def construct_security_group(project):
    """Build (without creating) the default vCenter security group for *project*.

    Two IPv4 rules on protocol ``any`` and ports 0-65535 are attached:
    ingress from members of the default security group itself to ``local``,
    and egress from ``local`` to every IPv4 destination (``0.0.0.0/0``).

    Args:
        project: Parent vnc_api.Project object.

    Returns:
        A vnc_api.SecurityGroup with its entries set; nothing is sent to the
        API server here.
    """
    def full_port_range():
        # Fresh list per call so no two rules share a PortType instance.
        return [vnc_api.PortType(0, 65535)]

    def local_address():
        return vnc_api.AddressType(security_group='local')

    def one_way_rule(src_addr, dst_addr):
        return vnc_api.PolicyRuleType(
            rule_uuid=str(uuid4()),
            direction='>',
            protocol='any',
            src_addresses=[src_addr],
            src_ports=full_port_range(),
            dst_addresses=[dst_addr],
            dst_ports=full_port_range(),
            ethertype='IPv4',
        )

    # Ingress: traffic originating from members of the default SG.
    ingress = one_way_rule(
        vnc_api.AddressType(
            security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN)),
        local_address(),
    )
    # Egress: anything leaving 'local' may reach any IPv4 address.
    egress = one_way_rule(
        local_address(),
        vnc_api.AddressType(subnet=vnc_api.SubnetType('0.0.0.0', 0)),
    )

    entries = vnc_api.PolicyEntriesType()
    entries.add_policy_rule(ingress)
    entries.add_policy_rule(egress)

    sg = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG, parent_obj=project)
    sg.set_security_group_entries(entries)
    return sg
def create_NetworkPolicy(policy_name, left_network_name, right_network_name,
                         vnc, domain, project_name):
    """Create a bidirectional pass-all network policy between two networks.

    Args:
        policy_name: Name of the NetworkPolicy to create.
        left_network_name: Virtual network used as the rule's source.
        right_network_name: Virtual network used as the rule's destination.
        vnc: VncApi client used to read the project and create the policy.
        domain: Domain part of the parent project's fq_name.
        project_name: Project part of the parent project's fq_name.
    """
    def wildcard_ports():
        # -1/-1 is the "any port" range used by network policies.
        return [vnc_api.PortType(start_port=-1, end_port=-1)]

    parent = vnc.project_read(fq_name=[domain, project_name])

    # '<>' makes the rule apply in both directions; protocol 'any' and the
    # wildcard ports mean all traffic between the two networks is passed.
    pass_all = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=vnc_api.ActionListType(simple_action='pass'),
        src_addresses=[vnc_api.AddressType(virtual_network=left_network_name)],
        src_ports=wildcard_ports(),
        dst_addresses=[vnc_api.AddressType(virtual_network=right_network_name)],
        dst_ports=wildcard_ports(),
    )
    new_policy = vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=parent,
        network_policy_entries=vnc_api.PolicyEntriesType([pass_all]),
    )
    vnc.network_policy_create(new_policy)
    print('Policy "{}" created between "{}" & "{}"\n'.format(
        policy_name, left_network_name, right_network_name))
def _create_no_rule_sg(self):
    """Create and return a hidden security group that carries no rules.

    The group is named SG_NO_RULE_NAME and placed under the domain/project
    given by SG_NO_RULE_FQ_NAME; it is created through self._resource_create
    and marked user_visible=False.

    Returns:
        The vnc_api.SecurityGroup object that was passed to _resource_create.
    """
    parent_domain = vnc_api.Domain(SG_NO_RULE_FQ_NAME[0])
    parent_project = vnc_api.Project(SG_NO_RULE_FQ_NAME[1], parent_domain)

    # Empty entries: membership in this group grants nothing by itself.
    empty_entries = vnc_api.PolicyEntriesType()
    perms = vnc_api.IdPermsType(
        enable=True,
        description="Security group with no rules",
        user_visible=False,
    )
    no_rule_sg = vnc_api.SecurityGroup(
        name=SG_NO_RULE_NAME,
        parent_obj=parent_project,
        security_group_entries=empty_entries,
        id_perms=perms,
    )
    self._resource_create(no_rule_sg)
    return no_rule_sg
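def _create_default_security_group(self, proj_obj):
    """Create the 'default' security group for *proj_obj* and return its UUID.

    Four rules are installed on protocol 'any', ports 0-65535: ingress from
    members of the project's own 'default' group (IPv4 and IPv6), and egress
    from 'local' to anywhere (0.0.0.0/0 and ::/0).

    Args:
        proj_obj: vnc_api.Project the group is created under.

    Returns:
        UUID string of the created SecurityGroup.
    """
    def _get_rule(ingress, sg, prefix, ethertype):
        """Build one one-way PolicyRuleType.

        Exactly one of *sg* (a security-group name under proj_obj) or
        *prefix* (an address whose /0 subnet is used) must be truthy.

        Raises:
            ValueError: if neither *sg* nor *prefix* is given; previously this
                case fell through to an UnboundLocalError on ``addr``.
        """
        sgr_uuid = str(uuid.uuid4())
        if sg:
            addr = vnc_api.AddressType(
                security_group=proj_obj.get_fq_name_str() + ':' + sg)
        elif prefix:
            addr = vnc_api.AddressType(
                subnet=vnc_api.SubnetType(prefix, 0))
        else:
            raise ValueError(
                '_get_rule requires either a security group or a prefix')
        local_addr = vnc_api.AddressType(security_group='local')
        # Ingress rules point at 'local'; egress rules originate from it.
        if ingress:
            src_addr = addr
            dst_addr = local_addr
        else:
            src_addr = local_addr
            dst_addr = addr
        rule = vnc_api.PolicyRuleType(
            rule_uuid=sgr_uuid,
            direction='>',
            protocol='any',
            src_addresses=[src_addr],
            src_ports=[vnc_api.PortType(0, 65535)],
            dst_addresses=[dst_addr],
            dst_ports=[vnc_api.PortType(0, 65535)],
            ethertype=ethertype)
        return rule

    rules = [
        _get_rule(True, 'default', None, 'IPv4'),
        _get_rule(True, 'default', None, 'IPv6'),
        _get_rule(False, None, '0.0.0.0', 'IPv4'),
        _get_rule(False, None, '::', 'IPv6')
    ]
    sg_rules = vnc_api.PolicyEntriesType(rules)

    # create security group
    id_perms = vnc_api.IdPermsType(enable=True,
                                   description='Default security group')
    sg_obj = vnc_api.SecurityGroup(name='default', parent_obj=proj_obj,
                                   id_perms=id_perms,
                                   security_group_entries=sg_rules)
    self._vnc_lib.security_group_create(sg_obj)
    return sg_obj.uuid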
def create_networkpolicy(self, policy_name, vn1_name, vn2_name, action):
    """Create a bidirectional, all-protocol policy between two networks.

    Args:
        policy_name: Name of the NetworkPolicy to create.
        vn1_name: Virtual network used as the rule's source.
        vn2_name: Virtual network used as the rule's destination.
        action: Value passed as ActionListType(simple_action=...).
    """
    print("Create network policy %s between %s <---> %s" % (
        policy_name, vn1_name, vn2_name))

    parent = self._vnc_lib.project_read(
        fq_name=[self._domain, self._tenant_name])

    def wildcard_ports():
        # -1/-1 is the "any port" range used by network policies.
        return [vnc_api.PortType(start_port=-1, end_port=-1)]

    # '<>' applies the rule in both directions between vn1 and vn2.
    entry = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=vnc_api.ActionListType(simple_action=action),
        src_addresses=[vnc_api.AddressType(virtual_network=vn1_name)],
        src_ports=wildcard_ports(),
        dst_addresses=[vnc_api.AddressType(virtual_network=vn2_name)],
        dst_ports=wildcard_ports(),
    )
    new_policy = vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=parent,
        network_policy_entries=vnc_api.PolicyEntriesType([entry]),
    )
    self._vnc_lib.network_policy_create(new_policy)
def _security_group_rule_create(self, sg_id, sg_rule, project_id):
    """Append *sg_rule* to security group *sg_id* and push the update.

    Args:
        sg_id: UUID of the target security group.
        sg_rule: vnc_api.PolicyRuleType to add.
        project_id: Neutron project id; when truthy, the group's parent must
            be the matching VNC project, otherwise NotFound is raised.

    API errors are mapped through self._raise_contrail_exception:
    missing group -> SecurityGroupNotFound, foreign project -> NotFound,
    PermissionDenied/BadRequest -> BadRequest, RefsExistError ->
    SecurityGroupRuleExists.
    """
    handler = sg_handler.SecurityGroupHandler(self._vnc_lib)
    try:
        sg_obj = handler.get_sg_obj(id=sg_id)
    except vnc_exc.NoIdError:
        # NOTE(review): sg_obj is used below, so _raise_contrail_exception
        # is assumed to always raise — confirm it never returns normally.
        self._raise_contrail_exception('SecurityGroupNotFound',
                                       id=sg_id,
                                       resource='security_group')

    # Ownership check: the group must belong to the caller's own project.
    if project_id:
        owner_uuid = self._project_id_neutron_to_vnc(project_id)
        if sg_obj.parent_uuid != owner_uuid:
            self._raise_contrail_exception('NotFound')

    entries = sg_obj.get_security_group_entries()
    if entries is None:
        entries = vnc_api.PolicyEntriesType([sg_rule])
    else:
        entries.add_policy_rule(sg_rule)
    sg_obj.set_security_group_entries(entries)

    try:
        handler.resource_update_obj(sg_obj)
    except vnc_exc.PermissionDenied as e:
        self._raise_contrail_exception('BadRequest',
                                       resource='security_group_rule',
                                       msg=str(e))
    except vnc_exc.BadRequest as e:
        self._raise_contrail_exception('BadRequest',
                                       resource='security_group_rule',
                                       msg=str(e.content))
    except vnc_exc.RefsExistError as e:
        # The clashing rule id is taken from the second ':'-separated field
        # of the error text; presumably "<message>: <uuid>" — verify against
        # the server's actual wording. None when that field is absent.
        fields = str(e).split(':')
        rule_uuid = fields[1].strip() if len(fields) > 1 else None
        self._raise_contrail_exception('SecurityGroupRuleExists',
                                       resource='security_group_rule',
                                       id=rule_uuid)
def _security_group_rule_create(self, sg_id, sg_rule, project_id):
    """Append *sg_rule* to security group *sg_id* and push the update.

    Args:
        sg_id: UUID of the target security group.
        sg_rule: vnc_api.PolicyRuleType to add.
        project_id: When truthy, compared as-is against the group's
            parent_uuid; a mismatch raises NotFound. NOTE(review): no
            Neutron->VNC id translation happens here, so the caller is
            assumed to pass a VNC-format project uuid — confirm.

    Errors are mapped through self._raise_contrail_exception: missing
    group -> SecurityGroupNotFound, foreign project -> NotFound,
    PermissionDenied on update -> BadRequest.
    """
    handler = sg_handler.SecurityGroupHandler(self._vnc_lib)
    try:
        sg_obj = handler.get_sg_obj(id=sg_id)
    except vnc_exc.NoIdError:
        # _raise_contrail_exception is relied on to raise; sg_obj is used
        # below on that assumption.
        self._raise_contrail_exception('SecurityGroupNotFound',
                                       id=sg_id,
                                       resource='security_group')

    # Ownership check: the group must belong to the caller's project.
    if project_id and sg_obj.parent_uuid != project_id:
        self._raise_contrail_exception('NotFound')

    entries = sg_obj.get_security_group_entries()
    if entries is None:
        entries = vnc_api.PolicyEntriesType([sg_rule])
    else:
        entries.add_policy_rule(sg_rule)
    sg_obj.set_security_group_entries(entries)

    try:
        handler.resource_update_obj(sg_obj)
    except vnc_exc.PermissionDenied as e:
        self._raise_contrail_exception(
            'BadRequest', resource='security_group_rule', msg=str(e))
# One bidirectional rule between source_network and destination_network on
# policy_protocol, pinned to a single source port and destination port.
rule = vnc_api.PolicyRuleType(
    direction='<>',
    protocol=policy_protocol,
    action_list=vnc_api.ActionListType(simple_action=policy_action),
    src_addresses=[vnc_api.AddressType(virtual_network=source_network)],
    src_ports=[vnc_api.PortType(start_port=source_port, end_port=source_port)],
    dst_addresses=[vnc_api.AddressType(virtual_network=destination_network)],
    dst_ports=[vnc_api.PortType(start_port=destination_port,
                                end_port=destination_port)],
)
vnc.network_policy_create(vnc_api.NetworkPolicy(
    name=policy_name,
    parent_obj=tenant,
    network_policy_entries=vnc_api.PolicyEntriesType([rule])))

# Re-read the policy from the server, then attach it to both networks at
# sequence 0.0 (source first, then destination).
policy = vnc.network_policy_read(
    fq_name=['default-domain', tenant_name, policy_name])
policy_type = vnc_api.VirtualNetworkPolicyType(
    sequence=vnc_api.SequenceType(major=0, minor=0))
for network_name in (source_network, destination_network):
    vn = vnc.virtual_network_read(
        fq_name=['default-domain', tenant_name, network_name])
    vn.add_network_policy(ref_obj=policy, ref_data=policy_type)
    vnc.virtual_network_update(vn)
auth_port=auth_port, auth_url=urlparts.path + '/tokens', ) net1 = vnc_lib.virtual_network_read(id=args.net1_uuid) net2 = vnc_lib.virtual_network_read(id=args.net2_uuid) pol1 = vnc_api.NetworkPolicy( 'policy-%s-%s-any' % (net1.name, net2.name), network_policy_entries=vnc_api.PolicyEntriesType([ vnc_api.PolicyRuleType( direction='<>', action_list=vnc_api.ActionListType(simple_action='pass'), protocol='any', src_addresses=[ vnc_api.AddressType(virtual_network=net1.get_fq_name_str()) ], src_ports=[vnc_api.PortType(-1, -1)], dst_addresses=[ vnc_api.AddressType(virtual_network=net2.get_fq_name_str()) ], dst_ports=[vnc_api.PortType(-1, -1)]) ]), parent_obj=vnc_lib.project_read(fq_name=net1.get_parent_fq_name())) vnc_lib.network_policy_create(pol1) net1.add_network_policy( pol1, vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0))) vnc_lib.virtual_network_update(net1) net2.add_network_policy(
from vnc_api import vnc_api

# Connect to the API server (host is hard-coded in this example script).
vnc_lib = vnc_api.VncApi(api_server_host='10.10.7.149')

# Two virtual networks, each with a single /24 IPAM subnet.
blue_subnet = vnc_api.IpamSubnetType(
    subnet=vnc_api.SubnetType('10.0.2.0', 24))
vn_blue_obj = vnc_api.VirtualNetwork('vn-blue')
vn_blue_obj.add_network_ipam(vnc_api.NetworkIpam(),
                             vnc_api.VnSubnetsType([blue_subnet]))
vnc_lib.virtual_network_create(vn_blue_obj)

red_subnet = vnc_api.IpamSubnetType(
    subnet=vnc_api.SubnetType('10.0.3.0', 24))
vn_red_obj = vnc_api.VirtualNetwork('vn-red')
vn_red_obj.add_network_ipam(vnc_api.NetworkIpam(),
                            vnc_api.VnSubnetsType([red_subnet]))
vnc_lib.virtual_network_create(vn_red_obj)

# Policy: pass TCP from any port on vn-blue to port 80 on vn-red, with
# direction '<>' (bidirectional) rather than the one-way '>' used by
# security-group rules.
red_blue_rule = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='tcp',
    src_addresses=[
        vnc_api.AddressType(virtual_network=vn_blue_obj.get_fq_name_str())],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=vn_red_obj.get_fq_name_str())],
    dst_ports=[vnc_api.PortType(80, 80)],
)
policy_obj = vnc_api.NetworkPolicy(
    'policy-red-blue',
    network_policy_entries=vnc_api.PolicyEntriesType([red_blue_rule]))
vnc_lib.network_policy_create(policy_obj)

# Attach the policy to both networks at sequence 0.0, then push the updates.
vn_blue_obj.add_network_policy(
    policy_obj,
    vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
vn_red_obj.add_network_policy(
    policy_obj,
    vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
vnc_lib.virtual_network_update(vn_blue_obj)
vnc_lib.virtual_network_update(vn_red_obj)

print(vnc_lib.virtual_network_read(id=vn_blue_obj.uuid))
print(vnc_lib.virtual_networks_list())