def construct_security_group(project):
    """Build (but do not create) the vCenter default security group for *project*.

    The returned ``SecurityGroup`` carries two IPv4 rules, both
    ``protocol='any'`` over ports ``0-65535``:

    * ingress: from members of the group named by
      ``VNC_VCENTER_DEFAULT_SG_FQN`` to ``local``;
    * egress: from ``local`` to ``0.0.0.0/0``.

    So egress is unrestricted while ingress is limited to peers in the same
    default group. Nothing is sent to the API server here; the caller is
    responsible for creating the object.

    Args:
        project: the ``vnc_api.Project`` that will own the group.

    Returns:
        A ``vnc_api.SecurityGroup`` named ``VNC_VCENTER_DEFAULT_SG`` with its
        policy entries populated.
    """
    def all_ports():
        # Fresh list per rule so no two rules share a PortType instance.
        return [vnc_api.PortType(0, 65535)]

    def local_endpoint():
        return vnc_api.AddressType(security_group='local')

    def one_way_rule(src, dst):
        return vnc_api.PolicyRuleType(
            rule_uuid=str(uuid4()),
            direction='>',
            protocol='any',
            src_addresses=[src],
            src_ports=all_ports(),
            dst_addresses=[dst],
            dst_ports=all_ports(),
            ethertype='IPv4',
        )

    peer_group = vnc_api.AddressType(
        security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN))
    anywhere_v4 = vnc_api.AddressType(
        subnet=vnc_api.SubnetType('0.0.0.0', 0))

    entries = vnc_api.PolicyEntriesType()
    entries.add_policy_rule(one_way_rule(peer_group, local_endpoint()))  # ingress
    entries.add_policy_rule(one_way_rule(local_endpoint(), anywhere_v4))  # egress

    security_group = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG,
                                           parent_obj=project)
    security_group.set_security_group_entries(entries)
    return security_group
def create_NetworkPolicy(policy_name, left_network_name, right_network_name,
                         vnc, domain, project_name):
    """Create an allow-all network policy between two virtual networks.

    The policy holds a single bidirectional (``<>``) rule with
    ``simple_action='pass'``, ``protocol='any'`` and port range ``-1..-1``
    on both sides (presumably the any-port wildcard), so every flow between
    *left_network_name* and *right_network_name* is permitted. The policy is
    created under the project ``[domain, project_name]`` but is not attached
    to either network here.

    Args:
        policy_name: name of the ``NetworkPolicy`` to create.
        left_network_name: virtual network used as the rule's source.
        right_network_name: virtual network used as the rule's destination.
        vnc: a connected ``vnc_api.VncApi`` client.
        domain: domain part of the owning project's FQ name.
        project_name: project part of the owning project's FQ name.

    Any exception raised by ``vnc.project_read`` or
    ``vnc.network_policy_create`` propagates to the caller.
    """
    owner = vnc.project_read(fq_name=[domain, project_name])

    def wildcard_ports():
        return [vnc_api.PortType(start_port=-1, end_port=-1)]

    allow_all = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=vnc_api.ActionListType(simple_action='pass'),
        src_addresses=[vnc_api.AddressType(virtual_network=left_network_name)],
        src_ports=wildcard_ports(),
        dst_addresses=[vnc_api.AddressType(virtual_network=right_network_name)],
        dst_ports=wildcard_ports())

    vnc.network_policy_create(vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=owner,
        network_policy_entries=vnc_api.PolicyEntriesType([allow_all])))

    print('Policy "{}" created between "{}" & "{}"\n'.format(
        policy_name, left_network_name, right_network_name))
 def _create_no_rule_sg(self):
     """Create and return a security group that carries no rules.

     The group is named ``SG_NO_RULE_NAME``, parented under project
     ``SG_NO_RULE_FQ_NAME[1]`` in domain ``SG_NO_RULE_FQ_NAME[0]``, and gets
     an empty ``PolicyEntriesType`` plus ``user_visible=False`` id perms.
     NOTE(review): presumably intended as a deny-everything placeholder group
     — confirm against the caller. Creation goes through
     ``self._resource_create``.

     Returns:
         The ``vnc_api.SecurityGroup`` object handed to ``_resource_create``.
     """
     domain_name = SG_NO_RULE_FQ_NAME[0]
     project_name = SG_NO_RULE_FQ_NAME[1]
     parent_project = vnc_api.Project(project_name,
                                      vnc_api.Domain(domain_name))
     perms = vnc_api.IdPermsType(
         enable=True,
         description="Security group with no rules",
         user_visible=False)
     empty_sg = vnc_api.SecurityGroup(
         name=SG_NO_RULE_NAME,
         parent_obj=parent_project,
         security_group_entries=vnc_api.PolicyEntriesType(),
         id_perms=perms)
     self._resource_create(empty_sg)
     return empty_sg
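    def _create_default_security_group(self, proj_obj):
        """Create the ``default`` security group for *proj_obj* and return its uuid.

        The group gets four unidirectional rules, all ``protocol='any'`` over
        ports ``0-65535``:

        * IPv4 and IPv6 ingress from members of the project's own ``default``
          group (``<project fq name>:default``) to ``local``;
        * IPv4 egress from ``local`` to ``0.0.0.0/0`` and IPv6 egress from
          ``local`` to ``::/0``.

        Ingress is therefore limited to peers in the same default group while
        egress is unrestricted. The object is created through
        ``self._vnc_lib.security_group_create``.

        Args:
            proj_obj: the ``vnc_api.Project`` that owns the new group.

        Returns:
            The uuid of the created security group (``sg_obj.uuid``).

        Raises:
            ValueError: if the internal rule builder is invoked with neither a
                peer group name nor an address prefix.
        """
        def _get_rule(ingress, sg, prefix, ethertype):
            # Build one '>' rule. Exactly one of ``sg`` (peer group name,
            # resolved under proj_obj) or ``prefix`` (address with prefix
            # length 0, i.e. the whole address space) is the remote end;
            # ``ingress`` decides whether the remote end is the source
            # (ingress) or the destination (egress).
            if sg:
                addr = vnc_api.AddressType(
                    security_group=proj_obj.get_fq_name_str() + ':' + sg)
            elif prefix:
                addr = vnc_api.AddressType(
                    subnet=vnc_api.SubnetType(prefix, 0))
            else:
                # Previously fell through to an unbound ``addr`` and died with
                # UnboundLocalError; fail with a meaningful error instead.
                raise ValueError('_get_rule requires either sg or prefix')
            local_addr = vnc_api.AddressType(security_group='local')
            if ingress:
                src_addr, dst_addr = addr, local_addr
            else:
                src_addr, dst_addr = local_addr, addr
            return vnc_api.PolicyRuleType(
                rule_uuid=str(uuid.uuid4()),
                direction='>',
                protocol='any',
                src_addresses=[src_addr],
                src_ports=[vnc_api.PortType(0, 65535)],
                dst_addresses=[dst_addr],
                dst_ports=[vnc_api.PortType(0, 65535)],
                ethertype=ethertype)

        rules = [
            _get_rule(True, 'default', None, 'IPv4'),
            _get_rule(True, 'default', None, 'IPv6'),
            _get_rule(False, None, '0.0.0.0', 'IPv4'),
            _get_rule(False, None, '::', 'IPv6'),
        ]
        sg_rules = vnc_api.PolicyEntriesType(rules)

        # create security group
        id_perms = vnc_api.IdPermsType(enable=True,
                                       description='Default security group')
        sg_obj = vnc_api.SecurityGroup(name='default',
                                       parent_obj=proj_obj,
                                       id_perms=id_perms,
                                       security_group_entries=sg_rules)

        self._vnc_lib.security_group_create(sg_obj)
        return sg_obj.uuid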
    def create_networkpolicy(self, policy_name, vn1_name, vn2_name, action):
        """Create a network policy with one any-protocol rule between two VNs.

        The single rule is bidirectional (``<>``), matches ``protocol='any'``
        with port range ``-1..-1`` on both sides (presumably the any-port
        wildcard) between *vn1_name* and *vn2_name*, and applies
        ``simple_action=action``. With ``action='pass'`` this permits all
        traffic between the two networks. The policy is created under the
        project ``[self._domain, self._tenant_name]`` and is not attached to
        either network here.

        Args:
            policy_name: name for the new ``NetworkPolicy``.
            vn1_name: virtual network used as the rule's source address.
            vn2_name: virtual network used as the rule's destination address.
            action: value for ``ActionListType.simple_action``.
        """
        print("Create network policy %s between %s <---> %s" % (
            policy_name, vn1_name, vn2_name))

        owner = self._vnc_lib.project_read(
            fq_name=[self._domain, self._tenant_name])

        def wildcard_ports():
            return [vnc_api.PortType(start_port=-1, end_port=-1)]

        entries = vnc_api.PolicyEntriesType([vnc_api.PolicyRuleType(
            direction='<>',
            protocol='any',
            action_list=vnc_api.ActionListType(simple_action=action),
            src_addresses=[vnc_api.AddressType(virtual_network=vn1_name)],
            src_ports=wildcard_ports(),
            dst_addresses=[vnc_api.AddressType(virtual_network=vn2_name)],
            dst_ports=wildcard_ports())])

        self._vnc_lib.network_policy_create(vnc_api.NetworkPolicy(
            name=policy_name,
            parent_obj=owner,
            network_policy_entries=entries))
    def _security_group_rule_create(self, sg_id, sg_rule, project_id):
        """Append *sg_rule* to security group *sg_id* and persist the change.

        Failures are translated into Neutron-style exceptions via
        ``self._raise_contrail_exception``:

        * unknown *sg_id* -> ``SecurityGroupNotFound``;
        * *project_id* given but not equal to the group's parent (after
          ``_project_id_neutron_to_vnc``) -> ``NotFound`` — this is the
          tenant-ownership check, so callers may only touch their own groups;
        * ``PermissionDenied`` / ``BadRequest`` from the update ->
          ``BadRequest`` carrying the backend message;
        * ``RefsExistError`` -> ``SecurityGroupRuleExists`` with the uuid
          parsed from the error text, or ``None`` if it has no ``:`` field.

        NOTE(review): when *project_id* is falsy the ownership check is
        skipped entirely, so such a call can modify any group — confirm every
        tenant-facing caller supplies it.

        Args:
            sg_id: uuid of the security group to modify.
            sg_rule: ``vnc_api.PolicyRuleType`` to add.
            project_id: Neutron project id of the caller, or falsy to skip
                the ownership check.
        """
        handler = sg_handler.SecurityGroupHandler(self._vnc_lib)
        try:
            sg_obj = handler.get_sg_obj(id=sg_id)
        except vnc_exc.NoIdError:
            self._raise_contrail_exception('SecurityGroupNotFound',
                                           id=sg_id,
                                           resource='security_group')

        if project_id:
            sg_owner = sg_obj.parent_uuid
            if sg_owner != self._project_id_neutron_to_vnc(project_id):
                self._raise_contrail_exception('NotFound')

        entries = sg_obj.get_security_group_entries()
        if entries is None:
            entries = vnc_api.PolicyEntriesType([sg_rule])
        else:
            entries.add_policy_rule(sg_rule)
        sg_obj.set_security_group_entries(entries)

        try:
            handler.resource_update_obj(sg_obj)
        except vnc_exc.PermissionDenied as err:
            self._raise_contrail_exception('BadRequest',
                                           resource='security_group_rule',
                                           msg=str(err))
        except vnc_exc.BadRequest as err:
            self._raise_contrail_exception('BadRequest',
                                           resource='security_group_rule',
                                           msg=str(err.content))
        except vnc_exc.RefsExistError as err:
            # Presumably the backend names the clashing rule after a ':' in
            # the message; without that field report no uuid.
            fields = str(err).split(':')
            existing_uuid = fields[1].strip() if len(fields) > 1 else None
            self._raise_contrail_exception('SecurityGroupRuleExists',
                                           resource='security_group_rule',
                                           id=existing_uuid)
        return
    def _security_group_rule_create(self, sg_id, sg_rule, project_id):
        """Append *sg_rule* to security group *sg_id* and persist the change.

        Errors are mapped to Neutron-style exceptions through
        ``self._raise_contrail_exception``: an unknown *sg_id* becomes
        ``SecurityGroupNotFound``; a *project_id* that differs from the
        group's ``parent_uuid`` becomes ``NotFound`` (the tenant-ownership
        check); ``vnc_exc.PermissionDenied`` during the update becomes
        ``BadRequest`` with the backend message. Any other backend exception
        propagates unchanged.

        NOTE(review): the ownership check is skipped when *project_id* is
        falsy, and *project_id* is compared to ``parent_uuid`` with no
        id-format conversion — confirm callers always pass a project id in
        the same uuid format the VNC API stores.

        Args:
            sg_id: uuid of the security group to modify.
            sg_rule: ``vnc_api.PolicyRuleType`` to add to the group.
            project_id: project id of the caller, or falsy to skip the check.
        """
        handler = sg_handler.SecurityGroupHandler(self._vnc_lib)
        try:
            sg_obj = handler.get_sg_obj(id=sg_id)
        except vnc_exc.NoIdError:
            self._raise_contrail_exception('SecurityGroupNotFound', id=sg_id,
                                           resource='security_group')

        owned_by_caller = not project_id or sg_obj.parent_uuid == project_id
        if not owned_by_caller:
            self._raise_contrail_exception('NotFound')

        entries = sg_obj.get_security_group_entries()
        if entries is None:
            entries = vnc_api.PolicyEntriesType([sg_rule])
        else:
            entries.add_policy_rule(sg_rule)
        sg_obj.set_security_group_entries(entries)

        try:
            handler.resource_update_obj(sg_obj)
        except vnc_exc.PermissionDenied as err:
            self._raise_contrail_exception(
                'BadRequest',
                resource='security_group_rule', msg=str(err))
        return
# One bidirectional rule between the two networks, matching only
# policy_protocol and the single source/destination port given above, with
# policy_action as its simple_action.
rule = vnc_api.PolicyRuleType(
    direction='<>',
    protocol=policy_protocol,
    action_list=vnc_api.ActionListType(simple_action=policy_action),
    src_addresses=[vnc_api.AddressType(virtual_network=source_network)],
    src_ports=[vnc_api.PortType(start_port=source_port,
                                end_port=source_port)],
    dst_addresses=[vnc_api.AddressType(virtual_network=destination_network)],
    dst_ports=[vnc_api.PortType(start_port=destination_port,
                                end_port=destination_port)])

vnc.network_policy_create(vnc_api.NetworkPolicy(
    name=policy_name,
    parent_obj=tenant,
    network_policy_entries=vnc_api.PolicyEntriesType([rule])))

# Attach the policy to each network: re-read it from the API server, then
# add it to both VNs at sequence 0.0 and push each update.
# NOTE: the domain is hard-coded to 'default-domain' in these FQ names.
policy = vnc.network_policy_read(
    fq_name=['default-domain', tenant_name, policy_name])
policy_type = vnc_api.VirtualNetworkPolicyType(
    sequence=vnc_api.SequenceType(major=0, minor=0))
for network_name in (source_network, destination_network):
    vn = vnc.virtual_network_read(
        fq_name=['default-domain', tenant_name, network_name])
    vn.add_network_policy(ref_obj=policy, ref_data=policy_type)
    vnc.virtual_network_update(vn)
    auth_port=auth_port,
    auth_url=urlparts.path + '/tokens',
)

# Both networks are fetched by the uuids given on the command line.
net1 = vnc_lib.virtual_network_read(id=args.net1_uuid)
net2 = vnc_lib.virtual_network_read(id=args.net2_uuid)

# Allow-all rule: bidirectional, protocol 'any', simple_action 'pass', port
# range -1..-1 on both sides, between net1 (source) and net2 (destination).
allow_any = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='any',
    src_addresses=[
        vnc_api.AddressType(virtual_network=net1.get_fq_name_str())
    ],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=net2.get_fq_name_str())
    ],
    dst_ports=[vnc_api.PortType(-1, -1)])

# The policy is owned by net1's parent project.
owner = vnc_lib.project_read(fq_name=net1.get_parent_fq_name())
pol1 = vnc_api.NetworkPolicy(
    'policy-%s-%s-any' % (net1.name, net2.name),
    network_policy_entries=vnc_api.PolicyEntriesType([allow_any]),
    parent_obj=owner)
vnc_lib.network_policy_create(pol1)

# Attach to net1 at sequence 0.0 and push the update; net2 follows below.
net1.add_network_policy(
    pol1,
    vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
vnc_lib.virtual_network_update(net1)

net2.add_network_policy(
from vnc_api import vnc_api
# NOTE: the API server address is hard-coded and no authentication arguments
# are passed to VncApi here; whatever the client defaults to is what is used.
vnc_lib = vnc_api.VncApi(api_server_host='10.10.7.149')


def make_network(name, prefix, prefix_len):
    """Build a VirtualNetwork with one IPAM subnet and create it on the server."""
    vn = vnc_api.VirtualNetwork(name)
    subnet = vnc_api.IpamSubnetType(
        subnet=vnc_api.SubnetType(prefix, prefix_len))
    vn.add_network_ipam(vnc_api.NetworkIpam(),
                        vnc_api.VnSubnetsType([subnet]))
    vnc_lib.virtual_network_create(vn)
    return vn


vn_blue_obj = make_network('vn-blue', '10.0.2.0', 24)
vn_red_obj = make_network('vn-red', '10.0.3.0', 24)

# Single rule: direction '<>', protocol 'tcp', simple_action 'pass', from
# vn-blue (ports -1..-1) to vn-red on port 80 only.
blue_to_red_80 = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='tcp',
    src_addresses=[
        vnc_api.AddressType(virtual_network=vn_blue_obj.get_fq_name_str())
    ],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=vn_red_obj.get_fq_name_str())
    ],
    dst_ports=[vnc_api.PortType(80, 80)])
policy_obj = vnc_api.NetworkPolicy(
    'policy-red-blue',
    network_policy_entries=vnc_api.PolicyEntriesType([blue_to_red_80]))
vnc_lib.network_policy_create(policy_obj)

# Attach the policy to both networks at sequence 0.0, then push the updates.
for network in (vn_blue_obj, vn_red_obj):
    network.add_network_policy(
        policy_obj,
        vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
for network in (vn_blue_obj, vn_red_obj):
    vnc_lib.virtual_network_update(network)

print(vnc_lib.virtual_network_read(id=vn_blue_obj.uuid))


print(vnc_lib.virtual_networks_list())