findbug fixes, added some comments, bug fixes
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9a97ba76 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9a97ba76 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9a97ba76 Branch: refs/heads/resize-root Commit: 9a97ba76d382d9f13d2bde73aed6dfdeb4047118 Parents: e487b24 Author: Murali Reddy <muralimmre...@gmail.com> Authored: Fri Mar 14 15:51:49 2014 +0530 Committer: Murali Reddy <muralimmre...@gmail.com> Committed: Fri Mar 14 16:56:39 2014 +0530 ---------------------------------------------------------------------- .../xen/resource/CitrixResourceBase.java | 11 +- .../cloud/network/guru/OvsGuestNetworkGuru.java | 1 + .../network/ovs/OvsNetworkTopologyGuruImpl.java | 21 +- .../cloud/network/ovs/OvsTunnelManagerImpl.java | 56 +++-- .../xenserver/cloudstack_pluginlib.py | 236 +++++++++++-------- 5 files changed, 193 insertions(+), 132 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java ---------------------------------------------------------------------- diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index 57debc6..d1e1716 100644 --- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java 
@@ -1147,7 +1147,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe if (vmSpec != null) { vifr.otherConfig.put("cloudstack-vm-id", vmSpec.getUuid()); } + + // OVS plugin looks at network UUID in the vif 'otherconfig' details to group VIF's & tunnel ports as part of tier + // when bridge is setup for distributed routing vifr.otherConfig.put("cloudstack-network-id", nic.getNetworkUuid()); + vifr.network = getNetwork(conn, nic); if (nic.getNetworkRateMbps() != null && nic.getNetworkRateMbps().intValue() != -1) { @@ -5285,7 +5289,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe Connection conn = getConnection(); try { Network nw = findOrCreateTunnelNetwork(conn, cmd.getBridgeName()); - String bridgeName = nw.getBridge(conn);; + String bridgeName = nw.getBridge(conn); String result = callHostPlugin(conn, "ovstunnel", "configure_ovs_bridge_for_network_topology", "bridge", bridgeName, "config", cmd.getVpcConfigInJson(), "host-id", ((Long)cmd.getHostId()).toString()); if (result.startsWith("SUCCESS")) { @@ -5302,8 +5306,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe public Answer execute(OvsVpcRoutingPolicyConfigCommand cmd) { Connection conn = getConnection(); try { + Network nw = findOrCreateTunnelNetwork(conn, cmd.getBridgeName()); + String bridgeName = nw.getBridge(conn); + String result = callHostPlugin(conn, "ovstunnel", "configure_ovs_bridge_for_routing_policies", "bridge", - cmd.getBridgeName(), "host-id", ((Long)cmd.getHostId()).toString(), "config", + bridgeName, "host-id", ((Long)cmd.getHostId()).toString(), "config", cmd.getVpcConfigInJson()); if (result.startsWith("SUCCESS")) { return new Answer(cmd, true, result); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java ---------------------------------------------------------------------- 
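Review bot: In the `execute(OvsVpcRoutingPolicyConfigCommand)` hunk the new `findOrCreateTunnelNetwork(conn, cmd.getBridgeName())` means a routing-policy push now creates the tunnel network on the host as a side effect when it does not exist yet; the topology handler above does the same, but neither says so, and a one-line comment such as `// creates the VPC tunnel network if the host has not seen this VPC yet` would make the intent explicit. If `findOrCreateTunnelNetwork` can return null for a name it cannot resolve, `nw.getBridge(conn)` throws inside the try and the outcome depends on the catch block, which is outside the hunk; an explicit `if (nw == null) return new Answer(cmd, false, "unable to resolve bridge for " + cmd.getBridgeName());` would give the management server a clear failure instead. The method body continues past the end of the hunk.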
diff --git a/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java b/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java index 9d2efe6..de74108 100644 --- a/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java +++ b/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java @@ -151,6 +151,7 @@ public class OvsGuestNetworkGuru extends GuestNetworkGuru { implemented.setBroadcastDomainType(BroadcastDomainType.Vswitch); + // for the networks that are part of VPC enabled for distributed routing use scheme vs://vpcid.GRE key for network if (network.getVpcId() != null && isVpcEnabledForDistributedRouter(network.getVpcId())) { String keyStr = BroadcastDomainType.getValue(implemented.getBroadcastUri()); Long vpcid= network.getVpcId(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java index 740df80..ab08d26 100644 --- a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java +++ b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java @@ -91,6 +91,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vpcHostIds; } + /** + * get the list of VPC id's of the vpc's for which one or more VM's from the VPC are running on the host + */ @Override public List<Long> getVpcOnHost(long hostId) { List<Long> vpcIds = new ArrayList<>(); 
@@ -109,6 +112,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vpcIds; } + /** + * get the list of all active Vm id's in a network + */ @Override public List<Long> getAllActiveVmsInNetwork(long networkId) { List <Long> vmIds = new ArrayList<>(); @@ -117,7 +123,6 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor VirtualMachine.State.Migrating); // Find routers for the network List<DomainRouterVO> routers = _routerDao.findByNetwork(networkId); - List<VMInstanceVO> ins = new ArrayList<VMInstanceVO>(); if (vms != null) { for (UserVmVO vm : vms) { @@ -132,6 +137,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vmIds; } + /** + * get the list of all active Vm id's in the VPC for all ther tiers + */ @Override public List<Long> getAllActiveVmsInVpc(long vpcId) { @@ -148,6 +156,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vmIds; } + /** + * get the list of all Vm id's in the VPC for all the tiers that are running on the host + */ @Override public List<Long> getActiveVmsInVpcOnHost(long vpcId, long hostId) { Set<Long> vmIdsSet = new HashSet<>(); @@ -163,6 +174,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vmIds; } + /** + * get the list of all Vm id's in the network that are running on the host + */ @Override public List<Long> getActiveVmsInNetworkOnHost(long networkId, long hostId) { List <Long> vmIds = new ArrayList<>(); @@ -171,7 +185,6 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor VirtualMachine.State.Migrating); // Find routers for the network List<DomainRouterVO> routers = _routerDao.findByNetwork(networkId); - List<VMInstanceVO> ins = new ArrayList<VMInstanceVO>(); if (vms != null) { for (UserVmVO vm : vms) { 
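Review bot: The javadoc added for `getAllActiveVmsInVpc` has a typo, "for all ther tiers"; it should read `* get the list of all active Vm id's in the VPC for all the tiers`. The javadoc for `getActiveVmsInVpcOnHost` says "all Vm id's" although the method name and the sibling comments say active VMs; align it with `* get the list of all active Vm id's in the VPC, across all tiers, that are running on the host` so the four new comments describe the same filter consistently.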
@@ -188,13 +201,15 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor return vmIds; } + /** + * get the list of all Vpc id's in which, a VM has a nic in the network that is part of VPC + */ @Override public List<Long> getVpcIdsVmIsPartOf(long vmId) { List<Long> vpcIds = new ArrayList<>(); List<NicVO> nics = _nicDao.listByVmId(vmId); if (nics == null) return null; - for (Nic nic: nics) { Network network = _networkDao.findById(nic.getNetworkId()); if (network != null && network.getTrafficType() == Networks.TrafficType.Guest && network.getVpcId() != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java ---------------------------------------------------------------------- diff --git a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java index 30088aa..21e9058 100644 --- a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java +++ b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java @@ -665,7 +665,6 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage public boolean postStateTransitionEvent(VirtualMachine.State oldState, VirtualMachine.Event event, VirtualMachine.State newState, VirtualMachine vm, boolean status, Object opaque) { - if (!status) { return false; } 
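Review bot: `getVpcIdsVmIsPartOf` still returns `null` when `_nicDao.listByVmId(vmId)` yields null (`if (nics == null) return null;`), while every other collector in this class returns a possibly-empty list; callers iterating the result will NPE unless they special-case it, so `return vpcIds;` there would be the safer contract. The new javadoc, "get the list of all Vpc id's in which, a VM has a nic in the network that is part of VPC", reads awkwardly; suggest `* get the ids of all VPCs that the VM belongs to, i.e. VPCs owning a guest network the VM has a nic in`. The method body continues past the end of the hunk.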
@@ -720,7 +719,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage public boolean sendVpcTopologyChangeUpdate(OvsVpcPhysicalTopologyConfigCommand updateCmd, long hostId, String bridgeName) { try { - s_logger.debug("Sending VPC topology update to the host " + hostId); + s_logger.debug("Sending VPC topology change update to the host " + hostId); updateCmd.setHostId(hostId); updateCmd.setBridgeName(bridgeName); Answer ans = _agentMgr.send(hostId, updateCmd); @@ -732,7 +731,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage return false; } } catch (Exception e) { - s_logger.debug("Failed to updated the host " + hostId + " with latest VPC topology." ); + s_logger.debug("Failed to updated the host " + hostId + " with latest VPC topology.", e ); return false; } } @@ -797,6 +796,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage vmInstance.getHostId(), vmNics.toArray(new OvsVpcPhysicalTopologyConfigCommand.Nic[vmNics.size()])); vms.add(vm); } + return new OvsVpcPhysicalTopologyConfigCommand( hosts.toArray(new OvsVpcPhysicalTopologyConfigCommand.Host[hosts.size()]), tiers.toArray(new OvsVpcPhysicalTopologyConfigCommand.Tier[tiers.size()]), 
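Review bot: The catch in `sendVpcTopologyChangeUpdate` now attaches the exception, which is good, but it logs at debug level; a host that misses a topology update keeps routing on stale flow rules for the VPC and the caller only sees `false`, so this is operationally a warning: `s_logger.warn("Failed to update the host " + hostId + " with latest VPC topology.", e);` (this also fixes the "Failed to updated" typo). The same applies to the `else` branch that logs a non-success Answer. The method begins before the hunk.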
@@ -804,47 +804,58 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage vpc.getCidr()); } - // Subscriber to ACL replace events. On acl replace event, if the vpc is enabled for distributed routing - // send the ACL update to all the hosts on which VPC spans + // Subscriber to ACL replace events. On acl replace event, if the vpc for the tier is enabled for + // distributed routing send the ACL update to all the hosts on which VPC spans public class NetworkAclEventsSubscriber implements MessageSubscriber { @Override public void onPublishMessage(String senderAddress, String subject, Object args) { - NetworkVO network = (NetworkVO) args; - String bridgeName=generateBridgeNameForVpc(network.getVpcId()); - if (network.getVpcId() != null & isVpcEnabledForDistributedRouter(network.getVpcId())) { - long vpcId = network.getVpcId(); - OvsVpcRoutingPolicyConfigCommand cmd = prepareVpcRoutingPolicyUpdate(vpcId); - List<Long> vpcSpannedHostIds = _ovsNetworkToplogyGuru.getVpcSpannedHosts(vpcId); - for (Long id: vpcSpannedHostIds) { - if (!sendVpcRoutingPolicyChangeUpdate(cmd, id, bridgeName)) { - s_logger.debug("Failed to send VPC routing policy change update to host : " + id + - ". But moving on with sending the host updates to the rest of the hosts."); + try { + NetworkVO network = (NetworkVO) args; + String bridgeName=generateBridgeNameForVpc(network.getVpcId()); + if (network.getVpcId() != null & isVpcEnabledForDistributedRouter(network.getVpcId())) { + long vpcId = network.getVpcId(); + OvsVpcRoutingPolicyConfigCommand cmd = prepareVpcRoutingPolicyUpdate(vpcId); + List<Long> vpcSpannedHostIds = _ovsNetworkToplogyGuru.getVpcSpannedHosts(vpcId); + for (Long id: vpcSpannedHostIds) { + if (!sendVpcRoutingPolicyChangeUpdate(cmd, id, bridgeName)) { + s_logger.debug("Failed to send VPC routing policy change update to host : " + id + + ". 
But moving on with sending the updates to the rest of the hosts."); + } } } + } catch (Exception e) { + s_logger.debug("Failed to send VPC routing policy change updates all hosts in vpc", e); } } } private OvsVpcRoutingPolicyConfigCommand prepareVpcRoutingPolicyUpdate(long vpcId) { - VpcVO vpc = _vpcDao.findById(vpcId); - assert (vpc != null): "invalid vpc id"; + List<OvsVpcRoutingPolicyConfigCommand.Acl> acls = new ArrayList<>(); List<OvsVpcRoutingPolicyConfigCommand.Tier> tiers = new ArrayList<>(); + VpcVO vpc = _vpcDao.findById(vpcId); List<? extends Network> vpcNetworks = _vpcMgr.getVpcNetworks(vpcId); + assert (vpc != null && (vpcNetworks != null && !vpcNetworks.isEmpty())): "invalid vpc id"; + for (Network network : vpcNetworks) { Long networkAclId = network.getNetworkACLId(); + if (networkAclId == null) + continue; NetworkACLVO networkAcl = _networkACLDao.findById(networkAclId); List<OvsVpcRoutingPolicyConfigCommand.AclItem> aclItems = new ArrayList<>(); List<NetworkACLItemVO> aclItemVos = _networkACLItemDao.listByACL(networkAclId); for (NetworkACLItemVO aclItem : aclItemVos) { String[] sourceCidrs = aclItem.getSourceCidrList().toArray(new String[aclItem.getSourceCidrList().size()]); + aclItems.add(new OvsVpcRoutingPolicyConfigCommand.AclItem( aclItem.getNumber(), aclItem.getUuid(), aclItem.getAction().name(), aclItem.getTrafficType().name(), - aclItem.getSourcePortStart().toString(), aclItem.getSourcePortEnd().toString(), - aclItem.getProtocol(), sourceCidrs)); + ((aclItem.getSourcePortStart() != null) ?aclItem.getSourcePortStart().toString() :null), + ((aclItem.getSourcePortEnd() != null) ?aclItem.getSourcePortEnd().toString() :null), + aclItem.getProtocol(), + sourceCidrs)); } OvsVpcRoutingPolicyConfigCommand.Acl acl = new OvsVpcRoutingPolicyConfigCommand.Acl(networkAcl.getUuid(), 
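Review bot: Inside the new try block in `onPublishMessage`, `generateBridgeNameForVpc(network.getVpcId())` is evaluated before the null check, and the check itself uses non-short-circuit `&`, so `isVpcEnabledForDistributedRouter(network.getVpcId())` is still called with a null vpcId for an ACL replace on a non-VPC network; the catch-all now hides whatever that throws at debug level instead of preventing it. Use `if (network.getVpcId() != null && isVpcEnabledForDistributedRouter(network.getVpcId()))` and move the bridge-name computation inside the `if`. In `prepareVpcRoutingPolicyUpdate` the invalid-vpc case is guarded only by `assert`, which is inactive unless the JVM runs with `-ea`, and `_networkACLDao.findById(networkAclId)` is dereferenced at `networkAcl.getUuid()` without a null check; throwing `IllegalStateException` for a missing VPC and skipping (with a warn) a tier whose ACL cannot be loaded would be safer. Since a host that does not receive the new ACL set keeps enforcing the old one, the "Failed to send VPC routing policy change update" messages and the outer catch deserve warn rather than debug.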
@@ -862,10 +873,9 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage return cmd; } - public boolean sendVpcRoutingPolicyChangeUpdate(OvsVpcRoutingPolicyConfigCommand updateCmd, long hostId, String bridgeName) { try { - s_logger.debug("Sending VPC routing policy change update to the host " + hostId); + s_logger.debug("Sending VPC routing policies change update to the host " + hostId); updateCmd.setHostId(hostId); updateCmd.setBridgeName(bridgeName); Answer ans = _agentMgr.send(hostId, updateCmd); @@ -873,11 +883,11 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage s_logger.debug("Successfully updated the host " + hostId + " with latest VPC routing policies." ); return true; } else { - s_logger.debug("Failed to update the host " + hostId + " with latest routing policy." ); + s_logger.debug("Failed to update the host " + hostId + " with latest routing policies." ); return false; } } catch (Exception e) { - s_logger.debug("Failed to updated the host " + hostId + " with latest routing policy." ); + s_logger.debug("Failed to updated the host " + hostId + " with latest routing policies due to" , e ); return false; } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py ---------------------------------------------------------------------- diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py index 1c9d513..4ebb435 100644 --- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py +++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py 
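Review bot: The new message in the catch of `sendVpcRoutingPolicyChangeUpdate` ends with a dangling "due to" because the exception is passed as a separate argument, and like the topology variant it is logged at debug although a failed push leaves that host on a stale ACL set; suggest `s_logger.warn("Failed to update the host " + hostId + " with latest routing policies.", e);`. The method begins before the hunk.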
@@ -321,62 +321,66 @@ def configure_bridge_for_network_topology(bridge, this_host_id, json_config): logging.debug("WARNING:Can't find VPC info in json config file") return "FAILURE:IMPROPER_JSON_CONFG_FILE" - # get the list of Vm's in the VPC from the JSON config - this_host_vms = get_vms_on_host(vpconfig, this_host_id) - - for vm in this_host_vms: - for nic in vm.nics: - mac_addr = nic.macaddress - ip = nic.ipaddress - vif_name = get_vif_name_from_macaddress(mac_addr) - of_port = get_ofport_for_vif(vif_name) - network = get_network_details(vpconfig, nic.networkuuid) - - # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet on the found OFPORT - add_mac_lookup_table_entry(bridge, mac_addr, of_port) - - # Add flow rule in L3 look up table: if the destination IP = VM's IP then modify the packet - # to set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table - add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr) - - # Add flow entry to send with intra tier traffic from the NIC to L2 lookup path) - action_str = "table=0, in_port=%s," %of_port + " ip, nw_dst=%s," %network.cidr + " actions=resubmit(,1)" - addflow = [OFCTL_PATH, "add-flow", bridge, action_str] - do_cmd(addflow) - - #add flow entry to send inter-tier traffic from the NIC to egress ACL table(to L3 lookup path) - action_str = "table=0, in_port=%s," % of_port + " ip, dl_dst=%s," %network.gatewaymac +\ - "nw_dst=%s," %vpconfig.cidr + "actions=resubmit(,3)" - addflow = [OFCTL_PATH, "add-flow", bridge, action_str] - - do_cmd(addflow) - - # get the list of hosts on which VPC spans from the JSON config - vpc_spanning_hosts = vpconfig.hosts - - for host in vpc_spanning_hosts: - if str(this_host_id) == str(host.hostid): - continue - other_host_vms = get_vms_on_host(vpconfig, host.hostid) - for vm in other_host_vms: + try: + # get the list of Vm's in the VPC from the JSON config + this_host_vms = get_vms_on_host(vpconfig, this_host_id) + + for vm in 
this_host_vms: for nic in vm.nics: mac_addr = nic.macaddress ip = nic.ipaddress + vif_name = get_vif_name_from_macaddress(mac_addr) + of_port = get_ofport_for_vif(vif_name) network = get_network_details(vpconfig, nic.networkuuid) - gre_key = network.grekey - # generate tunnel name from tunnel naming convention - tunnel_name = "t%s-%s-%s" % (gre_key, this_host_id, host.hostid) - of_port = get_ofport_for_vif(tunnel_name) - - # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet tunnel port + # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet on the found OFPORT add_mac_lookup_table_entry(bridge, mac_addr, of_port) - # Add flow tule in L3 look up table: if the destination IP = VM's IP then modify the packet - # set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table + # Add flow rule in L3 look up table: if the destination IP = VM's IP then modify the packet + # to set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr) - return "SUCCESS: successfully configured bridge as per the VPC topology" + # Add flow entry to send with intra tier traffic from the NIC to L2 lookup path) + action_str = "table=0, in_port=%s," %of_port + " ip, nw_dst=%s," %network.cidr + " actions=resubmit(,1)" + addflow = [OFCTL_PATH, "add-flow", bridge, action_str] + do_cmd(addflow) + + #add flow entry to send inter-tier traffic from the NIC to egress ACL table(to L3 lookup path) + action_str = "table=0, in_port=%s," % of_port + " ip, dl_dst=%s," %network.gatewaymac +\ + "nw_dst=%s," %vpconfig.cidr + "actions=resubmit(,3)" + addflow = [OFCTL_PATH, "add-flow", bridge, action_str] + + do_cmd(addflow) + + # get the list of hosts on which VPC spans from the JSON config + vpc_spanning_hosts = vpconfig.hosts + + for host in vpc_spanning_hosts: + if str(this_host_id) == str(host.hostid): + continue + other_host_vms = 
get_vms_on_host(vpconfig, host.hostid) + for vm in other_host_vms: + for nic in vm.nics: + mac_addr = nic.macaddress + ip = nic.ipaddress + network = get_network_details(vpconfig, nic.networkuuid) + gre_key = network.grekey + + # generate tunnel name from tunnel naming convention + tunnel_name = "t%s-%s-%s" % (gre_key, this_host_id, host.hostid) + of_port = get_ofport_for_vif(tunnel_name) + + # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet tunnel port + add_mac_lookup_table_entry(bridge, mac_addr, of_port) + + # Add flow tule in L3 look up table: if the destination IP = VM's IP then modify the packet + # set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table + add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr) + + return "SUCCESS: successfully configured bridge as per the VPC topology" + except: + logging.debug("An unexpected error occurred while configuring bridge as per VPC topology.") + raise def get_acl(vpcconfig, required_acl_id): acls = vpcconfig.acls 
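Review bot: The bare `except:` added around the body of `configure_bridge_for_network_topology` logs a fixed string at debug level and re-raises, so the exception type and traceback of a failed `get_ofport_for_vif` or `ovs-ofctl add-flow` never reach the plugin log; use `logging.exception("Unexpected error while configuring bridge %s as per VPC topology", bridge)` so the host log keeps what failed, and note that flows installed by earlier iterations stay on the bridge when a later one raises. Unlike `configure_ovs_bridge_for_routing_policies`, which flushes table 3 before re-applying, this function removes nothing, so L2/L3 lookup entries for a VM that has since moved host remain alongside the new entries until something else clears them; if that is intended a comment saying so would help, otherwise consider deleting the entries this function owns before re-adding them. The function's signature and the JSON parsing precede the hunk.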
@@ -392,60 +396,84 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config): logging.debug("WARNING:Can't find VPC info in json config file") return "FAILURE:IMPROPER_JSON_CONFG_FILE" - # First flush current egress ACL's before re-applying the ACL's - del_flows(bridge, table=3) - - egress_rules_added = False - ingress_rules_added = False - - tiers = vpconfig.tiers - for tier in tiers: - tier_cidr = tier.cidr - acl = get_acl(vpconfig, tier.aclid) - acl_items = acl.aclitems - - for acl_item in acl_items: - number = acl_item.number - action = acl_item.action - direction = acl_item.direction - source_port_start = acl_item.sourceportstart - source_port_end = acl_item.sourceportend - protocol = acl_item.protocol - source_cidrs = acl_item.sourcecidrs - acl_priority = 1000 + number - for source_cidr in source_cidrs: - if direction is "ingress": - ingress_rules_added = True - # add flow rule to do action (allow/deny) for flows where source IP of the packet is in - # source_cidr and destination ip is in tier_cidr - port = source_port_start - while (port < source_port_end): - if action is "deny": - add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port, - nw_proto=protocol, actions='drop') - if action is "allow": - add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port, - nw_proto=protocol, actions='resubmit(,1)') - port = port + 1 - - elif direction in "egress": - egress_rules_added = True - # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in - # source_cidr and source ip is in tier_cidr - port = source_port_start - while (port < source_port_end): - if action is "deny": - add_flow(bridge, priority= acl_priority, table=5, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port, - nw_proto=protocol, actions='drop') - if action is "allow": - add_flow(bridge, priority= acl_priority, table=5, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port, - 
nw_proto=protocol, actions='resubmit(,1)') - port = port + 1 - - if egress_rules_added is False: - # add a default rule in egress table to forward packet to L3 lookup table - add_flow(bridge, priority=0, table=3, actions='resubmit(,4)') - - if ingress_rules_added is False: - # add a default rule in egress table drop packets - add_flow(bridge, priority=0, table=5, actions='drop') \ No newline at end of file + try: + # First flush current egress ACL's before re-applying the ACL's + del_flows(bridge, table=3) + + egress_rules_added = False + ingress_rules_added = False + + tiers = vpconfig.tiers + for tier in tiers: + tier_cidr = tier.cidr + acl = get_acl(vpconfig, tier.aclid) + acl_items = acl.aclitems + + for acl_item in acl_items: + number = acl_item.number + action = acl_item.action + direction = acl_item.direction + source_port_start = acl_item.sourceportstart + source_port_end = acl_item.sourceportend + protocol = acl_item.protocol + source_cidrs = acl_item.sourcecidrs + acl_priority = 1000 + number + for source_cidr in source_cidrs: + if direction is "ingress": + ingress_rules_added = True + + if source_port_start is None and source_port_end is None: + if action is "deny": + add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, + nw_proto=protocol, actions='drop') + if action is "allow": + add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, + nw_proto=protocol, actions='resubmit(,1)') + continue + + # add flow rule to do action (allow/deny) for flows where source IP of the packet is in + # source_cidr and destination ip is in tier_cidr + port = source_port_start + while (port < source_port_end): + if action is "deny": + add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port, + nw_proto=protocol, actions='drop') + if action is "allow": + add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port, + 
nw_proto=protocol, actions='resubmit(,1)') + port = port + 1 + + elif direction in "egress": + egress_rules_added = True + + if source_port_start is None and source_port_end is None: + if action is "deny": + add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr, + nw_proto=protocol, actions='drop') + if action is "allow": + add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr, + nw_proto=protocol, actions='resubmit(,1)') + continue + + # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in + # source_cidr and source ip is in tier_cidr + port = source_port_start + while (port < source_port_end): + if action is "deny": + add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port, + nw_proto=protocol, actions='drop') + if action is "allow": + add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port, + nw_proto=protocol, actions='resubmit(,1)') + port = port + 1 + + if egress_rules_added is False: + # add a default rule in egress table to forward packet to L3 lookup table + add_flow(bridge, priority=0, table=3, actions='resubmit(,4)') + + if ingress_rules_added is False: + # add a default rule in egress table drop packets + add_flow(bridge, priority=0, table=5, actions='drop') + except: + logging.debug("An unexpected error occurred while configuring bridge as per VPC's routing policies.") + raise \ No newline at end of file
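Review bot: The per-port loops `while (port < source_port_end):` in both the ingress and egress branches never install a flow for the end port, so an ACL item whose start equals its end (a single-port deny on 22-22, say) adds no flow at all and is silently not enforced; the bound should be `while (port <= source_port_end):`. Only the egress table is flushed with `del_flows(bridge, table=3)` before re-applying, so table 5 keeps ingress flows from the previous ACL and a removed allow rule stays in effect; add `del_flows(bridge, table=5)` beside it. The comparisons `direction is "ingress"`, `action is "deny"` and `action is "allow"` test object identity, which is not guaranteed for strings decoded from the JSON config, so they can evaluate False and drop every rule; use `==` (and `direction == "egress"` instead of the substring test `direction in "egress"`). In the new no-port egress case the flow matches `nw_src=source_cidr, nw_dst=tier_cidr`, the reverse of the per-port egress rule just below it, which looks like a copy from the ingress branch.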