authorJenkins <jenkins@review.openstack.org>2012-01-31 18:28:35 +0000
committerGerrit Code Review <review@openstack.org>2012-01-31 18:28:35 +0000
commit83320e321a515555edf5eaf9506aec366abca62b (patch)
tree5898ae577b01985a444ba91b6d08f19122ad488a /nova
parent9dad01cffb21564e9966e2cd19c0df3d7289aab2 (diff)
parente08912439e00909c791f6787cce51329b0836901 (diff)
Merge "bug 923798: On XenServer the DomU firewall driver fails with NotImplementedError"
Diffstat (limited to 'nova')
-rw-r--r--nova/virt/firewall.py53
-rw-r--r--nova/virt/libvirt/firewall.py50
-rw-r--r--nova/virt/xenapi/firewall.py2
3 files changed, 50 insertions, 55 deletions
diff --git a/nova/virt/firewall.py b/nova/virt/firewall.py
index 604aa101a..2af28d7f1 100644
--- a/nova/virt/firewall.py
+++ b/nova/virt/firewall.py
@@ -100,7 +100,7 @@ class FirewallDriver(object):
class IptablesFirewallDriver(FirewallDriver):
- """ Driver which enforces security groups through iptables rules. """
+ """Driver which enforces security groups through iptables rules."""
def __init__(self, **kwargs):
from nova.network import linux_net
@@ -118,7 +118,7 @@ class IptablesFirewallDriver(FirewallDriver):
pass
def apply_instance_filter(self, instance, network_info):
- """No-op. Everything is done in prepare_instance_filter"""
+ """No-op. Everything is done in prepare_instance_filter."""
pass
def unfilter_instance(self, instance, network_info):
@@ -146,7 +146,7 @@ class IptablesFirewallDriver(FirewallDriver):
def _filters_for_instance(self, chain_name, network_info):
"""Creates a rule corresponding to each ip that defines a
jump to the corresponding instance - chain for all the traffic
- destined to that ip"""
+ destined to that ip."""
ips_v4 = [ip['ip'] for (_n, mapping) in network_info
for ip in mapping['ips']]
ipv4_rules = self._create_filter(ips_v4, chain_name)
@@ -395,4 +395,49 @@ class IptablesFirewallDriver(FirewallDriver):
@staticmethod
def _provider_rules():
"""Generate a list of rules from provider for IP4 & IP6."""
- raise NotImplementedError()
+ ctxt = context.get_admin_context()
+ ipv4_rules = []
+ ipv6_rules = []
+ rules = db.provider_fw_rule_get_all(ctxt)
+ for rule in rules:
+ LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
+ version = netutils.get_ip_version(rule['cidr'])
+ if version == 4:
+ fw_rules = ipv4_rules
+ else:
+ fw_rules = ipv6_rules
+
+ protocol = rule['protocol']
+ if version == 6 and protocol == 'icmp':
+ protocol = 'icmpv6'
+
+ args = ['-p', protocol, '-s', rule['cidr']]
+
+ if protocol in ['udp', 'tcp']:
+ if rule['from_port'] == rule['to_port']:
+ args += ['--dport', '%s' % (rule['from_port'],)]
+ else:
+ args += ['-m', 'multiport',
+ '--dports', '%s:%s' % (rule['from_port'],
+ rule['to_port'])]
+ elif protocol == 'icmp':
+ icmp_type = rule['from_port']
+ icmp_code = rule['to_port']
+
+ if icmp_type == -1:
+ icmp_type_arg = None
+ else:
+ icmp_type_arg = '%s' % icmp_type
+ if not icmp_code == -1:
+ icmp_type_arg += '/%s' % icmp_code
+
+ if icmp_type_arg:
+ if version == 4:
+ args += ['-m', 'icmp', '--icmp-type',
+ icmp_type_arg]
+ elif version == 6:
+ args += ['-m', 'icmp6', '--icmpv6-type',
+ icmp_type_arg]
+ args += ['-j DROP']
+ fw_rules += [' '.join(args)]
+ return ipv4_rules, ipv6_rules
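Review bot: The jump target near the end of the loop is appended as a single token, `args += ['-j DROP']`, while every other element of `args` is one iptables argument per list item; it only works because of the final `' '.join(args)`, so for consistency and to keep `args` usable as an argv list it should be `args += ['-j', 'DROP']`. The docstring "Generate a list of rules from provider for IP4 & IP6." understates the contract; the method returns a 2-tuple `(ipv4_rules, ipv6_rules)` of space-joined iptables argument strings, each a DROP rule for one provider CIDR, so I would document it as `"""Build provider DROP rules; returns (ipv4_rules, ipv6_rules) as iptables argument strings."""`. The body relies on module-level `context`, `db`, `netutils`, `LOG` and `_` in nova/virt/firewall.py, and none of the hunks on this page show those imports being added, so if any of them is not already imported there, the old NotImplementedError would become a NameError on the first call; worth confirming against the module header. Note also that the `else` on the version check sends anything that is not version 4 to the IPv6 list, which is fine if `get_ip_version` only ever returns 4 or 6 but would otherwise emit a rule with the unmodified protocol into the v6 set.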
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 3e299b932..7045b4abc 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -489,53 +489,3 @@ class IptablesFirewallDriver(base_firewall.IptablesFirewallDriver):
def instance_filter_exists(self, instance, network_info):
"""Check nova-instance-instance-xxx exists"""
return self.nwfilter.instance_filter_exists(instance, network_info)
-
- @staticmethod
- def _provider_rules():
- """Generate a list of rules from provider for IP4 & IP6."""
- ctxt = context.get_admin_context()
- ipv4_rules = []
- ipv6_rules = []
- rules = db.provider_fw_rule_get_all(ctxt)
- for rule in rules:
- LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
- version = netutils.get_ip_version(rule['cidr'])
- if version == 4:
- fw_rules = ipv4_rules
- else:
- fw_rules = ipv6_rules
-
- protocol = rule['protocol']
- if version == 6 and protocol == 'icmp':
- protocol = 'icmpv6'
-
- args = ['-p', protocol, '-s', rule['cidr']]
-
- if protocol in ['udp', 'tcp']:
- if rule['from_port'] == rule['to_port']:
- args += ['--dport', '%s' % (rule['from_port'],)]
- else:
- args += ['-m', 'multiport',
- '--dports', '%s:%s' % (rule['from_port'],
- rule['to_port'])]
- elif protocol == 'icmp':
- icmp_type = rule['from_port']
- icmp_code = rule['to_port']
-
- if icmp_type == -1:
- icmp_type_arg = None
- else:
- icmp_type_arg = '%s' % icmp_type
- if not icmp_code == -1:
- icmp_type_arg += '/%s' % icmp_code
-
- if icmp_type_arg:
- if version == 4:
- args += ['-m', 'icmp', '--icmp-type',
- icmp_type_arg]
- elif version == 6:
- args += ['-m', 'icmp6', '--icmpv6-type',
- icmp_type_arg]
- args += ['-j DROP']
- fw_rules += [' '.join(args)]
- return ipv4_rules, ipv6_rules
diff --git a/nova/virt/xenapi/firewall.py b/nova/virt/xenapi/firewall.py
index 41d67de5c..823115220 100644
--- a/nova/virt/xenapi/firewall.py
+++ b/nova/virt/xenapi/firewall.py
@@ -33,7 +33,7 @@ FLAGS = flags.FLAGS
class Dom0IptablesFirewallDriver(IptablesFirewallDriver):
- """ IptablesFirewallDriver class
+ """ Dom0IptablesFirewallDriver class
This class provides an implementation for nova.virt.Firewall
using iptables. This class is meant to be used with the xenapi