Commit Graph

10 Commits

Author SHA1 Message Date
Adit Sarfaty df47dde1cc Remove FWaaS V1 code
FWaaS is about to be removed from neutron, and should be removed from
vmware_nsx as well.

Change-Id: I6e621e63896dc6a6e6bbacc464c79319fce1f92d
2019-02-05 06:21:45 +00:00
Adit Sarfaty 189d8d6955 NSX-TV fwaas drivers
Drivers for FWaaS V1/V2 for the NSX-TV plugin
Those drivers are just wrappers calling the right driver according to
the project of the firewall object.

Change-Id: Ia073da9c91cb4d69d772b3e0d0ab6f5c3fd60795
2017-12-19 08:49:32 +02:00
Adit Sarfaty 587e2850e9 NSX|V: Fix Fwaas for distributed router
When adding a GW to the distributed router, and checking for FWaaS
rules, we need to use the neutron router ID and not the plr id
as the FWaaS is unaware of the plr.

Change-Id: I1c61aa90a283e8718aaad35ac63f430d30a99a6f
2017-12-14 09:00:01 +02:00
Adit Sarfaty afdb9ea7ac NSX|V3 refactor fwaas to support plugin rules
For DHCP relay support, and possibly other features, there is a need to
add specific allow rules to the router firewall between the FWaas v1/v2
rules, and the default drop rule.
This patch sets the structure to do that, without actually adding new rules.
In case of FWaaS v2 the additional rules are per router interface.

Change-Id: I63d754495f56ec9081d84dcea6fb688ee1c41dbd
2017-10-04 18:19:17 +00:00
Adit Sarfaty dfa7c30c17 NSX|v+v3: Fail if adding another project router to FWaaS
Fail the router create/update with a driver error in case the added router
belongs to a different project.
For example - the metadata-proxy router.
The neutron_fwaas code allows it and ignores this router, but in our case it is
better to fail and set the router in error state, just like we do for other
unsupported routers.

In addition - If the router is in error state, or not supported by the driver,
do not add its rules to the backend, but also do not fail.

Change-Id: Ia6a8cccf5d90d19c31e961901441007d8484c73e
2017-06-29 09:42:47 +03:00
Adit Sarfaty 754e0e7561 NSX|V3: FWaaS-v1 support
Adding FW rules to protect the traffic north-south behind a T1 router.
This will be done only if a firewall was attached to the router.
This includes:
- FWaaS rules
- Drop all default rule

When the firewall is deleted or the router removed from it,
a default allow all rule will be set.

For the router firewall to work, the router NAT rules should set
nat-bypass=False.

Change-Id: Iba03db8ca67ee10d1c54b96fb41a888cb549684d
2017-06-17 05:18:15 +00:00
Adit Sarfaty 4f380132fe NSX|V raise error when FWaaS uses unsupported routers
When attaching a firewall to an unsupported router type, we should
raise an exception, causing the firewall to become inactive.

Change-Id: Ia32ac4e7092138794825b9692d98073745dbb426
2017-06-04 16:12:12 +00:00
Adit Sarfaty 4b05c62e78 NSX|V: Fix use case with no FWaaS for a router
In case FWaaS is enabled, but a router is not assigned to any firewall,
the Allow-external traffic rule should be added to the edge firewall, just like
when FWaaS is disabled.

Change-Id: Id59b467c530ac0aa6070539358481e41be4623d6
2017-05-15 09:40:28 +03:00
Adit Sarfaty e04cef8c17 NSX-V| Fix FWaaS rules order
Reorder the FW rules on the edge, so that internal & MD proxy traffic
will always be allowed, but other traffic will go through the FWaaS rules.

In addition support the case of firewall policy with no rules,
and do not add the firewall rules if the router has no external gateway.

Change-Id: Ia4afad53a4b68f87947eec9d0d25007128b174e9
2017-04-24 13:47:22 +03:00
Adit Sarfaty f10dcfe82d NSX-V FWaaS(V1) support
The nsx-v FWaaS driver will add the configured firewall rules to
the router edges.
Currently there is no support for shared routers.
The rules will be added after the current rules (NAT, LBaaS, external traffic)
for exclusive routers edges and distributed routers PLR edges.

Change-Id: I82ba90070ef4e739a0b5c4463ef03a807e26adfb
2017-04-04 11:15:49 +03:00