['resource_type'] = resource_type
extra_args = [
'cookie_domain', 'cookie_fallback', 'cookie_garble',
'cookie_mode', 'cookie_name', 'cookie_path', 'cookie_time'
]
return utils.build_extra_args(body, extra_args, **kwargs)
elif resource_type == PersistenceProfileTypes.SOURCE_IP:
body['resource_type'] = resource_type
extra_args = [
'ha_persistence_mirroring_enabled', 'purge', 'timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
else:
raise nsxlib_exc.InvalidInput(
operation='create_persistence_profile',
arg_val=resource_type,
arg_name='resource_type')
def _build_args(body,
display_name=None,
description=None,
tags=None,
resource_type=None,
**kwargs):
if display_name:
body['display_name'] = display_name
if description:
body['description'] = description
if tags:
body['tags'] = tags
if resource_type is None:
return body
if resource_type == ApplicationProfileTypes.HTTP:
body['resource_type'] = resource_type
extra_args = [
'http_redirect_to', 'http_redirect_to_https', 'ntlm',
'request_header_size', 'x_forwarded_for', 'idle_timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
elif (resource_type == ApplicationProfileTypes.FAST_TCP
or resource_type == ApplicationProfileTypes.FAST_UDP):
body['resource_type'] = resource_type
extra_args = ['ha_flow_mirroring_enabled', 'idle_timeout']
return utils.build_extra_args(body, extra_args, **kwargs)
else:
raise nsxlib_exc.InvalidInput(
operation='create_application_profile',
arg_val=resource_type,
arg_name='resource_type')
def _build_args(body,
display_name=None,
description=None,
tags=None,
resource_type=None,
**kwargs):
if display_name:
body['display_name'] = display_name
if description:
body['description'] = description
if tags:
body['tags'] = tags
if resource_type == MonitorTypes.HTTP:
body['resource_type'] = resource_type
extra_args = [
'fall_count', 'interval', 'monitor_port', 'request_body',
'request_method', 'request_url', 'request_version',
'response_body', 'response_status_codes', 'rise_count',
'timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
elif resource_type == MonitorTypes.HTTPS:
body['resource_type'] = resource_type
extra_args = [
'certificate_chain_depth', 'ciphers', 'client_certificate_id',
'fall_count', 'interval', 'monitor_port', 'protocols',
'request_body', 'request_method', 'request_url',
'request_version', 'response_body', 'response_status_codes',
'rise_count', 'server_auth', 'server_auth_ca_ids',
'server_auth_crl_ids', 'timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
elif resource_type == MonitorTypes.ICMP:
body['resource_type'] = resource_type
extra_args = [
'data_length', 'fall_count', 'interval', 'monitor_port',
'rise_count', 'timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
elif resource_type == MonitorTypes.PASSIVE:
body['resource_type'] = resource_type
extra_args = ['max_fails', 'timeout']
return utils.build_extra_args(body, extra_args, **kwargs)
elif (resource_type == MonitorTypes.TCP
or resource_type == MonitorTypes.UDP):
body['resource_type'] = resource_type
extra_args = [
'fall_count', 'interval', 'monitor_port', 'receive',
'rise_count', 'send', 'timeout'
]
return utils.build_extra_args(body, extra_args, **kwargs)
else:
raise nsxlib_exc.InvalidInput(operation='create_monitor',
arg_val=resource_type,
arg_name='resource_type')
def _validate_nat_rule_action(self, action):
if not action:
return
if action in ['SNAT', 'DNAT', 'NO_NAT', 'REFLEXIVE']:
# legal values for all NSX versions
return
if (action not in ['NO_SNAT', 'NO_DNAT']
or (self.nsxlib and not self.nsxlib.feature_supported(
nsx_constants.FEATURE_NO_DNAT_NO_SNAT))):
raise exceptions.InvalidInput(operation="Create/Update NAT rule",
arg_val=action,
arg_name='action')
def _add_rule_in_position(self, body, lb_rule, position):
lb_rules = body.get('rules', [])
if position < 0:
lb_rules.append(lb_rule)
elif position <= len(lb_rules):
lb_rules.insert(position, lb_rule)
else:
raise nsxlib_exc.InvalidInput(operation='Insert rule in position',
arg_val=position,
arg_name='position')
return lb_rules
def create_identity(self, name, cert_id,
node_id, permission_group):
# Validate permission group before sending to server
if permission_group not in USER_GROUP_TYPES:
raise nsxlib_exc.InvalidInput(
operation='create_identity',
arg_val=permission_group,
arg_name='permission_group')
body = {'name': name, 'certificate_id': cert_id,
'node_id': node_id, 'permission_group': permission_group,
'is_protected': True}
self.client.create(ID_SECTION, body)
def create(self,
cidr,
allocation_ranges=None,
display_name=None,
description=None,
gateway_ip=None,
dns_nameservers=None,
tags=None):
"""Create an IpPool.
Arguments:
cidr: (required)
allocation_ranges: (optional) a list of dictionaries, each with
'start' and 'end' keys, and IP values.
If None: the cidr will be used to create the ranges,
excluding the gateway.
display_name: (optional)
description: (optional)
gateway_ip: (optional)
dns_nameservers: (optional) list of addresses
"""
if not cidr:
raise exceptions.InvalidInput(operation="IP Pool create",
arg_name="cidr",
arg_val=cidr)
if not allocation_ranges:
# generate ranges from (cidr - gateway)
allocation_ranges = self._generate_ranges(cidr, gateway_ip)
subnet = {"allocation_ranges": allocation_ranges, "cidr": cidr}
if gateway_ip:
subnet["gateway_ip"] = gateway_ip
if dns_nameservers:
subnet["dns_nameservers"] = dns_nameservers
body = {"subnets": [subnet]}
if description:
body["description"] = description
if display_name:
body["display_name"] = display_name
if tags:
body['tags'] = tags
return self.client.create(self.get_path(), body=body)
def get_l4_protocol_name(protocol_number):
if protocol_number is None:
return
protocol_number = constants.IP_PROTOCOL_MAP.get(protocol_number,
protocol_number)
try:
protocol_number = int(protocol_number)
except ValueError:
raise nsxlib_exceptions.InvalidInput(operation='create_rule',
arg_val=protocol_number,
arg_name='protocol')
if protocol_number == 6:
return nsx_constants.TCP
elif protocol_number == 17:
return nsx_constants.UDP
elif protocol_number == 1:
return nsx_constants.ICMPV4
else:
return protocol_number
def create(self,
display_name,
edge_cluster_id,
tags,
edge_cluster_member_indexes=None,
failover_mode=None):
"""Create a bridge endpoint profile on the backend.
Create a bridge endpoint profile for a given edge cluster.
:param display_name: name of the bridge endpoint profile
:param edge_cluster_id: identifier of the edge cluster this profile
should be associated with.
:param tags: tags for the newly created resource.
:param edge_cluster_member_indexes: iterable of integers specifying
edge cluster members where the
bridge endpoints will be created
:param failover_mode: failover mode for the profile. Could be either
PREEMPTIVE or NON_PREEMPTIVE.
"""
tags = tags or []
body = {'display_name': display_name, 'tags': tags}
if failover_mode:
body['failover_mode'] = failover_mode
if edge_cluster_member_indexes:
# Test for a list of integers
try:
member_indexes = [
int(member_idx)
for member_idx in edge_cluster_member_indexes
]
body['edge_cluster_member_indexes'] = member_indexes
except (TypeError, ValueError) as e:
LOG.Error("Invalid values for member indexes: %s", e)
raise exceptions.InvalidInput(
operation='Create BridgeEndpointProfile',
arg_val=edge_cluster_member_indexes,
arg_name='edge_cluster_member_indexes')
return self.client.create(self.get_path(), body)
def create(self,
display_name,
transport_zone_id,
tags,
replication_mode=nsx_constants.MTEP,
admin_state=True,
vlan_id=None,
ip_pool_id=None,
mac_pool_id=None,
description=None,
trunk_vlan_range=None):
operation = "Create logical switch"
if display_name:
display_name = utils.escape_display_name(display_name)
# TODO(salv-orlando): Validate Replication mode and admin_state
# NOTE: These checks might be moved to the API client library if one
# that performs such checks in the client is available
body = {
'transport_zone_id': transport_zone_id,
'replication_mode': replication_mode,
'display_name': display_name,
'tags': tags
}
if admin_state:
body['admin_state'] = nsx_constants.ADMIN_STATE_UP
else:
body['admin_state'] = nsx_constants.ADMIN_STATE_DOWN
if trunk_vlan_range:
failed = False
if (self.nsxlib and self.nsxlib.feature_supported(
nsx_constants.FEATURE_TRUNK_VLAN)):
if vlan_id is not None:
failed = True
LOG.error(
"Failed to create logical switch %(name)s with "
"trunk vlan: vlan id %(vlan)s is used.", {
'name': display_name,
'vlan': vlan_id
})
elif (len(trunk_vlan_range) != 2
or trunk_vlan_range[0] > trunk_vlan_range[1]):
failed = True
LOG.error(
"Failed to create logical switch %(name)s with "
"trunk vlan: illegal range (%(trunk)s) is used.", {
'name': display_name,
'trunk': trunk_vlan_range
})
else:
body['vlan_trunk_spec'] = {
'vlan_ranges': [{
'start': trunk_vlan_range[0],
'end': trunk_vlan_range[1]
}]
}
else:
LOG.error(
"Failed to create logical switch %s with trunk "
"vlan: this feature is not supported.", display_name)
failed = True
if failed:
raise exceptions.InvalidInput(operation=operation,
arg_val=trunk_vlan_range,
arg_name='trunk_vlan_range')
elif vlan_id:
body['vlan'] = vlan_id
if ip_pool_id:
body['ip_pool_id'] = ip_pool_id
if mac_pool_id:
body['mac_pool_id'] = mac_pool_id
if description is not None:
body['description'] = description
return self.client.create(self.get_path(), body)
