Merge "Set default rp_filter for NSXv 6.2"
commit
4a18fb82a4
|
@ -349,6 +349,10 @@ class RouterDistributedDriver(router_driver.RouterBaseDriver):
|
|||
# Detach network from VDR-dedicated DHCP Edge
|
||||
vdr_dhcp_binding = nsxv_db.get_vdr_dhcp_binding_by_vdr(
|
||||
context.session, router_id)
|
||||
|
||||
self.edge_manager.reset_sysctl_rp_filter_for_vdr_dhcp(
|
||||
context, vdr_dhcp_binding['dhcp_edge_id'], network_id)
|
||||
|
||||
self.edge_manager.remove_network_from_dhcp_edge(
|
||||
context, network_id, vdr_dhcp_binding['dhcp_edge_id'])
|
||||
|
||||
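Review bot: The new `reset_sysctl_rp_filter_for_vdr_dhcp` call has to stay ahead of `remove_network_from_dhcp_edge`, because (per `_get_sub_interface_id` elsewhere in this commit) it resolves the vNIC through the edge vnic binding that the removal presumably tears down, and nothing in the hunk records that ordering constraint; add `# must run before remove_network_from_dhcp_edge: the vNIC lookup needs the edge vnic binding` above it. Note also that the reset, as written in edge_utils, raises ValueError when the `=0` property is absent (unguarded `list.remove`), which would abort the detach here before the network is removed from the DHCP Edge; if the reset is best-effort, catch and log it at this call site. The enclosing method starts outside the hunk.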
@ -43,9 +43,9 @@ from vmware_nsx.neutron.plugins.vmware.vshield.tasks import tasks
|
|||
from vmware_nsx.neutron.plugins.vmware.vshield import vcns
|
||||
|
||||
WORKER_POOL_SIZE = 8
|
||||
RP_FILTER_PROPERTY_OFF = 'sysctl.net.ipv4.conf.all.rp_filter=0'
|
||||
LOG = logging.getLogger(__name__)
|
||||
RP_FILTER_PROPERTY_OFF_TEMPLATE = 'sysctl.net.ipv4.conf.%s.rp_filter=%s'
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
_uuid = uuidutils.generate_uuid
|
||||
|
||||
|
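Review bot: `RP_FILTER_PROPERTY_OFF_TEMPLATE` is now formatted with both `'0'` and `'1'` (the reset path in edge_utils in this same commit), so the `_OFF` in its name no longer describes it; `RP_FILTER_PROPERTY_TEMPLATE` would read correctly. A why-comment would also help, e.g. `# per-vNIC rp_filter knob; Linux applies max(conf.all, conf.<if>), so '0' here only disables reverse-path filtering if conf.all.rp_filter is not 1`. Whether the NSXv 6.2 Edge defaults `conf.all.rp_filter` to something other than 1 is not visible here and is worth confirming, since the removed `conf.all.rp_filter=0` constant was what previously guaranteed the override took effect.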
@ -913,8 +913,6 @@ class EdgeManager(object):
|
|||
self.plugin.setup_dhcp_edge_fw_rules(
|
||||
context, self.plugin, resource_id)
|
||||
|
||||
self.nsxv_manager.vcns.set_system_control(
|
||||
dhcp_edge_id, RP_FILTER_PROPERTY_OFF)
|
||||
nsxv_db.add_vdr_dhcp_binding(context.session, vdr_router_id,
|
||||
str(resource_id), dhcp_edge_id)
|
||||
|
@ -923,6 +921,59 @@ class EdgeManager(object):
|
|||
self.update_dhcp_edge_service(
|
||||
context, network_id, address_groups=address_groups)
|
||||
|
||||
self.set_sysctl_rp_filter_for_vdr_dhcp(
|
||||
context, dhcp_edge_id, network_id)
|
||||
|
||||
def _get_sub_interface_id(self, context, edge_id, network_id):
|
||||
vnic_binding = nsxv_db.get_edge_vnic_binding(
|
||||
context.session, edge_id, network_id)
|
||||
|
||||
if vnic_binding:
|
||||
_, vnic_config = self.nsxv_manager.get_interface(
|
||||
edge_id, vnic_binding.vnic_index)
|
||||
sub_iface_dict = vnic_config.get('subInterfaces')
|
||||
if sub_iface_dict:
|
||||
sub_interfaces = sub_iface_dict.get('subInterfaces', [])
|
||||
|
||||
for sub_interface in sub_interfaces:
|
||||
if sub_interface['tunnelId'] == vnic_binding.tunnel_index:
|
||||
return sub_interface['index']
|
||||
|
||||
def set_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id, network_id):
|
||||
|
||||
vnic_index = self._get_sub_interface_id(context, edge_id, network_id)
|
||||
if vnic_index:
|
||||
vnic_id = 'vNic_%d' % vnic_index
|
||||
with locking.LockManager.get_lock(
|
||||
str(edge_id), lock_file_prefix='nsxv-dhcp-config-',
|
||||
external=True):
|
||||
sysctl_props = []
|
||||
h, sysctl = self.nsxv_manager.vcns.get_system_control(edge_id)
|
||||
if sysctl:
|
||||
sysctl_props = sysctl['property']
|
||||
sysctl_props.append(
|
||||
RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '0'))
|
||||
self.nsxv_manager.vcns.set_system_control(
|
||||
edge_id, sysctl_props)
|
||||
|
||||
def reset_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id,
|
||||
network_id):
|
||||
vnic_index = self._get_sub_interface_id(context, edge_id, network_id)
|
||||
if vnic_index:
|
||||
vnic_id = 'vNic_%d' % vnic_index
|
||||
with locking.LockManager.get_lock(
|
||||
str(edge_id), lock_file_prefix='nsxv-dhcp-config-',
|
||||
external=True):
|
||||
h, sysctl = self.nsxv_manager.vcns.get_system_control(edge_id)
|
||||
if sysctl:
|
||||
sysctl_props = sysctl['property']
|
||||
sysctl_props.remove(
|
||||
RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '0'))
|
||||
sysctl_props.append(
|
||||
RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, '1'))
|
||||
self.nsxv_manager.vcns.set_system_control(
|
||||
edge_id, sysctl_props)
|
||||
|
||||
def get_plr_by_tlr_id(self, context, router_id):
|
||||
lswitch_id = nsxv_db.get_nsxv_router_binding(
|
||||
context.session, router_id).lswitch_id
|
||||
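Review bot: `reset_sysctl_rp_filter_for_vdr_dhcp` calls `sysctl_props.remove(...)` unguarded, so it raises ValueError whenever the `=0` entry is not present (the set path was skipped or the Edge was rebuilt), and `set_sysctl_rp_filter_for_vdr_dhcp` appends without removing an earlier `=1` entry for the same vNIC, so a detach/reattach cycle leaves both `vNic_N.rp_filter=1` and `vNic_N.rp_filter=0` in the list and which one the Edge applies is not defined here. Both methods also index `sysctl['property']` without checking the key exists. Since rp_filter is a reverse-path-filtering control, a stale conflicting entry is a security-relevant ambiguity rather than noise, so I would fold both paths into one helper that drops every existing `sysctl.net.ipv4.conf.vNic_N.rp_filter=` entry before appending the wanted value, with the two public methods as thin wrappers. `get_plr_by_tlr_id` continues outside the hunk.
```python
    def _set_vdr_dhcp_rp_filter(self, context, edge_id, network_id, value):
        # value is '0' (disable reverse-path filtering) or '1' (restore it)
        vnic_index = self._get_sub_interface_id(context, edge_id, network_id)
        if vnic_index:
            vnic_id = 'vNic_%d' % vnic_index
            prefix = 'sysctl.net.ipv4.conf.%s.rp_filter=' % vnic_id
            with locking.LockManager.get_lock(
                    str(edge_id), lock_file_prefix='nsxv-dhcp-config-',
                    external=True):
                h, sysctl = self.nsxv_manager.vcns.get_system_control(edge_id)
                sysctl_props = (sysctl or {}).get('property') or []
                # drop stale entries for this vNIC so exactly one value remains
                sysctl_props = [p for p in sysctl_props
                                if not p.startswith(prefix)]
                sysctl_props.append(
                    RP_FILTER_PROPERTY_OFF_TEMPLATE % (vnic_id, value))
                self.nsxv_manager.vcns.set_system_control(
                    edge_id, sysctl_props)

    def set_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id, network_id):
        self._set_vdr_dhcp_rp_filter(context, edge_id, network_id, '0')

    def reset_sysctl_rp_filter_for_vdr_dhcp(self, context, edge_id,
                                            network_id):
        self._set_vdr_dhcp_rp_filter(context, edge_id, network_id, '1')
```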
@ -567,12 +567,15 @@ class Vcns(object):
|
|||
|
||||
payload = {
|
||||
'featureType': 'systemcontrol',
|
||||
'property': [
|
||||
prop
|
||||
]
|
||||
'property': prop
|
||||
}
|
||||
return self.do_request(HTTP_PUT, uri, payload, decode=True)
|
||||
|
||||
def get_system_control(self, edge_id):
|
||||
uri = self._build_uri_path(edge_id, SYSCTL_SERVICE)
|
||||
|
||||
return self.do_request(HTTP_GET, uri)
|
||||
|
||||
@retry_upon_exception(exceptions.RequestBad)
|
||||
def create_spoofguard_policy(self, enforcement_point, name, enable):
|
||||
uri = '%s/policies/' % SPOOFGUARD_PREFIX
|
||||
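Review bot: `set_system_control` now places `prop` directly under `'property'`, so the parameter is a full replacement list and a caller that still passes a single string (which the old payload wrapped in a list) will PUT a bare string with no error raised on this side; the method's signature and any docstring are outside the hunk. Rename the parameter or document the contract, e.g. `"""Replace the Edge's systemcontrol property list; ``prop`` is the complete list of 'sysctl.<key>=<value>' strings, so callers must read-modify-write via get_system_control."""`. The new `get_system_control` also omits the `decode=True` that the PUT passes; if `do_request` does not decode by default, the `sysctl['property']` lookup in edge_utils would not work, which is worth confirming.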