Merge "[Admin-Util] NSX-V|Reorder L3 firewall sections"
This commit is contained in:
commit
264add749a
@ -181,6 +181,10 @@ Security Groups, Firewall and Spoofguard
|
||||
|
||||
nsxadmin -r security-groups -o migrate-to-policy --property policy-id=policy-10 --property security-group-id=733f0741-fa2c-4b32-811c-b78e4dc8ec39
|
||||
|
||||
- Reorder the nsx L3 firewall sections to correctly support the policy security groups
|
||||
|
||||
nsxadmin -r firewall-sections -o nsx-reorder
|
||||
|
||||
Metadata
|
||||
~~~~~~~~
|
||||
|
||||
|
@ -641,6 +641,12 @@ class Vcns(object):
|
||||
uri = FIREWALL_PREFIX
|
||||
return self.do_request(HTTP_GET, uri, decode=False, format='xml')
|
||||
|
||||
def update_dfw_config(self, request, h):
|
||||
uri = FIREWALL_PREFIX
|
||||
headers = self._get_section_header(None, h)
|
||||
return self.do_request(HTTP_PUT, uri, request, format='xml',
|
||||
decode=False, encode=False, headers=headers)
|
||||
|
||||
def get_section_id(self, section_name):
|
||||
"""Retrieve the id of a section from nsx."""
|
||||
h, firewall_config = self.get_dfw_config()
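Review bot: `update_dfw_config` has no docstring and its `h` parameter is opaque; from the `h, firewall_config = self.get_dfw_config()` line in `get_section_id` it appears to be the header value returned by `get_dfw_config`, which `_get_section_header(None, h)` turns into request headers for the PUT. Since this call replaces the whole DFW configuration, that header is presumably what keeps a stale read from overwriting a concurrent change, but nothing in the hunk confirms it. Suggest `"""Replace the whole DFW configuration; ``h`` is the header value returned by get_dfw_config, forwarded via _get_section_header."""` plus a `# NOTE: full-config PUT; relies on the header from the matching GET to detect a concurrent change -- confirm` on the `do_request` line. `get_section_id` continues outside the hunk.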
|
||||
|
@ -128,6 +128,38 @@ class NsxFirewallAPI(object):
|
||||
'id': sec_id})
|
||||
return sections
|
||||
|
||||
def reorder_fw_sections(self):
|
||||
# read all the sections
|
||||
h, firewall_config = self.vcns.get_dfw_config()
|
||||
root = et.fromstring(firewall_config)
|
||||
|
||||
for child in root:
|
||||
if str(child.tag) == 'layer3Sections':
|
||||
# go over the L3 sections and reorder them.
|
||||
# policy sections should come first
|
||||
sections = list(child.iter('section'))
|
||||
regular_sections = []
|
||||
policy_sections = []
|
||||
|
||||
for sec in sections:
|
||||
if sec.attrib.get('managedBy') == 'NSX Service Composer':
|
||||
policy_sections.append(sec)
|
||||
else:
|
||||
regular_sections.append(sec)
|
||||
child.remove(sec)
|
||||
|
||||
if not policy_sections:
|
||||
LOG.info(_LI("No need to reorder the firewall sections."))
|
||||
return
|
||||
|
||||
# reorder the sections to have the policy sections first
|
||||
reordered_sections = policy_sections + regular_sections
|
||||
child.extend(reordered_sections)
|
||||
|
||||
# update the new order of sections in the backend
|
||||
self.vcns.update_dfw_config(et.tostring(root), h)
|
||||
LOG.info(_LI("L3 Firewall sections were reordered."))
|
||||
|
||||
|
||||
neutron_sg = NeutronSecurityGroupDB()
|
||||
nsxv_firewall = NsxFirewallAPI()
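Review bot: `reorder_fw_sections` calls `update_dfw_config` at the end of the `layer3Sections` branch even when the L3 sections are already in the desired order, so every run of `nsx-reorder` rewrites the firewall configuration for no change; after `reordered_sections` is built, add `if reordered_sections == sections: LOG.info(_LI("L3 Firewall sections are already ordered.")); return` so the PUT only happens when the order actually moves. Note also that `child.iter('section')` walks all descendants while `child.remove(sec)` accepts only direct children, so if the schema ever nests a `section`, the remove raises; `child.findall('section')` expresses the direct-children intent — I cannot tell from this hunk whether nesting is possible. The `'NSX Service Composer'` literal decides which sections are promoted ahead of the Neutron-managed ones, which changes rule evaluation order for every tenant, so it belongs in a named module constant, and the method needs a docstring stating that Service Composer (policy) sections are moved before all other L3 sections and that the new order is written back with `update_dfw_config`.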
|
||||
@ -219,6 +251,12 @@ def list_missing_firewall_sections(resource, event, trigger, **kwargs):
|
||||
return bool(missing_sections_info)
|
||||
|
||||
|
||||
@admin_utils.list_mismatches_handler(constants.FIREWALL_SECTIONS)
|
||||
@admin_utils.output_header
|
||||
def reorder_firewall_sections(resource, event, trigger, **kwargs):
|
||||
nsxv_firewall.reorder_fw_sections()
|
||||
|
||||
|
||||
@admin_utils.fix_mismatches_handler(constants.SECURITY_GROUPS)
|
||||
@admin_utils.output_header
|
||||
def fix_security_groups(resource, event, trigger, **kwargs):
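Review bot: `reorder_firewall_sections` is registered with `@admin_utils.list_mismatches_handler`, yet the operation it runs (`nsxv_firewall.reorder_fw_sections()`) writes the DFW configuration back to the backend, while the neighbouring `fix_security_groups` uses `fix_mismatches_handler` for its mutating work. If the list handler is intended for read-only operations, `@admin_utils.fix_mismatches_handler(constants.FIREWALL_SECTIONS)` would match the sibling and signal to operators that this command changes state; I cannot see the decorator definitions to be sure. The handler also lacks a docstring; suggest `"""Move the NSX-V policy (Service Composer) L3 sections ahead of the other firewall sections."""`. `fix_security_groups` continues outside the hunk.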
|
||||
@ -325,3 +363,7 @@ def migrate_sg_to_policy(resource, event, trigger, **kwargs):
|
||||
registry.subscribe(migrate_sg_to_policy,
|
||||
constants.SECURITY_GROUPS,
|
||||
shell.Operations.MIGRATE_TO_POLICY.value)
|
||||
|
||||
registry.subscribe(reorder_firewall_sections,
|
||||
constants.FIREWALL_SECTIONS,
|
||||
shell.Operations.NSX_REORDER.value)
|
||||
|
@ -47,6 +47,7 @@ class Operations(enum.Enum):
|
||||
NSX_UPDATE_ALL = 'nsx-update-all'
|
||||
NSX_UPDATE_SECRET = 'nsx-update-secret'
|
||||
NSX_RECREATE = 'nsx-recreate'
|
||||
NSX_REORDER = 'nsx-reorder'
|
||||
MIGRATE_TO_DYNAMIC_CRITERIA = 'migrate-to-dynamic-criteria'
|
||||
NSX_MIGRATE_V_V3 = 'nsx-migrate-v-v3'
|
||||
MIGRATE_TO_POLICY = 'migrate-to-policy'
|
||||
@ -132,7 +133,8 @@ nsxv_resources = {
|
||||
Operations.MIGRATE_TO_POLICY.value]),
|
||||
constants.FIREWALL_SECTIONS: Resource(constants.FIREWALL_SECTIONS,
|
||||
[Operations.LIST.value,
|
||||
Operations.LIST_MISMATCHES.value]),
|
||||
Operations.LIST_MISMATCHES.value,
|
||||
Operations.NSX_REORDER.value]),
|
||||
constants.FIREWALL_NSX_GROUPS: Resource(
|
||||
constants.FIREWALL_NSX_GROUPS, [Operations.LIST.value,
|
||||
Operations.LIST_MISMATCHES.value]),
|
||||
|