
NSXv: Cleanup redundant FW rules from VDR

Change-Id: Ida99b5793e9537b581e562fa329d0dc880fc3621
changes/80/679080/1
Kobi Samoray 1 month ago
parent
commit
24554883a3

+ 7
- 1
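--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@@ -4246,6 +4246,12 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
         the NSX (in case of distributed router it can be plr or tlr)
         """
         fw_rules = []
+        distributed = False
+        if router_db:
+            nsx_attr = router_db.get('nsx_attributes', {})
+            distributed = (
+                nsx_attr.get('distributed', False) if nsx_attr else False)
+
         edge_id = self._get_edge_id_by_rtr_id(context, router_id)
 
         # Add FW rule/s to open subnets firewall flows and static routes
@@ -4258,7 +4264,7 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             fw_rules.extend(subnet_rules)
 
         # If metadata service is enabled, block access to inter-edge network
-        if self.metadata_proxy_handler:
+        if self.metadata_proxy_handler and not distributed:
             fw_rules += nsx_v_md_proxy.get_router_fw_rules()
 
         # Add FWaaS rules if FWaaS is enabled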
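Review bot: The comment above the changed condition still says the metadata rules are added whenever the proxy is enabled, but the new `and not distributed` silently excepts VDR edges without recording why dropping rules that "block access to inter-edge network" is safe there; put the reason in code, e.g. `# VDR edges (PLR/TLR) are not attached to the inter-edge metadata network, so the block rules would only be dead entries there` — that wording rests on the commit's "redundant" claim, so confirm it against the md-proxy wiring before committing to it. The `distributed` lookup falls back to `False` whenever `router_db` is not passed, which keeps the old rule-adding behavior for those callers — the safe direction. `nsx_attr.get('distributed', False) if nsx_attr else False` repeats the `{}` default; `bool(nsx_attr and nsx_attr.get('distributed'))` is equivalent and shorter. The enclosing method starts outside the hunk, so it is not visible whether `router_db` is a plain dict or a model object that supports `.get` — worth confirming.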

+ 28
- 0
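--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/routers.py
@@ -28,6 +28,7 @@ from vmware_nsx.common import locking
 from vmware_nsx.db import nsxv_db
 from vmware_nsx.extensions import routersize
 from vmware_nsx.plugins.nsx_v import availability_zones as nsx_az
+from vmware_nsx.plugins.nsx_v import md_proxy
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
 
@@ -192,6 +193,9 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
     context = n_context.get_admin_context()
     nsxv = utils.get_nsxv_client()
     with utils.NsxVPluginWrapper() as plugin:
+        nsxv_manager = vcns_driver.VcnsDriver(
+            edge_utils.NsxVCallbacks(plugin))
+        edge_manager = edge_utils.EdgeManager(nsxv_manager, plugin)
         routers = plugin.get_routers(context)
         for router in routers:
             if router.get('distributed', False):
@@ -209,6 +213,30 @@ def migrate_distributed_routers_dhcp(resource, event, trigger, **kwargs):
 
                         nsxv.update_routes(edge_id, route_obj)
 
+                        _update_vdr_fw_config(nsxv, edge_id)
+                        plr_id = edge_manager.get_plr_by_tlr_id(context,
+                                                                router['id'])
+
+                        if plr_id:
+                            binding = nsxv_db.get_nsxv_router_binding(
+                                context.session, plr_id)
+                            if binding:
+                                _update_vdr_fw_config(nsxv, binding['edge_id'])
+
+
+def _update_vdr_fw_config(nsxv, edge_id):
+    fw_config = nsxv.get_firewall(edge_id)[1]
+
+    md_rule_names = [rule['name'] for rule in md_proxy.get_router_fw_rules()]
+
+    fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', [])
+    if fw_rules:
+        fw_rules = [rule for rule in fw_rules
+                    if rule['name'] not in md_rule_names]
+
+        fw_config['firewallRules']['firewallRules'] = fw_rules
+        nsxv.update_firewall(edge_id, fw_config)
+
 
 def is_router_conflicting_on_edge(context, driver, router_id):
     edge_id = edge_utils.get_router_edge_id(context, router_id)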
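Review bot: `_update_vdr_fw_config` calls `nsxv.update_firewall` whenever the edge has any rules at all, even when the name filter removed nothing, so every run of this admin command rewrites the complete firewall config of every VDR edge and its PLR as an unlocked read-modify-write; the write should be skipped when nothing changed, and since this module already imports `locking`, the per-edge lock the plugin presumably holds around its own firewall updates should be taken around the get/update pair here too — confirm which lock that is. Filtering on `rule['name']` alone will also delete an admin-created rule that happens to reuse one of the md-proxy rule names; if those rules carry a more specific marker than the name, match on that instead. The write-only-if-changed part is sketched below; `md_rule_names` can be a set while at it.
```python
def _update_vdr_fw_config(nsxv, edge_id):
    # … unchanged: fetch fw_config and md_rule_names …
    fw_rules = fw_config.get('firewallRules', {}).get('firewallRules', [])
    kept = [rule for rule in fw_rules
            if rule['name'] not in md_rule_names]
    # Only push a new config when an md-proxy rule was actually present,
    # so an idempotent re-run does not rewrite every edge's firewall.
    if len(kept) != len(fw_rules):
        fw_config['firewallRules']['firewallRules'] = kept
        nsxv.update_firewall(edge_id, fw_config)
```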

+ 3
- 0
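--- a/vmware_nsx/tests/unit/nsx_v/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_v/test_plugin.py
@@ -4186,6 +4186,9 @@ class TestVdrTestCase(L3NatTest, L3NatTestCaseBase,
         self._default_tenant_id = self._tenant_id
         self._router_tenant_id = 'test-router-tenant'
 
+    def _get_md_proxy_fw_rules(self):
+        return []
+
     @mock.patch.object(edge_utils.EdgeManager,
                        'update_interface_addr')
     def test_router_update_gateway_with_different_external_subnet(self, mock):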
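Review bot: `_get_md_proxy_fw_rules` is added with no comment, and nothing in the hunk says what it overrides or why a VDR test case expects no metadata-proxy rules; a one-liner such as `# Distributed routers get no md-proxy FW rules on their edges, so the expected set is empty` would tie it back to the plugin change. It presumably overrides a hook defined in a base test class outside this hunk — confirm the name matches the hook the base class actually calls. This only adjusts the expectation; a case asserting that a non-distributed router still receives the md-proxy rules would cover the other branch of the new `and not distributed` condition, if the base class does not already provide one.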
