Merge "NSX|P: Change order of NAT and Edge Firewall rules"
This commit is contained in:
commit
eb93cd80f9
@ -638,6 +638,9 @@ NSX Policy Plugin
|
|||||||
|
|
||||||
nsxadmin -r routers -o update-tier0 --property old-tier0=<id> --property new-tier0=<id>
|
nsxadmin -r routers -o update-tier0 --property old-tier0=<id> --property new-tier0=<id>
|
||||||
|
|
||||||
|
- Update the firewall_match value in neutron nat rules with a new value. Should be used when firewall_match_internal_addr config changes::
|
||||||
|
|
||||||
|
nsxadmin -r routers -o update-nat-firewall-match --property firewall-match=external/internal
|
||||||
|
|
||||||
Client Certificate
|
Client Certificate
|
||||||
~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~
|
||||||
|
@ -542,6 +542,11 @@ nsx_p_opts = nsx_v3_and_p + [
|
|||||||
default=1.0,
|
default=1.0,
|
||||||
help=_("(Optional) Number of seconds to wait between attempts "
|
help=_("(Optional) Number of seconds to wait between attempts "
|
||||||
"for a resource to be realized")),
|
"for a resource to be realized")),
|
||||||
|
cfg.BoolOpt('firewall_match_internal_addr',
|
||||||
|
default=True,
|
||||||
|
help=_("If True, edge firewall rules will match internal "
|
||||||
|
"addresses. Else they will match the external "
|
||||||
|
"addresses")),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -1493,6 +1493,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||||||
gw_address_scope):
|
gw_address_scope):
|
||||||
return
|
return
|
||||||
|
|
||||||
|
firewall_match = self._get_nat_firewall_match()
|
||||||
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
||||||
'snat for subnet %s' % subnet['id'],
|
'snat for subnet %s' % subnet['id'],
|
||||||
router_id,
|
router_id,
|
||||||
@ -1501,7 +1502,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||||||
sequence_number=NAT_RULE_PRIORITY_GW,
|
sequence_number=NAT_RULE_PRIORITY_GW,
|
||||||
translated_network=gw_ip,
|
translated_network=gw_ip,
|
||||||
source_network=subnet['cidr'],
|
source_network=subnet['cidr'],
|
||||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
firewall_match=firewall_match)
|
||||||
|
|
||||||
def _get_snat_rule_id(self, subnet):
|
def _get_snat_rule_id(self, subnet):
|
||||||
return 'S-' + subnet['id']
|
return 'S-' + subnet['id']
|
||||||
@ -2202,7 +2203,13 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||||||
def _get_fip_dnat_rule_id(self, fip_id):
|
def _get_fip_dnat_rule_id(self, fip_id):
|
||||||
return 'D-' + fip_id
|
return 'D-' + fip_id
|
||||||
|
|
||||||
|
def _get_nat_firewall_match(self):
|
||||||
|
if cfg.CONF.nsx_p.firewall_match_internal_addr:
|
||||||
|
return policy_constants.NAT_FIREWALL_MATCH_INTERNAL
|
||||||
|
return policy_constants.NAT_FIREWALL_MATCH_EXTERNAL
|
||||||
|
|
||||||
def _add_fip_nat_rules(self, tier1_id, fip_id, ext_ip, int_ip):
|
def _add_fip_nat_rules(self, tier1_id, fip_id, ext_ip, int_ip):
|
||||||
|
firewall_match = self._get_nat_firewall_match()
|
||||||
with policy_trans.NsxPolicyTransaction():
|
with policy_trans.NsxPolicyTransaction():
|
||||||
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
||||||
'snat for fip %s' % fip_id,
|
'snat for fip %s' % fip_id,
|
||||||
@ -2212,7 +2219,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||||||
translated_network=ext_ip,
|
translated_network=ext_ip,
|
||||||
source_network=int_ip,
|
source_network=int_ip,
|
||||||
sequence_number=NAT_RULE_PRIORITY_FIP,
|
sequence_number=NAT_RULE_PRIORITY_FIP,
|
||||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
firewall_match=firewall_match)
|
||||||
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
self.nsxpolicy.tier1_nat_rule.create_or_overwrite(
|
||||||
'dnat for fip %s' % fip_id,
|
'dnat for fip %s' % fip_id,
|
||||||
tier1_id,
|
tier1_id,
|
||||||
@ -2221,7 +2228,7 @@ class NsxPolicyPlugin(nsx_plugin_common.NsxPluginV3Base):
|
|||||||
translated_network=int_ip,
|
translated_network=int_ip,
|
||||||
destination_network=ext_ip,
|
destination_network=ext_ip,
|
||||||
sequence_number=NAT_RULE_PRIORITY_FIP,
|
sequence_number=NAT_RULE_PRIORITY_FIP,
|
||||||
firewall_match=policy_constants.NAT_FIREWALL_MATCH_INTERNAL)
|
firewall_match=firewall_match)
|
||||||
|
|
||||||
def _delete_fip_nat_rules(self, tier1_id, fip_id):
|
def _delete_fip_nat_rules(self, tier1_id, fip_id):
|
||||||
with policy_trans.NsxPolicyTransaction():
|
with policy_trans.NsxPolicyTransaction():
|
||||||
|
@ -24,6 +24,9 @@ from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
|
|||||||
from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils
|
from vmware_nsx.shell.admin.plugins.nsxp.resources import utils as p_utils
|
||||||
from vmware_nsx.shell import resources as shell
|
from vmware_nsx.shell import resources as shell
|
||||||
|
|
||||||
|
from vmware_nsxlib.v3.policy import constants as policy_constants
|
||||||
|
from vmware_nsxlib.v3.policy import transaction as policy_trans
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
@ -114,6 +117,48 @@ def update_tier0(resource, event, trigger, **kwargs):
|
|||||||
LOG.info("Done.")
|
LOG.info("Done.")
|
||||||
|
|
||||||
|
|
||||||
|
@admin_utils.output_header
|
||||||
|
def update_nat_firewall_match(resource, event, trigger, **kwargs):
|
||||||
|
"""Update the firewall_match value in neutron nat rules with a new value"""
|
||||||
|
errmsg = ("Need to specify internal/external firewall_match value. "
|
||||||
|
"Add --property firewall-match=<match>")
|
||||||
|
if not kwargs.get('property'):
|
||||||
|
LOG.error("%s", errmsg)
|
||||||
|
return
|
||||||
|
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
|
||||||
|
firewall_match_str = properties.get('firewall-match')
|
||||||
|
if (not firewall_match_str or
|
||||||
|
firewall_match_str.lower() not in ('internal', 'external')):
|
||||||
|
LOG.error("%s", errmsg)
|
||||||
|
return
|
||||||
|
|
||||||
|
if firewall_match_str.lower() == 'internal':
|
||||||
|
new_firewall_match = policy_constants.NAT_FIREWALL_MATCH_INTERNAL
|
||||||
|
old_firewall_match = policy_constants.NAT_FIREWALL_MATCH_EXTERNAL
|
||||||
|
else:
|
||||||
|
new_firewall_match = policy_constants.NAT_FIREWALL_MATCH_EXTERNAL
|
||||||
|
old_firewall_match = policy_constants.NAT_FIREWALL_MATCH_INTERNAL
|
||||||
|
|
||||||
|
nsxpolicy = p_utils.get_connected_nsxpolicy()
|
||||||
|
plugin = RoutersPlugin()
|
||||||
|
ctx = context.get_admin_context()
|
||||||
|
neutron_routers = plugin.get_routers(ctx)
|
||||||
|
for router in neutron_routers:
|
||||||
|
rules = nsxpolicy.tier1_nat_rule.list(router['id'])
|
||||||
|
for rule in rules:
|
||||||
|
with policy_trans.NsxPolicyTransaction():
|
||||||
|
if rule['firewall_match'] == old_firewall_match:
|
||||||
|
nsxpolicy.tier1_nat_rule.update(
|
||||||
|
router['id'], rule['id'],
|
||||||
|
firewall_match=new_firewall_match)
|
||||||
|
|
||||||
|
LOG.info("Done.")
|
||||||
|
|
||||||
|
|
||||||
registry.subscribe(update_tier0,
|
registry.subscribe(update_tier0,
|
||||||
constants.ROUTERS,
|
constants.ROUTERS,
|
||||||
shell.Operations.UPDATE_TIER0.value)
|
shell.Operations.UPDATE_TIER0.value)
|
||||||
|
|
||||||
|
registry.subscribe(update_nat_firewall_match,
|
||||||
|
constants.ROUTERS,
|
||||||
|
shell.Operations.UPDATE_FIREWALL_MATCH.value)
|
||||||
|
@ -72,6 +72,7 @@ class Operations(enum.Enum):
|
|||||||
VALIDATE = 'validate'
|
VALIDATE = 'validate'
|
||||||
REUSE = 'reuse'
|
REUSE = 'reuse'
|
||||||
UPDATE_TIER0 = 'update-tier0'
|
UPDATE_TIER0 = 'update-tier0'
|
||||||
|
UPDATE_FIREWALL_MATCH = 'update-nat-firewall-match'
|
||||||
|
|
||||||
|
|
||||||
ops = [op.value for op in Operations]
|
ops = [op.value for op in Operations]
|
||||||
@ -262,7 +263,8 @@ nsxp_resources = {
|
|||||||
[Operations.LIST.value]),
|
[Operations.LIST.value]),
|
||||||
constants.ROUTERS: Resource(constants.ROUTERS,
|
constants.ROUTERS: Resource(constants.ROUTERS,
|
||||||
[Operations.LIST.value,
|
[Operations.LIST.value,
|
||||||
Operations.UPDATE_TIER0.value]),
|
Operations.UPDATE_TIER0.value,
|
||||||
|
Operations.UPDATE_FIREWALL_MATCH.value]),
|
||||||
constants.CERTIFICATE: Resource(constants.CERTIFICATE,
|
constants.CERTIFICATE: Resource(constants.CERTIFICATE,
|
||||||
[Operations.GENERATE.value,
|
[Operations.GENERATE.value,
|
||||||
Operations.SHOW.value,
|
Operations.SHOW.value,
|
||||||
|
@ -56,7 +56,7 @@ from vmware_nsx.tests import unit as vmware
|
|||||||
from vmware_nsx.tests.unit.common_plugin import common_v3
|
from vmware_nsx.tests.unit.common_plugin import common_v3
|
||||||
from vmware_nsxlib.v3 import exceptions as nsxlib_exc
|
from vmware_nsxlib.v3 import exceptions as nsxlib_exc
|
||||||
from vmware_nsxlib.v3 import nsx_constants
|
from vmware_nsxlib.v3 import nsx_constants
|
||||||
from vmware_nsxlib.v3.policy import constants as policy_constants
|
from vmware_nsxlib.v3.policy import constants as pol_const
|
||||||
from vmware_nsxlib.v3 import utils as nsxlib_utils
|
from vmware_nsxlib.v3 import utils as nsxlib_utils
|
||||||
|
|
||||||
|
|
||||||
@ -117,7 +117,7 @@ class NsxPPluginTestCaseMixin(
|
|||||||
return_value=-1).start()
|
return_value=-1).start()
|
||||||
mock.patch("vmware_nsxlib.v3.policy.core_resources."
|
mock.patch("vmware_nsxlib.v3.policy.core_resources."
|
||||||
"NsxPolicyResourceBase._wait_until_realized",
|
"NsxPolicyResourceBase._wait_until_realized",
|
||||||
return_value={'state': policy_constants.STATE_REALIZED}
|
return_value={'state': pol_const.STATE_REALIZED}
|
||||||
).start()
|
).start()
|
||||||
mock.patch("vmware_nsxlib.v3.policy.core_resources."
|
mock.patch("vmware_nsxlib.v3.policy.core_resources."
|
||||||
"NsxPolicyTier1Api.update_transport_zone").start()
|
"NsxPolicyTier1Api.update_transport_zone").start()
|
||||||
@ -1218,14 +1218,14 @@ class NsxPTestSecurityGroup(common_v3.FixExternalNetBaseTest,
|
|||||||
sg_id = sg['security_group']['id']
|
sg_id = sg['security_group']['id']
|
||||||
nsx_name = utils.get_name_and_uuid(name, sg_id)
|
nsx_name = utils.get_name_and_uuid(name, sg_id)
|
||||||
group_create.assert_called_once_with(
|
group_create.assert_called_once_with(
|
||||||
nsx_name, policy_constants.DEFAULT_DOMAIN, group_id=sg_id,
|
nsx_name, pol_const.DEFAULT_DOMAIN, group_id=sg_id,
|
||||||
description=description,
|
description=description,
|
||||||
conditions=[mock.ANY], tags=mock.ANY)
|
conditions=[mock.ANY], tags=mock.ANY)
|
||||||
comm_map_create.assert_called_once_with(
|
comm_map_create.assert_called_once_with(
|
||||||
nsx_name, policy_constants.DEFAULT_DOMAIN, map_id=sg_id,
|
nsx_name, pol_const.DEFAULT_DOMAIN, map_id=sg_id,
|
||||||
description=description,
|
description=description,
|
||||||
tags=mock.ANY,
|
tags=mock.ANY,
|
||||||
category=policy_constants.CATEGORY_ENVIRONMENT)
|
category=pol_const.CATEGORY_ENVIRONMENT)
|
||||||
|
|
||||||
def _create_provider_security_group(self):
|
def _create_provider_security_group(self):
|
||||||
body = {'security_group': {'name': 'provider-deny',
|
body = {'security_group': {'name': 'provider-deny',
|
||||||
@ -2296,3 +2296,27 @@ class NsxPTestL3NatTestCase(NsxPTestL3NatTest,
|
|||||||
self._delete('routers', r['router']['id'])
|
self._delete('routers', r['router']['id'])
|
||||||
routers = self.plugin.get_routers(self.ctx)
|
routers = self.plugin.get_routers(self.ctx)
|
||||||
self.assertEqual(0, len(routers))
|
self.assertEqual(0, len(routers))
|
||||||
|
|
||||||
|
def _test_nat_rules_firewall_match(self, config_val, call_val):
|
||||||
|
cfg.CONF.set_override('firewall_match_internal_addr', config_val,
|
||||||
|
'nsx_p')
|
||||||
|
with self.subnet(cidr='20.0.0.0/24') as subnet:
|
||||||
|
self._set_net_external(subnet['subnet']['network_id'])
|
||||||
|
with mock.patch("vmware_nsxlib.v3.policy.core_resources."
|
||||||
|
"NsxPolicyTier1NatRuleApi."
|
||||||
|
"create_or_overwrite") as add_func,\
|
||||||
|
self.floatingip_with_assoc():
|
||||||
|
add_func.assert_called_with(
|
||||||
|
mock.ANY, mock.ANY, action='DNAT',
|
||||||
|
destination_network=mock.ANY,
|
||||||
|
firewall_match=call_val,
|
||||||
|
nat_rule_id=mock.ANY, sequence_number=mock.ANY,
|
||||||
|
translated_network=mock.ANY)
|
||||||
|
|
||||||
|
def test_nat_rules_firewall_match_internal(self):
|
||||||
|
self._test_nat_rules_firewall_match(
|
||||||
|
True, pol_const.NAT_FIREWALL_MATCH_INTERNAL)
|
||||||
|
|
||||||
|
def test_nat_rules_firewall_match_external(self):
|
||||||
|
self._test_nat_rules_firewall_match(
|
||||||
|
False, pol_const.NAT_FIREWALL_MATCH_EXTERNAL)
|
||||||
|
Loading…
Reference in New Issue
Block a user