From e08912439e00909c791f6787cce51329b0836901 Mon Sep 17 00:00:00 2001
From: Armando Migliaccio
Date: Tue, 31 Jan 2012 15:35:44 +0000
Subject: [PATCH] bug 923798: On XenServer the DomU firewall driver fails with NotImplementedError

Move _provider_rules in the base class. This should be enough to deal with most distros on which a domU is based on.

Change-Id: I738116c5f330c2493c62d8f1f3da39abb3c3ad11
---
 nova/virt/firewall.py | 53 ++++++++++++++++++++++++++++++++---
 nova/virt/libvirt/firewall.py | 50 --------------------------------
 nova/virt/xenapi/firewall.py | 2 +-
 3 files changed, 50 insertions(+), 55 deletions(-)

diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 604aa101a94..2af28d7f1c6 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -100,7 +100,7 @@ def instance_filter_exists(self, instance, network_info):
 class IptablesFirewallDriver(FirewallDriver):
- """ Driver which enforces security groups through iptables rules. """
+ """Driver which enforces security groups through iptables rules."""
 def __init__(self, **kwargs):
 from nova.network import linux_net
@@ -118,7 +118,7 @@ def setup_basic_filtering(self, instance, network_info):
 pass
 def apply_instance_filter(self, instance, network_info):
- """No-op. Everything is done in prepare_instance_filter"""
+ """No-op. Everything is done in prepare_instance_filter."""
 pass
 def unfilter_instance(self, instance, network_info):
@@ -146,7 +146,7 @@ def _create_filter(self, ips, chain_name):
 def _filters_for_instance(self, chain_name, network_info):
 """Creates a rule corresponding to each ip that defines a
 jump to the corresponding instance - chain for all the traffic
- destined to that ip"""
+ destined to that ip."""
 ips_v4 = [ip['ip'] for (_n, mapping) in network_info
 for ip in mapping['ips']]
 ipv4_rules = self._create_filter(ips_v4, chain_name)
@@ -395,4 +395,49 @@ def _build_provider_fw_rules(self):
 @staticmethod
 def _provider_rules():
 """Generate a list of rules from provider for IP4 & IP6."""
- raise NotImplementedError()
+ ctxt = context.get_admin_context()
+ ipv4_rules = []
+ ipv6_rules = []
+ rules = db.provider_fw_rule_get_all(ctxt)
+ for rule in rules:
+ LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
+ version = netutils.get_ip_version(rule['cidr'])
+ if version == 4:
+ fw_rules = ipv4_rules
+ else:
+ fw_rules = ipv6_rules
+
+ protocol = rule['protocol']
+ if version == 6 and protocol == 'icmp':
+ protocol = 'icmpv6'
+
+ args = ['-p', protocol, '-s', rule['cidr']]
+
+ if protocol in ['udp', 'tcp']:
+ if rule['from_port'] == rule['to_port']:
+ args += ['--dport', '%s' % (rule['from_port'],)]
+ else:
+ args += ['-m', 'multiport',
+ '--dports', '%s:%s' % (rule['from_port'],
+ rule['to_port'])]
+ elif protocol == 'icmp':
+ icmp_type = rule['from_port']
+ icmp_code = rule['to_port']
+
+ if icmp_type == -1:
+ icmp_type_arg = None
+ else:
+ icmp_type_arg = '%s' % icmp_type
+ if not icmp_code == -1:
+ icmp_type_arg += '/%s' % icmp_code
+
+ if icmp_type_arg:
+ if version == 4:
+ args += ['-m', 'icmp', '--icmp-type',
+ icmp_type_arg]
+ elif version == 6:
+ args += ['-m', 'icmp6', '--icmpv6-type',
+ icmp_type_arg]
+ args += ['-j DROP']
+ fw_rules += [' '.join(args)]
+ return ipv4_rules, ipv6_rules
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 3e299b9328b..7045b4abcb8 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
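Review bot: The `elif protocol == 'icmp':` branch of the moved `_provider_rules` body never runs for IPv6, because `protocol` has already been rewritten to `'icmpv6'` a few lines earlier, so the inner `elif version == 6:` / `--icmpv6-type` arm is dead code and an IPv6 ICMP provider rule is emitted as `-p icmpv6 -s <cidr> -j DROP` (constructed example), dropping every ICMPv6 type from that CIDR, neighbour discovery included, instead of only the requested type/code. The commit only relocates this code from the libvirt driver, but the base class is now the single place to fix it: `elif protocol in ('icmp', 'icmpv6'):`. The hunk shows no import change to nova/virt/firewall.py, so `context`, `db`, `netutils`, `LOG` and `_` are presumably already bound in that module; worth confirming, since a missing name would only surface on the first call from the XenServer DomU driver this change is meant to unbreak. Minor: `'-j DROP'` is one list element where every other entry in `args` is a single token; it is harmless after `' '.join`, but `'-j', 'DROP'` would match the rest of the list.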
@@ -489,53 +489,3 @@ def unfilter_instance(self, instance, network_info):
 def instance_filter_exists(self, instance, network_info):
 """Check nova-instance-instance-xxx exists"""
 return self.nwfilter.instance_filter_exists(instance, network_info)
-
- @staticmethod
- def _provider_rules():
- """Generate a list of rules from provider for IP4 & IP6."""
- ctxt = context.get_admin_context()
- ipv4_rules = []
- ipv6_rules = []
- rules = db.provider_fw_rule_get_all(ctxt)
- for rule in rules:
- LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
- version = netutils.get_ip_version(rule['cidr'])
- if version == 4:
- fw_rules = ipv4_rules
- else:
- fw_rules = ipv6_rules
-
- protocol = rule['protocol']
- if version == 6 and protocol == 'icmp':
- protocol = 'icmpv6'
-
- args = ['-p', protocol, '-s', rule['cidr']]
-
- if protocol in ['udp', 'tcp']:
- if rule['from_port'] == rule['to_port']:
- args += ['--dport', '%s' % (rule['from_port'],)]
- else:
- args += ['-m', 'multiport',
- '--dports', '%s:%s' % (rule['from_port'],
- rule['to_port'])]
- elif protocol == 'icmp':
- icmp_type = rule['from_port']
- icmp_code = rule['to_port']
-
- if icmp_type == -1:
- icmp_type_arg = None
- else:
- icmp_type_arg = '%s' % icmp_type
- if not icmp_code == -1:
- icmp_type_arg += '/%s' % icmp_code
-
- if icmp_type_arg:
- if version == 4:
- args += ['-m', 'icmp', '--icmp-type',
- icmp_type_arg]
- elif version == 6:
- args += ['-m', 'icmp6', '--icmpv6-type',
- icmp_type_arg]
- args += ['-j DROP']
- fw_rules += [' '.join(args)]
- return ipv4_rules, ipv6_rules
diff --git a/nova/virt/xenapi/firewall.py b/nova/virt/xenapi/firewall.py
index 41d67de5c9d..82311522020 100644
--- a/nova/virt/xenapi/firewall.py
+++ b/nova/virt/xenapi/firewall.py
@@ -33,7 +33,7 @@ class Dom0IptablesFirewallDriver(IptablesFirewallDriver):
- """ IptablesFirewallDriver class
+ """ Dom0IptablesFirewallDriver class
 This class provides an implementation for nova.virt.Firewall
 using iptables. This class is meant to be used with the xenapi