def add_vlan_iface(self, device_sn, iface_dict):
"""Add VLAN interface to specified device.
@param device_sn: PAN device serial number
@param iface_dict: dict with VLAN interface info. Contains:
- 'port_id': Neutron port id
- 'ip_address': ip address allocated for this interface
- 'cidr': interface subnet in cidr notation
- 'segmentation_id': vlan tag
@return: None
"""
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
vlan_ifaces = self._list_vlan_interfaces(xml_api)
device_cnt = len(vlan_ifaces)
vlan_iface_name = "ethernet1/2.%d" % (device_cnt + 1)
self._add_vlan_iface(xml_api, vlan_iface_name, iface_dict)
self._set_router_iface(xml_api, vlan_iface_name)
self._set_security_zone_iface(xml_api,
vlan_iface_name,
cfg.CONF.pan_dev_internal_security_zone)
def register_ip_address(self, device_sn, ip_address, tags):
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
xml_tags = ""
tags.sort()
for tag in tags:
xml_tag = "<member>%s</member>" % tag
xml_tags += xml_tag
cmd = ("<uid-message>"
"<version>2.0</version>"
"<type>update</type>"
"<payload>"
"<register>"
"<entry ip=\"%s\">"
"<tag>"
"%s"
"</tag>"
"</entry>"
"</register>"
"</payload>"
"</uid-message>" % (ip_address, xml_tags))
try:
xml_api.user_id(cmd)
except xapi.PanXapiError as e:
if 'already exists, ignore' in e.msg.lower():
pass
else:
raise
def list_devices(self):
"""Get list of PAN devices in specified (in the config file)
device group.
@return: list of devices serial numbers
"""
xml_api = xapi.PanXapi(**self._params)
return [item['name'] for item in self._list_group_devices(xml_api)]
def remove_device_tags(self, device_sn, tags):
"""Remove tags from device.
@param device_sn: PAN device serial number
@param tags: list of tags
@return: None
"""
xml_api = xapi.PanXapi(**self._params)
for tag in tags:
self._remove_device_tag(xml_api, device_sn, tag)
def add_device_tags(self, device_sn, tags):
"""Add tags to specified device.
@param device_sn: PAN device serial number
@param tags: list of tags
@return: None
"""
xml_api = xapi.PanXapi(**self._params)
for tag in tags:
self._add_device_tag(xml_api, device_sn, tag)
def add_external_nat(self, device_sn, ip_dict):
"""Add external NAT rule to allow internet access from Nova instances.
@param device_sn: PAN device serial number
@param ip_dict: dict with ip address info. Contains:
- 'ip_address': ip address allocated for this interface
- 'cidr': interface subnet in cidr notation
@return: None
"""
ip = ip_dict['ip_address'] + '/' + ip_dict['cidr'].split('/')[1]
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
# If the source (internal) zone doesn't exist, create it
sz_xpath = ("/config/devices/entry[@name='localhost.localdomain']"
"/vsys/entry[@name='vsys1']/zone/entry[@name='%s']"
% cfg.CONF.pan_dev_internal_security_zone)
try:
xml_api.show(sz_xpath)
except xapi.PanXapiError as e:
if e.msg.lower() == 'no such node':
element = "<network><layer3/></network>"
xml_api.set(sz_xpath, element)
else:
raise
xpath = ("/config/devices/entry[@name='localhost.localdomain']/vsys"
"/entry[@name='vsys1']/rulebase/nat/rules")
element = (
"<entry name='OpenStack'>"
"<source-translation>"
"<dynamic-ip-and-port>"
"<interface-address>"
"<ip>%(ip)s</ip>"
"<interface>ethernet1/1</interface>"
"</interface-address>"
"</dynamic-ip-and-port>"
"</source-translation>"
"<to><member>%(destination_zone)s</member></to>"
"<from><member>%(source_zone)s</member></from>"
"<source><member>any</member></source>"
"<destination><member>any</member></destination>"
"<service>any</service>"
"<nat-type>ipv4</nat-type>"
"</entry>" %
{'ip': ip,
'source_zone': cfg.CONF.pan_dev_internal_security_zone,
'destination_zone': cfg.CONF.pan_dev_external_security_zone}
)
xml_api.set(xpath, element)
def commit_configuration(self, device_sn=None):
"""Commit candidate configuration to Panorama or specified device.
@param device_sn: PAN device serial number
@return: None
"""
c = commit.PanCommit()
params = copy.deepcopy(self._params)
params['use_get'] = True
if device_sn:
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
xml_api.commit(cmd=c.cmd(), sync=True)
def remove_external_nat(self, device_sn):
"""Remove external NAT rule to deny internet access for Nova instances.
@param device_sn: PAN device serial number
@return: None
"""
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
xpath = ("/config/devices/entry[@name='localhost.localdomain']/vsys"
"/entry[@name='vsys1']/rulebase/nat/rules"
"/entry[@name='OpenStack']")
xml_api.delete(xpath)
def unregister_ip_address(self, device_sn, ip_address):
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
cmd = ("<uid-message>"
"<version>2.0</version>"
"<type>update</type>"
"<payload>"
"<unregister>"
"<entry ip=\"%s\">"
"</entry>"
"</unregister>"
"</payload>"
"</uid-message>" % ip_address)
xml_api.user_id(cmd)
def remove_external_ip(self, device_sn):
"""Remove ip address from the device external interface.
@param device_sn: PAN device serial number
@return: None
"""
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
iface_name = 'ethernet1/1'
self._clear_router_iface(xml_api, iface_name)
if cfg.CONF.pan_dev_default_route_next_hop:
self._clear_default_route(xml_api)
self._clear_security_zone_iface(
xml_api,
iface_name,
cfg.CONF.pan_dev_external_security_zone)
self._clear_management_profile(xml_api, iface_name)
self._remove_external_ip(xml_api)
def add_external_ip(self, device_sn, ip_dict):
"""Add ip address to the device external interface.
@param device_sn: PAN device serial number
@param ip_dict: dict with ip address info. Contains:
- 'ip_address': ip address allocated for this interface
- 'cidr': interface subnet in cidr notation
@return: None
"""
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
iface_name = 'ethernet1/1'
self._add_external_ip(xml_api, ip_dict)
self._set_router_iface(xml_api, iface_name)
if cfg.CONF.pan_dev_default_route_next_hop:
self._set_default_route(xml_api)
self._set_security_zone_iface(xml_api,
iface_name,
cfg.CONF.pan_dev_external_security_zone)
self._set_management_profile(xml_api, iface_name)
def remove_vlan_iface(self, device_sn, iface_dict):
"""Remove VLAN interface from specified device.
@param device_sn: PAN device serial number
@param iface_dict: dict with VLAN interface info. Contains:
- 'port_id': Neutron port id
@return: None
"""
params = copy.deepcopy(self._params)
params['serial'] = device_sn
xml_api = xapi.PanXapi(**params)
vlan_ifaces = self._list_vlan_interfaces(xml_api)
vlan_iface = next((item for item in vlan_ifaces
if iface_dict['port_id'] in item["comment"]), None)
if vlan_iface:
self._clear_router_iface(xml_api, vlan_iface['name'])
self._clear_security_zone_iface(
xml_api,
vlan_iface['name'],
cfg.CONF.pan_dev_internal_security_zone)
self._remove_vlan_iface(xml_api, vlan_iface['name'])
