def update_firewall(self, context, id, firewall):
     with self.db_lock_by_firewall(context, id):
         if firewall['firewall'].get('firewall_policy_id'):
             self._lock_policy(context.session,
                               firewall['firewall']['firewall_policy_id'])
         original_fw = self.get_firewall(context, id)
         original_l3domains = self.l3domain_ids_by_policy_id(
             context, original_fw['firewall_policy_id'])
         updated_fw = super(NuageFWaaSPlugin, self).update_firewall(
             context, id, firewall)
         policy_updated = (original_fw['firewall_policy_id'] !=
                           updated_fw['firewall_policy_id'])
         with utils.rollback() as on_exc:
             if policy_updated:
                 self.nuageclient.update_firewall(self.enterprise_id,
                                                  original_fw,
                                                  [])
                 on_exc(self.nuageclient.update_firewall,
                        self.enterprise_id, original_fw, original_l3domains)
             l3domain_ids = self.l3domain_ids_by_policy_id(
                 context, updated_fw['firewall_policy_id'])
             self.nuageclient.update_firewall(
                 self.enterprise_id, updated_fw, l3domain_ids)
             self._update_firewall_status(context, updated_fw)
             return updated_fw
Пример #2
0
 def update_firewall(self, context, id, firewall):
     with self.db_lock_by_firewall(context, id):
         if firewall['firewall'].get('firewall_policy_id'):
             self._lock_policy(context.session,
                               firewall['firewall']['firewall_policy_id'])
         original_fw = self.get_firewall(context, id)
         original_l3domains = self.l3domain_ids_by_policy_id(
             context, original_fw['firewall_policy_id'])
         updated_fw = super(NuageFWaaSPlugin,
                            self).update_firewall(context, id, firewall)
         policy_updated = (original_fw['firewall_policy_id'] !=
                           updated_fw['firewall_policy_id'])
         with utils.rollback() as on_exc:
             if policy_updated:
                 l3domains_ids_old_policy = self.l3domain_ids_by_policy_id(
                     context, original_fw['firewall_policy_id'])
                 self.vsdclient.update_firewall(self.enterprise_id,
                                                original_fw,
                                                l3domains_ids_old_policy)
                 on_exc(self.vsdclient.update_firewall, self.enterprise_id,
                        original_fw, original_l3domains)
             l3domains_ids_new_policy = self.l3domain_ids_by_policy_id(
                 context, updated_fw['firewall_policy_id'])
             self.vsdclient.update_firewall(self.enterprise_id, updated_fw,
                                            l3domains_ids_new_policy)
             self._update_firewall_status(context, updated_fw)
             return updated_fw
Пример #3
0
    def _create_policygroup(self, context, security_group_id, vsd_subnet):
        security_group = self.core_plugin.get_security_group(
            context, security_group_id)
        # pop rules, make empty policygroup first
        security_group_rules = security_group.pop('security_group_rules')
        try:
            policy_group = self.vsdclient.create_security_group(
                vsd_subnet, security_group)
        except restproxy.RESTProxyError as e:
            if e.vsd_code == restproxy.REST_PG_EXISTS_ERR_CODE:
                # PG is being concurrently created
                external_id = cms_id_helper.get_vsd_external_id(
                    security_group_id)
                policygroups = self.get_policygroups(external_id, vsd_subnet)
                return policygroups[0]
            else:
                raise
        # Before creating rules, we might have to make other policygroups first
        # if the rule uses remote_group_id to have rule related to other PG.
        with nuage_utils.rollback() as on_exc:
            on_exc(self.vsdclient.delete_nuage_policy_group,
                   policy_group['ID'])
            remote_sg_ids = []
            for rule in security_group_rules:
                remote_sg_id = rule.get('remote_group_id')
                if remote_sg_id and remote_sg_id not in remote_sg_ids:
                    remote_sg_ids.append(remote_sg_id)
                    self._find_or_create_policygroup(context, remote_sg_id,
                                                     vsd_subnet)

            self.vsdclient.create_security_group_rules(policy_group,
                                                       security_group_rules)
        return policy_group
Пример #4
0
 def _enable_rule(self, context, fw_rule):
     with utils.rollback() as on_exc:
         vsd_rule = self.vsdclient.create_firewall_rule(
             self.enterprise_id, fw_rule)
         on_exc(self.vsdclient.delete_vsd_firewallrule, vsd_rule['ID'])
         if fw_rule['firewall_policy_id']:
             self._update_policy_rules(context,
                                       fw_rule['firewall_policy_id'])
 def _enable_rule(self, context, fw_rule):
     with utils.rollback() as on_exc:
         vsd_rule = self.nuageclient.create_firewall_rule(
             self.enterprise_id, fw_rule)
         on_exc(self.nuageclient.delete_vsd_firewallrule, vsd_rule['ID'])
         if fw_rule['firewall_policy_id']:
             self._update_policy_rules(context,
                                       fw_rule['firewall_policy_id'])
Пример #6
0
 def _disable_rule(self, context, fw_rule, id):
     with utils.rollback() as on_exc:
         if fw_rule['firewall_policy_id']:
             self.vsdclient.remove_rule(self.enterprise_id,
                                        fw_rule['firewall_policy_id'],
                                        {'firewall_rule_id': id})
             on_exc(self._update_policy_rules, context,
                    fw_rule['firewall_policy_id'])
         self.vsdclient.delete_firewall_rule(self.enterprise_id, id)
 def _disable_rule(self, context, fw_rule, id):
     with utils.rollback() as on_exc:
         if fw_rule['firewall_policy_id']:
             self.nuageclient.remove_rule(self.enterprise_id,
                                          fw_rule['firewall_policy_id'],
                                          {'firewall_rule_id': id})
             on_exc(self._update_policy_rules,
                    context, fw_rule['firewall_policy_id'])
         self.nuageclient.delete_firewall_rule(self.enterprise_id, id)
Пример #8
0
    def create_flow_classifier(self, context, flow_classifier):
        flow_classifier_dict = flow_classifier['flow_classifier']

        vlan_min_specified = (flow_classifier_dict.get('vlan_range_min') is not
                              lib_constants.ATTR_NOT_SPECIFIED)
        vlan_max_specified = (flow_classifier_dict.get('vlan_range_max') is not
                              lib_constants.ATTR_NOT_SPECIFIED)
        if vlan_min_specified or vlan_max_specified:
            vlan_min_value = flow_classifier_dict.get('vlan_range_min')
            vlan_max_value = flow_classifier_dict.get('vlan_range_max')
            if (vlan_min_specified and vlan_max_specified and
                    vlan_min_value != vlan_max_value):
                msg = ("Currently nuage only supports flow classifier where,"
                       " the minimum and maximum VLAN range values are equal.")
                raise nuage_exc.NuageBadRequest(msg=msg)
            flow_classifier['flow_classifier']['l7_parameters'] = {
                'vlan_range_min': vlan_min_value,
                'vlan_range_max': vlan_max_value
            }
        src_prt_details, dst_prt_details = self._validate_flow_classifier(
            context,
            flow_classifier_dict)
        with db_api.CONTEXT_WRITER.using(context):
            fc_db = (nuage_flowclassifier_db.NuageFlowClassifierDbPlugin.
                     create_flow_classifier(self, context, flow_classifier))
        with nuage_utils.rollback() as on_exc:
            on_exc(super(
                NuageFlowClassifierPlugin, self).delete_flow_classifier,
                context, fc_db['id'])
            src_prt_details['externalID'] = 'fc' + '_' + src_prt_details['id']
            dst_prt_details['externalID'] = 'fc' + '_' + dst_prt_details['id']
            l2dom_id, l3subnet_id, rtr_id = (
                self.get_logical_port_subnet_mapping(context, src_prt_details))
            self._create_nuage_flow_classifier(on_exc,
                                               l2dom_id,
                                               l3subnet_id,
                                               rtr_id,
                                               src_prt_details)
            if src_prt_details['id'] != dst_prt_details['id']:
                self._create_nuage_flow_classifier(on_exc,
                                                   l2dom_id,
                                                   l3subnet_id,
                                                   rtr_id,
                                                   dst_prt_details)
        return fc_db
    def _create_policygroup(self, context, security_group_id, vsd_subnet):
        security_group = self.core_plugin.get_security_group(
            context, security_group_id)
        # pop rules, make empty policygroup first
        security_group_rules = security_group.pop('security_group_rules')
        policy_group = self.vsdclient.create_security_group(
            vsd_subnet, security_group)

        # Before creating rules, we might have to make other policygroups first
        # if the rule uses remote_group_id to have rule related to other PG.
        with nuage_utils.rollback() as on_exc:
            on_exc(self.vsdclient.delete_nuage_policy_group,
                   policy_group['ID'])
            remote_sg_ids = []
            for rule in security_group_rules:
                remote_sg_id = rule.get('remote_group_id')
                if remote_sg_id and remote_sg_id not in remote_sg_ids:
                    remote_sg_ids.append(remote_sg_id)
                    self._find_or_create_policygroup(context, remote_sg_id,
                                                     vsd_subnet)

            self.vsdclient.create_security_group_rules(policy_group,
                                                       security_group_rules)
        return policy_group
    def _process_port_security_groups(self,
                                      db_context,
                                      vport,
                                      domain_id,
                                      domain_type,
                                      added_sg_ids,
                                      removed_sg_ids,
                                      pg_type,
                                      netpartition_id,
                                      vsd_managed=False):
        # In VSD managed subnets we disregard the sg_rules of a sg
        if netpartition_id:
            domain_enterprise_mapping = {domain_id: netpartition_id}
        else:
            domain_enterprise_mapping = {}
        # domainID -> {'ingress': ACL_ID, 'egress': ACL_ID}
        domain_acl_mapping = collections.defaultdict(lambda: {
            'ingress': None,
            'egress': None
        })
        # domainID -> SG_ID -> PG
        domain_sg_pg_mapping = collections.defaultdict(dict)

        analysed_securitygroup_ids = set()
        sgs = []
        for sg_id in added_sg_ids:
            if sg_id == vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL:
                # Handle PG allow all
                suffix = '_HARDWARE' if pg_type == constants.HARDWARE else ''
                sg_rules = [{
                    'id': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL,
                    'ethertype': ethertype,
                    'direction': direction
                } for ethertype in
                            [neutron_constants.IPv4, neutron_constants.IPv6]
                            for direction in neutron_constants.VALID_DIRECTIONS
                            ]
                sg = {
                    'id': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL,
                    'name': vsd_constants.NUAGE_PLCY_GRP_ALLOW_ALL + suffix,
                    'security_group_rules': sg_rules,
                    'stateful': False
                }
                sgs.append(sg)
            elif not vsd_managed:
                # consider all sg_rules in an os managed subnet
                sgs_to_add = nuage_utils.collect_all_remote_security_groups(
                    self.core_plugin, db_context, sg_id,
                    analysed_securitygroup_ids)
                sgs.extend(sgs_to_add)
            else:
                # Ignore sg_rules in vsd managed subnet
                sg = self.core_plugin.get_security_group(db_context, sg_id)
                sg['security_group_rules'] = []
                sgs.append(sg)

        with nuage_utils.rollback() as on_exception:
            # Create PGs & ensure HW deny all rule
            self.vsdclient.find_create_security_groups(
                sgs,
                domain_type,
                domain_id,
                domain_enterprise_mapping,
                domain_sg_pg_mapping,
                domain_acl_mapping,
                on_exception,
                pg_type=pg_type,
                allow_non_ip=config.default_allow_non_ip_enabled())

            # Add & remove PGs to vPort
            # We cannot simply override the PG on the vPort
            if vport:
                added_pgs = [
                    domain_sg_pg_mapping[domain_id][sg_id]['ID']
                    for sg_id in added_sg_ids
                ]
                self.vsdclient.find_security_groups_in_domain(
                    removed_sg_ids,
                    domain_type,
                    domain_id,
                    domain_sg_pg_mapping,
                    pg_type=pg_type)
                removed_pgs = [
                    domain_sg_pg_mapping[domain_id][sg_id]['ID']
                    for sg_id in removed_sg_ids
                ]
                self.vsdclient.update_vport_policygroups(
                    vport['ID'],
                    add_policygroups=added_pgs,
                    remove_policygroups=removed_pgs)
        return domain_sg_pg_mapping
Пример #11
0
    def create_nuage_external_security_group_rule(
            self, context, nuage_external_security_group_rule):

        rule = nuage_external_security_group_rule[
            'nuage_external_security_group_rule']
        self.get_port_attributes_plugin()._validate_redirect_target_port_range(
            rule)

        filters = {'external': 'true'}
        # External group id: External Security Group
        ext_pg = self.vsdclient.get_policygroup(
            rule['remote_external_group_id'], required=True, **filters)
        # Origin Group id: Neutron security group
        try:
            sg = self.core_plugin.get_security_group(context,
                                                     rule['origin_group_id'])
        except n_exc.NotFound:
            raise nuage_exc.NuageBadRequest(msg="Could not find Securitygroup "
                                            "for external security group rule")

        domain_enterprise_mapping = {}
        # domainID -> {'ingress': ACL_ID, 'egress': ACL_ID}
        domain_acl_mapping = collections.defaultdict(lambda: {
            'ingress': None,
            'egress': None
        })
        # domainID -> SG_ID -> PG
        domain_sg_pg_mapping = collections.defaultdict(dict)
        with nuage_utils.rollback() as on_exception:
            self.vsdclient.find_create_security_groups(
                [sg],
                ext_pg['parentType'],
                ext_pg['parentID'],
                domain_enterprise_mapping,
                domain_sg_pg_mapping,
                domain_acl_mapping,
                on_exception,
                pg_type=vsd_constants.SOFTWARE,
                allow_non_ip=config.default_allow_non_ip_enabled())
            domain_id = ext_pg['parentID']
            domain_type = ext_pg['parentType']
            pg_for_rule = domain_sg_pg_mapping[ext_pg['parentID']][
                sg['id']]['ID']
            # Reverse direction for the rule, as here it means VSD direction
            vsd_direction = rule['direction']
            rule['direction'] = vsd_constants.DIRECTIONS_OS_VSD[vsd_direction]
            acl_entry = self.vsdclient.calculate_acl_entries(
                sg_rule=rule,
                pg_id=pg_for_rule,
                domain_type=domain_type,
                domain_id=domain_id,
                stateful=True,
                domain_enterprise_mapping=domain_enterprise_mapping,
                sg_pg_mapping=domain_sg_pg_mapping[domain_id])[0]
            acl_entry['externalID'] = ext_pg['externalID']
            acl_entry = self.vsdclient.create_acl_entry(
                acl_entry, domain_type, domain_id, domain_acl_mapping,
                on_exception)

        # Reverse direction for the rule, as here it means VSD direction
        acl_entry['direction'] = vsd_direction
        acl_entry['origin_group_id'] = pg_for_rule
        acl_entry['remote_group_id'] = rule['remote_external_group_id']
        return self._make_external_security_group_rule_dict(acl_entry,
                                                            context=context)