def _delete_fwr_service(self, context, vdom, **fwr):
    """Delete the firewall service object named after a rule, if any.

    A rule whose protocol is 'any' or None and which sets neither a
    destination nor a source port is skipped and None is returned.
    Presumably no per-rule service object is created for such a rule;
    confirm against the code that builds the service dict.

    :param context: request context handed through to the utils helper.
    :param vdom: VDOM the service object is deleted from.
    :param fwr: firewall rule fields; 'protocol' and 'id' are read, and
        the two port fields are read only for an 'any'/None protocol.
    :returns: None when the rule is skipped, otherwise whatever
        utils.delete_fwservice() returns.
    """
    LOG.debug("# _delete_fwr_service() fwr=%(fwr)s", {'fwr': fwr})
    # Short-circuit order is kept: the port keys are only looked up
    # once the protocol has matched 'any' or None.
    matches_everything = (
        fwr['protocol'] in ('any', None)
        and not fwr['destination_port']
        and not fwr['source_port'])
    if matches_everything:
        return None
    # The service object carries the rule id as its name.
    rule_id = fwr['id']
    return utils.delete_fwservice(self, context, vdom=vdom, name=rule_id)
 def _delete_fwr_service(self, context, vdom, **fwr):
     """Delete the firewall service object named after a rule, if any.

     A rule whose protocol is 'any' or None and which sets neither a
     destination nor a source port is skipped and None is returned.
     Presumably no per-rule service object is created for such a rule;
     confirm against the code that builds the service dict.

     :param context: request context handed through to the utils helper.
     :param vdom: VDOM the service object is deleted from.
     :param fwr: firewall rule fields; 'protocol' and 'id' are read, and
         the two port fields are read only for an 'any'/None protocol.
     :returns: None when the rule is skipped, otherwise whatever
         utils.delete_fwservice() returns.
     """
     LOG.debug("# _delete_fwr_service() fwr=%(fwr)s", {'fwr': fwr})
     # Short-circuit order is kept: the port keys are only looked up
     # once the protocol has matched 'any' or None.
     matches_everything = (
         fwr['protocol'] in ('any', None)
         and not fwr['destination_port']
         and not fwr['source_port'])
     if matches_everything:
         return None
     # The service object carries the rule id as its name.
     rule_id = fwr['id']
     return utils.delete_fwservice(self, context, vdom=vdom, name=rule_id)
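 def _update_firewall_rule(self, context, id, firewall_rule):
     """Apply an updated firewall rule to the policies associated with it.

     Steps, in order:

     1. Load the internal (TYPE_INT) and external (TYPE_EXT) association
        rows for the rule and return if there are none.
     2. Build the source/destination address dicts, the service dict,
        the action and the profiles from ``firewall_rule``.
     3. For each internal association, set the service and address
        objects in its VDOM unless they resolve to 'ALL' / 'all'.
     4. Return early when the first internal policy already has the
        same srcaddr, dstaddr, service and action. Comments and
        profiles are not part of that comparison.
     5. 'accept': rewrite every associated policy and, when no external
        association existed, add a NAT-enabled TYPE_EXT sub-policy per
        policy. 'deny': delete the external sub-policies first, then
        rewrite the internal policies.
     6. Delete the per-rule service/address objects whose new value is
        'ALL' / 'all'.

     NOTE(review): the device calls are issued one after another and no
     rollback is visible in this method, so an exception part-way
     through may leave the policies partially updated; confirm that the
     caller handles this.
     NOTE(review): an action other than 'accept' or 'deny' rewrites no
     policy, yet step 6 still runs; confirm such values cannot reach
     here.

     :param context: request context handed through to the helpers.
     :param id: firewall rule id, also used to name per-rule objects.
     :param firewall_rule: rule fields; mutated in place ('id' and
         'name' are filled in with setdefault when missing).
     :returns: None.
     """
     # The message used to name _add_firewall_rule(), which attributed
     # updates to the wrong operation in debug traces.
     LOG.debug("# _update_firewall_rule() called")
     fwps_int = fortinet_db.Fortinet_FW_Rule_Association.query_all(
         context, fwr_id=id, type=constants.TYPE_INT)
     fwps_ext = fortinet_db.Fortinet_FW_Rule_Association.query_all(
         context, fwr_id=id, type=constants.TYPE_EXT)
     if fwps_ext and fwps_int:
         fwps = fwps_int + fwps_ext
     else:
         fwps = fwps_int or fwps_ext
     if not fwps:
         # No association rows for this rule: nothing to update.
         return

     firewall_rule.setdefault('id', id)
     srcaddr = self._make_fortinet_fwaddress_dict(
         place='source_ip_address', **firewall_rule)
     dstaddr = self._make_fortinet_fwaddress_dict(
         place='destination_ip_address', **firewall_rule)
     service = self._make_fortinet_fwservice_dict(**firewall_rule)
     action = self._get_fwr_action(**firewall_rule)
     profiles = self._get_fwp_profiles(action)

     # Create or refresh the objects the policies will reference before
     # any policy is rewritten.
     for fwp in fwps_int:
         vdom = fwp.fortinet_policy.vdom
         if service['name'] != 'ALL':
             utils.set_fwservice(self, context, vdom=vdom, **service)
         if srcaddr['name'] != 'all':
             utils.set_fwaddress(self, context, vdom=vdom, **srcaddr)
         if dstaddr['name'] != 'all':
             utils.set_fwaddress(self, context, vdom=vdom, **dstaddr)

     # Check whether the related firewall policies need an update.
     # NOTE(review): if only external associations exist, fwps_int is
     # presumably an empty list and this index raises IndexError. That
     # is left as is so the failure stays loud instead of silently
     # skipping the update; confirm whether that state is reachable.
     current = fwps_int[0].fortinet_policy
     name = firewall_rule.setdefault('name', current.comments)
     unchanged = (
         current.srcaddr == srcaddr['name']
         and current.action == action
         and current.dstaddr == dstaddr['name']
         and current.service == service['name'])
     if unchanged:
         return

     if action == 'accept':
         for fwp in fwps:
             fortinet_fwp = utils.set_fwpolicy(self, context,
                                               id=fwp.fortinet_pid,
                                               srcaddr=srcaddr['name'],
                                               dstaddr=dstaddr['name'],
                                               service=service['name'],
                                               action=action,
                                               comments=name,
                                               **profiles)
             if not fwps_ext:
                 # No external sub-policy exists yet for this rule, so
                 # add one in front of the policy that was just set.
                 inf_int, _inf_ext = utils.get_vlink_intf(
                     self, context, vdom=fortinet_fwp.vdom)
                 utils.add_fwaas_subpolicy(self, context,
                                           before=fortinet_fwp.edit_id,
                                           vdom=fortinet_fwp.vdom,
                                           srcaddr=srcaddr['name'],
                                           dstaddr=dstaddr['name'],
                                           dstintf=inf_int,
                                           nat='enable',
                                           service=service['name'],
                                           action=action,
                                           comments=name,
                                           fwr_id=id,
                                           type=constants.TYPE_EXT,
                                           **profiles)
     elif action == 'deny':
         # The external sub-policies are removed before the internal
         # policies are switched to deny.
         for fwp_ext in fwps_ext:
             utils.delete_fwaas_subpolicy(self, context,
                                          fwr_id=fwp_ext.fwr_id,
                                          fortinet_pid=fwp_ext.fortinet_pid)
         for fwp in fwps_int:
             utils.set_fwpolicy(self, context,
                                id=fwp.fortinet_pid,
                                srcaddr=srcaddr['name'],
                                dstaddr=dstaddr['name'],
                                service=service['name'],
                                action=action,
                                comments=name,
                                **profiles)

     # Remove the per-rule objects that the new rule no longer needs.
     for fwp in fwps_int:
         vdom = fwp.fortinet_policy.vdom
         if service['name'] == 'ALL':
             # Delete the old per-rule service if it exists.
             utils.delete_fwservice(self, context, vdom=vdom, name=id)
         if srcaddr['name'] == 'all':
             stale = constants.PREFIX['source_ip_address'] + id
             utils.delete_fwaddress(self, context, vdom=vdom, name=stale)
         if dstaddr['name'] == 'all':
             stale = constants.PREFIX['destination_ip_address'] + id
             utils.delete_fwaddress(self, context, vdom=vdom, name=stale)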
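 def _update_firewall_rule(self, context, id, firewall_rule):
     """Apply an updated firewall rule to the policies associated with it.

     Steps, in order:

     1. Load the internal (TYPE_INT) and external (TYPE_EXT) association
        rows for the rule and return if there are none.
     2. Build the source/destination address dicts, the service dict,
        the action and the profiles from ``firewall_rule``.
     3. For each internal association, set the service and address
        objects in its VDOM unless they resolve to 'ALL' / 'all'.
     4. Return early when the first internal policy already has the
        same srcaddr, dstaddr, service and action. Comments and
        profiles are not part of that comparison.
     5. 'accept': rewrite every associated policy and, when no external
        association existed, add a NAT-enabled TYPE_EXT sub-policy per
        policy. 'deny': delete the external sub-policies first, then
        rewrite the internal policies.
     6. Delete the per-rule service/address objects whose new value is
        'ALL' / 'all'.

     NOTE(review): the device calls are issued one after another and no
     rollback is visible in this method, so an exception part-way
     through may leave the policies partially updated; confirm that the
     caller handles this.
     NOTE(review): an action other than 'accept' or 'deny' rewrites no
     policy, yet step 6 still runs; confirm such values cannot reach
     here.

     :param context: request context handed through to the helpers.
     :param id: firewall rule id, also used to name per-rule objects.
     :param firewall_rule: rule fields; mutated in place ('id' and
         'name' are filled in with setdefault when missing).
     :returns: None.
     """
     # The message used to name _add_firewall_rule(), which attributed
     # updates to the wrong operation in debug traces.
     LOG.debug("# _update_firewall_rule() called")
     fwps_int = fortinet_db.Fortinet_FW_Rule_Association.query_all(
         context, fwr_id=id, type=constants.TYPE_INT)
     fwps_ext = fortinet_db.Fortinet_FW_Rule_Association.query_all(
         context, fwr_id=id, type=constants.TYPE_EXT)
     if fwps_ext and fwps_int:
         fwps = fwps_int + fwps_ext
     else:
         fwps = fwps_int or fwps_ext
     if not fwps:
         # No association rows for this rule: nothing to update.
         return

     firewall_rule.setdefault('id', id)
     srcaddr = self._make_fortinet_fwaddress_dict(
         place='source_ip_address', **firewall_rule)
     dstaddr = self._make_fortinet_fwaddress_dict(
         place='destination_ip_address', **firewall_rule)
     service = self._make_fortinet_fwservice_dict(**firewall_rule)
     action = self._get_fwr_action(**firewall_rule)
     profiles = self._get_fwp_profiles(action)

     # Create or refresh the objects the policies will reference before
     # any policy is rewritten.
     for fwp in fwps_int:
         vdom = fwp.fortinet_policy.vdom
         if service['name'] != 'ALL':
             utils.set_fwservice(self, context, vdom=vdom, **service)
         if srcaddr['name'] != 'all':
             utils.set_fwaddress(self, context, vdom=vdom, **srcaddr)
         if dstaddr['name'] != 'all':
             utils.set_fwaddress(self, context, vdom=vdom, **dstaddr)

     # Check whether the related firewall policies need an update.
     # NOTE(review): if only external associations exist, fwps_int is
     # presumably an empty list and this index raises IndexError. That
     # is left as is so the failure stays loud instead of silently
     # skipping the update; confirm whether that state is reachable.
     current = fwps_int[0].fortinet_policy
     name = firewall_rule.setdefault('name', current.comments)
     unchanged = (
         current.srcaddr == srcaddr['name']
         and current.action == action
         and current.dstaddr == dstaddr['name']
         and current.service == service['name'])
     if unchanged:
         return

     if action == 'accept':
         for fwp in fwps:
             fortinet_fwp = utils.set_fwpolicy(self, context,
                                               id=fwp.fortinet_pid,
                                               srcaddr=srcaddr['name'],
                                               dstaddr=dstaddr['name'],
                                               service=service['name'],
                                               action=action,
                                               comments=name,
                                               **profiles)
             if not fwps_ext:
                 # No external sub-policy exists yet for this rule, so
                 # add one in front of the policy that was just set.
                 inf_int, _inf_ext = utils.get_vlink_intf(
                     self, context, vdom=fortinet_fwp.vdom)
                 utils.add_fwaas_subpolicy(self, context,
                                           before=fortinet_fwp.edit_id,
                                           vdom=fortinet_fwp.vdom,
                                           srcaddr=srcaddr['name'],
                                           dstaddr=dstaddr['name'],
                                           dstintf=inf_int,
                                           nat='enable',
                                           service=service['name'],
                                           action=action,
                                           comments=name,
                                           fwr_id=id,
                                           type=constants.TYPE_EXT,
                                           **profiles)
     elif action == 'deny':
         # The external sub-policies are removed before the internal
         # policies are switched to deny.
         for fwp_ext in fwps_ext:
             utils.delete_fwaas_subpolicy(self, context,
                                          fwr_id=fwp_ext.fwr_id,
                                          fortinet_pid=fwp_ext.fortinet_pid)
         for fwp in fwps_int:
             utils.set_fwpolicy(self, context,
                                id=fwp.fortinet_pid,
                                srcaddr=srcaddr['name'],
                                dstaddr=dstaddr['name'],
                                service=service['name'],
                                action=action,
                                comments=name,
                                **profiles)

     # Remove the per-rule objects that the new rule no longer needs.
     for fwp in fwps_int:
         vdom = fwp.fortinet_policy.vdom
         if service['name'] == 'ALL':
             # Delete the old per-rule service if it exists.
             utils.delete_fwservice(self, context, vdom=vdom, name=id)
         if srcaddr['name'] == 'all':
             stale = constants.PREFIX['source_ip_address'] + id
             utils.delete_fwaddress(self, context, vdom=vdom, name=stale)
         if dstaddr['name'] == 'all':
             stale = constants.PREFIX['destination_ip_address'] + id
             utils.delete_fwaddress(self, context, vdom=vdom, name=stale)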