From 2e5ae7a8c83ca68708b61bf20a58f82fc7da980f Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Tue, 24 Jan 2017 00:00:17 +0200
Subject: [PATCH] [Admin-Util] NSX-V|Reorder L3 firewall sections

This is a new utility for the policy security groups support. The order of NSX firewall sections depends on when the first policy was created. This utility reorders the sections so that policy sections are above regular security groups sections.

Usage:
nsxadmin -r firewall-sections -o nsx-reorder

Output example:
NSX Plugin in use: nsxv
==== [REORDER] Firewall Sections ====
L3 Firewall sections were reordered.

Change-Id: I96e8845b2ef618955dc061fbdcd53b2cf924126b
---
 doc/source/admin_util.rst | 4 ++
 vmware_nsx/plugins/nsx_v/vshield/vcns.py | 6 +++
 .../plugins/nsxv/resources/securitygroups.py | 42 +++++++++++++++++++
 vmware_nsx/shell/resources.py | 4 +-
 4 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/doc/source/admin_util.rst b/doc/source/admin_util.rst
index 5311fccbaa..dfa7490d72 100644
--- a/doc/source/admin_util.rst
+++ b/doc/source/admin_util.rst
@@ -177,6 +177,10 @@ Security Groups, Firewall and Spoofguard
     nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
+- Reorder the nsx L3 firewall sections to correctly support the policy security groups
+
+    nsxadmin -r firewall-sections -o nsx-reorder
+
 Metadata
 ~~~~~~~~
diff --git a/vmware_nsx/plugins/nsx_v/vshield/vcns.py b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
index f0cdde4116..99087dd65e 100644
--- a/vmware_nsx/plugins/nsx_v/vshield/vcns.py
+++ b/vmware_nsx/plugins/nsx_v/vshield/vcns.py
@@ -641,6 +641,12 @@ class Vcns(object):
         uri = FIREWALL_PREFIX
         return self.do_request(HTTP_GET, uri, decode=False, format='xml')
+    def update_dfw_config(self, request, h):
+        uri = FIREWALL_PREFIX
+        headers = self._get_section_header(None, h)
+        return self.do_request(HTTP_PUT, uri, request, format='xml',
+                               decode=False, encode=False, headers=headers)
+
     def get_section_id(self, section_name):
         """Retrieve the id of a section from nsx."""
         h, firewall_config = self.get_dfw_config()
diff --git a/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py b/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
index e34911d75d..cc8c2e3038 100644
--- a/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
+++ b/vmware_nsx/shell/admin/plugins/nsxv/resources/securitygroups.py
@@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
                              'id': sec_id})
         return sections
+    def reorder_fw_sections(self):
+        # read all the sections
+        h, firewall_config = self.vcns.get_dfw_config()
+        root = et.fromstring(firewall_config)
+
+        for child in root:
+            if str(child.tag) == 'layer3Sections':
+                # go over the L3 sections and reorder them.
+                # policy sections should come first
+                sections = list(child.iter('section'))
+                regular_sections = []
+                policy_sections = []
+
+                for sec in sections:
+                    if sec.attrib.get('managedBy') == 'NSX Service Composer':
+                        policy_sections.append(sec)
+                    else:
+                        regular_sections.append(sec)
+                    child.remove(sec)
+
+                if not policy_sections:
+                    LOG.info(_LI("No need to reorder the firewall sections."))
+                    return
+
+                # reorder the sections to have the policy sections first
+                reordered_sections = policy_sections + regular_sections
+                child.extend(reordered_sections)
+
+                # update the new order of sections in the backend
+                self.vcns.update_dfw_config(et.tostring(root), h)
+                LOG.info(_LI("L3 Firewall sections were reordered."))
+
 neutron_sg = NeutronSecurityGroupDB()
 nsxv_firewall = NsxFirewallAPI()
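Review bot: `update_dfw_config` replaces the whole distributed-firewall configuration with a single PUT but carries no docstring, and the parameter name `h` says nothing about what a caller has to pass. Judging by `headers = self._get_section_header(None, h)`, `h` is presumably the header value that `get_dfw_config()` returns alongside the configuration, so that the PUT is conditional on the configuration not having changed since it was read; that is worth stating explicitly, because a caller passing stale or empty headers would silently overwrite concurrent changes to every section. I would add `"""Replace the entire DFW configuration with the XML in request; h is the header value obtained from get_dfw_config() for the copy being replaced."""` directly under the def.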
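Review bot: `sections = list(child.iter('section'))` collects every descendant element named section, but `child.remove(sec)` in the loop below only accepts direct children and raises ValueError otherwise, after earlier sections have already been detached from the tree; since the reorder only ever re-attaches direct children, `sections = list(child.findall('section'))` matches what the remove/extend pair operates on. The whitespace in this view does not show whether `child.remove(sec)` sits under the else branch or at the for-body level; it has to be the latter, otherwise `child.extend(reordered_sections)` would re-append policy sections that are still attached and duplicate them in the backend. Because the PUT rewrites the precedence of every L3 section, I would also log the section names in their old and new order before calling `self.vcns.update_dfw_config`, so that the change is auditable, and give the method a docstring saying that it moves all sections whose managedBy attribute is 'NSX Service Composer' ahead of the remaining ones while keeping the relative order within each group.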
@@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
     return bool(missing_sections_info)
+@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
+@admin_utils.output_header
+def reorder_firewall_sections(resource, event, trigger, **kwargs):
+    nsxv_firewall.reorder_fw_sections()
+
+
 @admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
 @admin_utils.output_header
 def fix_security_groups(resource, event, trigger, **kwargs):
@@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
 registry.subscribe(migrate_sg_to_policy,
                    constants.SECURITY_GROUPS,
                    shell.Operations.MIGRATE_TO_POLICY.value)
+
+registry.subscribe(reorder_firewall_sections,
+                   constants.FIREWALL_SECTIONS,
+                   shell.Operations.NSX_REORDER.value)
diff --git a/vmware_nsx/shell/resources.py b/vmware_nsx/shell/resources.py
index c26096c836..a6ca2d147d 100644
--- a/vmware_nsx/shell/resources.py
+++ b/vmware_nsx/shell/resources.py
@@ -46,6 +46,7 @@ class Operations(enum.Enum):
     NSX_UPDATE_ALL = 'nsx-update-all'
     NSX_UPDATE_SECRET = 'nsx-update-secret'
     NSX_RECREATE = 'nsx-recreate'
+    NSX_REORDER = 'nsx-reorder'
     MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
     NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
     MIGRATE_TO_POLICY = 'migrate-to-policy'
@@ -130,7 +131,8 @@ nsxv_resources = {
                                           Operations.MIGRATE_TO_POLICY.value]),
     constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
                                           [Operations.LIST.value,
-                                           Operations.LIST_MISMATCHES.value]),
+                                           Operations.LIST_MISMATCHES.value,
+                                           Operations.NSX_REORDER.value]),
     constants.FIREWALL_NSX_GROUPS: Resource(
         constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
                                         Operations.LIST_MISMATCHES.value]),
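Review bot: `reorder_firewall_sections` is decorated with `@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)`, the decorator the read-only `list_missing_firewall_sections` above it carries, while the explicit `registry.subscribe(reorder_firewall_sections, constants.FIREWALL_SECTIONS, shell.Operations.NSX_REORDER.value)` in the next hunk is what binds it to nsx-reorder. If that decorator subscribes the function to the list-mismatches operation, as its name and the sibling `fix_mismatches_handler` usage suggest, then `nsxadmin -r firewall-sections -o list-mismatches` would also rewrite the firewall section order in the backend — a write during what operators expect to be a read-only check. Dropping that decorator and keeping only `@admin_utils.output_header` above the def leaves the function registered once, through the subscribe call. A one-line docstring such as `"""Move the NSX-V L3 policy firewall sections above the regular ones."""` would also help, since the handler body gives no hint of what it changes.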