From f072b73781edaea197c6cceb2b13e6d7e1bf1775 Mon Sep 17 00:00:00 2001
From: yuyangbj
Date: Thu, 31 Mar 2016 13:24:48 +0800
Subject: [PATCH] Keeping the load balancer firewall on edge
When the load balancer is created, it will create a default firewall rule on edge. But when the fip is created or deleted, the driver will also update the firewall rule on this edge, at this time, the lb firewall rule will be flushed.
Change-Id: I84bb2cf5ddcc1bb448f138e024bb361a1b4eee82
---
 vmware_nsx/db/nsxv_db.py | 4 ++--
 vmware_nsx/plugins/nsx_v/plugin.py | 18 ++++++++++++++++++
 .../nsx_v/vshield/edge_firewall_driver.py | 6 ++++--
 3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/vmware_nsx/db/nsxv_db.py b/vmware_nsx/db/nsxv_db.py
index 2c5b985975..42975c87e9 100644
--- a/vmware_nsx/db/nsxv_db.py
+++ b/vmware_nsx/db/nsxv_db.py
@@ -465,7 +465,7 @@ def add_nsxv_edge_firewallrule_binding(session, map_info):
 with session.begin(subtransactions=True):
 binding = nsxv_models.NsxvEdgeFirewallRuleBinding(
 rule_id=map_info['rule_id'],
- rule_vseid=map_info['rule_vseid'],
+ rule_vse_id=map_info['rule_vseid'],
 edge_id=map_info['edge_id'])
 session.add(binding)
 return binding
@@ -490,7 +490,7 @@ def get_nsxv_edge_firewallrule_binding_by_vseid(
 with session.begin(subtransactions=True):
 try:
 return (session.query(nsxv_models.NsxvEdgeFirewallRuleBinding).
- filter_by(edge_id=edge_id, rule_vseid=rule_vseid).one())
+ filter_by(edge_id=edge_id, rule_vse_id=rule_vseid).one())
 except exc.NoResultFound:
 msg = _("Rule Resource binding not found!")
 raise nsx_exc.NsxPluginException(err_msg=msg)
diff --git a/vmware_nsx/plugins/nsx_v/plugin.py b/vmware_nsx/plugins/nsx_v/plugin.py
index c1957d3723..64ba0a8934 100644
--- a/vmware_nsx/plugins/nsx_v/plugin.py
+++ b/vmware_nsx/plugins/nsx_v/plugin.py
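Review bot: The renamed keyword `rule_vse_id` now sits next to `map_info['rule_vseid']`, the `rule_vseid` parameter and the `_by_vseid` function name, which all keep the old spelling, so a later reader may take the new name for a typo and revert it; a one-line comment on the first hunk such as `# the model column is rule_vse_id; the dict key and parameter keep the vseid spelling` would prevent that. The same applies to the `filter_by` line in the second hunk. That both call sites needed the change suggests the old keyword never matched the model column (the model is not visible here); a unit test that adds a binding and reads it back by vseid would pin the fix against regression.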
@@ -86,6 +86,7 @@ from vmware_nsx.plugins.nsx_v import managers
 from vmware_nsx.plugins.nsx_v import md_proxy as nsx_v_md_proxy
 from vmware_nsx.plugins.nsx_v.vshield.common import (
 constants as vcns_const)
+from vmware_nsx.plugins.nsx_v.vshield import edge_firewall_driver
 from vmware_nsx.plugins.nsx_v.vshield import edge_utils
 from vmware_nsx.plugins.nsx_v.vshield import securitygroup_utils
 from vmware_nsx.plugins.nsx_v.vshield import vcns_driver
@@ -2104,6 +2105,23 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
 nosnat_fw_rules = self._get_nosnat_subnets_fw_rules(
 context, router)
 fake_fw_rules.extend(nosnat_fw_rules)
+
+ # Get the load balancer rules in case they are refreshed
+ edge_id = self._get_edge_id_by_rtr_id(context, router_id)
+ lb_rules = nsxv_db.get_nsxv_lbaas_loadbalancer_binding_by_edge(
+ context.session, edge_id)
+ for rule in lb_rules:
+ vsm_rule = self.nsx_v.vcns.get_firewall_rule(
+ edge_id, rule['edge_fw_rule_id'])[1]
+ lb_fw_rule = {
+ 'action': edge_firewall_driver.FWAAS_ALLOW,
+ 'enabled': vsm_rule['enabled'],
+ 'destination_ip_address': vsm_rule['destination']['ipAddress'],
+ 'name': vsm_rule['name'],
+ 'ruleTag': vsm_rule['ruleTag']
+ }
+ fake_fw_rules.append(lb_fw_rule)
+
 # TODO(berlin): Add fw rules if fw service is supported
 fake_fw = {'firewall_rule_list': fake_fw_rules}
 edge_utils.update_firewall(self.nsx_v, context, router_id, fake_fw,
diff --git a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
index 38378eada5..fb2274950a 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/edge_firewall_driver.py
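Review bot: The rebuilt `lb_fw_rule` in the second hunk copies only the VSM rule's destination address, so if the load balancer rule on the edge also carried a source or service (protocol/port) restriction, the refreshed rule is an allow that is wider than the one it replaces; worth confirming what the LB driver actually creates and mirroring those fields, and taking `vsm_rule['action']` instead of the hard-coded `FWAAS_ALLOW`, so a FIP change cannot quietly loosen the edge firewall. `self.nsx_v.vcns.get_firewall_rule(...)` runs once per binding inside the refresh and `vsm_rule['destination']['ipAddress']` indexes without a guard, so a rule that has disappeared from the edge or has no destination block raises and aborts the whole firewall update for this router instead of skipping that entry — consider handling that case explicitly and logging it. `edge_id` from `_get_edge_id_by_rtr_id` is also used without a check; if it can be None for a router with no edge, the binding lookup should be skipped. The enclosing method starts and ends outside the hunk.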
@@ -152,9 +152,11 @@ class EdgeFirewallDriver(db_base_plugin_v2.NeutronDbPluginV2):
 ruleTag = 1
 vcns_rules = []
 for rule in firewall['firewall_rule_list']:
- vcns_rule = self._convert_firewall_rule(context, rule, ruleTag)
+ tag = rule.get('ruleTag', ruleTag)
+ vcns_rule = self._convert_firewall_rule(context, rule, tag)
 vcns_rules.append(vcns_rule)
- ruleTag += 1
+ if not rule.get('ruleTag'):
+ ruleTag += 1
 if allow_external:
 vcns_rules.append(
 {'action': "accept",
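Review bot: A rule that carries an explicit `ruleTag` can now collide with the tag the counter hands to a later rule, because `ruleTag` only advances for rules without one — with an explicit tag of 2 and two auto-numbered rules, the second auto-numbered rule and the explicit one both end up as tag 2. If the tag is used to identify rules after the push (not visible in this hunk), duplicates make that identification ambiguous, so the counter should skip tags already claimed, e.g. build `taken = {r['ruleTag'] for r in firewall['firewall_rule_list'] if r.get('ruleTag')}` before the loop and run `while ruleTag in taken: ruleTag += 1` before each auto assignment. `rule.get('ruleTag')` is also evaluated twice and `if not rule.get('ruleTag')` treats a tag of 0 as absent; `tag = rule.get('ruleTag')` followed by `if tag is None:` reads more clearly. The enclosing method starts and ends outside the hunk.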