

Evaluate ACL rules in both directions
Since ACL rules are now bidirectional, we should evaluate them
in both directions for possible RI connections.

Change-Id: Ibb8ba78d74e825744bc45ae3a8151c61ca8ccd20
Closes-Bug: 1767052
Sachin Bansal committed Apr 27, 2018
1 parent 927bda8 commit d9ea000
Showing 1 changed file with 42 additions and 34 deletions.
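--- a/src/config/schema-transformer/config_db.py
+++ b/src/config/schema-transformer/config_db.py
@@ -1263,41 +1263,49 @@ def evaluate(self):
                 action = arule.get_action_list()
                 if action.simple_action == 'deny':
                     continue
-                connected_network = None
+                connected_networks = set()
                 if self.me(match.dst_address.virtual_network):
-                    connected_network = match.src_address.virtual_network
-                elif self.me(match.src_address.virtual_network):
-                    connected_network = match.dst_address.virtual_network
-                if action.apply_service:
-                    # if a service was applied, the ACL should have a
-                    # pass action, and we should not make a connection
-                    # between the routing instances
-                    action.simple_action = "pass"
-                    action.apply_service = []
-                    if self.multi_policy_service_chains_enabled:
-                        other_vn = VirtualNetworkST.get(connected_network)
-                        if not other_vn:
-                            continue
-                        # check to see if service chain(s) between the two
-                        # networks associated with a policy has service of
-                        # type 'in-network-nat, in which case we shouldn't
-                        # connect the two networks directly
-                        nat_service = False
-                        sc_list = self.service_chains[connected_network]
-                        for sc in sc_list:
-                            if sc is not None and sc.created:
-                                right_si_name = sc.service_list[-1]
-                                right_si = ServiceInstanceST.get(right_si_name)
-                                if right_si.get_service_mode() == 'in-network-nat':
-                                    nat_service = True
-                                    break
-
-                        if other_vn.multi_policy_service_chains_enabled and not nat_service:
-                            self.add_connection(connected_network)
-                    continue
-
-                if connected_network and action.simple_action:
-                    self.add_connection(connected_network)
+                    connected_networks.add(
+                        match.src_address.virtual_network)
+                if self.me(match.src_address.virtual_network):
+                    connected_networks.add(
+                        match.dst_address.virtual_network)
+                for connected_network in connected_networks:
+                    if action.apply_service:
+                        # if a service was applied, the ACL should have a
+                        # pass action, and we should not make a connection
+                        # between the routing instances
+                        action.simple_action = "pass"
+                        action.apply_service = []
+                        if self.multi_policy_service_chains_enabled:
+                            other_vn = VirtualNetworkST.get(
+                                connected_network)
+                            if not other_vn:
+                                continue
+                            # check to see if service chain(s) between the
+                            # two networks associated with a policy has
+                            # service of type 'in-network-nat, in which
+                            # case we shouldn't connect the two networks
+                            # directly
+                            nat_service = False
+                            sc_list = self.service_chains[connected_network]
+                            for sc in sc_list:
+                                if sc is not None and sc.created:
+                                    right_si_name = sc.service_list[-1]
+                                    right_si = ServiceInstanceST.get(
+                                        right_si_name)
+                                    if (right_si.get_service_mode() ==
+                                            'in-network-nat'):
+                                        nat_service = True
+                                        break
+
+                            if (other_vn.multi_policy_service_chains_enabled
+                                    and not nat_service):
+                                self.add_connection(connected_network)
+                        continue
+
+                    if action.simple_action:
+                        self.add_connection(connected_network)
 
             # end for acl_rule_list
         # end for policy_rule_entries.policy_rule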
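Review bot: The new `for connected_network in connected_networks:` loop re-tests `action.apply_service` on every pass, but the first pass sets `action.apply_service = []` and `action.simple_action = "pass"`, so whenever a rule names this network as both source and destination (two entries in the set) the second network skips the service-applied branch, reaches `if action.simple_action:` with the truthy `"pass"` value and gets a direct `add_connection`, which is exactly the connection the comment says must not be made when a service is applied. Decide once before the loop whether a service was applied and reuse that result inside it; the rewrite below does that and leaves the in-network-nat check untouched. The mutation of `action` returned by `arule.get_action_list()` predates this commit, but the loop is what turns it into a second-iteration hazard. `evaluate` begins before this hunk and continues after it, so the enclosing loops over policy and ACL rules are not visible here.
```python
                # Decide once: the branch below clears action.apply_service,
                # so re-testing it per network would let the second
                # direction fall through to a direct connection.
                service_applied = bool(action.apply_service)
                if service_applied:
                    # if a service was applied, the ACL should have a
                    # pass action, and we should not make a connection
                    # between the routing instances
                    action.simple_action = "pass"
                    action.apply_service = []
                for connected_network in connected_networks:
                    if service_applied:
                        if self.multi_policy_service_chains_enabled:
                            # … unchanged: other_vn lookup and in-network-nat check …
                        continue

                    if action.simple_action:
                        self.add_connection(connected_network)
```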
