def _allocate_fabric_snat_port_translation_pools(self):
global_vrouter_fq_name = \
['default-global-system-config', 'default-global-vrouter-config']
count = 0
while True:
try:
global_vrouter_obj = \
self.vnc_lib.global_vrouter_config_read(
fq_name=global_vrouter_fq_name)
break
except NoIdError:
if count == 20:
return
time.sleep(3)
count += 1
port_count = 1024
start_port = 56000
end_port = start_port + port_count - 1
snat_port_range = PortType(start_port=start_port, end_port=end_port)
port_pool_tcp = PortTranslationPool(protocol="tcp",
port_range=snat_port_range)
start_port = end_port + 1
end_port = start_port + port_count - 1
snat_port_range = PortType(start_port=start_port, end_port=end_port)
port_pool_udp = PortTranslationPool(protocol="udp",
port_range=snat_port_range)
port_pools = PortTranslationPools([port_pool_tcp, port_pool_udp])
global_vrouter_obj.set_port_translation_pools(port_pools)
try:
self.vnc_lib.global_vrouter_config_update(global_vrouter_obj)
except NoIdError:
pass
def _get_rule(ingress, sg, prefix, ethertype):
sgr_uuid = str(uuid.uuid4())
if sg:
if ':' not in sg:
sg_fq_name = proj_obj.get_fq_name_str() + ':' + sg
else:
sg_fq_name = sg
addr = AddressType(security_group=sg_fq_name)
elif prefix:
addr = AddressType(subnet=SubnetType(prefix, 0))
local_addr = AddressType(security_group='local')
if ingress:
src_addr = addr
dst_addr = local_addr
else:
src_addr = local_addr
dst_addr = addr
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[PortType(0, 65535)],
ethertype=ethertype)
return rule
def _create_policy_entry(self, src_vn_obj, dst_vn_obj):
return PolicyRuleType(
direction='<>',
action_list=ActionListType(simple_action='pass'),
protocol='any',
src_addresses=[
AddressType(virtual_network=src_vn_obj.get_fq_name_str())
],
src_ports=[PortType(-1, -1)],
dst_addresses=[
AddressType(virtual_network=dst_vn_obj.get_fq_name_str())
],
dst_ports=[PortType(-1, -1)])
def policy_to_acl_rule(self, prule):
ingress_acl_rule_list = []
egress_acl_rule_list = []
rule_uuid = prule.get_rule_uuid()
ethertype = prule.ethertype
arule_proto = self.protocol_policy_to_acl(prule.protocol, ethertype)
if arule_proto is None:
# TODO log unknown protocol
return (ingress_acl_rule_list, egress_acl_rule_list)
acl_rule_list = None
for saddr in prule.src_addresses:
saddr_match = copy.deepcopy(saddr)
if not self._convert_security_group_name_to_id(saddr_match):
continue
if saddr.security_group == 'local':
saddr_match.security_group = None
acl_rule_list = egress_acl_rule_list
# If no src port is specified, assume 0-65535
for sp in prule.src_ports or [PortType()]:
for daddr in prule.dst_addresses:
daddr_match = copy.deepcopy(daddr)
if not self._convert_security_group_name_to_id(
daddr_match):
continue
if daddr.security_group == 'local':
daddr_match.security_group = None
acl_rule_list = ingress_acl_rule_list
if acl_rule_list is None:
self._logger.error("SG rule must have either source "
"or destination as 'local': " +
self.name)
continue
# If no dst port is specified, assume 0-65535
for dp in prule.dst_ports or [PortType()]:
action = ActionListType(simple_action='pass')
match = MatchConditionType(arule_proto,
saddr_match, sp,
daddr_match, dp,
ethertype)
acl = AclRuleType(match, action, rule_uuid)
acl_rule_list.append(acl)
# end for dp
# end for daddr
# end for sp
# end for saddr
return (ingress_acl_rule_list, egress_acl_rule_list)
def add_properties(self, props):
left_vn_str, right_vn_str = self.get_virtual_networks(props)
ret = (self.auto_policy == props.auto_policy)
if (left_vn_str, right_vn_str) != (self.left_vn_str,
self.right_vn_str):
self.left_vn_str = left_vn_str
self.right_vn_str = right_vn_str
ret = True
if not props.auto_policy:
self.delete_properties()
return ret
self.auto_policy = True
if (not self.left_vn_str or not self.right_vn_str):
self._logger.error(
"%s: route table next hop service instance must "
"have left and right virtual networks" % self.name)
self.delete_properties()
return ret
policy_name = "_internal_" + self.name
addr1 = AddressType(virtual_network=self.left_vn_str)
addr2 = AddressType(virtual_network=self.right_vn_str)
action_list = ActionListType(apply_service=[self.name])
prule = PolicyRuleType(direction="<>",
protocol="any",
src_addresses=[addr1],
dst_addresses=[addr2],
src_ports=[PortType()],
dst_ports=[PortType()],
action_list=action_list)
pentry = PolicyEntriesType([prule])
policy_obj = NetworkPolicy(policy_name, network_policy_entries=pentry)
policy = ResourceBaseST.get_obj_type_map().get(
'network_policy').locate(policy_name, policy_obj)
policy.virtual_networks = set([self.left_vn_str, self.right_vn_str])
policy.set_internal()
vn1 = ResourceBaseST.get_obj_type_map().get('virtual_network').get(
self.left_vn_str)
if vn1:
vn1.add_policy(policy_name)
vn2 = ResourceBaseST.get_obj_type_map().get('virtual_network').get(
self.right_vn_str)
if vn2:
vn2.add_policy(policy_name)
def _get_ingress_sg_rule(self, src_sg_fq_name, dst_port):
sgr_uuid = 1
src_addr = AddressType(security_group=':'.join(src_sg_fq_name))
dst_addr = AddressType(security_group='local')
proto = dst_port['protocol'].lower()
rule = PolicyRuleType(rule_uuid=sgr_uuid,
direction='>',
protocol=proto,
src_addresses=[src_addr],
src_ports=[PortType(0, 65535)],
dst_addresses=[dst_addr],
dst_ports=[
PortType(int(dst_port['start_port']),
int(dst_port['end_port']))
],
ethertype='IPv4')
return rule
def gen_network_policy_entries():
""" Returns a configured vnc_api.gen.resource_xsd.PolicyEntriesType
Filled with ActionListType and PolicyEntriesType.
"""
src_port = PortType(start_port=-1, end_port=-1)
dst_port = PortType(start_port=-1, end_port=-1)
src_address = AddressType(virtual_network='any')
dst_address = AddressType(virtual_network='any')
action = ActionListType(simple_action='pass')
rule = PolicyRuleType(protocol='any',
direction='<>',
src_ports=[src_port],
src_addresses=[src_address],
dst_ports=[dst_port],
dst_addresses=[dst_address],
action_list=action)
entry = PolicyEntriesType(policy_rule=[rule])
return entry
and rule.get_protocol() == 'any'):
print "Default Egress rule exists in project %s" % proj_obj.name
egress_rule_exists = True
if ingress_rule_exists:
break
sgr_uuid = str(uuid.uuid4())
ingress_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[
AddressType(security_group=proj_obj.get_fq_name_str() +
':' + 'default')
],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(security_group='local')],
dst_ports=[PortType(0, 65535)])
if not ingress_rule_exists:
print "Default Ingress rule doesn't exists in project %s" % proj_obj.name
sg_rules.add_policy_rule(ingress_rule)
sgr_uuid = str(uuid.uuid4())
egress_rule = PolicyRuleType(
rule_uuid=sgr_uuid,
direction='>',
protocol='any',
src_addresses=[AddressType(security_group='local')],
src_ports=[PortType(0, 65535)],
dst_addresses=[AddressType(subnet=SubnetType('0.0.0.0', 0))],
def recreate_vrf_assign_table(self):
if not (self.is_left() or self.is_right()):
self._set_vrf_assign_table(None)
return
vn = ResourceBaseST.get_obj_type_map().get('virtual_network').get(
self.virtual_network)
if vn is None:
self._set_vrf_assign_table(None)
return
vm_pt_list = self.get_virtual_machine_or_port_tuple()
if not vm_pt_list:
self._set_vrf_assign_table(None)
return
policy_rule_count = 0
vrf_table = VrfAssignTableType()
for vm_pt in vm_pt_list:
smode = vm_pt.get_service_mode()
if smode not in ['in-network', 'in-network-nat']:
self._set_vrf_assign_table(None)
return
ip_list = []
for ip_name in self.instance_ips:
ip = ResourceBaseST.get_obj_type_map().get('instance_ip').get(
ip_name)
if ip and ip.instance_ip_address:
ip_list.append((ip.ip_version, ip.instance_ip_address))
for ip_name in self.floating_ips:
ip = ResourceBaseST.get_obj_type_map().get('floating_ip').get(
ip_name)
if ip and ip.floating_ip_address:
ip_list.append((ip.ip_version, ip.floating_ip_address))
for ip_name in self.alias_ips:
ip = ResourceBaseST.get_obj_type_map().get('alias_ip').get(
ip_name)
if ip and ip.alias_ip_address:
ip_list.append((ip.ip_version, ip.alias_ip_address))
for (ip_version, ip_address) in ip_list:
if ip_version == 6:
address = AddressType(subnet=SubnetType(ip_address, 128))
else:
address = AddressType(subnet=SubnetType(ip_address, 32))
mc = MatchConditionType(src_address=address,
protocol='any',
src_port=PortType(),
dst_port=PortType())
vrf_rule = VrfAssignRuleType(
match_condition=mc,
routing_instance=vn._default_ri_name,
ignore_acl=False)
vrf_table.add_vrf_assign_rule(vrf_rule)
si_name = vm_pt.service_instance
for service_chain_list in vn.service_chains.values():
for service_chain in service_chain_list:
if not service_chain.created:
continue
service_list = service_chain.service_list
if si_name not in service_chain.service_list:
continue
if ((si_name == service_list[0] and self.is_left()) or
(si_name == service_list[-1] and self.is_right())):
# Do not generate VRF assign rules for 'book-ends'
continue
ri_name = vn.get_service_name(service_chain.name, si_name)
for sp in service_chain.sp_list:
for dp in service_chain.dp_list:
if self.is_left():
mc = MatchConditionType(
src_port=dp,
dst_port=sp,
protocol=service_chain.protocol)
else:
mc = MatchConditionType(
src_port=sp,
dst_port=dp,
protocol=service_chain.protocol)
vrf_rule = VrfAssignRuleType(
match_condition=mc,
routing_instance=ri_name,
ignore_acl=True)
vrf_table.add_vrf_assign_rule(vrf_rule)
policy_rule_count += 1
# end for dp
# end for sp
# end for service_chain
# end for service_chain_list
# end for vm_pt_list
if policy_rule_count == 0:
vrf_table = None
self._set_vrf_assign_table(vrf_table)
