Nova antispoofing
From: =?UTF-8?q?Mathieu=20Gagn=C3=A9?= <mgagne@iweb.com>
Date: Thu, 10 Jul 2014 14:22:01 -0400
Subject: Add ability to still use Nova firewall with Neutron security group
We need the Nova firewall to add anti-spoofing rules and for Ceilometer
to indirectly set the correct resource id for Nova network samples.
---
nova/tests/virt/libvirt/test_libvirt_vif.py | 8 --------
nova/virt/libvirt/vif.py | 2 --
2 files changed, 10 deletions(-)
diff --git a/nova/tests/virt/libvirt/test_libvirt_vif.py b/nova/tests/virt/libvirt/test_libvirt_vif.py
index ed78a5c..babf92a 100644
--- a/nova/tests/virt/libvirt/test_libvirt_vif.py
+++ b/nova/tests/virt/libvirt/test_libvirt_vif.py
@@ -718,14 +718,6 @@ class LibvirtVifTestCase(test.TestCase):
self._assertTypeAndMacEquals(node, "bridge", "source", "bridge",
self.vif_ovs_hybrid, br_want, 0)
- def test_direct_plug_with_port_filter_cap_no_nova_firewall(self):
- d = vif.LibvirtGenericVIFDriver(self._get_conn())
- br_want = self.vif_midonet['devname']
- xml = self._get_instance_xml(d, self.vif_ovs_filter_cap)
- node = self._get_node(xml)
- self._assertTypeAndMacEquals(node, "ethernet", "target", "dev",
- self.vif_ovs_filter_cap, br_want)
-
def _check_neutron_hybrid_driver(self, d, vif, br_want):
self.flags(firewall_driver="nova.virt.firewall.IptablesFirewallDriver")
xml = self._get_instance_xml(d, vif)
diff --git a/nova/virt/libvirt/vif.py b/nova/virt/libvirt/vif.py
index f37b769..6ea46c8 100644
--- a/nova/virt/libvirt/vif.py
+++ b/nova/virt/libvirt/vif.py
@@ -154,8 +154,6 @@ class LibvirtGenericVIFDriver(LibvirtBaseVIFDriver):
("qvo%s" % iface_id)[:network_model.NIC_NAME_LEN])
def get_firewall_required(self, vif):
- if vif.is_neutron_filtering_enabled():
- return False
if CONF.firewall_driver != "nova.virt.firewall.NoopFirewallDriver":
return True
return False
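Review bot: With the `is_neutron_filtering_enabled()` branch removed, `get_firewall_required` depends only on `CONF.firewall_driver`, so a port that Neutron reports as already filtered now also receives the configured Nova driver; with `IptablesFirewallDriver` (the value the surviving test in the first hunk sets) that is two layers of rules on the same interface, which the commit message wants for anti-spoofing but which likely also installs Nova's own security-group chains unless the chosen driver treats those as no-ops. A comment recording the intent would stop a future maintainer restoring the check: `# NOTE: the Nova firewall driver is applied even when the Neutron port reports filtering capability, so Nova anti-spoofing rules are always installed`. The deleted `test_direct_plug_with_port_filter_cap_no_nova_firewall` is not replaced by a test asserting the new behaviour for a port with the filter capability. `get_firewall_required` appears to end at the hunk's last line, but the method's surroundings are outside the hunk.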
From: =?UTF-8?q?Mathieu=20Gagn=C3=A9?= <mgagne@iweb.com>
Date: Thu, 1 Aug 2013 19:18:01 +0000
Subject: Add iWeb version of NWFilterFirewall driver
---
nova/virt/libvirt/iweb/__init__.py | 2 +
nova/virt/libvirt/iweb/firewall.py | 80 ++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+)
create mode 100644 nova/virt/libvirt/iweb/__init__.py
create mode 100644 nova/virt/libvirt/iweb/firewall.py
diff --git a/nova/virt/libvirt/iweb/__init__.py b/nova/virt/libvirt/iweb/__init__.py
new file mode 100644
index 0000000..ed03b6a
--- /dev/null
+++ b/nova/virt/libvirt/iweb/__init__.py
@@ -0,0 +1,2 @@
+# Non-empty file
+
diff --git a/nova/virt/libvirt/iweb/firewall.py b/nova/virt/libvirt/iweb/firewall.py
new file mode 100644
index 0000000..7c68614
--- /dev/null
+++ b/nova/virt/libvirt/iweb/firewall.py
@@ -0,0 +1,80 @@
+from nova.openstack.common import log as logging
+from nova.openstack.common.gettextutils import _
+from nova.virt.firewall import FirewallDriver
+from nova.virt.libvirt.firewall import NWFilterFirewall as BaseNWFilterFirewall
+
+LOG = logging.getLogger(__name__)
+
+
+class NWFilterFirewall(BaseNWFilterFirewall):
+
+ def _ensure_static_filters(self):
+ """Static filters are filters that have no need to be IP aware.
+
+ There is no configuration or tuneability of these filters, so they
+ can be set up once and forgotten about.
+
+ """
+
+ if self.static_filters_configured:
+ return
+
+ filter_set = ['no-mac-spoofing',
+ 'no-ip-spoofing',
+ 'no-arp-spoofing']
+
+ # NOTE(mgagne): Apply nova-no-nd-reflection filter irregardless
+ # of CONF.use_ipv6.
+ self._define_filter(self.nova_no_nd_reflection_filter)
+ filter_set.append('nova-no-nd-reflection')
+
+ self._define_filter(self._filter_container('nova-nodhcp', filter_set))
+ filter_set.append('allow-dhcp-server')
+ self._define_filter(self._filter_container('nova-base', filter_set))
+ self._define_filter(self._filter_container('nova-vpn',
+ ['allow-dhcp-server']))
+ self._define_filter(self.nova_dhcp_filter)
+
+ self.static_filters_configured = True
+
+
+class BasicFirewallDriver(FirewallDriver):
+
+ def __init__(self, virtapi, execute=None, **kwargs):
+ super(BasicFirewallDriver, self).__init__(virtapi)
+ self.nwfilter = NWFilterFirewall(virtapi, kwargs['get_connection'])
+ self.instances = {}
+
+ def prepare_instance_filter(self, instance, network_info):
+ self.instances[instance['id']] = instance
+
+ def unfilter_instance(self, instance, network_info):
+ if self.instances.pop(instance['id'], None):
+ self.nwfilter.unfilter_instance(instance, network_info)
+ else:
+ LOG.info(_('Attempted to unfilter instance which is not '
+ 'filtered'), instance=instance)
+
+ def apply_instance_filter(self, instance, network_info):
+ pass
+
+ def refresh_security_group_rules(self, security_group_id):
+ pass
+
+ def refresh_security_group_members(self, security_group_id):
+ pass
+
+ def refresh_instance_security_rules(self, instance):
+ pass
+
+ def refresh_provider_fw_rules(self):
+ pass
+
+ def setup_basic_filtering(self, instance, network_info):
+ """Set up basic NWFilter."""
+ self.nwfilter.setup_basic_filtering(instance, network_info)
+
+ def instance_filter_exists(self, instance, network_info):
+ """Check libvirt-xxx exists."""
+ return self.nwfilter.instance_filter_exists(instance, network_info)
+
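Review bot: `BasicFirewallDriver` enforces no security-group rules — `apply_instance_filter` and every `refresh_*` method are `pass`, and `prepare_instance_filter` only records the instance in `self.instances` — yet the class has no docstring saying so, which matters because an operator selecting it as `firewall_driver` gets only the static nwfilter anti-spoofing set and must rely on Neutron for security groups. A class docstring such as `"""Firewall driver that installs only libvirt nwfilter anti-spoofing rules; security-group enforcement is left to Neutron."""` would make that explicit. `__init__` requires `kwargs['get_connection']` and raises `KeyError` otherwise, which deserves a one-line comment since the signature otherwise accepts arbitrary kwargs. The `_ensure_static_filters` override looks like a copy of the base method with the IPv6 guard dropped (per the `NOTE(mgagne)` comment), so later changes to the base filter set will not reach it; a `# NOTE:` naming the upstream method it mirrors would help maintainers keep the two in step.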