1 files changed, 39 insertions, 4 deletions

diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py
index b784c5a00..1ae5f7094 100644
--- a/nova/api/ec2/admin.py
+++ b/nova/api/ec2/admin.py
@@ -21,7 +21,10 @@ Admin API controller, exposed through http via the api worker.
 """
 
 import base64
+import IPy
+import urllib
 
+from nova import compute
 from nova import db
 from nova import exception
 from nova import log as logging
@@ -70,6 +73,9 @@ class AdminController(object):
     def __str__(self):
         return 'AdminController'
 
+    def __init__(self):
+        self.compute_api = compute.API()
+
     def describe_user(self, _context, name, **_kwargs):
         """Returns user data, including access and secret keys."""
         return user_dict(manager.AuthManager().get_user(name))
@@ -210,10 +216,39 @@ class AdminController(object):
         """Returns status info for single node."""
         return host_dict(db.host_get(name))
 
+    def _provider_fw_rule_exists(context, rule):
+        for old_rule in db.provider_fw_rule_get_all(context):
+            for key in ('cidr', 'from_port', 'to_port', 'protocol'):
+                dupe = True
+                if rule[key] != old_rule[key]:
+                    dupe = False
+            if dupe:
+                return dupe
+        return False
+
+
     def block_external_addresses(self, context, cidr):
         """Add provider-level firewall rules to block incoming traffic."""
-        LOG.audit(_("Blocking access to all projects incoming from %s"),
+        LOG.audit(_("Blocking traffic to all projects incoming from %s"),
                   cidr, context=context)
-        raise NotImplementedError(_("Awaiting implementation."))
-        # TODO(todd): implement
-        # return {'status': 'OK', 'message': 'Disabled (number) IPs'}
+        rule = {'cidr': IPy.IP(urllib.unquote(cidr).decode())}
+        tcp_rule = rule.copy()
+        tcp_rule.update({"protocol": "TCP", "from_port": 1, "to_port": 65535})
+        udp_rule = rule.copy()
+        udp_rule.update({"protocol": "UDP", "from_port": 1, "to_port": 65535})
+        icmp_rule = rule.copy()
+        icmp_rule.update({"protocol": "ICMP", "from_port": -1, "to_port": -1})
+        rules_added = 0
+        if not self._provider_fw_rule_exists(context, tcp_rule):
+            db.provider_fw_rule_create(context, tcp_rule)
+            rules_added += 1
+        if not self._provider_fw_rule_exists(context, udp_rule):
+            db.provider_fw_rule_create(context, udp_rule)
+            rules_added += 1
+        if not self._provider_fw_rule_exists(context, icmp_rule):
+            db.provider_fw_rule_create(context, icmp_rule)
+            rules_added += 1
+        if rules_added == 0:
+            raise exception.ApiError(_('Duplicate rule'))
+        self.compute_api.trigger_provider_fw_rules_refresh(context)
+        return {'status': 'OK', 'message': 'Disabled (number) IPs'}