Skip to content

Commit

Permalink
Add explicit egress rules to nvp security profile
Browse files Browse the repository at this point in the history 
The following commit  7e26074 changed the previous behavior of quantum
security groups by explicitly adding egress rules to the security profile.
When these rules are removed the vm is no longer able to send traffic out.

This patch adds these rules for NVP. One thing to note in the patch
is that now a bunk rule of IPv4 127.0.0.1/32 is added to each security
profile. The reason for this is by default NVP security profiles allow
all egress traffic until a rule is added and then it just lets traffic
matching those rules out. Adding this bunk rule achieves this behavior
that quantum now uses.

Fixes bug 1150378

Change-Id: I005880fcf39d539ae99be428d75c43cc0b39a7b6
  • Loading branch information
@aaronorosen
aaronorosen committed Mar 8, 2013
1 parent 0f38e10 commit 6bb31ed
Showing 1 changed file with 22 additions and 11 deletions.
33 changes: 22 additions & 11 deletions quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py
View file
Expand Up @@ -1049,31 +1049,38 @@ def set_tenant_id_tag(tenant_id, taglist=None):
def create_security_profile(cluster, tenant_id, security_profile):
path = "/ws.v1/security-profile"
tags = set_tenant_id_tag(tenant_id)
# Allow all dhcp responses in
dhcp = {'logical_port_egress_rules': [{'ethertype': 'IPv4',
'protocol': 17,
'port_range_min': 68,
'port_range_max': 68,
'ip_prefix': '0.0.0.0/0'}],
'logical_port_ingress_rules': []}
# Allow all dhcp responses and all ingress traffic
hidden_rules = {'logical_port_egress_rules':
[{'ethertype': 'IPv4',
'protocol': constants.UDP_PROTOCOL,
'port_range_min': constants.DHCP_RESPONSE_PORT,
'port_range_max': constants.DHCP_RESPONSE_PORT,
'ip_prefix': '0.0.0.0/0'}],
'logical_port_ingress_rules':
[{'ethertype': 'IPv4'},
{'ethertype': 'IPv6'}]}
try:
display_name = _check_and_truncate_name(security_profile.get('name'))
body = mk_body(
tags=tags, display_name=display_name,
logical_port_ingress_rules=dhcp['logical_port_ingress_rules'],
logical_port_egress_rules=dhcp['logical_port_egress_rules'])
logical_port_ingress_rules=(
hidden_rules['logical_port_ingress_rules']),
logical_port_egress_rules=hidden_rules['logical_port_egress_rules']
)
rsp = do_request(HTTP_POST, path, body, cluster=cluster)
except NvpApiClient.NvpApiException as e:
LOG.error(format_exception("Unknown", e, locals()))
raise exception.QuantumException()
if security_profile.get('name') == 'default':
# If security group is default allow ip traffic between
# members of the same security profile.
# members of the same security profile is allowed and ingress traffic
# from the switch
rules = {'logical_port_egress_rules': [{'ethertype': 'IPv4',
'profile_uuid': rsp['uuid']},
{'ethertype': 'IPv6',
'profile_uuid': rsp['uuid']}],
'logical_port_ingress_rules': []}
'logical_port_ingress_rules': [{'ethertype': 'IPv4'},
{'ethertype': 'IPv6'}]}

update_security_group_rules(cluster, rsp['uuid'], rules)
LOG.debug(_("Created Security Profile: %s"), rsp)
Expand All @@ -1089,6 +1096,10 @@ def update_security_group_rules(cluster, spid, rules):
'port_range_min': constants.DHCP_RESPONSE_PORT,
'port_range_max': constants.DHCP_RESPONSE_PORT,
'ip_prefix': '0.0.0.0/0'})
# If there are no ingress rules add bunk rule to drop all ingress traffic
if not len(rules['logical_port_ingress_rules']):
rules['logical_port_ingress_rules'].append(
{'ethertype': 'IPv4', 'ip_prefix': '127.0.0.1/32'})
try:
body = mk_body(
logical_port_ingress_rules=rules['logical_port_ingress_rules'],
Expand Down

0 comments on commit 6bb31ed

Please sign in to comment.