NSX|P Add priorities to NAT rules

Tier1 router NAT rules should be ordered so FIP rules will be evaluated before GW rules. The 'USER' section rules priorities should be larger than 1023. Change-Id: Ie1f5fee5174aae0ef02b71dbe2f88a50fb83c944
2019-01-07 14:01:01 +02:00 · 2019-01-07 14:01:01 +02:00 · a90ae35a37
parent 17759dba87
commit a90ae35a37
1 changed files with 8 additions and 2 deletions
--- a/vmware_nsx/plugins/nsx_p/plugin.py
+++ b/vmware_nsx/plugins/nsx_p/plugin.py
@ -88,6 +88,10 @@ NO_SEG_SECURITY_PROFILE_UUID = 'neutron-no-segment-security-profile'
 SEG_SECURITY_PROFILE_UUID = (
    policy_defs.SegmentSecurityProfileDef.DEFAULT_PROFILE)

+# Priorities for NAT rules: (FIP specific rules should come before GW rules)
+NAT_RULE_PRIORITY_FIP = 2000
+NAT_RULE_PRIORITY_GW = 3000
+

@resource_extend.has_resource_extenders
 class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
@ -888,7 +892,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
            router_id,
            nat_rule_id=self._get_snat_rule_id(subnet),
            action=policy_constants.NAT_ACTION_SNAT,
-            #sequence_number=GW_NAT_PRI # TODO(asarfaty) handle priorities
+            sequence_number=NAT_RULE_PRIORITY_GW,
            translated_network=gw_ip,
            source_network=subnet['cidr'],
            firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
@ -907,7 +911,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
            router_id,
            nat_rule_id=self._get_no_dnat_rule_id(subnet),
            action=policy_constants.NAT_ACTION_NO_DNAT,
-            #sequence_number=GW_NAT_PRI # TODO(asarfaty) handle priorities
+            sequence_number=NAT_RULE_PRIORITY_GW,
            destination_network=subnet['cidr'],
            firewall_match=policy_constants.NAT_FIREWALL_MATCH_BYPASS)

@ -1271,6 +1275,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
            action=policy_constants.NAT_ACTION_SNAT,
            translated_network=ext_ip,
            source_network=int_ip,
+            sequence_number=NAT_RULE_PRIORITY_FIP,
            firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
        self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
            'dnat for fip %s' % fip_id,
@ -1279,6 +1284,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
            action=policy_constants.NAT_ACTION_DNAT,
            translated_network=int_ip,
            destination_network=ext_ip,
+            sequence_number=NAT_RULE_PRIORITY_FIP,
            firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)

    def _delete_fip_nat_rules(self, tier1_id, fip_id):