c5e2d4b6b4
Provider firewall rules functionality is not in use and hasn't been for a very long time. The api for this was removed in [1] and db api methods for adding/removing rows in the associated db table have not been used since. Stop refreshing those rules as it is essentially a no-op and indeed a costly one that includes an rpc round trip to the conductor to get back an always empty db result. This should have a positive impact on instance boot performance since the conductor call happens to live inside an externally synchronized block of code. Removes related compute rpcapi/manager code that was missed in a recent cleanup[2]. Since this functionality hasn't been in use since Havana timeframe(!), it should be fairly safe to remove without first deprecating it. Also removes the now unused virtapi method provider_fw_rule_get_all() and the virtapi itself from virt firewall driver initialization. [1] Commit:62d5fae8d1
[2] Commit:e6f7d80417
Change-Id: Ifbb2514b9bc1445eaa07dcfe172c7405fd1a58f7 Partial-Bug: #1016633
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
# Copyright (c) 2010 Citrix Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_serialization import jsonutils
from nova.virt import firewall
class Dom0IptablesFirewallDriver(firewall.IptablesFirewallDriver):
    """Iptables-based firewall driver for the xenapi backend.

    Rules are not applied on the compute host itself: every iptables
    invocation is handed to the ``xenhost`` xenapi plugin through its
    ``iptables_config`` call so that the rules are enforced in dom0.
    """

    def _plugin_execute(self, *cmd, **kwargs):
        """Run one iptables command through the dom0 plugin.

        ``cmd`` holds the iptables argument list; ``kwargs`` are forwarded
        to the plugin as string-valued options.  Returns the ``(out, err)``
        pair decoded from the plugin's JSON reply.
        """
        # Option values are stringified before the call (the plugin
        # presumably only accepts string values - confirm against the
        # xenhost plugin); the command itself travels JSON-encoded under
        # 'cmd_args'.  Whatever is in ``cmd`` is what dom0 runs as iptables
        # arguments, so callers pass only rule fragments they built
        # themselves.
        plugin_args = {name: str(value) for name, value in kwargs.items()}
        plugin_args['cmd_args'] = jsonutils.dumps(cmd)
        reply = self._session.call_plugin('xenhost', 'iptables_config',
                                          plugin_args)
        decoded = jsonutils.loads(reply)
        return (decoded['out'], decoded['err'])

    def __init__(self, xenapi_session=None, **kwargs):
        """Build the iptables manager and the default-deny fallback chains.

        ``xenapi_session`` is the session used for plugin calls; any other
        keyword arguments are passed on to the base IptablesFirewallDriver.
        """
        # Function-scoped import kept as-is; presumably avoids an import
        # cycle between nova.network and nova.virt - do not hoist.
        from nova.network import linux_net
        super(Dom0IptablesFirewallDriver, self).__init__(**kwargs)
        self._session = xenapi_session
        # Every iptables invocation made by the manager goes through the
        # plugin executor rather than a local process.
        self.iptables = linux_net.IptablesManager(self._plugin_execute)
        # sg-fallback terminates in an unconditional DROP for both address
        # families, so traffic that falls through to it is denied.
        for family in (self.iptables.ipv4, self.iptables.ipv6):
            filter_table = family['filter']
            filter_table.add_chain('sg-fallback')
            filter_table.add_rule('sg-fallback', '-j DROP')

    def _build_tcp_udp_rule(self, rule, version):
        """Return the ``--dport`` arguments for a tcp/udp security-group rule.

        A single port yields ``--dport N``; a range yields ``--dport N:M``.
        ``version`` is accepted to match the base-class signature but is
        not needed to build the port match.
        """
        # A plain port range is enough here; no multiport needed for XS.
        if rule.from_port != rule.to_port:
            return ['--dport', '%s:%s' % (rule.from_port, rule.to_port)]
        return ['--dport', '%s' % (rule.from_port,)]