Merge "[Admin-Util] NSX-V|Reorder L3 firewall sections"
@ -181,6 +181,10 @@ Security Groups, Firewall and Spoofguard
|
|||||||
|
|
||||||
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
|
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
|
||||||
|
|
||||||
|
- Reorder the nsx L3 firewall sections to correctly support the policy security groups
|
||||||
|
|
||||||
|
nsxadmin -r firewall-sections -o nsx-reorder
|
||||||
|
|
||||||
Metadata
|
Metadata
|
||||||
~~~~~~~~
|
~~~~~~~~
|
||||||
|
|
||||||
|
@ -641,6 +641,12 @@ class Vcns(object):
|
|||||||
uri = FIREWALL_PREFIX
|
uri = FIREWALL_PREFIX
|
||||||
return self.do_request(HTTP_GET, uri, decode=False, format='xml')
|
return self.do_request(HTTP_GET, uri, decode=False, format='xml')
|
||||||
|
|
||||||
|
def update_dfw_config(self, request, h):
|
||||||
|
uri = FIREWALL_PREFIX
|
||||||
|
headers = self._get_section_header(None, h)
|
||||||
|
return self.do_request(HTTP_PUT, uri, request, format='xml',
|
||||||
|
decode=False, encode=False, headers=headers)
|
||||||
|
|
||||||
def get_section_id(self, section_name):
|
def get_section_id(self, section_name):
|
||||||
"""Retrieve the id of a section from nsx."""
|
"""Retrieve the id of a section from nsx."""
|
||||||
h, firewall_config = self.get_dfw_config()
|
h, firewall_config = self.get_dfw_config()
|
||||||
|
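Review bot: `update_dfw_config` has no docstring while the neighbouring `get_section_id` does, and the parameter name `h` gives a reader no hint that it is the header value returned by `get_dfw_config` (the pairing is visible just below, where `get_section_id` unpacks `h, firewall_config = self.get_dfw_config()`). I would add `"""Replace the whole distributed firewall configuration with `request`; `h` is the header returned by get_dfw_config, forwarded through _get_section_header to the PUT."""`. Whether that header makes the PUT conditional on the configuration that was read is not visible in this hunk; if it does, the docstring should say so, because callers that rewrite the entire firewall configuration rely on it to avoid overwriting a concurrent change. The enclosing class `Vcns` starts outside the hunk.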
@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
|
|||||||
'id': sec_id})
|
'id': sec_id})
|
||||||
return sections
|
return sections
|
||||||
|
|
||||||
|
def reorder_fw_sections(self):
|
||||||
|
# read all the sections
|
||||||
|
h, firewall_config = self.vcns.get_dfw_config()
|
||||||
|
root = et.fromstring(firewall_config)
|
||||||
|
|
||||||
|
for child in root:
|
||||||
|
if str(child.tag) == 'layer3Sections':
|
||||||
|
# go over the L3 sections and reorder them.
|
||||||
|
# policy sections should come first
|
||||||
|
sections = list(child.iter('section'))
|
||||||
|
regular_sections = []
|
||||||
|
policy_sections = []
|
||||||
|
|
||||||
|
for sec in sections:
|
||||||
|
if sec.attrib.get('managedBy') == 'NSX Service Composer':
|
||||||
|
policy_sections.append(sec)
|
||||||
|
else:
|
||||||
|
regular_sections.append(sec)
|
||||||
|
child.remove(sec)
|
||||||
|
|
||||||
|
if not policy_sections:
|
||||||
|
LOG.info(_LI("No need to reorder the firewall sections."))
|
||||||
|
return
|
||||||
|
|
||||||
|
# reorder the sections to have the policy sections first
|
||||||
|
reordered_sections = policy_sections + regular_sections
|
||||||
|
child.extend(reordered_sections)
|
||||||
|
|
||||||
|
# update the new order of sections in the backend
|
||||||
|
self.vcns.update_dfw_config(et.tostring(root), h)
|
||||||
|
LOG.info(_LI("L3 Firewall sections were reordered."))
|
||||||
|
|
||||||
|
|
||||||
neutron_sg = NeutronSecurityGroupDB()
|
neutron_sg = NeutronSecurityGroupDB()
|
||||||
nsxv_firewall = NsxFirewallAPI()
|
nsxv_firewall = NsxFirewallAPI()
|
||||||
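Review bot: `reorder_fw_sections` PUTs the entire firewall configuration back even when the policy sections are already first, because the only early return is the `if not policy_sections` check; rewriting the whole DFW config is the most consequential operation in this tool and should be skipped when it changes nothing. I would classify the sections first, compare the intended order with the current one, and only then detach and re-append the elements, as below. The rendered page loses indentation, so please also confirm that `child.remove(sec)` sits at the loop-body level and not inside the `else`, since otherwise policy sections stay in `child` and are appended a second time by `extend`. The `'NSX Service Composer'` literal deserves a module-level constant, and the method needs a docstring stating that it writes the reordered configuration to the backend. The enclosing class `NsxFirewallAPI` starts outside the hunk.
```python
                sections = list(child.iter('section'))
                regular_sections = []
                policy_sections = []
                for sec in sections:
                    if sec.attrib.get('managedBy') == 'NSX Service Composer':
                        policy_sections.append(sec)
                    else:
                        regular_sections.append(sec)

                if not policy_sections:
                    LOG.info(_LI("No need to reorder the firewall sections."))
                    return

                # reorder the sections to have the policy sections first
                reordered_sections = policy_sections + regular_sections
                if reordered_sections == sections:
                    # already in the wanted order: avoid rewriting the whole config
                    LOG.info(_LI("L3 Firewall sections are already in order."))
                    return

                # detach every section and re-attach them in the new order
                for sec in sections:
                    child.remove(sec)
                child.extend(reordered_sections)

                # … unchanged: update_dfw_config call and final log message …
```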
@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
|
|||||||
return bool(missing_sections_info)
|
return bool(missing_sections_info)
|
||||||
|
|
||||||
|
|
||||||
|
@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
|
||||||
|
@admin_utils.output_header
|
||||||
|
def reorder_firewall_sections(resource, event, trigger, **kwargs):
|
||||||
|
nsxv_firewall.reorder_fw_sections()
|
||||||
|
|
||||||
|
|
||||||
@admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
|
@admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
|
||||||
@admin_utils.output_header
|
@admin_utils.output_header
|
||||||
def fix_security_groups(resource, event, trigger, **kwargs):
|
def fix_security_groups(resource, event, trigger, **kwargs):
|
||||||
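Review bot: `reorder_firewall_sections` writes to the NSX backend but is decorated with `admin_utils.list_mismatches_handler`, the decorator the read-only `list_missing_firewall_sections` above it carries, while the mutating `fix_security_groups` right below uses `admin_utils.fix_mismatches_handler`. Unless the two decorators are interchangeable (their bodies are not visible here), `@admin_utils.fix_mismatches_handler(constants.FIREWALL_SECTIONS)` looks like the intended one, so the operation is classified like the other backend-modifying handlers. A one-line docstring would also help, e.g. `"""Move the policy-managed L3 sections ahead of the regular ones on the NSX backend."""`.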
@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
|
|||||||
registry.subscribe(migrate_sg_to_policy,
|
registry.subscribe(migrate_sg_to_policy,
|
||||||
constants.SECURITY_GROUPS,
|
constants.SECURITY_GROUPS,
|
||||||
shell.Operations.MIGRATE_TO_POLICY.value)
|
shell.Operations.MIGRATE_TO_POLICY.value)
|
||||||
|
|
||||||
|
registry.subscribe(reorder_firewall_sections,
|
||||||
|
constants.FIREWALL_SECTIONS,
|
||||||
|
shell.Operations.NSX_REORDER.value)
|
||||||
|
@ -47,6 +47,7 @@ class Operations(enum.Enum):
|
|||||||
NSX_UPDATE_ALL = 'nsx-update-all'
|
NSX_UPDATE_ALL = 'nsx-update-all'
|
||||||
NSX_UPDATE_SECRET = 'nsx-update-secret'
|
NSX_UPDATE_SECRET = 'nsx-update-secret'
|
||||||
NSX_RECREATE = 'nsx-recreate'
|
NSX_RECREATE = 'nsx-recreate'
|
||||||
|
NSX_REORDER = 'nsx-reorder'
|
||||||
MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
|
MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
|
||||||
NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
|
NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
|
||||||
MIGRATE_TO_POLICY = 'migrate-to-policy'
|
MIGRATE_TO_POLICY = 'migrate-to-policy'
|
||||||
@ -132,7 +133,8 @@ nsxv_resources = {
|
|||||||
Operations.MIGRATE_TO_POLICY.value]),
|
Operations.MIGRATE_TO_POLICY.value]),
|
||||||
constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
|
constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
|
||||||
[Operations.LIST.value,
|
[Operations.LIST.value,
|
||||||
Operations.LIST_MISMATCHES.value]),
|
Operations.LIST_MISMATCHES.value,
|
||||||
|
Operations.NSX_REORDER.value]),
|
||||||
constants.FIREWALL_NSX_GROUPS: Resource(
|
constants.FIREWALL_NSX_GROUPS: Resource(
|
||||||
constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
|
constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
|
||||||
Operations.LIST_MISMATCHES.value]),
|
Operations.LIST_MISMATCHES.value]),
|
||||||
|