def _setup_firewall(self, ri, fw):
    """Build and execute the command batch that installs *fw* on the router.

    The batch, in order: the firewall object (FW_NAME), its optional
    description (FW_DESCRIPTION), the two state-policy commands
    (FW_ESTABLISHED_ACCEPT, FW_RELATED_ACCEPT), one numbered entry per enabled
    IPv4 rule via self._set_firewall_rule(), and finally the zone commands
    from vyatta_utils.get_zone_cmds(). Everything is sent in a single
    client.exec_cmd_batch() call.

    Args:
        ri: router info object; ri.router is handed to the client lookup.
        fw: firewall dict with 'firewall_rule_list' and optionally
            'description'; each rule carries 'enabled' and 'ip_version'.

    Rules that are not IPv4 are logged and dropped, so the installed policy
    can contain fewer rules than fw['firewall_rule_list'].
    """
    client = self._get_vyatta_client(ri.router)
    fw_name = vyatta_utils.get_firewall_name(ri, fw)
    # Name and description are URL-quoted before being formatted into the
    # command templates.
    quoted_name = parse.quote_plus(fw_name)

    commands = [vyatta_client.SetCmd(FW_NAME.format(quoted_name))]
    description = fw.get('description')
    if description:
        commands.append(vyatta_client.SetCmd(
            FW_DESCRIPTION.format(quoted_name, parse.quote_plus(description))))

    # Stateful defaults for the firewall.
    commands.extend([
        vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT),
        vyatta_client.SetCmd(FW_RELATED_ACCEPT),
    ])

    # Rule numbers count only the rules actually emitted (enabled and IPv4).
    rule_num = 0
    for rule in fw['firewall_rule_list']:
        if not rule['enabled']:
            continue
        if rule['ip_version'] != 4:
            LOG.warning(_LW("IPv6 rules are not supported."))
            continue
        rule_num += 1
        commands.extend(self._set_firewall_rule(fw_name, rule_num, rule))

    # Zone bindings are appended after the firewall definition so the
    # firewall exists by the time it is referenced.
    commands.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
    client.exec_cmd_batch(commands)
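def _setup_firewall(self, ri, fw):
    """Build and execute the command batch that installs *fw* on the router.

    The batch, in order: the firewall object (FW_NAME), its optional
    description (FW_DESCRIPTION), the two state-policy commands
    (FW_ESTABLISHED_ACCEPT, FW_RELATED_ACCEPT), one numbered entry per enabled
    IPv4 rule via self._set_firewall_rule(), and finally the zone commands
    from vyatta_utils.get_zone_cmds(). Everything is sent in a single
    client.exec_cmd_batch() call.

    Args:
        ri: router info object; ri.router is handed to the client lookup.
        fw: firewall dict with 'firewall_rule_list' and optionally
            'description'; each rule carries 'enabled' and 'ip_version'.

    Rules that are not IPv4 are logged and dropped, so the installed policy
    can contain fewer rules than fw['firewall_rule_list'].
    """
    client = self._get_vyatta_client(ri.router)
    fw_cmd_list = []

    # Create firewall. Name and description are URL-quoted before being
    # formatted into the command templates.
    fw_name = vyatta_utils.get_firewall_name(ri, fw)
    quoted_name = parse.quote_plus(fw_name)
    fw_cmd_list.append(vyatta_client.SetCmd(FW_NAME.format(quoted_name)))
    if fw.get('description'):
        fw_cmd_list.append(vyatta_client.SetCmd(
            FW_DESCRIPTION.format(
                quoted_name, parse.quote_plus(fw['description']))))

    # Set firewall state policy.
    fw_cmd_list.append(vyatta_client.SetCmd(FW_ESTABLISHED_ACCEPT))
    fw_cmd_list.append(vyatta_client.SetCmd(FW_RELATED_ACCEPT))

    # Create firewall rules. Rule numbers count only emitted (enabled, IPv4)
    # rules.
    rule_num = 0
    for rule in fw['firewall_rule_list']:
        if not rule['enabled']:
            continue
        if rule['ip_version'] == 4:
            rule_num += 1
            fw_cmd_list += self._set_firewall_rule(fw_name, rule_num, rule)
        else:
            # Logger.warn() is a deprecated alias of Logger.warning(); use the
            # supported name.
            LOG.warning(_LW("IPv6 rules are not supported."))

    # Configure router zones.
    zone_cmd_list = vyatta_utils.get_zone_cmds(client, ri, fw_name)
    client.exec_cmd_batch(fw_cmd_list + zone_cmd_list)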
def process_router(self, ri):
    """Re-apply zone commands for every tenant firewall bound to this router.

    Looks up the router's Vyatta client through the client pool, fetches the
    tenant's firewalls over RPC, and for each firewall whose 'router_ids'
    contains this router collects vyatta_utils.get_zone_cmds() output. The
    collected commands are executed as one batch. Nothing is executed when
    the tenant has no firewalls at all.

    Args:
        ri: router info object; ri.router supplies 'id' and 'tenant_id'.
    """
    LOG.debug("VyattaFirewallAgent:: process_router() called")
    router_id = ri.router['id']
    ctx = context.Context(None, ri.router['tenant_id'])
    client = self._vyatta_clients_pool.get_by_db_lookup(router_id, ctx)

    fw_list = self.fwplugin_rpc.get_firewalls_for_tenant(ctx)
    if not fw_list:
        return

    zone_cmds = []
    for fw in fw_list:
        if router_id not in fw['router_ids']:
            continue
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        zone_cmds.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
    # The batch is sent even if no firewall matched this router (empty list).
    client.exec_cmd_batch(zone_cmds)
def test_get_zone_cmds(self):
    """get_zone_cmds() resets zone-policy, binds both zones to the interface,
    and cross-references the quoted firewall name between the zones.

    The interface id is resolved from the MAC of the gateway port and of the
    router interface, so the API mock must be queried twice with that MAC.
    """
    firewall_name = 'fake_firewall0'
    eth_iface = 'eth0'
    mac_address = '00:00:00:00:00:00'

    fake_api = mock.NonCallableMock()
    fake_api.get_ethernet_if_id.return_value = eth_iface

    fake_apply_rule = mock.NonCallableMock()
    fake_apply_rule.router = {
        'gw_port': {'mac_address': mac_address},
        l3_constants.INTERFACE_KEY: [{'mac_address': mac_address}],
    }

    trusted = vyatta_utils.get_trusted_zone_name(fake_apply_rule)
    untrusted = vyatta_utils.get_untrusted_zone_name(fake_apply_rule)

    cmds_actual = vyatta_utils.get_zone_cmds(
        fake_api, fake_apply_rule, firewall_name)

    def set_cmd(template, *args):
        return vyatta_client.SetCmd(template.format(*args))

    quoted_fw = parse.quote_plus(firewall_name)
    cmds_expect = [
        vyatta_client.DeleteCmd('zone-policy'),
        set_cmd(vyatta_utils.ZONE_INTERFACE_CMD, trusted, eth_iface),
        set_cmd(vyatta_utils.ZONE_INTERFACE_CMD, untrusted, eth_iface),
        set_cmd(vyatta_utils.ZONE_FIREWALL_CMD, trusted, untrusted, quoted_fw),
        set_cmd(vyatta_utils.ZONE_FIREWALL_CMD, untrusted, trusted, quoted_fw),
    ]

    self.assertEqual(cmds_expect, cmds_actual)
    fake_api.get_ethernet_if_id.assert_has_calls(
        [mock.call(mac_address)] * 2)
def test_get_zone_cmds(self):
    """get_zone_cmds() resets zone-policy, binds both zones to the interface,
    and cross-references the quoted firewall name between the zones.

    The interface id is resolved from the MAC of the gateway port and of the
    router interface, so the API mock must be queried twice with that MAC.
    """
    firewall_name = 'fake_firewall0'
    eth_iface = 'eth0'
    mac_address = '00:00:00:00:00:00'

    fake_api = mock.NonCallableMock()
    fake_api.get_ethernet_if_id.return_value = eth_iface

    fake_apply_rule = mock.NonCallableMock()
    fake_apply_rule.router = {
        'gw_port': {'mac_address': mac_address},
        l3_constants.INTERFACE_KEY: [{'mac_address': mac_address}],
    }

    trusted = vyatta_utils.get_trusted_zone_name(fake_apply_rule)
    untrusted = vyatta_utils.get_untrusted_zone_name(fake_apply_rule)

    cmds_actual = vyatta_utils.get_zone_cmds(
        fake_api, fake_apply_rule, firewall_name)

    def set_cmd(template, *args):
        return vyatta_client.SetCmd(template.format(*args))

    quoted_fw = parse.quote_plus(firewall_name)
    cmds_expect = [
        vyatta_client.DeleteCmd('zone-policy'),
        set_cmd(vyatta_utils.ZONE_INTERFACE_CMD, trusted, eth_iface),
        set_cmd(vyatta_utils.ZONE_INTERFACE_CMD, untrusted, eth_iface),
        set_cmd(vyatta_utils.ZONE_FIREWALL_CMD, trusted, untrusted, quoted_fw),
        set_cmd(vyatta_utils.ZONE_FIREWALL_CMD, untrusted, trusted, quoted_fw),
    ]

    self.assertEqual(cmds_expect, cmds_actual)
    fake_api.get_ethernet_if_id.assert_has_calls(
        [mock.call(mac_address)] * 2)
def sync_firewall_zones(resource, event, l3_agent, **kwargs):
    """Event callback: re-apply zone commands for firewalls bound to a router.

    Resolves the router's Vyatta client from the agent's client pool, fetches
    the tenant's firewalls over the agent's fwplugin RPC, and batches the
    vyatta_utils.get_zone_cmds() output of every firewall whose 'router_ids'
    contains this router. No batch is sent when the tenant has no firewalls.

    Args:
        resource: event resource; not used here.
        event: event kind; not used here.
        l3_agent: agent exposing _vyatta_clients_pool and fwplugin_rpc.
        **kwargs: must contain 'router', the router info object.
    """
    LOG.debug('VyattaFirewallService:: sync_firewall_zones() called')
    ri = kwargs['router']
    router_id = ri.router['id']
    ctx = context.Context(None, ri.router['tenant_id'])
    client = l3_agent._vyatta_clients_pool.get_by_db_lookup(router_id, ctx)

    fw_list = l3_agent.fwplugin_rpc.get_firewalls_for_tenant(ctx)
    if not fw_list:
        return

    bound_firewalls = (fw for fw in fw_list if router_id in fw['router_ids'])
    zone_cmds = []
    for fw in bound_firewalls:
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        zone_cmds.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
    # Sent even when no firewall matched (empty batch), as before.
    client.exec_cmd_batch(zone_cmds)
def sync_firewall_zones(resource, event, l3_agent, **kwargs):
    """Event callback: re-apply zone commands for firewalls bound to a router.

    Resolves the router's Vyatta client from the agent's client pool, fetches
    the tenant's firewalls over the agent's fwplugin RPC, and batches the
    vyatta_utils.get_zone_cmds() output of every firewall whose 'router_ids'
    contains this router. No batch is sent when the tenant has no firewalls.

    Args:
        resource: event resource; not used here.
        event: event kind; not used here.
        l3_agent: agent exposing _vyatta_clients_pool and fwplugin_rpc.
        **kwargs: must contain 'router', the router info object.
    """
    LOG.debug('VyattaFirewallService:: sync_firewall_zones() called')
    ri = kwargs['router']
    router_id = ri.router['id']
    ctx = context.Context(None, ri.router['tenant_id'])
    client = l3_agent._vyatta_clients_pool.get_by_db_lookup(router_id, ctx)

    fw_list = l3_agent.fwplugin_rpc.get_firewalls_for_tenant(ctx)
    if not fw_list:
        return

    bound_firewalls = (fw for fw in fw_list if router_id in fw['router_ids'])
    zone_cmds = []
    for fw in bound_firewalls:
        fw_name = vyatta_utils.get_firewall_name(ri, fw)
        zone_cmds.extend(vyatta_utils.get_zone_cmds(client, ri, fw_name))
    # Sent even when no firewall matched (empty batch), as before.
    client.exec_cmd_batch(zone_cmds)