author | Todd Willey <todd@ansolabs.com> | 2011-01-25 15:56:55 -0800 |
---|---|---|
committer | Todd Willey <todd@ansolabs.com> | 2011-01-25 15:56:55 -0800 |
commit | 5fdf1132f3418c1f6ecaa5593835536db9895085 (patch) | |
tree | 4c39262cdbabec3f069af493aeb6c2d069af7614 | |
parent | 7ff50565f33f3e854fe6261bb6c7be36f1ddbd9b (diff) | |
Change how libvirt firewall drivers work to have meaningful flags.
-rw-r--r-- | nova/tests/test_virt.py | 7 | ||||
-rw-r--r-- | nova/virt/libvirt_conn.py | 29 |
2 files changed, 25 insertions, 11 deletions
diff --git a/nova/tests/test_virt.py b/nova/tests/test_virt.py
index 0b9b847a0..1760b73ab 100644
--- a/nova/tests/test_virt.py
+++ b/nova/tests/test_virt.py
@@ -221,7 +221,12 @@ class IptablesFirewallTestCase(test.TestCase):
 self.project = self.manager.create_project('fake', 'fake', 'fake')
 self.context = context.RequestContext('fake', 'fake')
 self.network = utils.import_object(FLAGS.network_manager)
- self.fw = libvirt_conn.IptablesFirewallDriver()
+
+ class Mock(object):
+ pass
+ self.fake_libvirt_connection = Mock()
+ self.fw = libvirt_conn.IptablesFirewallDriver(
+ get_connection=lambda: self.fake_libvirt_connection)
 def tearDown(self):
 self.manager.delete_project(self.project)
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index 548d82ba9..bf2714c25 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -149,13 +149,8 @@ class LibvirtConnection(object):
 self._wrapped_conn = None
 self.read_only = read_only
- self.nwfilter = NWFilterFirewall(self._get_connection)
-
- if not FLAGS.firewall_driver:
- self.firewall_driver = self.nwfilter
- self.nwfilter.handle_security_groups = True
- else:
- self.firewall_driver = utils.import_object(FLAGS.firewall_driver)
+ fw_class = utils.import_class(FLAGS.firewall_driver)
+ self.firewall_driver = fw_class(get_connection=self._get_connection)
 def init_host(self):
 pass
@@ -386,7 +381,7 @@ class LibvirtConnection(object):
 instance['id'],
 power_state.NOSTATE,
 'launching')
- self.nwfilter.setup_basic_filtering(instance)
+ self.firewall_driver.setup_basic_filtering(instance)
 self.firewall_driver.prepare_instance_filter(instance)
 self._create_image(instance, xml)
 self._conn.createXML(xml, 0)
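Review bot: In the `@@ -149` hunk of nova/virt/libvirt_conn.py the removed fallback was the only place in this diff that set `handle_security_groups = True`, and nothing on the new side replaces it. `NWFilterFirewall.__init__` still initialises that attribute to `False` (context of the `@@ -929` hunk), so a deployment that names NWFilterFirewall in `FLAGS.firewall_driver` may come up with basic filtering only and no security-group rules, unless code outside these hunks sets it. I would set it explicitly after construction, e.g. `if isinstance(self.firewall_driver, NWFilterFirewall): self.firewall_driver.handle_security_groups = True`. The unconditional `utils.import_class(FLAGS.firewall_driver)` also assumes the flag always has a value; its definition is outside the hunk, so the default should be confirmed and an empty value rejected with a clear error rather than an import failure.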
@@ -882,6 +877,15 @@ class FirewallDriver(object):
 the security group."""
 raise NotImplementedError()
+ def setup_basic_filtering(self, instance):
+ """Create rules to block spoofing and allow dhcp.
+
+ This gets called when spawning an instance, before
+ :method:`prepare_instance_filter`.
+
+ """
+ raise NotImplementedError()
+
 class NWFilterFirewall(FirewallDriver):
 """
@@ -929,7 +933,7 @@ class NWFilterFirewall(FirewallDriver):
 """
- def __init__(self, get_connection):
+ def __init__(self, get_connection, **kwargs):
 self._libvirt_get_connection = get_connection
 self.static_filters_configured = False
 self.handle_security_groups = False
@@ -1170,9 +1174,14 @@ class NWFilterFirewall(FirewallDriver):
 class IptablesFirewallDriver(FirewallDriver):
- def __init__(self, execute=None):
+ def __init__(self, execute=None, **kwargs):
 self.execute = execute or utils.execute
 self.instances = {}
+ self.nwfilter = NWFilterFirewall(kwargs['get_connection'])
+
+ def setup_basic_filtering(self, instance):
+ """Use NWFilter from libvirt for this."""
+ return self.nwfilter.setup_basic_filtering(instance)
 def apply_instance_filter(self, instance):
 """No-op. Everything is done in prepare_instance_filter""" |
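Review bot: The new `FirewallDriver.setup_basic_filtering` docstring in the `@@ -882` hunk uses `:method:`, which is not a Sphinx role; `:meth:` is the one that renders a cross-reference. The docstring should also say how an implementation reports failure: the spawn path in the `@@ -386` hunk ignores the return value and goes on to `createXML`, so a driver that cannot install the anti-spoofing rules has to raise. I would add a line such as `Must raise if the rules cannot be installed; the return value is ignored.`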
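Review bot: `kwargs['get_connection']` in `IptablesFirewallDriver.__init__` (hunk `@@ -1170`) makes the connection getter mandatory while the signature presents every argument as optional, so a bare `IptablesFirewallDriver()` now fails with an unexplained `KeyError`. The `**kwargs` catch-all, here and in `NWFilterFirewall.__init__` in the `@@ -929` hunk, also accepts a misspelled keyword without complaint. I would name the parameter, `def __init__(self, execute=None, get_connection=None, **kwargs):`, and reject a missing getter with a clear message before building the inner filter. A short comment that this inner NWFilterFirewall is used only for basic filtering, with `handle_security_groups` left at the `False` set in its constructor, would help the next reader.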