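def create_firewall_rule_allow_all(cls, rule_name, labels_dict, src_labels_dict=None):
    """Create (or refresh) a firewall rule that passes all traffic to *labels_dict*.

    The rule is parented under the policy-management object that owns the
    cluster Application Policy Set. It uses the protocol and port range from
    ``FWDefaultProtoPort`` with a ``PASS`` action, so whatever that default
    covers is allowed between the two endpoints without further restriction.

    Args:
        rule_name: Name of the firewall rule object.
        labels_dict: Labels turned into the tags of endpoint_2 via
            ``VncSecurityPolicy.get_tags_fn``.
        src_labels_dict: Optional labels for endpoint_1. When omitted (or
            empty), ``FWRuleEndpoint.get`` is called with ``None`` — presumably
            an unrestricted endpoint; confirm in FWRuleEndpoint.

    Returns:
        The UUID of the created or updated firewall rule.

    Raises:
        Exception: If the cluster Application Policy Set UUID is not set.
        NoIdError: Propagated from ``policy_management_read`` when the parent
            policy-management object cannot be found.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # The parent of the cluster APS is the policy-management object under
    # which every firewall rule is created. NoIdError propagates unchanged.
    aps_obj = cls.vnc_lib.application_policy_set_read(id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    tags = VncSecurityPolicy.get_tags_fn(labels_dict, True)
    src_tags = (VncSecurityPolicy.get_tags_fn(src_labels_dict, True)
                if src_labels_dict else None)

    ep1 = FWRuleEndpoint.get(src_tags)
    ep2 = FWRuleEndpoint.get(tags)
    # Default protocol/port range; with the PASS action this is the
    # "allow everything the default covers" rule between ep1 and ep2.
    service = FWService.get(
        FWDefaultProtoPort.PROTOCOL.value,
        dst_start_port=FWDefaultProtoPort.START_PORT.value,
        dst_end_port=FWDefaultProtoPort.END_PORT.value)

    rule = FirewallRule(
        name='%s' % rule_name,
        parent_obj=pm_obj,
        action_list=FWSimpleAction.PASS.value,
        service=service,
        endpoint_1=ep1,
        endpoint_2=ep2,
        direction=FWDirection.TO.value)

    try:
        rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
    except RefsExistError:
        # A rule with this name already exists: bring it in line with the
        # requested contents instead of failing.
        cls.vnc_lib.firewall_rule_update(rule)
        rule_uuid = rule.get_uuid()

    # The read result was never used (dropped the dead local); the call is
    # kept because it presumably fails loudly if the rule is missing —
    # confirm against vnc_api before removing it.
    cls.vnc_lib.firewall_rule_read(id=rule_uuid)
    FirewallRuleKM.locate(rule_uuid)
    return rule_uuid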
def create_firewall_rule_egress_deny_all(cls, name, namespace, tags):
    """Create (or refresh) the egress ``default-deny-all`` rule for a policy.

    The rule is named ``<FWRule.get_egress_rule_name(name, namespace)>-default-deny-all``,
    is parented under the policy-management object that owns the cluster
    Application Policy Set, has endpoint_1 built from *tags* and an endpoint_2
    built with no tags (``FWRuleEndpoint.get()``), covers the protocol/port
    range from ``FWDefaultProtoPort`` and carries a ``DENY`` action.

    Args:
        name: Network policy name.
        namespace: Namespace of the network policy.
        tags: Tags for the source endpoint (endpoint_1).

    Returns:
        The UUID of the created or updated firewall rule.

    Raises:
        Exception: If the cluster Application Policy Set UUID is not set.
        NoIdError: Propagated from ``policy_management_read`` when the parent
            policy-management object cannot be found.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # Resolve the policy-management parent through the cluster APS; a
    # NoIdError from the read is propagated untouched.
    aps_obj = cls.vnc_lib.application_policy_set_read(id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    egress_name = FWRule.get_egress_rule_name(name, namespace)
    rule_name = "-".join([egress_name, "default-deny-all"])

    src_ep = FWRuleEndpoint.get(tags)
    any_ep = FWRuleEndpoint.get()
    service = FWService.get(
        FWDefaultProtoPort.PROTOCOL.value,
        dst_start_port=FWDefaultProtoPort.START_PORT.value,
        dst_end_port=FWDefaultProtoPort.END_PORT.value)

    rule = FirewallRule(
        name='%s' % rule_name,
        parent_obj=pm_obj,
        action_list=FWSimpleAction.DENY.value,
        service=service,
        endpoint_1=src_ep,
        endpoint_2=any_ep,
        direction=FWDirection.TO.value)

    try:
        rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
    except RefsExistError:
        # Already present: update it to the requested contents instead.
        cls.vnc_lib.firewall_rule_update(rule)
        rule_uuid = rule.get_uuid()

    FirewallRuleKM.locate(rule_uuid)
    return rule_uuid
def get_firewall_rule_uuid(cls, rule_name):
    """Resolve a firewall rule name to its UUID through the KM caches.

    The rule's fq_name is the fq_name of the policy-management object that
    parents the cluster Application Policy Set, followed by *rule_name*; the
    APS and policy-management objects are obtained with the ``locate``
    methods of ``ApplicationPolicySetKM`` and ``PolicyManagementKM``.

    Args:
        rule_name: Leaf name of the firewall rule.

    Returns:
        Whatever ``FirewallRuleKM.get_fq_name_to_uuid`` returns for that
        fq_name (presumably the UUID, or None when unknown — confirm in
        FirewallRuleKM).

    Raises:
        Exception: If the cluster Application Policy Set UUID is not set.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")
    aps_km = ApplicationPolicySetKM.locate(cls.cluster_aps_uuid)
    pm_km = PolicyManagementKM.locate(aps_km.parent_uuid)
    return FirewallRuleKM.get_fq_name_to_uuid(pm_km.fq_name + [rule_name])
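def create_firewall_policy(cls, name, namespace, spec, tag_last=False,
                           is_global=False, k8s_uuid=None):
    """Create or reconcile the firewall policy backing a network policy.

    The policy is parented under the policy-management object that owns the
    cluster Application Policy Set. If a policy of the same name already
    exists and its annotated spec equals ``json.dumps(spec)``, nothing is
    changed and its UUID is returned. Otherwise the rules produced by
    ``FWRule.parser`` are created (or updated when they already exist) and
    attached with sequence numbers from ``construct_sequence_number``; when
    the policy already existed, rules the new spec no longer produces are
    removed through ``delete_firewall_rule`` before the policy is updated.

    Args:
        name: Network policy name.
        namespace: Namespace of the network policy.
        spec: Network policy spec; ``None`` yields a policy without rules.
            Its JSON form is stored as an annotation for change detection.
        tag_last: When true, annotate the policy with ``tail="True"``,
            marking it for the end of the APS's policy list.
        is_global: Forwarded to ``get_firewall_policy_name`` and
            ``get_firewall_policy_uuid``.
        k8s_uuid: UUID of the Kubernetes object, stored as an annotation.

    Returns:
        The UUID of the created, updated or unchanged firewall policy.

    Raises:
        Exception: If the cluster Application Policy Set UUID is not set.
        NoIdError: Propagated when the parent policy-management object
            cannot be read.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # Parent of the cluster APS = the policy-management object that owns
    # this firewall policy. NoIdError propagates unchanged.
    aps_obj = cls.vnc_lib.application_policy_set_read(id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    fw_policy_obj = FirewallPolicy(
        cls.get_firewall_policy_name(name, namespace, is_global), pm_obj)
    custom_ann_kwargs = {'k8s_uuid': k8s_uuid}

    # Rules attached to an already existing policy. Every one of them is a
    # delete candidate until the new spec proves it is still needed.
    fw_rules_del_candidates = set()
    fw_policy_uuid = VncSecurityPolicy.get_firewall_policy_uuid(
        name, namespace, is_global)
    if fw_policy_uuid:
        curr_fw_policy = FirewallPolicyKM.locate(fw_policy_uuid)
        if curr_fw_policy and curr_fw_policy.spec:
            if curr_fw_policy.spec == json.dumps(spec):
                # Spec unchanged: nothing to reconcile.
                return fw_policy_uuid
            # Work on a copy: the original assigned the cached object's own
            # set and then removed entries from it, silently editing the
            # FirewallPolicyKM cache. A None attribute yields an empty set.
            fw_rules_del_candidates = set(curr_fw_policy.firewall_rules or ())

    # The spec annotation is what the comparison above reads on later modify
    # or add (e.g. post-restart) events.
    custom_ann_kwargs['spec'] = json.dumps(spec)
    if tag_last:
        custom_ann_kwargs['tail'] = "True"

    fw_rules = []
    deny_all_rule_uuid = None
    egress_deny_all_rule_uuid = None
    if spec is not None:
        fw_rules, deny_all_rule_uuid, egress_deny_all_rule_uuid = \
            FWRule.parser(name, namespace, pm_obj, spec)

    # enumerate() gives each rule its own position; the former
    # fw_rules.index(rule) was quadratic and returned the first equal
    # element, so two equal rule objects shared a sequence number.
    for position, rule in enumerate(fw_rules):
        try:
            rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
        except RefsExistError:
            cls.vnc_lib.firewall_rule_update(rule)
            rule_uuid = rule.get_uuid()
        # Still in use: it must survive the stale-rule cleanup below.
        fw_rules_del_candidates.discard(rule_uuid)
        rule_obj = cls.vnc_lib.firewall_rule_read(id=rule_uuid)
        FirewallRuleKM.locate(rule_uuid)
        fw_policy_obj.add_firewall_rule(
            rule_obj, cls.construct_sequence_number(position))

    # Deny-all rules are attached to the shared deny-all policy, not to this
    # one; their UUIDs are annotated here, presumably so later events can
    # find them again.
    if deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid, deny_all_rule_uuid)
        custom_ann_kwargs['deny_all_rule_uuid'] = deny_all_rule_uuid
    if egress_deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid,
            egress_deny_all_rule_uuid)
        custom_ann_kwargs['egress_deny_all_rule_uuid'] = \
            egress_deny_all_rule_uuid

    FirewallPolicyKM.add_annotations(
        VncSecurityPolicy.vnc_security_policy_instance, fw_policy_obj,
        namespace, name, None, **custom_ann_kwargs)

    try:
        fw_policy_uuid = cls.vnc_lib.firewall_policy_create(fw_policy_obj)
    except RefsExistError:
        # The policy exists: delete the rules the new spec no longer produces
        # so no stale allow/deny rule lingers, then push the new rule set.
        for stale_rule_uuid in fw_rules_del_candidates:
            cls.delete_firewall_rule(fw_policy_uuid, stale_rule_uuid)
        cls.vnc_lib.firewall_policy_update(fw_policy_obj)
        fw_policy_uuid = fw_policy_obj.get_uuid()

    # Read-back result was unused; the call is kept as in the original.
    cls.vnc_lib.firewall_policy_read(id=fw_policy_uuid)
    FirewallPolicyKM.locate(fw_policy_uuid)
    return fw_policy_uuid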
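def create_firewall_policy(cls, name, namespace, spec, tag_last=False,
                           is_global=False):
    """Create or update the firewall policy backing a network policy.

    The policy is parented under the policy-management object that owns the
    cluster Application Policy Set. The rules produced by ``FWRule.parser``
    are created (or updated when they already exist) and attached with
    sequence numbers from ``construct_sequence_number``. This variant does
    not compare against an existing spec and never deletes rules that are
    already attached to an existing policy.

    Args:
        name: Network policy name.
        namespace: Namespace of the network policy.
        spec: Network policy spec; ``None`` yields a policy without rules.
        tag_last: When true, annotate the policy with ``tail="True"``.
        is_global: Forwarded to ``get_firewall_policy_name``.

    Returns:
        The UUID of the created or updated firewall policy.

    Raises:
        Exception: If the cluster Application Policy Set UUID is not set.
        NoIdError: Propagated when the parent policy-management object
            cannot be read.
    """
    if not cls.cluster_aps_uuid:
        raise Exception("Cluster Application Policy Set not available.")

    # Parent of the cluster APS = the policy-management object that owns
    # this firewall policy. NoIdError propagates unchanged.
    aps_obj = cls.vnc_lib.application_policy_set_read(id=cls.cluster_aps_uuid)
    pm_obj = cls.vnc_lib.policy_management_read(
        fq_name=aps_obj.get_parent_fq_name())

    fw_policy_obj = FirewallPolicy(
        cls.get_firewall_policy_name(name, namespace, is_global), pm_obj)
    custom_ann_kwargs = {}
    if tag_last:
        custom_ann_kwargs['tail'] = "True"

    fw_rules = []
    deny_all_rule_uuid = None
    if spec is not None:
        fw_rules, deny_all_rule_uuid = FWRule.parser(
            name, namespace, pm_obj, spec)

    # enumerate() gives each rule its own position; the former
    # fw_rules.index(rule) was quadratic and returned the first equal
    # element, so two equal rule objects shared a sequence number.
    for position, rule in enumerate(fw_rules):
        try:
            rule_uuid = cls.vnc_lib.firewall_rule_create(rule)
        except RefsExistError:
            cls.vnc_lib.firewall_rule_update(rule)
            rule_uuid = rule.get_uuid()
        rule_obj = cls.vnc_lib.firewall_rule_read(id=rule_uuid)
        FirewallRuleKM.locate(rule_uuid)
        fw_policy_obj.add_firewall_rule(
            rule_obj, cls.construct_sequence_number(position))

    # The deny-all rule is attached to the shared deny-all policy, not to
    # this one; its UUID is recorded as an annotation.
    if deny_all_rule_uuid:
        VncSecurityPolicy.add_firewall_rule(
            VncSecurityPolicy.deny_all_fw_policy_uuid, deny_all_rule_uuid)
        custom_ann_kwargs['deny_all_rule_uuid'] = deny_all_rule_uuid

    FirewallPolicyKM.add_annotations(
        VncSecurityPolicy.vnc_security_policy_instance, fw_policy_obj,
        namespace, name, None, **custom_ann_kwargs)

    try:
        fw_policy_uuid = cls.vnc_lib.firewall_policy_create(fw_policy_obj)
    except RefsExistError:
        # Policy exists: update it in place. Rules already attached to it
        # are left alone here.
        cls.vnc_lib.firewall_policy_update(fw_policy_obj)
        fw_policy_uuid = fw_policy_obj.get_uuid()

    # Read-back result was unused; the call is kept as in the original.
    cls.vnc_lib.firewall_policy_read(id=fw_policy_uuid)
    FirewallPolicyKM.locate(fw_policy_uuid)
    return fw_policy_uuid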