    def _setup_firewall(self, ri, fw):
        """Push firewall *fw* and its zone bindings to the router behind *ri*.

        Builds one batch of Vyatta ``SetCmd`` objects: the firewall node
        (plus its description when present), the established/related state
        policy, one numbered rule per enabled IPv4 rule, and finally the
        zone commands that bind the firewall to the router's interfaces.
        The whole batch is sent in a single ``exec_cmd_batch`` call.

        Disabled rules are skipped silently.  IPv6 rules are skipped with a
        warning, so the policy that reaches the device omits them rather than
        failing.  The firewall name and description are passed through
        ``parse.quote_plus`` before being placed in the CLI strings, so only
        URL-safe characters reach the device command.
        """
        client = self._get_vyatta_client(ri.router)
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        quoted_name = parse.quote_plus(fw_name)

        commands = [vyatta_client.SetCmd(FW_NAME.format(quoted_name))]

        description = fw.get('description')
        if description:
            commands.append(vyatta_client.SetCmd(
                FW_DESCRIPTION.format(quoted_name,
                                      parse.quote_plus(description))))

        # State policy: accept established and related traffic.
        commands.extend([
            vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT),
            vyatta_client.SetCmd(FW_RELATED_ACCEPT),
        ])

        # Rule numbers are assigned only to rules that are actually emitted,
        # so they stay contiguous on the device.
        rule_num = 0
        for rule in fw['firewall_rule_list']:
            if not rule['enabled']:
                continue
            if rule['ip_version'] != 4:
                LOG.warning(_LW("IPv6 rules are not supported."))
                continue
            rule_num += 1
            commands.extend(self._set_firewall_rule(fw_name, rule_num, rule))

        # Zone configuration binds the firewall to the router interfaces.
        commands.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
        client.exec_cmd_batch(commands)
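    def _setup_firewall(self, ri, fw):
        """Push firewall *fw* and its zone bindings to the router behind *ri*.

        Builds one batch of Vyatta ``SetCmd`` objects: the firewall node
        (plus its description when present), the established/related state
        policy, one numbered rule per enabled IPv4 rule, and finally the
        zone commands that bind the firewall to the router's interfaces.
        The whole batch is sent in a single ``exec_cmd_batch`` call.

        Disabled rules are skipped silently.  IPv6 rules are skipped with a
        warning, so a policy containing them is applied without them and only
        the log records the omission.  The firewall name and description are
        passed through ``parse.quote_plus`` before being placed in the CLI
        strings, so only URL-safe characters reach the device command.
        """
        client = self._get_vyatta_client(ri.router)

        fw_cmd_list = []

        # Create firewall
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        fw_cmd_list.append(
            vyatta_client.SetCmd(
                FW_NAME.format(parse.quote_plus(fw_name))))

        if fw.get('description'):
            fw_cmd_list.append(vyatta_client.SetCmd(
                FW_DESCRIPTION.format(
                    parse.quote_plus(fw_name),
                    parse.quote_plus(fw['description']))))

        # Set firewall state policy
        fw_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
        fw_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))

        # Create firewall rules; numbering only counts emitted rules so the
        # device-side rule numbers stay contiguous.
        rule_num = 0
        for rule in fw['firewall_rule_list']:
            if not rule['enabled']:
                continue
            if rule['ip_version'] == 4:
                rule_num += 1
                fw_cmd_list += self._set_firewall_rule(fw_name, rule_num, rule)
            else:
                # Logger.warn is a deprecated alias of Logger.warning
                # (removed in recent Python releases); use the real name.
                LOG.warning(_LW("IPv6 rules are not supported."))

        # Configure router zones
        zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, fw_name)
        client.exec_cmd_batch(fw_cmd_list + zone_cmd_list)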
 def process_router(self, ri):
     """Re-apply zone bindings for every firewall attached to *ri*'s router.

     Fetches the tenant's firewalls over RPC, collects the zone commands of
     each firewall whose ``router_ids`` lists this router, and sends them to
     the device as one batch.  Nothing is sent when the tenant has no
     firewalls at all.
     """
     LOG.debug("VyattaFirewallAgent:: process_router() called")
     ctx = context.Context(None, ri.router['tenant_id'])
     client = self._vyatta_clients_pool.get_by_db_lookup(
         ri.router['id'], ctx)

     fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
     if not fw_list:
         return

     zone_cmds = []
     for fw in fw_list:
         if ri.router['id'] not in fw['router_ids']:
             continue
         fw_name = vyatta_utils.get_firewall_name(ri, fw)
         zone_cmds.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
     # NOTE(review): the batch is sent even if no firewall targets this
     # router (zone_cmds empty); whether that is intended is not visible here.
     client.exec_cmd_batch(zone_cmds)
    def test_get_zone_cmds(self):
        """get_zone_cmds() must reset zone-policy, bind both zones to the
        gateway interface and reference the firewall in each direction.

        The interface lookup is stubbed so that every MAC resolves to
        ``eth0``.  The firewall name is URL-quoted in the expected commands,
        mirroring what the code under test is expected to emit.
        """
        fw_name = 'fake_firewall0'
        iface = 'eth0'
        mac = '00:00:00:00:00:00'

        api = mock.NonCallableMock()
        api.get_ethernet_if_id.return_value = iface

        ri = mock.NonCallableMock()
        ri.router = {
            'gw_port': {'mac_address': mac},
            l3_constants.INTERFACE_KEY: [{'mac_address': mac}],
        }

        trusted = vyatta_utils.get_trusted_zone_name(ri)
        untrusted = vyatta_utils.get_untrusted_zone_name(ri)

        actual = vyatta_utils.get_zone_cmds(api, ri, fw_name)

        quoted_fw = parse.quote_plus(fw_name)
        expected = [vyatta_client.DeleteCmd('zone-policy')]
        expected += [
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_INTERFACE_CMD.format(zone, iface))
            for zone in (trusted, untrusted)
        ]
        expected += [
            vyatta_client.SetCmd(
                vyatta_utils.ZONE_FIREWALL_CMD.format(src, dst, quoted_fw))
            for src, dst in ((trusted, untrusted), (untrusted, trusted))
        ]

        self.assertEqual(expected, actual)

        # Both zone interfaces are resolved from the same MAC address.
        api.get_ethernet_if_id.assert_has_calls(
            [mock.call(mac), mock.call(mac)])
    def test_get_zone_cmds(self):
        """Check the exact command sequence emitted by get_zone_cmds().

        Expected order: delete ``zone-policy``, attach the trusted and then
        the untrusted zone to the (stubbed) ``eth0`` interface, then set the
        firewall on the trusted->untrusted and untrusted->trusted edges using
        the URL-quoted firewall name.
        """
        firewall_name = 'fake_firewall0'
        eth_iface = 'eth0'
        mac_address = '00:00:00:00:00:00'

        fake_api = mock.NonCallableMock()
        fake_api.get_ethernet_if_id.return_value = eth_iface

        fake_apply_rule = mock.NonCallableMock()
        fake_apply_rule.router = {
            'gw_port': {'mac_address': mac_address},
            l3_constants.INTERFACE_KEY: [{'mac_address': mac_address}],
        }

        trusted = vyatta_utils.get_trusted_zone_name(fake_apply_rule)
        untrusted = vyatta_utils.get_untrusted_zone_name(fake_apply_rule)

        def iface_cmd(zone):
            return vyatta_client.SetCmd(
                vyatta_utils.ZONE_INTERFACE_CMD.format(zone, eth_iface))

        def fw_cmd(src_zone, dst_zone):
            return vyatta_client.SetCmd(
                vyatta_utils.ZONE_FIREWALL_CMD.format(
                    src_zone, dst_zone, parse.quote_plus(firewall_name)))

        cmds_actual = vyatta_utils.get_zone_cmds(
            fake_api, fake_apply_rule, firewall_name)

        cmds_expect = [
            vyatta_client.DeleteCmd('zone-policy'),
            iface_cmd(trusted),
            iface_cmd(untrusted),
            fw_cmd(trusted, untrusted),
            fw_cmd(untrusted, trusted),
        ]
        self.assertEqual(cmds_expect, cmds_actual)

        # One interface lookup per zone, both keyed by the same MAC.
        fake_api.get_ethernet_if_id.assert_has_calls([
            mock.call(mac_address),
            mock.call(mac_address),
        ])
def sync_firewall_zones(resource, event, l3_agent, **kwargs):
    """Callback: re-apply firewall zone bindings for the router in *kwargs*.

    ``resource`` and ``event`` describe the notification and are not
    inspected here; the router info object is read from ``kwargs['router']``.
    Every firewall of the router's tenant whose ``router_ids`` contains this
    router contributes its zone commands, and they are sent to the device in
    one batch.  Nothing is sent when the tenant has no firewalls.
    """
    LOG.debug('VyattaFirewallService:: sync_firewall_zones() called')

    ri = kwargs['router']
    ctx = context.Context(None, ri.router['tenant_id'])
    router_id = ri.router['id']
    client = l3_agent._vyatta_clients_pool.get_by_db_lookup(router_id, ctx)

    fw_list = l3_agent.fwplugin_rpc.get_firewalls_for_tenant(ctx)
    if not fw_list:
        return

    zone_cmds = []
    for fw in fw_list:
        if router_id not in fw['router_ids']:
            continue
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        zone_cmds.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
    client.exec_cmd_batch(zone_cmds)
def sync_firewall_zones(resource, event, l3_agent, **kwargs):
    """Re-sync zone-policy on a router after a router event.

    The router info object arrives as ``kwargs['router']``; ``resource`` and
    ``event`` are accepted for the callback signature only.  The tenant's
    firewalls are fetched over RPC, the zone commands of those attached to
    this router are concatenated, and the result is applied as a single
    batch.  When the tenant has no firewalls the function returns without
    talking to the device.
    """
    LOG.debug('VyattaFirewallService:: sync_firewall_zones() called')

    ri = kwargs['router']
    router = ri.router

    ctx = context.Context(None, router['tenant_id'])
    client = l3_agent._vyatta_clients_pool.get_by_db_lookup(router['id'], ctx)

    fw_list = l3_agent.fwplugin_rpc.get_firewalls_for_tenant(ctx)
    if fw_list:
        attached = (fw for fw in fw_list if router['id'] in fw['router_ids'])
        zone_cmds = [
            cmd
            for fw in attached
            for cmd in vyatta_utils.get_zone_cmds(
                client, ri, vyatta_utils.get_firewall_name(ri, fw))
        ]
        client.exec_cmd_batch(zone_cmds)