@mgagne
Created July 11, 2013 16:31
from nova.openstack.common import log as logging
from nova.virt.firewall import FirewallDriver
from nova.virt.libvirt.firewall import NWFilterFirewall as BaseNWFilterFirewall
# Module-level logger. `logging` here is nova.openstack.common.log (see the
# import above), not the stdlib module; the driver below passes an
# `instance=` keyword to LOG.info, which relies on that wrapper.
LOG = logging.getLogger(__name__)
class NWFilterFirewall(BaseNWFilterFirewall):
    """NWFilter firewall whose static filters always include ND reflection.

    Only ``_ensure_static_filters`` is overridden; everything else comes
    from the base libvirt NWFilterFirewall.
    """

    def _ensure_static_filters(self):
        """Define the static, non-IP-aware nwfilters exactly once.

        These filters need no per-instance configuration, so they are
        defined a single time and ``static_filters_configured`` is then set
        so later calls return without doing anything.

        Filters defined here: ``nova-no-nd-reflection``, ``nova-nodhcp``,
        ``nova-base``, ``nova-vpn`` and the DHCP filter held in
        ``self.nova_dhcp_filter``.
        """
        if not self.static_filters_configured:
            # Anti-spoofing baseline. These names are only *referenced* by
            # the containers built below, never defined in this method.
            # NOTE(review): presumably the stock filters shipped with
            # libvirt -- confirm they exist on the hypervisor.
            referenced = ['no-mac-spoofing',
                          'no-ip-spoofing',
                          'no-arp-spoofing']

            # NOTE(mgagne): the nova-no-nd-reflection filter is defined and
            # referenced regardless of CONF.use_ipv6.
            nd_reflection = self.nova_no_nd_reflection_filter
            self._define_filter(nd_reflection)
            referenced.append('nova-no-nd-reflection')

            # nova-nodhcp: spoofing guards + ND reflection, no DHCP allowance.
            nodhcp_container = self._filter_container('nova-nodhcp',
                                                      referenced)
            self._define_filter(nodhcp_container)

            # nova-base: everything in nova-nodhcp plus allow-dhcp-server.
            referenced.append('allow-dhcp-server')
            base_container = self._filter_container('nova-base', referenced)
            self._define_filter(base_container)

            # nova-vpn references allow-dhcp-server only, i.e. none of the
            # anti-spoofing filters listed above.
            vpn_container = self._filter_container('nova-vpn',
                                                   ['allow-dhcp-server'])
            self._define_filter(vpn_container)

            self._define_filter(self.nova_dhcp_filter)
            self.static_filters_configured = True
class BasicFirewallDriver(FirewallDriver):
    """Firewall driver that applies only the basic libvirt nwfilter setup.

    Basic filtering is delegated to the NWFilterFirewall defined in this
    module. Every security-group and provider-rule hook below is a no-op,
    so this driver itself enforces no per-instance security group rules.
    NOTE(review): deployments using it presumably enforce security groups
    elsewhere -- confirm before relying on them for isolation.
    """

    def __init__(self, virtapi, execute=None, **kwargs):
        """Create the driver.

        ``kwargs`` must contain ``get_connection`` (a KeyError is raised
        otherwise); it is handed to NWFilterFirewall. ``execute`` is
        accepted but not used here.
        """
        super(BasicFirewallDriver, self).__init__(virtapi)
        get_connection = kwargs['get_connection']
        self.nwfilter = NWFilterFirewall(virtapi, get_connection)
        # In-memory map of instance id -> instance for instances that went
        # through prepare_instance_filter on this driver object.
        self.instances = {}

    def prepare_instance_filter(self, instance, network_info):
        """Record the instance as filtered; no rules are generated."""
        instance_id = instance['id']
        self.instances[instance_id] = instance

    def unfilter_instance(self, instance, network_info):
        """Remove the instance's nwfilter if this driver tracked it.

        An instance that was never recorded by prepare_instance_filter on
        this object is only logged; its nwfilter is left untouched.
        """
        tracked = self.instances.pop(instance['id'], None)
        if not tracked:
            # NOTE(review): `_` is not imported in this file; presumably
            # nova installs it as a builtin translation function.
            LOG.info(_('Attempted to unfilter instance which is not '
                       'filtered'), instance=instance)
            return
        self.nwfilter.unfilter_instance(instance, network_info)

    def apply_instance_filter(self, instance, network_info):
        """No-op: there are no per-instance rules to apply."""

    def refresh_security_group_rules(self, security_group_id):
        """No-op: security group rule changes are ignored by this driver."""

    def refresh_security_group_members(self, security_group_id):
        """No-op: security group membership changes are ignored."""

    def refresh_instance_security_rules(self, instance):
        """No-op: instance security rules are not refreshed."""

    def refresh_provider_fw_rules(self):
        """No-op: provider firewall rules are not handled."""

    def setup_basic_filtering(self, instance, network_info):
        """Set up basic NWFilter."""
        nwfilter = self.nwfilter
        nwfilter.setup_basic_filtering(instance, network_info)

    def instance_filter_exists(self, instance, network_info):
        """Check libvirt-xxx exists."""
        exists = self.nwfilter.instance_filter_exists(instance, network_info)
        return exists