from nova.openstack.common import log as logging | |
from nova.virt.firewall import FirewallDriver | |
from nova.virt.libvirt.firewall import NWFilterFirewall as BaseNWFilterFirewall | |
# Module-level logger; named after this module via __name__.
LOG = logging.getLogger(__name__)
class NWFilterFirewall(BaseNWFilterFirewall):
    """NWFilterFirewall whose static filters always reference
    'nova-no-nd-reflection'.
    """

    def _ensure_static_filters(self):
        """Define the static nwfilters the first time this is called.

        Static filters are filters that have no need to be IP aware.
        There is no configuration or tuneability of these filters, so they
        can be set up once and forgotten about.

        Containers defined here and the filters each one references:

        * 'nova-nodhcp': no-mac-spoofing, no-ip-spoofing, no-arp-spoofing,
          nova-no-nd-reflection
        * 'nova-base': everything in 'nova-nodhcp' plus allow-dhcp-server
        * 'nova-vpn': allow-dhcp-server only

        Later calls return without doing anything, because
        ``static_filters_configured`` is set once the filters are defined.
        """
        if not self.static_filters_configured:
            referenced = ['no-mac-spoofing',
                          'no-ip-spoofing',
                          'no-arp-spoofing']

            # NOTE(mgagne): Apply nova-no-nd-reflection filter regardless
            # of CONF.use_ipv6.
            self._define_filter(self.nova_no_nd_reflection_filter)
            referenced.append('nova-no-nd-reflection')

            # The same list object is extended between the two containers,
            # so 'nova-base' is 'nova-nodhcp' plus 'allow-dhcp-server'.
            nodhcp = self._filter_container('nova-nodhcp', referenced)
            self._define_filter(nodhcp)
            referenced.append('allow-dhcp-server')
            base = self._filter_container('nova-base', referenced)
            self._define_filter(base)

            # 'nova-vpn' references only 'allow-dhcp-server'; none of the
            # anti-spoofing filters above are part of this container.
            vpn = self._filter_container('nova-vpn', ['allow-dhcp-server'])
            self._define_filter(vpn)

            self._define_filter(self.nova_dhcp_filter)

            self.static_filters_configured = True
class BasicFirewallDriver(FirewallDriver):
    """Firewall driver that only manages the basic libvirt nwfilter.

    ``apply_instance_filter`` and every ``refresh_*`` hook are no-ops in
    this class, so this driver installs no per-instance security-group
    rules. The only filtering it sets up is what the wrapped
    NWFilterFirewall does in ``setup_basic_filtering``.

    NOTE(review): presumably security groups are enforced by another
    component in deployments that use this driver -- confirm before
    relying on it for tenant isolation.
    """

    def __init__(self, virtapi, execute=None, **kwargs):
        """Create the wrapped NWFilterFirewall and the instance registry.

        ``kwargs`` must contain 'get_connection' (a KeyError is raised
        otherwise). ``execute`` is accepted but not used in this class.
        """
        super(BasicFirewallDriver, self).__init__(virtapi)
        get_connection = kwargs['get_connection']
        self.nwfilter = NWFilterFirewall(virtapi, get_connection)
        # Instances seen by prepare_instance_filter, keyed by instance id.
        # This registry lives in memory on this driver object only.
        self.instances = {}

    def prepare_instance_filter(self, instance, network_info):
        """Record the instance as filtered; no rules are built here."""
        instance_id = instance['id']
        self.instances[instance_id] = instance

    def unfilter_instance(self, instance, network_info):
        """Remove the instance's nwfilter if this driver tracked it.

        An instance that is not in ``self.instances`` is only logged; the
        wrapped ``nwfilter.unfilter_instance`` is not called for it.
        """
        tracked = self.instances.pop(instance['id'], None)
        if not tracked:
            # NOTE(review): `_` is not imported in this file; presumably
            # it is installed as a builtin by the project's gettext
            # setup -- confirm.
            LOG.info(_('Attempted to unfilter instance which is not '
                       'filtered'), instance=instance)
            return
        self.nwfilter.unfilter_instance(instance, network_info)

    def apply_instance_filter(self, instance, network_info):
        """Do nothing; no per-instance rules are applied by this driver."""

    def refresh_security_group_rules(self, security_group_id):
        """Do nothing; security-group rules are not handled here."""

    def refresh_security_group_members(self, security_group_id):
        """Do nothing; security-group membership is not handled here."""

    def refresh_instance_security_rules(self, instance):
        """Do nothing; instance security rules are not handled here."""

    def refresh_provider_fw_rules(self):
        """Do nothing; provider firewall rules are not handled here."""

    def setup_basic_filtering(self, instance, network_info):
        """Set up basic NWFilter."""
        self.nwfilter.setup_basic_filtering(instance, network_info)

    def instance_filter_exists(self, instance, network_info):
        """Return the wrapped NWFilterFirewall's answer for this instance."""
        exists = self.nwfilter.instance_filter_exists(instance, network_info)
        return exists