def construct_security_group(project):
    """Build (without persisting) the default vCenter security group under *project*.

    The group carries two IPv4 any-protocol, full-port-range rules:
    ingress from members of the default SG itself (addressed by its
    fully-qualified name) into 'local', and egress from 'local' to the
    0.0.0.0/0 subnet, i.e. every IPv4 destination.  The caller is
    responsible for creating the returned object through the VNC API.

    ``vnc_api``, ``uuid4``, ``VNC_VCENTER_DEFAULT_SG`` and
    ``VNC_VCENTER_DEFAULT_SG_FQN`` are taken from module scope.
    """
    sg_obj = vnc_api.SecurityGroup(name=VNC_VCENTER_DEFAULT_SG,
                                   parent_obj=project)

    def _rule(src_addr, dst_addr):
        # Every rule is one-directional ('>') with a fresh uuid and the
        # whole port range on both ends; only the endpoints differ.
        return vnc_api.PolicyRuleType(
            rule_uuid=str(uuid4()),
            direction='>',
            protocol='any',
            src_addresses=[src_addr],
            src_ports=[vnc_api.PortType(0, 65535)],
            dst_addresses=[dst_addr],
            dst_ports=[vnc_api.PortType(0, 65535)],
            ethertype='IPv4',
        )

    inbound = _rule(
        vnc_api.AddressType(
            security_group=':'.join(VNC_VCENTER_DEFAULT_SG_FQN)),
        vnc_api.AddressType(security_group='local'))
    outbound = _rule(
        vnc_api.AddressType(security_group='local'),
        vnc_api.AddressType(subnet=vnc_api.SubnetType('0.0.0.0', 0)))

    entries = vnc_api.PolicyEntriesType()
    entries.add_policy_rule(inbound)
    entries.add_policy_rule(outbound)
    sg_obj.set_security_group_entries(entries)
    return sg_obj
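def _get_rule(ingress, sg, prefix, ethertype):
    """Build one VNC security-group rule between 'local' and a remote endpoint.

    Args:
        ingress: True for traffic from the remote endpoint into 'local';
            False for traffic from 'local' out to the remote endpoint.
        sg: name of the remote security group, qualified under the
            fq-name of ``proj_obj`` (resolved from the enclosing scope).
        prefix: remote IP prefix, used when *sg* is falsy.
        ethertype: e.g. 'IPv4', passed through to the rule.

    Returns:
        vnc_api.PolicyRuleType with direction '>', protocol 'any' and the
        full port range on both ends.

    Raises:
        ValueError: if neither *sg* nor *prefix* is given (the original
            fell through to an UnboundLocalError).
    """
    if sg:
        remote_addr = vnc_api.AddressType(
            security_group=proj_obj.get_fq_name_str() + ':' + sg)
    elif prefix:
        # NOTE(review): the prefix length is hard-coded to 0, which makes
        # the subnet match every address regardless of *prefix* — confirm
        # this is intended before relying on it as a restriction.
        remote_addr = vnc_api.AddressType(
            subnet=vnc_api.SubnetType(prefix, 0))
    else:
        raise ValueError("_get_rule: either 'sg' or 'prefix' must be given")

    local_addr = vnc_api.AddressType(security_group='local')
    if ingress:
        src_addr, dst_addr = remote_addr, local_addr
    else:
        src_addr, dst_addr = local_addr, remote_addr

    return vnc_api.PolicyRuleType(
        rule_uuid=str(uuid.uuid4()),
        direction='>',
        protocol='any',
        src_addresses=[src_addr],
        src_ports=[vnc_api.PortType(0, 65535)],
        dst_addresses=[dst_addr],
        dst_ports=[vnc_api.PortType(0, 65535)],
        ethertype=ethertype)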
def create_NetworkPolicy(policy_name, left_network_name, right_network_name,
                         vnc, domain, project_name):
    """Create a bidirectional 'pass' network policy between two networks.

    The policy holds a single rule: any protocol, any port (-1/-1) between
    *left_network_name* and *right_network_name* in both directions ('<>').
    It is created under the project ``[domain, project_name]`` via *vnc*
    and a confirmation line is printed.
    """
    owner = vnc.project_read(fq_name=[domain, project_name])

    any_port = dict(start_port=-1, end_port=-1)
    pass_rule = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=vnc_api.ActionListType(simple_action='pass'),
        src_addresses=[
            vnc_api.AddressType(virtual_network=left_network_name)],
        src_ports=[vnc_api.PortType(**any_port)],
        dst_addresses=[
            vnc_api.AddressType(virtual_network=right_network_name)],
        dst_ports=[vnc_api.PortType(**any_port)])

    entries = vnc_api.PolicyEntriesType([pass_rule])
    vnc.network_policy_create(vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=owner,
        network_policy_entries=entries))
    print('Policy "{}" created between "{}" & "{}"\n'.format(
        policy_name, left_network_name, right_network_name))
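def _security_group_rule_neutron_to_vnc(self, sgr_q):
    """Translate a Neutron security-group-rule dict into a VNC PolicyRuleType.

    Args:
        sgr_q: Neutron rule dict with keys 'direction', 'protocol',
            'ethertype', 'port_range_min', 'port_range_max',
            'remote_ip_prefix', 'remote_group_id' and optionally 'id'
            and 'tenant_id'.  Empty 'protocol' / 'ethertype' values are
            filled in *in place* (callers may observe this; kept as is).

    Returns:
        vnc_api.PolicyRuleType.  The VNC direction is always '>'; ingress
        vs. egress is expressed by which end is the 'local' group.

    Raises:
        Whatever ``self._raise_contrail_exception`` raises: BadRequest when
        both remote selectors are set or remote_ip_prefix is not
        'address/prefixlen', SecurityGroupNotFound for an unknown
        remote_group_id, NotFound when the remote group belongs to
        another tenant.
    """
    remote_prefix = sgr_q['remote_ip_prefix']
    remote_group = sgr_q['remote_group_id']

    # Validate before any API round-trip: the two remote selectors are
    # mutually exclusive (same check as the newer version of this method).
    if remote_prefix and remote_group:
        self._raise_contrail_exception(
            "BadRequest",
            msg="Can't set remote_ip_prefix with remote_group_id",
            resource="security_group_rule")

    pfx = pfx_len = None
    if remote_prefix:
        # The original indexed split('/')[1], which raised IndexError on a
        # bare address; report a client error instead.
        try:
            pfx, pfx_len = remote_prefix.split('/', 1)
            pfx_len = int(pfx_len)
        except ValueError:
            self._raise_contrail_exception(
                "BadRequest",
                msg="remote_ip_prefix must be of the form address/prefixlen",
                resource="security_group_rule")

    # Port range defaults to everything unless Neutron narrowed it.
    port_min = 0
    port_max = 65535
    if sgr_q['port_range_min'] is not None:
        port_min = sgr_q['port_range_min']
    if sgr_q['port_range_max'] is not None:
        port_max = sgr_q['port_range_max']

    # Remote endpoint: a subnet, another security group, or 'any'.
    if remote_prefix:
        endpt = [vnc_api.AddressType(
            subnet=vnc_api.SubnetType(pfx, pfx_len))]
    elif remote_group:
        try:
            sg_obj = sg_handler.SecurityGroupHandler(
                self._vnc_lib).get_sg_obj(id=remote_group)
        except vnc_exc.NoIdError:
            self._raise_contrail_exception('SecurityGroupNotFound',
                                           id=remote_group,
                                           resource='security_group_rule')
        # Ownership check: a tenant may only reference its own groups.
        # NOTE(review): compares the raw Neutron tenant id with the VNC
        # parent uuid; confirm both are in the same uuid format.
        if sgr_q.get('tenant_id') and (
                sg_obj.parent_uuid != sgr_q['tenant_id']):
            self._raise_contrail_exception("NotFound")
        endpt = [vnc_api.AddressType(
            security_group=sg_obj.get_fq_name_str())]
    else:
        endpt = [vnc_api.AddressType(security_group='any')]

    # Ingress: remote -> local; egress: local -> remote.  The dst port
    # range therefore applies to the local side on ingress and to the
    # remote side on egress.
    local = [vnc_api.AddressType(security_group='local')]
    if sgr_q['direction'] == 'ingress':
        src_addresses, dst_addresses = endpt, local
    else:
        src_addresses, dst_addresses = local, endpt

    if not sgr_q['protocol']:
        sgr_q['protocol'] = 'any'
    # NOTE(review): ethertype is defaulted only when no remote selector is
    # present; with a selector an empty ethertype passes through unchanged.
    if not remote_prefix and not remote_group:
        if not sgr_q['ethertype']:
            sgr_q['ethertype'] = 'IPv4'

    sgr_uuid = sgr_q['id'] if 'id' in sgr_q else str(uuid.uuid4())
    return vnc_api.PolicyRuleType(
        rule_uuid=sgr_uuid,
        direction='>',
        protocol=sgr_q['protocol'],
        src_addresses=src_addresses,
        src_ports=[vnc_api.PortType(0, 65535)],
        dst_addresses=dst_addresses,
        dst_ports=[vnc_api.PortType(port_min, port_max)],
        ethertype=sgr_q['ethertype'])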
def create_networkpolicy(self, policy_name, vn1_name, vn2_name, action):
    """Create a bidirectional any-protocol network policy between two networks.

    A single rule with direction '<>', protocol 'any' and the -1/-1
    (any) port range on both sides is created under the project
    ``[self._domain, self._tenant_name]`` with simple action *action*.
    """
    print("Create network policy %s between %s <---> %s" % (
        policy_name, vn1_name, vn2_name))
    tenant = self._vnc_lib.project_read(
        fq_name=[self._domain, self._tenant_name])

    any_port = dict(start_port=-1, end_port=-1)
    policy_rule = vnc_api.PolicyRuleType(
        direction='<>',
        protocol='any',
        action_list=vnc_api.ActionListType(simple_action=action),
        src_addresses=[vnc_api.AddressType(virtual_network=vn1_name)],
        src_ports=[vnc_api.PortType(**any_port)],
        dst_addresses=[vnc_api.AddressType(virtual_network=vn2_name)],
        dst_ports=[vnc_api.PortType(**any_port)])

    new_policy = vnc_api.NetworkPolicy(
        name=policy_name,
        parent_obj=tenant,
        network_policy_entries=vnc_api.PolicyEntriesType([policy_rule]))
    self._vnc_lib.network_policy_create(new_policy)
destination_port = "-1" else: destination_port = raw_input('Destination Port number -> ') vnc = vnc_api.VncApi(username="******", password="******", tenant_name="admin", api_server_host="CONTRAIL_IP") tenant = vnc.project_read(fq_name=['default-domain', tenant_name]) #create policy rule = vnc_api.PolicyRuleType( direction='<>', protocol=policy_protocol, action_list=vnc_api.ActionListType(simple_action=policy_action), src_addresses=[vnc_api.AddressType(virtual_network=source_network)], src_ports=[vnc_api.PortType(start_port=source_port, end_port=source_port)], dst_addresses=[vnc_api.AddressType(virtual_network=destination_network)], dst_ports=[ vnc_api.PortType(start_port=destination_port, end_port=destination_port) ]) policy = vnc_api.NetworkPolicy( name=policy_name, parent_obj=tenant, network_policy_entries=vnc_api.PolicyEntriesType([rule])) vnc.network_policy_create(policy) #add the policy to each network policy = vnc.network_policy_read( fq_name=['default-domain', tenant_name, policy_name])
auth_port=auth_port, auth_url=urlparts.path + '/tokens', ) net1 = vnc_lib.virtual_network_read(id=args.net1_uuid) net2 = vnc_lib.virtual_network_read(id=args.net2_uuid) pol1 = vnc_api.NetworkPolicy( 'policy-%s-%s-any' % (net1.name, net2.name), network_policy_entries=vnc_api.PolicyEntriesType([ vnc_api.PolicyRuleType( direction='<>', action_list=vnc_api.ActionListType(simple_action='pass'), protocol='any', src_addresses=[ vnc_api.AddressType(virtual_network=net1.get_fq_name_str()) ], src_ports=[vnc_api.PortType(-1, -1)], dst_addresses=[ vnc_api.AddressType(virtual_network=net2.get_fq_name_str()) ], dst_ports=[vnc_api.PortType(-1, -1)]) ]), parent_obj=vnc_lib.project_read(fq_name=net1.get_parent_fq_name())) vnc_lib.network_policy_create(pol1) net1.add_network_policy( pol1, vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0))) vnc_lib.virtual_network_update(net1) net2.add_network_policy(
from vnc_api import vnc_api

# Sample script: two networks plus one policy allowing TCP/80 between them.
vnc_lib = vnc_api.VncApi(api_server_host='10.10.7.149')


def _create_network(name, prefix, prefix_len):
    """Build a VirtualNetwork with one IPAM subnet and create it via the API."""
    vn = vnc_api.VirtualNetwork(name)
    vn.add_network_ipam(
        vnc_api.NetworkIpam(),
        vnc_api.VnSubnetsType([
            vnc_api.IpamSubnetType(
                subnet=vnc_api.SubnetType(prefix, prefix_len))]))
    vnc_lib.virtual_network_create(vn)
    return vn


vn_blue_obj = _create_network('vn-blue', '10.0.2.0', 24)
vn_red_obj = _create_network('vn-red', '10.0.3.0', 24)

# One rule: TCP, any source port, destination port 80, vn-blue as source and
# vn-red as destination, evaluated in both directions ('<>'), action 'pass'.
http_rule = vnc_api.PolicyRuleType(
    direction='<>',
    action_list=vnc_api.ActionListType(simple_action='pass'),
    protocol='tcp',
    src_addresses=[
        vnc_api.AddressType(virtual_network=vn_blue_obj.get_fq_name_str())],
    src_ports=[vnc_api.PortType(-1, -1)],
    dst_addresses=[
        vnc_api.AddressType(virtual_network=vn_red_obj.get_fq_name_str())],
    dst_ports=[vnc_api.PortType(80, 80)])
policy_obj = vnc_api.NetworkPolicy(
    'policy-red-blue',
    network_policy_entries=vnc_api.PolicyEntriesType([http_rule]))
vnc_lib.network_policy_create(policy_obj)

# Attach the policy to both networks, then push the updates.
for vn in (vn_blue_obj, vn_red_obj):
    vn.add_network_policy(
        policy_obj,
        vnc_api.VirtualNetworkPolicyType(sequence=vnc_api.SequenceType(0, 0)))
for vn in (vn_blue_obj, vn_red_obj):
    vnc_lib.virtual_network_update(vn)

print(vnc_lib.virtual_network_read(id=vn_blue_obj.uuid))
print(vnc_lib.virtual_networks_list())
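def _security_group_rule_neutron_to_vnc(self, sgr_q):
    """Translate a Neutron security-group-rule dict into a VNC PolicyRuleType.

    Args:
        sgr_q: Neutron rule dict with keys 'direction', 'protocol',
            'ethertype', 'port_range_min', 'port_range_max',
            'remote_ip_prefix', 'remote_group_id' and optionally 'id'
            and 'tenant_id'.  Empty 'protocol' / 'ethertype' values are
            filled in *in place* (callers may observe this; kept as is).

    Returns:
        vnc_api.PolicyRuleType.  The VNC direction is always '>'; ingress
        vs. egress is expressed by which end is the 'local' group.

    Raises:
        Whatever ``self._raise_contrail_exception`` raises: BadRequest when
        both remote selectors are set or remote_ip_prefix is not
        'address/prefixlen', SecurityGroupNotFound for an unknown
        remote_group_id, NotFound when the remote group belongs to
        another tenant.
    """
    remote_prefix = sgr_q['remote_ip_prefix']
    remote_group = sgr_q['remote_group_id']

    # Validate before any API round-trip: the two remote selectors are
    # mutually exclusive.
    if remote_prefix and remote_group:
        self._raise_contrail_exception(
            "BadRequest",
            msg="Can't set remote_ip_prefix with remote_group_id",
            resource="security_group_rule")

    pfx = pfx_len = None
    if remote_prefix:
        # The original indexed split('/')[1], which raised IndexError on a
        # bare address; report a client error instead.
        try:
            pfx, pfx_len = remote_prefix.split('/', 1)
            pfx_len = int(pfx_len)
        except ValueError:
            self._raise_contrail_exception(
                "BadRequest",
                msg="remote_ip_prefix must be of the form address/prefixlen",
                resource="security_group_rule")

    # Port defaults: ICMP rules start with unset ports (presumably because
    # the port fields carry ICMP type/code — confirm), everything else with
    # the full range; Neutron-supplied bounds override either.
    if sgr_q['protocol'] in (constants.PROTO_NAME_ICMP,
                             str(constants.PROTO_NUM_ICMP)):
        port_min = port_max = None
    else:
        port_min, port_max = 0, 65535
    if sgr_q['port_range_min'] is not None:
        port_min = sgr_q['port_range_min']
    if sgr_q['port_range_max'] is not None:
        port_max = sgr_q['port_range_max']

    # Remote endpoint: a subnet, another security group, or 'any'.
    if remote_prefix:
        endpt = [vnc_api.AddressType(
            subnet=vnc_api.SubnetType(pfx, pfx_len))]
    elif remote_group:
        # Function-local import kept from the original (likely avoids an
        # import cycle); it is only needed on this path.
        from neutron_plugin_contrail.plugins.opencontrail.vnc_client.sg_res_handler import SecurityGroupHandler
        try:
            sg_obj = SecurityGroupHandler(
                self._vnc_lib).get_sg_obj(id=remote_group)
        except vnc_exc.NoIdError:
            self._raise_contrail_exception('SecurityGroupNotFound',
                                           id=remote_group,
                                           resource='security_group_rule')
        # Ownership check: a tenant may only reference its own groups.
        if sgr_q.get('tenant_id') and (
                sg_obj.parent_uuid !=
                self._project_id_neutron_to_vnc(sgr_q['tenant_id'])):
            self._raise_contrail_exception("NotFound")
        endpt = [vnc_api.AddressType(
            security_group=sg_obj.get_fq_name_str())]
    else:
        endpt = [vnc_api.AddressType(security_group='any')]

    # Ingress: remote -> local; egress: local -> remote.  The dst port
    # range therefore applies to the local side on ingress and to the
    # remote side on egress.
    local = [vnc_api.AddressType(security_group='local')]
    if sgr_q['direction'] == 'ingress':
        src_addresses, dst_addresses = endpt, local
    else:
        src_addresses, dst_addresses = local, endpt

    if not sgr_q['protocol']:
        sgr_q['protocol'] = 'any'
    # NOTE(review): ethertype is defaulted only when no remote selector is
    # present; with a selector an empty ethertype passes through unchanged.
    if not remote_prefix and not remote_group:
        if not sgr_q['ethertype']:
            sgr_q['ethertype'] = 'IPv4'

    sgr_uuid = sgr_q['id'] if 'id' in sgr_q else str(uuid.uuid4())
    return vnc_api.PolicyRuleType(
        rule_uuid=sgr_uuid,
        direction='>',
        protocol=sgr_q['protocol'],
        src_addresses=src_addresses,
        src_ports=[vnc_api.PortType(0, 65535)],
        dst_addresses=dst_addresses,
        dst_ports=[vnc_api.PortType(port_min, port_max)],
        ethertype=sgr_q['ethertype'])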