Keeping the load balancer firewall on edge

When the load balancer is created, it will create a default firewall rule on edge. But when the fip is created or deleted, the driver will also update the firewall rule on this edge, at this time, the lb firewall rule will be flushed. Change-Id: I84bb2cf5ddcc1bb448f138e024bb361a1b4eee82
2016-03-31 13:24:48 +08:00 · 2016-03-31 13:24:48 +08:00 · f072b73781
parent e0bd8f4c87
commit f072b73781
3 changed files with 24 additions and 4 deletions
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@ -465,7 +465,7 @@ def add_nsxv_edge_firewallrule_binding(session, map_info):
    with session.begin(subtransactions=True):
        binding = nsxv_models.NsxvEdgeFirewallRuleBinding(
            rule_id=map_info['rule_id'],
-            rule_vseid=map_info['rule_vseid'],
+            rule_vse_id=map_info['rule_vseid'],
            edge_id=map_info['edge_id'])
        session.add(binding)
    return binding
@ -490,7 +490,7 @@ def get_nsxv_edge_firewallrule_binding_by_vseid(
    with session.begin(subtransactions=True):
        try:
            return (session.query(nsxv_models.NsxvEdgeFirewallRuleBinding).
-                    filter_by(edge_id=edge_id, rule_vseid=rule_vseid).one())
+                    filter_by(edge_id=edge_id, rule_vse_id=rule_vseid).one())
        except exc.NoResultFound:
            msg = _("Rule Resource binding not found!")
            raise nsx_exc.NsxPluginException(err_msg=msg)
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
@ -86,6 +86,7 @@ from vmware_nsx.plugins.nsx_v import managers
 from vmware_nsx.plugins.nsx_v import md_proxy as nsx_v_md_proxy
 from vmware_nsx.plugins.nsx_v.vshield.common import (
    constants as vcns_const)
+from vmware_nsx.plugins.nsx_v.vshield import edge_firewall_driver
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import securitygroup_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
@ -2104,6 +2105,23 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
        nosnat_fw_rules = self._get_nosnat_subnets_fw_rules(
            context, router)
        fake_fw_rules.extend(nosnat_fw_rules)
+
+        # Get the load balancer rules in case they are refreshed
+        edge_id = self._get_edge_id_by_rtr_id(context, router_id)
+        lb_rules = nsxv_db.get_nsxv_lbaas_loadbalancer_binding_by_edge(
+                context.session, edge_id)
+        for rule in lb_rules:
+            vsm_rule = self.nsx_v.vcns.get_firewall_rule(
+                    edge_id, rule['edge_fw_rule_id'])[1]
+            lb_fw_rule = {
+                'action': edge_firewall_driver.FWAAS_ALLOW,
+                'enabled': vsm_rule['enabled'],
+                'destination_ip_address': vsm_rule['destination']['ipAddress'],
+                'name': vsm_rule['name'],
+                'ruleTag': vsm_rule['ruleTag']
+            }
+            fake_fw_rules.append(lb_fw_rule)
+
        # TODO(berlin): Add fw rules if fw service is supported
        fake_fw = {'firewall_rule_list': fake_fw_rules}
        edge_utils.update_firewall(self.nsx_v, context, router_id, fake_fw,
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
@ -152,9 +152,11 @@ class EdgeFirewallDriver(db_base_plugin_v2.NeutronDbPluginV2):
        ruleTag = 1
        vcns_rules = []
        for rule in firewall['firewall_rule_list']:
-            vcns_rule = self._convert_firewall_rule(context, rule, ruleTag)
+            tag = rule.get('ruleTag', ruleTag)
+            vcns_rule = self._convert_firewall_rule(context, rule, tag)
            vcns_rules.append(vcns_rule)
-            ruleTag += 1
+            if not rule.get('ruleTag'):
+                ruleTag += 1
        if allow_external:
            vcns_rules.append(
                {'action': "accept",