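def create_cascaded_policy_with_rules(self, ctx, cascading_policy_id, rules_id):
    """Create the cascaded firewall policy that mirrors a cascading policy.

    Each cascading rule id in ``rules_id`` is translated, via
    ``self.firewall_rules_map`` (keyed by the cascaded rule name), into the
    id of the cascaded rule created for it; the resulting id list is then
    used to create one cascaded policy through ``self.csd_client``.

    :param ctx: request context, forwarded to list_cascading_policy_by_id.
    :param cascading_policy_id: id of the cascading-side policy to mirror.
    :param rules_id: iterable of cascading-side rule ids, in policy order.
    :returns: the raw ``create_firewall_policy`` response dict.
    :raises fw_ext.FirewallInternalDriverError: if a rule has no cascaded
        counterpart in the map, or the cascaded side returns no policy.
    """
    LOG.debug(_("firewall_rules_map:%s"), self.firewall_rules_map)
    rules_id_list = []
    for rule_id in rules_id:
        rule_name = self._get_cascaded_rule_name(rule_id)
        cascaded_rule = self.firewall_rules_map.get(rule_name)
        if not cascaded_rule:
            # Previously this fell through to cascaded_rule['id'] on None and
            # died with a TypeError. Fail with the driver's own error so the
            # caller sees a firewall failure, and never create a cascaded
            # policy that is missing one of the rules it is supposed to carry.
            LOG.error(
                _("cascaded firewall rule not found, "
                  "cascading rule id:%s"), rule_id)
            raise fw_ext.FirewallInternalDriverError("Create cascaded policy")
        rules_id_list.append(cascaded_rule['id'])
    fwp_info = self.list_cascading_policy_by_id(ctx, cascading_policy_id)
    policy_req = self.get_policy_req(fwp_info, rules_id_list)
    policy_ret = self.csd_client('create_firewall_policy', policy_req)
    # Both an empty response and a response without a policy body are failures.
    if not policy_ret or not policy_ret.get('firewall_policy'):
        # Log the id the message promises, not the whole policy dict.
        LOG.error(
            _("cascaded firewall policy created failed, "
              "cascading policy id:%s"), cascading_policy_id)
        raise fw_ext.FirewallInternalDriverError("Create cascaded policy")
    LOG.debug(_('Create cascaded policy with rules, Response:%s'),
              str(policy_ret))
    return policy_ret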
def apply_default_policy(self, agent_mode, apply_list, firewall):
    """Replace a firewall's chains with the default policy chain.

    For every router in ``apply_list``, and every iptables manager the
    agent mode yields for that router, the firewall's own chains and the
    current default chains are removed, a fresh v4/v6 default policy chain
    (the 'DROP ALL' chain) is created and enabled for the firewall. All of
    this edits the manager's in-memory state; the rules are only pushed to
    the host at the end with ``defer_apply_off()``, so there is no moment
    at which the router runs without a firewall.

    :param agent_mode: L3 agent mode, handed to _get_ipt_mgrs_with_if_prefix.
    :param apply_list: router_info objects the policy is applied on.
    :param firewall: firewall dict; ``id`` and ``tenant_id`` are read.
    :raises fw_ext.FirewallInternalDriverError: in place of any
        LookupError / RuntimeError raised by the iptables layer.
    """
    fwid = firewall['id']
    LOG.debug('Applying firewall %(fw_id)s for tenant %(tid)s)',
              {'fw_id': fwid, 'tid': firewall['tenant_id']})
    try:
        for router_info in apply_list:
            managers = self._get_ipt_mgrs_with_if_prefix(agent_mode,
                                                         router_info)
            for ipt_if_prefix in managers:
                ipt_mgr = ipt_if_prefix['ipt']
                # Local-memory edits only up to defer_apply_off(): tear
                # down, then rebuild the default chain, then enable it.
                self._remove_chains(fwid, ipt_mgr)
                self._remove_default_chains(ipt_mgr)
                self._add_default_policy_chain_v4v6(ipt_mgr)
                self._enable_policy_chain(fwid, ipt_if_prefix)
                # Flush to the host now; the firewall path does not defer.
                ipt_mgr.defer_apply_off()
    except (LookupError, RuntimeError):
        # Known library failures are surfaced as the generic FWaaS error.
        LOG.exception(
            _LE("Failed to apply default policy on firewall: %s"), fwid)
        raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def apply_default_policy(self, apply_list, firewall):
    """Reset each router's firewall to the default policy chain.

    Per router in ``apply_list`` the firewall's chains and the existing
    default chains are dropped from ``router_info.iptables_manager``, a new
    v4/v6 default policy chain (the 'DROP ALL' chain) is created and then
    enabled for the firewall. Until ``apply()`` runs, only the manager's
    in-memory rule set changes, so the host never sees an intermediate
    state without a firewall.

    :param apply_list: router_info objects to apply the policy on.
    :param firewall: firewall dict; ``id`` and ``tenant_id`` are read.
    :raises fw_ext.FirewallInternalDriverError: in place of any
        LookupError / RuntimeError raised by the iptables layer.
    """
    fwid = firewall['id']
    LOG.debug(_('Applying firewall %(fw_id)s for tenant %(tid)s)'),
              {'fw_id': fwid, 'tid': firewall['tenant_id']})
    try:
        for router_info in apply_list:
            mgr = router_info.iptables_manager
            # In-memory only until apply(): tear down, rebuild, enable.
            self._remove_chains(fwid, mgr)
            self._remove_default_chains(mgr)
            self._add_default_policy_chain_v4v6(mgr)
            self._enable_policy_chain(fwid, mgr)
            mgr.apply()
    except (LookupError, RuntimeError):
        # Known library failures are surfaced as the generic FWaaS error.
        LOG.exception(_("Failed to apply default policy on firewall: %s"),
                      fwid)
        raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def create_firewall(self, agent_mode, apply_list, firewall):
    """Create a firewall on the NGFW backend.

    Creation is implemented as an update: the firewall dict is flagged
    ``created`` (set in place on the caller's dict) and passed to
    ``update_firewall``, whose result is returned as-is.

    :param agent_mode: L3 agent mode, forwarded to update_firewall.
    :param apply_list: routers to apply the firewall on, forwarded.
    :param firewall: firewall dict; gets ``created`` = True.
    :returns: whatever update_firewall returned (truthy).
    :raises fw_ext.FirewallInternalDriverError: if update_firewall
        returned a falsy result.
    """
    LOG.debug(_('ngfw create_firewall (%s)'), firewall)
    firewall['created'] = True
    result = self.update_firewall(agent_mode, apply_list, firewall)
    if result:
        return result
    LOG.error(_('create_firewall raise FirewallInternalDriverError'))
    raise fw_ext.FirewallInternalDriverError()
def delete_firewall(self, agent_mode, apply_list, firewall):
    """Delete a firewall on the NGFW backend.

    The firewall dict is flagged ``deleted`` (set in place on the caller's
    dict) and the routers are put back on the default policy through
    ``apply_default_policy``; that call's result is returned as-is.

    :param agent_mode: L3 agent mode, forwarded to apply_default_policy.
    :param apply_list: routers the firewall was applied on, forwarded.
    :param firewall: firewall dict; gets ``deleted`` = True.
    :returns: whatever apply_default_policy returned (truthy).
    :raises fw_ext.FirewallInternalDriverError: if apply_default_policy
        returned a falsy result.
    """
    LOG.debug(_("ngfw delete_firewall (%s)"), firewall)
    firewall['deleted'] = True
    result = self.apply_default_policy(agent_mode, apply_list, firewall)
    if result:
        return result
    LOG.error(_('delete_firewall raise FirewallInternalDriverError'))
    raise fw_ext.FirewallInternalDriverError()
def update_firewall(self, apply_list, firewall):
    """Apply a firewall's current state to its routers.

    With ``admin_state_up`` set, the firewall's rules are installed through
    ``_setup_firewall``; with it cleared, the routers are put on the default
    policy through ``apply_default_policy`` instead (admin-down does not
    remove the firewall chains).

    :param apply_list: router_info objects the firewall applies to.
    :param firewall: firewall dict; ``id``, ``tenant_id`` and
        ``admin_state_up`` are read.
    :raises fw_ext.FirewallInternalDriverError: in place of any
        LookupError / RuntimeError raised while applying.
    """
    LOG.debug(_('Updating firewall %(fw_id)s for tenant %(tid)s)'),
              {'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
    try:
        # The admin_state_up lookup stays inside the try on purpose: a
        # missing key is a LookupError and is reported like any other.
        handler = (self._setup_firewall if firewall['admin_state_up']
                   else self.apply_default_policy)
        handler(apply_list, firewall)
    except (LookupError, RuntimeError):
        # Known library failures are surfaced as the generic FWaaS error.
        LOG.exception(_("Failed to update firewall: %s"), firewall['id'])
        raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def delete_firewall(self, apply_list, firewall):
    """Remove a firewall's chains from every router it was applied on.

    Both the firewall's own chains and the default chains are removed from
    ``router_info.iptables_manager`` and the change is applied. Unlike
    apply_default_policy nothing is installed in their place, so after
    this call the router carries no FWaaS chains at all.

    :param apply_list: router_info objects the firewall was applied on.
    :param firewall: firewall dict; ``id`` and ``tenant_id`` are read.
    :raises fw_ext.FirewallInternalDriverError: in place of any
        LookupError / RuntimeError raised by the iptables layer.
    """
    fwid = firewall['id']
    LOG.debug(_('Deleting firewall %(fw_id)s for tenant %(tid)s)'),
              {'fw_id': fwid, 'tid': firewall['tenant_id']})
    try:
        for router_info in apply_list:
            mgr = router_info.iptables_manager
            self._remove_chains(fwid, mgr)
            self._remove_default_chains(mgr)
            mgr.apply()
    except (LookupError, RuntimeError):
        # Known library failures are surfaced as the generic FWaaS error.
        LOG.exception(_("Failed to delete firewall: %s"), fwid)
        raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
def update_firewall(self, agent_mode, apply_list, firewall):
    """Update a firewall on the NGFW backend.

    With ``admin_state_up`` set the change goes through ``_update_firewall``;
    with it cleared the routers are put on the default policy through
    ``apply_default_policy`` instead, so admin-down is not the same as
    removing the firewall. The chosen call's result is returned as-is.

    :param agent_mode: L3 agent mode; only apply_default_policy takes it.
    :param apply_list: routers the firewall applies to, forwarded.
    :param firewall: firewall dict; ``admin_state_up`` is read.
    :returns: whatever the chosen call returned (truthy).
    :raises fw_ext.FirewallInternalDriverError: if the chosen call
        returned a falsy result.
    """
    LOG.debug(_("ngfw update_firewall (%s)"), firewall)
    if firewall['admin_state_up']:
        result = self._update_firewall(apply_list, firewall)
    else:
        result = self.apply_default_policy(agent_mode, apply_list, firewall)
    if result:
        return result
    LOG.error(_('update_firewall raise FirewallInternalDriverError'))
    raise fw_ext.FirewallInternalDriverError()
def create_cascaded_rule(self, rule):
    """Create the cascaded counterpart of a cascading firewall rule.

    The request built by ``get_rule_req`` is sent through ``csd_client``;
    the returned ``firewall_rule`` body is remembered in
    ``self.firewall_rules_map`` under the cascaded rule name derived from
    ``rule['id']``, which is what later policy creation looks up.

    :param rule: cascading-side rule dict; ``id`` is read.
    :raises fw_ext.FirewallInternalDriverError: if the cascaded side
        returns no response or a response without a ``firewall_rule``.
    """
    rule_req = self.get_rule_req(rule)
    response = self.csd_client('create_firewall_rule', rule_req)
    # An empty response and a response without a rule body are both failures.
    created = response.get('firewall_rule') if response else None
    if not created:
        LOG.error(
            _("cascaded firewall rule created failed, cascading rule id:%s"),
            rule)
        raise fw_ext.FirewallInternalDriverError("Create rule")
    LOG.debug(_('Create cascaded rule, Response:%s'), str(response))
    cascaded_rule_name = self._get_cascaded_rule_name(rule['id'])
    self.firewall_rules_map[cascaded_rule_name] = created
def _create_cascaded_firewall(self, ctx, fw):
    """Create the cascaded firewall backing a cascading firewall.

    The cascaded policy id is resolved from the cascading firewall's
    ``firewall_policy_id`` via ``_get_cascaded_policy_info``, a create
    request is built with ``get_firewall_req`` and sent through
    ``csd_client``. Only the response is checked; nothing is returned.

    :param ctx: request context; not used by this method itself.
    :param fw: cascading-side firewall dict; ``firewall_policy_id`` is read.
    :raises fw_ext.FirewallInternalDriverError: if the cascaded side
        returns no response or a response without a ``firewall`` body.
    """
    cascaded_policy = self._get_cascaded_policy_info(fw['firewall_policy_id'])
    firewall_req = self.get_firewall_req(fw, cascaded_policy['id'])
    response = self.csd_client('create_firewall', firewall_req)
    # An empty response and a response without a firewall body both fail.
    created = response.get('firewall') if response else None
    if not created:
        LOG.error(
            _("cascaded firewall created failed, cascading firewall id:%s"),
            fw)
        raise fw_ext.FirewallInternalDriverError(
            "Create cascaded firewall")
    LOG.debug(_('Create cascaded fw, Response:%s'), str(response))
def delete_firewall(self, agent_mode, apply_list, firewall):
    """Remove a firewall's chains from every router it was applied on.

    For each router in ``apply_list`` and each iptables manager the agent
    mode yields for it, the firewall's own chains and the default chains
    are removed and the change is flushed with ``defer_apply_off()``.
    Unlike apply_default_policy nothing is installed in their place, so
    after this call the router carries no FWaaS chains at all.

    :param agent_mode: L3 agent mode, handed to _get_ipt_mgrs_with_if_prefix.
    :param apply_list: router_info objects the firewall was applied on.
    :param firewall: firewall dict; ``id`` and ``tenant_id`` are read.
    :raises fw_ext.FirewallInternalDriverError: in place of any
        LookupError / RuntimeError raised by the iptables layer.
    """
    fwid = firewall['id']
    LOG.debug('Deleting firewall %(fw_id)s for tenant %(tid)s)',
              {'fw_id': fwid, 'tid': firewall['tenant_id']})
    try:
        for router_info in apply_list:
            managers = self._get_ipt_mgrs_with_if_prefix(agent_mode,
                                                         router_info)
            for ipt_if_prefix in managers:
                mgr = ipt_if_prefix['ipt']
                self._remove_chains(fwid, mgr)
                self._remove_default_chains(mgr)
                # Flush to the host now; the firewall path does not defer.
                mgr.defer_apply_off()
    except (LookupError, RuntimeError):
        # Known library failures are surfaced as the generic FWaaS error.
        LOG.exception(_LE("Failed to delete firewall: %s"), fwid)
        raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)