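    def create_cascaded_policy_with_rules(self, ctx, cascading_policy_id,
                                          rules_id):
        """Create the cascaded firewall policy mirroring a cascading policy.

        Every cascading rule id in ``rules_id`` is resolved to the id of its
        cascaded counterpart through ``self.firewall_rules_map``; the
        resulting id list and the cascading policy info are turned into a
        request and sent as ``create_firewall_policy`` to the cascaded client.

        :param ctx: request context, forwarded to list_cascading_policy_by_id
        :param cascading_policy_id: id of the cascading policy being mirrored
        :param rules_id: iterable of cascading rule ids, in policy order
        :returns: the raw response of the cascaded client
        :raises fw_ext.FirewallInternalDriverError: when a rule id has no
            cascaded counterpart in ``firewall_rules_map``, or when the
            cascaded client returns no ``firewall_policy``
        """
        LOG.debug(_("firewall_rules_map:%s"), self.firewall_rules_map)

        rules_id_list = []
        for rule_id in rules_id:
            rule_name = self._get_cascaded_rule_name(rule_id)
            cascaded_rule = self.firewall_rules_map.get(rule_name)
            if not cascaded_rule:
                # An unmapped rule used to surface as ``None['id']``
                # (TypeError); report it as the driver error callers expect
                # so the policy is never created with a silently shorter
                # rule list.
                LOG.error(_("cascaded rule not found for cascading rule "
                            "id:%s"), rule_id)
                raise fw_ext.FirewallInternalDriverError(
                    "Create cascaded policy")
            rules_id_list.append(cascaded_rule['id'])

        fwp_info = self.list_cascading_policy_by_id(ctx, cascading_policy_id)
        policy_req = self.get_policy_req(fwp_info, rules_id_list)

        policy_ret = self.csd_client('create_firewall_policy', policy_req)
        # ``not A or (A and not B)`` is just ``not A or not B``.
        if not policy_ret or not policy_ret.get('firewall_policy'):
            # The message announces a policy id, so log the id rather than
            # the whole cascading policy dict.
            LOG.error(
                _("cascaded firewall policy created failed, "
                  "cascading policy id:%s"), cascading_policy_id)
            raise fw_ext.FirewallInternalDriverError("Create cascaded policy")

        LOG.debug(_('Create cascaded policy with rules, Response:%s'),
                  str(policy_ret))

        return policy_ret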
    def apply_default_policy(self, agent_mode, apply_list, firewall):
        """Replace a firewall's chains with the default policy chain.

        For each iptables manager that ``_get_ipt_mgrs_with_if_prefix``
        yields for a router in ``apply_list``, the firewall's own chains and
        the current default chains are removed, the default policy chain
        (described in-code as 'DROP ALL') is re-created and enabled for the
        firewall, and the change is pushed without deferral.

        :param agent_mode: forwarded to _get_ipt_mgrs_with_if_prefix
        :param apply_list: router_info objects whose iptables state is rewritten
        :param firewall: firewall dict; only 'id' and 'tenant_id' are read
        :raises fw_ext.FirewallInternalDriverError: on LookupError or
            RuntimeError from the iptables layer (logged with traceback first)
        """
        fw_id = firewall['id']
        LOG.debug('Applying firewall %(fw_id)s for tenant %(tid)s)',
                  {'fw_id': fw_id, 'tid': firewall['tenant_id']})
        try:
            for router_info in apply_list:
                managers = self._get_ipt_mgrs_with_if_prefix(agent_mode,
                                                             router_info)
                for entry in managers:
                    manager = entry['ipt']
                    # Removal only edits local state; nothing reaches the
                    # kernel until the apply below, so there is no window
                    # without a firewall.
                    self._remove_chains(fw_id, manager)
                    self._remove_default_chains(manager)

                    # Re-create the default 'DROP ALL' chain and wire it in.
                    self._add_default_policy_chain_v4v6(manager)
                    self._enable_policy_chain(fw_id, entry)

                    # Push immediately: the firewall path does not defer.
                    manager.defer_apply_off()
        except (LookupError, RuntimeError):
            # Known library errors become the generic FWaaS driver error.
            LOG.exception(
                _LE("Failed to apply default policy on firewall: %s"), fw_id)
            raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
    def apply_default_policy(self, apply_list, firewall):
        """Replace a firewall's chains with the default policy chain.

        On each router's ``iptables_manager`` the firewall's chains and the
        current default chains are removed, the default policy chain
        (described in-code as 'DROP ALL') is re-created and enabled, and the
        manager's changes are applied.

        :param apply_list: router_info objects exposing ``iptables_manager``
        :param firewall: firewall dict; only 'id' and 'tenant_id' are read
        :raises fw_ext.FirewallInternalDriverError: on LookupError or
            RuntimeError from the iptables layer (logged with traceback first)
        """
        fw_id = firewall['id']
        LOG.debug(_('Applying firewall %(fw_id)s for tenant %(tid)s)'),
                  {'fw_id': fw_id, 'tid': firewall['tenant_id']})
        try:
            for router_info in apply_list:
                manager = router_info.iptables_manager

                # Removal only edits local state; nothing reaches the kernel
                # until apply(), so there is no window without a firewall.
                self._remove_chains(fw_id, manager)
                self._remove_default_chains(manager)

                # Re-create the default 'DROP ALL' chain and wire it in.
                self._add_default_policy_chain_v4v6(manager)
                self._enable_policy_chain(fw_id, manager)

                # Commit the new chain set.
                manager.apply()
        except (LookupError, RuntimeError):
            # Known library errors become the generic FWaaS driver error.
            LOG.exception(_("Failed to apply default policy on firewall: %s"),
                          fw_id)
            raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
    def create_firewall(self, agent_mode, apply_list, firewall):
        """Create a firewall by flagging it created and running an update.

        :param agent_mode: forwarded unchanged to update_firewall
        :param apply_list: forwarded unchanged to update_firewall
        :param firewall: firewall dict; mutated in place (``'created'`` is set
            to True) before the update is run
        :returns: whatever update_firewall returned, when truthy
        :raises fw_ext.FirewallInternalDriverError: when update_firewall
            returns a falsy result
        """
        LOG.debug(_('ngfw create_firewall (%s)'), firewall)

        firewall['created'] = True
        result = self.update_firewall(agent_mode, apply_list, firewall)
        if result:
            return result

        LOG.error(_('create_firewall raise FirewallInternalDriverError'))
        raise fw_ext.FirewallInternalDriverError()
    def delete_firewall(self, agent_mode, apply_list, firewall):
        """Delete a firewall by flagging it deleted and applying the default policy.

        :param agent_mode: forwarded unchanged to apply_default_policy
        :param apply_list: forwarded unchanged to apply_default_policy
        :param firewall: firewall dict; mutated in place (``'deleted'`` is set
            to True) before the default policy is applied
        :returns: whatever apply_default_policy returned, when truthy
        :raises fw_ext.FirewallInternalDriverError: when apply_default_policy
            returns a falsy result
        """
        LOG.debug(_("ngfw delete_firewall (%s)"), firewall)

        firewall['deleted'] = True
        result = self.apply_default_policy(agent_mode, apply_list, firewall)
        if result:
            return result

        LOG.error(_('delete_firewall raise FirewallInternalDriverError'))
        raise fw_ext.FirewallInternalDriverError()
 def update_firewall(self, apply_list, firewall):
     """Re-apply a firewall according to its administrative state.

     An administratively-up firewall is (re)installed via _setup_firewall;
     an administratively-down one falls back to apply_default_policy.

     :param apply_list: router_info objects the firewall applies to
     :param firewall: firewall dict; 'id', 'tenant_id' and 'admin_state_up'
         are read
     :raises fw_ext.FirewallInternalDriverError: on LookupError or
         RuntimeError (including a missing 'admin_state_up' key, since the
         lookup happens inside the guarded block), logged with traceback
     """
     LOG.debug(_('Updating firewall %(fw_id)s for tenant %(tid)s)'),
               {'fw_id': firewall['id'], 'tid': firewall['tenant_id']})
     try:
         if not firewall['admin_state_up']:
             self.apply_default_policy(apply_list, firewall)
         else:
             self._setup_firewall(apply_list, firewall)
     except (LookupError, RuntimeError):
         # Known library errors become the generic FWaaS driver error.
         LOG.exception(_("Failed to update firewall: %s"), firewall['id'])
         raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
 def delete_firewall(self, apply_list, firewall):
     """Remove a firewall's chains and the default chains from every router.

     Unlike apply_default_policy, no replacement default chain is installed
     here; the managers are applied with the chains simply removed.

     :param apply_list: router_info objects exposing ``iptables_manager``
     :param firewall: firewall dict; only 'id' and 'tenant_id' are read
     :raises fw_ext.FirewallInternalDriverError: on LookupError or
         RuntimeError from the iptables layer (logged with traceback first)
     """
     fw_id = firewall['id']
     LOG.debug(_('Deleting firewall %(fw_id)s for tenant %(tid)s)'),
               {'fw_id': fw_id, 'tid': firewall['tenant_id']})
     try:
         for router_info in apply_list:
             manager = router_info.iptables_manager
             self._remove_chains(fw_id, manager)
             self._remove_default_chains(manager)
             manager.apply()
     except (LookupError, RuntimeError):
         # Known library errors become the generic FWaaS driver error.
         LOG.exception(_("Failed to delete firewall: %s"), fw_id)
         raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)
    def update_firewall(self, agent_mode, apply_list, firewall):
        """Update a firewall according to its administrative state.

        Administratively-up firewalls go through _update_firewall; down ones
        get the default policy via apply_default_policy.

        :param agent_mode: forwarded to apply_default_policy only
        :param apply_list: router set the firewall applies to
        :param firewall: firewall dict; 'admin_state_up' is read
        :returns: the truthy result of the chosen operation
        :raises fw_ext.FirewallInternalDriverError: when the chosen operation
            returns a falsy result
        """
        LOG.debug(_("ngfw update_firewall (%s)"), firewall)

        if not firewall['admin_state_up']:
            result = self.apply_default_policy(agent_mode, apply_list,
                                               firewall)
        else:
            result = self._update_firewall(apply_list, firewall)

        if result:
            return result

        LOG.error(_('update_firewall raise FirewallInternalDriverError'))
        raise fw_ext.FirewallInternalDriverError()
    def create_cascaded_rule(self, rule):
        """Create the cascaded counterpart of a cascading firewall rule.

        Sends ``create_firewall_rule`` to the cascaded client and stores the
        returned ``firewall_rule`` in ``self.firewall_rules_map`` under the
        cascaded rule name derived from ``rule['id']``.

        :param rule: cascading rule dict; passed to get_rule_req and read
            for 'id'
        :returns: None
        :raises fw_ext.FirewallInternalDriverError: when the cascaded client
            returns no ``firewall_rule``
        """
        response = self.csd_client('create_firewall_rule',
                                   self.get_rule_req(rule))
        # ``not A or (A and not B)`` is just ``not A or not B``.
        if not response or not response.get('firewall_rule'):
            LOG.error(
                _("cascaded firewall rule created failed, "
                  "cascading rule id:%s"), rule)
            raise fw_ext.FirewallInternalDriverError("Create rule")

        LOG.debug(_('Create cascaded rule, Response:%s'), str(response))

        # Remember the mapping so policies can resolve cascaded rule ids.
        name = self._get_cascaded_rule_name(rule['id'])
        self.firewall_rules_map[name] = response.get('firewall_rule')
    def _create_cascaded_firewall(self, ctx, fw):
        """Create the cascaded firewall for a cascading firewall.

        The cascading policy id is mapped to its cascaded policy through
        _get_cascaded_policy_info, a request is built with get_firewall_req
        and sent as ``create_firewall`` to the cascaded client.

        :param ctx: request context (accepted but not used in this body)
        :param fw: cascading firewall dict; 'firewall_policy_id' is read
        :returns: None
        :raises fw_ext.FirewallInternalDriverError: when the cascaded client
            returns no ``firewall``
        """
        cascaded_policy = self._get_cascaded_policy_info(
            fw['firewall_policy_id'])
        request = self.get_firewall_req(fw, cascaded_policy['id'])

        response = self.csd_client('create_firewall', request)

        # ``not A or (A and not B)`` is just ``not A or not B``.
        if not response or not response.get('firewall'):
            LOG.error(
                _("cascaded firewall created failed, "
                  "cascading firewall id:%s"), fw)
            raise fw_ext.FirewallInternalDriverError(
                "Create cascaded firewall")

        LOG.debug(_('Create cascaded fw, Response:%s'), str(response))
 def delete_firewall(self, agent_mode, apply_list, firewall):
     """Remove a firewall's chains and the default chains from every manager.

     For each iptables manager that ``_get_ipt_mgrs_with_if_prefix`` yields
     for a router in ``apply_list``, the firewall's chains and the default
     chains are removed and the change is pushed without deferral. No
     replacement default chain is installed here.

     :param agent_mode: forwarded to _get_ipt_mgrs_with_if_prefix
     :param apply_list: router_info objects whose iptables state is rewritten
     :param firewall: firewall dict; only 'id' and 'tenant_id' are read
     :raises fw_ext.FirewallInternalDriverError: on LookupError or
         RuntimeError from the iptables layer (logged with traceback first)
     """
     fw_id = firewall['id']
     LOG.debug('Deleting firewall %(fw_id)s for tenant %(tid)s)',
               {'fw_id': fw_id, 'tid': firewall['tenant_id']})
     try:
         for router_info in apply_list:
             managers = self._get_ipt_mgrs_with_if_prefix(agent_mode,
                                                          router_info)
             for entry in managers:
                 manager = entry['ipt']
                 self._remove_chains(fw_id, manager)
                 self._remove_default_chains(manager)
                 # Push immediately: the firewall path does not defer.
                 manager.defer_apply_off()
     except (LookupError, RuntimeError):
         # Known library errors become the generic FWaaS driver error.
         LOG.exception(_LE("Failed to delete firewall: %s"), fw_id)
         raise fw_ext.FirewallInternalDriverError(driver=FWAAS_DRIVER_NAME)