Change to support custom nw filters.

This change is a refactoring of NWFilterFirewall to
create a distinct function to define base nw filters.
The new function is called get_base_filter_list.  This
provides a convenient way to subclass NWFilterFirewall
and redefine get_base_filter_list to add your own custom
base filters.

Change-Id: Ida94148fcb870830ae675839ab4f900ad798d9bb
Fixes: bug #1103086

1 files changed, 19 insertions, 6 deletions

diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index c47056ff2..08ec096dc 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -117,18 +117,31 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
             if mapping['dhcp_server']:
                 allow_dhcp = True
                 break
+
+        base_filter = self.get_base_filter_list(instance, allow_dhcp)
+
+        for (network, mapping) in network_info:
+            nic_id = mapping['mac'].replace(':', '')
+            instance_filter_name = self._instance_filter_name(instance, nic_id)
+            self._define_filter(self._filter_container(instance_filter_name,
+                                                       base_filter))
+
+    def get_base_filter_list(self, instance, allow_dhcp):
+        """
+        Obtain a list of base filters to apply to an instance.
+        The return value should be a list of strings, each
+        specifying a filter name.  Subclasses can override this
+        function to add additional filters as needed.  Additional
+        filters added to the list must also be correctly defined
+        within the subclass.
+        """
         if pipelib.is_vpn_image(instance['image_ref']):
             base_filter = 'nova-vpn'
         elif allow_dhcp:
             base_filter = 'nova-base'
         else:
             base_filter = 'nova-nodhcp'
-
-        for (network, mapping) in network_info:
-            nic_id = mapping['mac'].replace(':', '')
-            instance_filter_name = self._instance_filter_name(instance, nic_id)
-            self._define_filter(self._filter_container(instance_filter_name,
-                                                       [base_filter]))
+        return [base_filter]
 
     def _ensure_static_filters(self):
         """Static filters are filters that have no need to be IP aware.