openstack/nova
Code Issues Proposed changes
bcc88d4cad
nova/nova/virt/xenapi/firewall.py
Hans Lindgren c5e2d4b6b4 Remove unused provider firewall rules functionality in nova 
Provider firewall rules functionality is not in use and hasn't been
for a very long time. The api for this was removed in [1] and db api
methods for adding/removing rows in the associated db table have not
been used since.

Stop refreshing those rules as it is essentially a no-op and indeed a
costly one that includes a rpc round trip to the conductor to get
back an always empty db result. This should have a positive impact on
instance boot performance since the conductor call happens to live
inside an externally syncronized block of code.

Removes related compute rpcapi/manager code that were missed in a
recent cleanup[2]. Since this functionality hasn't been in use since
Havana timeframe(!), it should be fairly safe to remove without first
deprecating it.

Also removes the now unused virtapi method provider_fw_rule_get_all()
and the virtapi itself from virt firewall driver initialization.

[1] Commit: 62d5fae8d1
[2] Commit: e6f7d80417

Change-Id: Ifbb2514b9bc1445eaa07dcfe172c7405fd1a58f7
Partial-Bug: #1016633
2016-02-01 15:50:04 +01:00

57 lines
2.4 KiB
Python
Raw Blame History

# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
# Copyright (c) 2010 Citrix Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_serialization import jsonutils
from nova.virt import firewall
class Dom0IptablesFirewallDriver(firewall.IptablesFirewallDriver):
"""Dom0IptablesFirewallDriver class
This class provides an implementation for nova.virt.Firewall
using iptables. This class is meant to be used with the xenapi
backend and uses xenapi plugin to enforce iptables rules in dom0.
"""
def _plugin_execute(self, *cmd, **kwargs):
# Prepare arguments for plugin call
args = {}
args.update(map(lambda x: (x, str(kwargs[x])), kwargs))
args['cmd_args'] = jsonutils.dumps(cmd)
ret = self._session.call_plugin('xenhost', 'iptables_config', args)
json_ret = jsonutils.loads(ret)
return (json_ret['out'], json_ret['err'])
def __init__(self, xenapi_session=None, **kwargs):
from nova.network import linux_net
super(Dom0IptablesFirewallDriver, self).__init__(**kwargs)
self._session = xenapi_session
# Create IpTablesManager with executor through plugin
self.iptables = linux_net.IptablesManager(self._plugin_execute)
self.iptables.ipv4['filter'].add_chain('sg-fallback')
self.iptables.ipv4['filter'].add_rule('sg-fallback', '-j DROP')
self.iptables.ipv6['filter'].add_chain('sg-fallback')
self.iptables.ipv6['filter'].add_rule('sg-fallback', '-j DROP')
def _build_tcp_udp_rule(self, rule, version):
if rule.from_port == rule.to_port:
return ['--dport', '%s' % (rule.from_port,)]
else:
# No multiport needed for XS!
return ['--dport', '%s:%s' % (rule.from_port,
rule.to_port)]
View Git Blame Copy Permalink