Nova antispoofing
From: =?UTF-8?q?Mathieu=20Gagn=C3=A9?= <mgagne@iweb.com> | |
Date: Thu, 10 Jul 2014 14:22:01 -0400 | |
Subject: Add ability to still use Nova firewall with Neutron security group | |
We need the Nova firewall to add anti-spoofing rules and for Ceilometer | |
to indirectly set the correct resource id for Nova network samples. | |
--- | |
nova/tests/virt/libvirt/test_libvirt_vif.py | 8 -------- | |
nova/virt/libvirt/vif.py | 2 -- | |
2 files changed, 10 deletions(-) | |
diff --git a/nova/tests/virt/libvirt/test_libvirt_vif.py b/nova/tests/virt/libvirt/test_libvirt_vif.py | |
index ed78a5c..babf92a 100644 | |
--- a/nova/tests/virt/libvirt/test_libvirt_vif.py | |
+++ b/nova/tests/virt/libvirt/test_libvirt_vif.py | |
@@ -718,14 +718,6 @@ class LibvirtVifTestCase(test.TestCase): | |
self._assertTypeAndMacEquals(node, "bridge", "source", "bridge", | |
self.vif_ovs_hybrid, br_want, 0) | |
- def test_direct_plug_with_port_filter_cap_no_nova_firewall(self): | |
- d = vif.LibvirtGenericVIFDriver(self._get_conn()) | |
- br_want = self.vif_midonet['devname'] | |
- xml = self._get_instance_xml(d, self.vif_ovs_filter_cap) | |
- node = self._get_node(xml) | |
- self._assertTypeAndMacEquals(node, "ethernet", "target", "dev", | |
- self.vif_ovs_filter_cap, br_want) | |
- | |
def _check_neutron_hybrid_driver(self, d, vif, br_want): | |
self.flags(firewall_driver="nova.virt.firewall.IptablesFirewallDriver") | |
xml = self._get_instance_xml(d, vif) | |
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py | |
index f37b769..6ea46c8 100644 | |
--- a/nova/virt/libvirt/vif.py | |
+++ b/nova/virt/libvirt/vif.py | |
@@ -154,8 +154,6 @@ class LibvirtGenericVIFDriver(LibvirtBaseVIFDriver): | |
("qvo%s" % iface_id)[:network_model.NIC_NAME_LEN]) | |
def get_firewall_required(self, vif): | |
- if vif.is_neutron_filtering_enabled(): | |
- return False | |
if CONF.firewall_driver != "nova.virt.firewall.NoopFirewallDriver": | |
return True | |
return False |
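Review bot: With the `is_neutron_filtering_enabled()` short-circuit gone, `get_firewall_required` keys off `CONF.firewall_driver` alone, so a port that Neutron reports as already filtered (the `vif_ovs_filter_cap` case whose test this commit deletes) now gets the Nova driver too whenever that driver is anything but Noop. That is the stated intent, but if the configured driver is the iptables one, Nova and Neutron would presumably both enforce security groups on the same port, which the commit message does not call out; it reads as though this is only safe together with an nwfilter-only driver. A replacement test asserting that a non-Noop driver is required for a port-filter-capable VIF would pin the new behaviour, and a comment on the method such as `# NOTE: Neutron port filtering is deliberately ignored here so the Nova driver can still install anti-spoofing filters; pair with a non-iptables driver.` would keep the next reader from re-adding the check.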
From: =?UTF-8?q?Mathieu=20Gagn=C3=A9?= <mgagne@iweb.com> | |
Date: Thu, 1 Aug 2013 19:18:01 +0000 | |
Subject: Add iWeb version of NWFilterFirewall driver | |
--- | |
nova/virt/libvirt/iweb/__init__.py | 2 + | |
nova/virt/libvirt/iweb/firewall.py | 80 ++++++++++++++++++++++++++++++++++++ | |
2 files changed, 82 insertions(+) | |
create mode 100644 nova/virt/libvirt/iweb/__init__.py | |
create mode 100644 nova/virt/libvirt/iweb/firewall.py | |
diff --git a/nova/virt/libvirt/iweb/__init__.py b/nova/virt/libvirt/iweb/__init__.py | |
new file mode 100644 | |
index 0000000..ed03b6a | |
--- /dev/null | |
+++ b/nova/virt/libvirt/iweb/__init__.py | |
@@ -0,0 +1,2 @@ | |
+# Non-empty file | |
+ | |
diff --git a/nova/virt/libvirt/iweb/firewall.py b/nova/virt/libvirt/iweb/firewall.py | |
new file mode 100644 | |
index 0000000..7c68614 | |
--- /dev/null | |
+++ b/nova/virt/libvirt/iweb/firewall.py | |
@@ -0,0 +1,80 @@ | |
+from nova.openstack.common import log as logging | |
+from nova.openstack.common.gettextutils import _ | |
+from nova.virt.firewall import FirewallDriver | |
+from nova.virt.libvirt.firewall import NWFilterFirewall as BaseNWFilterFirewall | |
+ | |
+LOG = logging.getLogger(__name__) | |
+ | |
+ | |
+class NWFilterFirewall(BaseNWFilterFirewall): | |
+ | |
+ def _ensure_static_filters(self): | |
+ """Static filters are filters that have no need to be IP aware. | |
+ | |
+ There is no configuration or tuneability of these filters, so they | |
+ can be set up once and forgotten about. | |
+ | |
+ """ | |
+ | |
+ if self.static_filters_configured: | |
+ return | |
+ | |
+ filter_set = ['no-mac-spoofing', | |
+ 'no-ip-spoofing', | |
+ 'no-arp-spoofing'] | |
+ | |
+ # NOTE(mgagne): Apply nova-no-nd-reflection filter irregardless | |
+ # of CONF.use_ipv6. | |
+ self._define_filter(self.nova_no_nd_reflection_filter) | |
+ filter_set.append('nova-no-nd-reflection') | |
+ | |
+ self._define_filter(self._filter_container('nova-nodhcp', filter_set)) | |
+ filter_set.append('allow-dhcp-server') | |
+ self._define_filter(self._filter_container('nova-base', filter_set)) | |
+ self._define_filter(self._filter_container('nova-vpn', | |
+ ['allow-dhcp-server'])) | |
+ self._define_filter(self.nova_dhcp_filter) | |
+ | |
+ self.static_filters_configured = True | |
+ | |
+ | |
+class BasicFirewallDriver(FirewallDriver): | |
+ | |
+ def __init__(self, virtapi, execute=None, **kwargs): | |
+ super(BasicFirewallDriver, self).__init__(virtapi) | |
+ self.nwfilter = NWFilterFirewall(virtapi, kwargs['get_connection']) | |
+ self.instances = {} | |
+ | |
+ def prepare_instance_filter(self, instance, network_info): | |
+ self.instances[instance['id']] = instance | |
+ | |
+ def unfilter_instance(self, instance, network_info): | |
+ if self.instances.pop(instance['id'], None): | |
+ self.nwfilter.unfilter_instance(instance, network_info) | |
+ else: | |
+ LOG.info(_('Attempted to unfilter instance which is not ' | |
+ 'filtered'), instance=instance) | |
+ | |
+ def apply_instance_filter(self, instance, network_info): | |
+ pass | |
+ | |
+ def refresh_security_group_rules(self, security_group_id): | |
+ pass | |
+ | |
+ def refresh_security_group_members(self, security_group_id): | |
+ pass | |
+ | |
+ def refresh_instance_security_rules(self, instance): | |
+ pass | |
+ | |
+ def refresh_provider_fw_rules(self): | |
+ pass | |
+ | |
+ def setup_basic_filtering(self, instance, network_info): | |
+ """Set up basic NWFilter.""" | |
+ self.nwfilter.setup_basic_filtering(instance, network_info) | |
+ | |
+ def instance_filter_exists(self, instance, network_info): | |
+ """Check libvirt-xxx exists.""" | |
+ return self.nwfilter.instance_filter_exists(instance, network_info) | |
+ |
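Review bot: `unfilter_instance` only tears down the libvirt filters for instances recorded in the in-memory `self.instances` dict, which `prepare_instance_filter` fills and which starts empty on every nova-compute restart, so an instance deleted after a restart keeps its nwfilter defined and the driver merely logs "not filtered". Unless the base class's `unfilter_instance` cannot cope with an already-missing filter (not visible here), dropping the dict gate is safer: `self.instances.pop(instance['id'], None)` followed by an unconditional `self.nwfilter.unfilter_instance(instance, network_info)`. `BasicFirewallDriver` also has no docstring saying that `apply_instance_filter` and every `refresh_*` hook are intentional no-ops, presumably because security-group enforcement is left to Neutron and only the static nwfilter anti-spoofing set is installed; a short class docstring stating exactly that would stop an operator selecting it while expecting security-group enforcement. Minor: "irregardless" in the `_ensure_static_filters` NOTE should read "regardless".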