NSX|P Add priorities to NAT rules
Tier1 router NAT rules should be ordered so that FIP rules are evaluated before GW rules. Rule priorities in the 'USER' section should be larger than 1023. Change-Id: Ie1f5fee5174aae0ef02b71dbe2f88a50fb83c944
parent
17759dba87
commit
a90ae35a37
|
@ -88,6 +88,10 @@ NO_SEG_SECURITY_PROFILE_UUID = 'neutron-no-segment-security-profile'
|
|||
SEG_SECURITY_PROFILE_UUID = (
|
||||
policy_defs.SegmentSecurityProfileDef.DEFAULT_PROFILE)
|
||||
|
||||
# Priorities for NAT rules: (FIP specific rules should come before GW rules)
|
||||
NAT_RULE_PRIORITY_FIP = 2000
|
||||
NAT_RULE_PRIORITY_GW = 3000
|
||||
|
||||
|
||||
@resource_extend.has_resource_extenders
|
||||
class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
||||
|
@ -888,7 +892,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
router_id,
|
||||
nat_rule_id=self._get_snat_rule_id(subnet),
|
||||
action=policy_constants.NAT_ACTION_SNAT,
|
||||
#sequence_number=GW_NAT_PRI # TODO(asarfaty) handle priorities
|
||||
sequence_number=NAT_RULE_PRIORITY_GW,
|
||||
translated_network=gw_ip,
|
||||
source_network=subnet['cidr'],
|
||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
||||
|
@ -907,7 +911,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
router_id,
|
||||
nat_rule_id=self._get_no_dnat_rule_id(subnet),
|
||||
action=policy_constants.NAT_ACTION_NO_DNAT,
|
||||
#sequence_number=GW_NAT_PRI # TODO(asarfaty) handle priorities
|
||||
sequence_number=NAT_RULE_PRIORITY_GW,
|
||||
destination_network=subnet['cidr'],
|
||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_BYPASS)
|
||||
|
||||
|
@ -1271,6 +1275,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
action=policy_constants.NAT_ACTION_SNAT,
|
||||
translated_network=ext_ip,
|
||||
source_network=int_ip,
|
||||
sequence_number=NAT_RULE_PRIORITY_FIP,
|
||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
||||
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
||||
'dnat for fip %s' % fip_id,
|
||||
|
@ -1279,6 +1284,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||
action=policy_constants.NAT_ACTION_DNAT,
|
||||
translated_network=int_ip,
|
||||
destination_network=ext_ip,
|
||||
sequence_number=NAT_RULE_PRIORITY_FIP,
|
||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
||||
|
||||
def _delete_fip_nat_rules(self, tier1_id, fip_id):
|
||||
|
|
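Review bot: The comment above `NAT_RULE_PRIORITY_FIP` and `NAT_RULE_PRIORITY_GW` states the intended order but not the two facts the values depend on: that the rule with the smaller `sequence_number` is evaluated first (implied by 2000 for FIP against 3000 for GW), and the floor of 1023 for 'USER' section rules, which only the commit message mentions. If a later edit lowers or swaps these values, floating-IP traffic could match the gateway SNAT rule and leave with the shared gateway address instead of its own, with no error raised. I would extend the comment to something like `# Lower sequence_number is evaluated first; FIP rules must precede GW rules. Values must stay above 1023 (NSX 'USER' section).` The four call sites are shown only in part, so these hunks cannot confirm whether other tier1 NAT rules in this file still rely on the default sequence number.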