Posted to commits@cloudstack.apache.org by mu...@apache.org on 2014/03/14 12:27:11 UTC
[12/14] git commit: updated refs/heads/master to 7d20b08
findbug fixes, added some comments, bug fixes
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9a97ba76
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9a97ba76
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9a97ba76
Branch: refs/heads/master
Commit: 9a97ba76d382d9f13d2bde73aed6dfdeb4047118
Parents: e487b24
Author: Murali Reddy <mu...@gmail.com>
Authored: Fri Mar 14 15:51:49 2014 +0530
Committer: Murali Reddy <mu...@gmail.com>
Committed: Fri Mar 14 16:56:39 2014 +0530
----------------------------------------------------------------------
.../xen/resource/CitrixResourceBase.java | 11 +-
.../cloud/network/guru/OvsGuestNetworkGuru.java | 1 +
.../network/ovs/OvsNetworkTopologyGuruImpl.java | 21 +-
.../cloud/network/ovs/OvsTunnelManagerImpl.java | 56 +++--
.../xenserver/cloudstack_pluginlib.py | 236 +++++++++++--------
5 files changed, 193 insertions(+), 132 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index 57debc6..d1e1716 100644
--- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -1147,7 +1147,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
if (vmSpec != null) {
vifr.otherConfig.put("cloudstack-vm-id", vmSpec.getUuid());
}
+
+ // OVS plugin looks at network UUID in the vif 'otherconfig' details to group VIF's & tunnel ports as part of tier
+ // when bridge is setup for distributed routing
vifr.otherConfig.put("cloudstack-network-id", nic.getNetworkUuid());
+
vifr.network = getNetwork(conn, nic);
if (nic.getNetworkRateMbps() != null && nic.getNetworkRateMbps().intValue() != -1) {
@@ -5285,7 +5289,7 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
Connection conn = getConnection();
try {
Network nw = findOrCreateTunnelNetwork(conn, cmd.getBridgeName());
- String bridgeName = nw.getBridge(conn);;
+ String bridgeName = nw.getBridge(conn);
String result = callHostPlugin(conn, "ovstunnel", "configure_ovs_bridge_for_network_topology", "bridge",
bridgeName, "config", cmd.getVpcConfigInJson(), "host-id", ((Long)cmd.getHostId()).toString());
if (result.startsWith("SUCCESS")) {
@@ -5302,8 +5306,11 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
public Answer execute(OvsVpcRoutingPolicyConfigCommand cmd) {
Connection conn = getConnection();
try {
+ Network nw = findOrCreateTunnelNetwork(conn, cmd.getBridgeName());
+ String bridgeName = nw.getBridge(conn);
+
String result = callHostPlugin(conn, "ovstunnel", "configure_ovs_bridge_for_routing_policies", "bridge",
- cmd.getBridgeName(), "host-id", ((Long)cmd.getHostId()).toString(), "config",
+ bridgeName, "host-id", ((Long)cmd.getHostId()).toString(), "config",
cmd.getVpcConfigInJson());
if (result.startsWith("SUCCESS")) {
return new Answer(cmd, true, result);
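Review bot: The added `Network nw = findOrCreateTunnelNetwork(conn, cmd.getBridgeName());` gives a routing-policy push the side effect of creating a tunnel network when none exists, which presumably is not what an ACL update should do; and if that helper can return null, `nw.getBridge(conn)` on the next line throws a NullPointerException that only the surrounding catch (outside the hunk) sees. Consider a lookup that does not create, or at least guard the returned network before deriving the bridge name. On the changed call line, `((Long)cmd.getHostId()).toString()` can be written `String.valueOf(cmd.getHostId())`. The method continues outside the hunk.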
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java b/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java
index 9d2efe6..de74108 100644
--- a/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java
+++ b/plugins/network-elements/ovs/src/com/cloud/network/guru/OvsGuestNetworkGuru.java
@@ -151,6 +151,7 @@ public class OvsGuestNetworkGuru extends GuestNetworkGuru {
implemented.setBroadcastDomainType(BroadcastDomainType.Vswitch);
+ // for the networks that are part of VPC enabled for distributed routing use scheme vs://vpcid.GRE key for network
if (network.getVpcId() != null && isVpcEnabledForDistributedRouter(network.getVpcId())) {
String keyStr = BroadcastDomainType.getValue(implemented.getBroadcastUri());
Long vpcid= network.getVpcId();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java
index 740df80..ab08d26 100644
--- a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java
+++ b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsNetworkTopologyGuruImpl.java
@@ -91,6 +91,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vpcHostIds;
}
+ /**
+ * get the list of VPC id's of the vpc's for which one or more VM's from the VPC are running on the host
+ */
@Override
public List<Long> getVpcOnHost(long hostId) {
List<Long> vpcIds = new ArrayList<>();
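Review bot: The Javadoc added for getVpcOnHost is a single run-on sentence without `@param`/`@return` tags; the same applies to the comments added in the later hunks of this file (getAllActiveVmsInNetwork, getAllActiveVmsInVpc, getActiveVmsInVpcOnHost, getActiveVmsInNetworkOnHost, getVpcIdsVmIsPartOf), and the getAllActiveVmsInVpc comment has the typo "ther tiers". A conventional form here would be `/** Returns the ids of the VPCs that have at least one VM running on the given host. */` followed by `@param hostId` and `@return` lines. The body of getVpcOnHost continues outside the hunk.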
@@ -109,6 +112,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vpcIds;
}
+ /**
+ * get the list of all active Vm id's in a network
+ */
@Override
public List<Long> getAllActiveVmsInNetwork(long networkId) {
List <Long> vmIds = new ArrayList<>();
@@ -117,7 +123,6 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
VirtualMachine.State.Migrating);
// Find routers for the network
List<DomainRouterVO> routers = _routerDao.findByNetwork(networkId);
- List<VMInstanceVO> ins = new ArrayList<VMInstanceVO>();
if (vms != null) {
for (UserVmVO vm : vms) {
@@ -132,6 +137,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vmIds;
}
+ /**
+ * get the list of all active Vm id's in the VPC for all ther tiers
+ */
@Override
public List<Long> getAllActiveVmsInVpc(long vpcId) {
@@ -148,6 +156,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vmIds;
}
+ /**
+ * get the list of all Vm id's in the VPC for all the tiers that are running on the host
+ */
@Override
public List<Long> getActiveVmsInVpcOnHost(long vpcId, long hostId) {
Set<Long> vmIdsSet = new HashSet<>();
@@ -163,6 +174,9 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vmIds;
}
+ /**
+ * get the list of all Vm id's in the network that are running on the host
+ */
@Override
public List<Long> getActiveVmsInNetworkOnHost(long networkId, long hostId) {
List <Long> vmIds = new ArrayList<>();
@@ -171,7 +185,6 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
VirtualMachine.State.Migrating);
// Find routers for the network
List<DomainRouterVO> routers = _routerDao.findByNetwork(networkId);
- List<VMInstanceVO> ins = new ArrayList<VMInstanceVO>();
if (vms != null) {
for (UserVmVO vm : vms) {
@@ -188,13 +201,15 @@ public class OvsNetworkTopologyGuruImpl extends ManagerBase implements OvsNetwor
return vmIds;
}
+ /**
+ * get the list of all Vpc id's in which, a VM has a nic in the network that is part of VPC
+ */
@Override
public List<Long> getVpcIdsVmIsPartOf(long vmId) {
List<Long> vpcIds = new ArrayList<>();
List<NicVO> nics = _nicDao.listByVmId(vmId);
if (nics == null)
return null;
-
for (Nic nic: nics) {
Network network = _networkDao.findById(nic.getNetworkId());
if (network != null && network.getTrafficType() == Networks.TrafficType.Guest && network.getVpcId() != null) {
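Review bot: `getVpcIdsVmIsPartOf` still returns `null` when `_nicDao.listByVmId(vmId)` yields null while every other path returns a list, so a caller that iterates the result will hit a NullPointerException; this commit only removed the blank line beside it. Since `vpcIds` is already an empty ArrayList at that point, `return vpcIds;` in place of `return null;` keeps the meaning and removes the null. The loop body continues outside the hunk.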
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java
index 30088aa..21e9058 100644
--- a/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java
+++ b/plugins/network-elements/ovs/src/com/cloud/network/ovs/OvsTunnelManagerImpl.java
@@ -665,7 +665,6 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
public boolean postStateTransitionEvent(VirtualMachine.State oldState, VirtualMachine.Event event,
VirtualMachine.State newState, VirtualMachine vm,
boolean status, Object opaque) {
-
if (!status) {
return false;
}
@@ -720,7 +719,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
public boolean sendVpcTopologyChangeUpdate(OvsVpcPhysicalTopologyConfigCommand updateCmd, long hostId, String bridgeName) {
try {
- s_logger.debug("Sending VPC topology update to the host " + hostId);
+ s_logger.debug("Sending VPC topology change update to the host " + hostId);
updateCmd.setHostId(hostId);
updateCmd.setBridgeName(bridgeName);
Answer ans = _agentMgr.send(hostId, updateCmd);
@@ -732,7 +731,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
return false;
}
} catch (Exception e) {
- s_logger.debug("Failed to updated the host " + hostId + " with latest VPC topology." );
+ s_logger.debug("Failed to updated the host " + hostId + " with latest VPC topology.", e );
return false;
}
}
@@ -797,6 +796,7 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
vmInstance.getHostId(), vmNics.toArray(new OvsVpcPhysicalTopologyConfigCommand.Nic[vmNics.size()]));
vms.add(vm);
}
+
return new OvsVpcPhysicalTopologyConfigCommand(
hosts.toArray(new OvsVpcPhysicalTopologyConfigCommand.Host[hosts.size()]),
tiers.toArray(new OvsVpcPhysicalTopologyConfigCommand.Tier[tiers.size()]),
@@ -804,47 +804,58 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
vpc.getCidr());
}
- // Subscriber to ACL replace events. On acl replace event, if the vpc is enabled for distributed routing
- // send the ACL update to all the hosts on which VPC spans
+ // Subscriber to ACL replace events. On acl replace event, if the vpc for the tier is enabled for
+ // distributed routing send the ACL update to all the hosts on which VPC spans
public class NetworkAclEventsSubscriber implements MessageSubscriber {
@Override
public void onPublishMessage(String senderAddress, String subject, Object args) {
- NetworkVO network = (NetworkVO) args;
- String bridgeName=generateBridgeNameForVpc(network.getVpcId());
- if (network.getVpcId() != null & isVpcEnabledForDistributedRouter(network.getVpcId())) {
- long vpcId = network.getVpcId();
- OvsVpcRoutingPolicyConfigCommand cmd = prepareVpcRoutingPolicyUpdate(vpcId);
- List<Long> vpcSpannedHostIds = _ovsNetworkToplogyGuru.getVpcSpannedHosts(vpcId);
- for (Long id: vpcSpannedHostIds) {
- if (!sendVpcRoutingPolicyChangeUpdate(cmd, id, bridgeName)) {
- s_logger.debug("Failed to send VPC routing policy change update to host : " + id +
- ". But moving on with sending the host updates to the rest of the hosts.");
+ try {
+ NetworkVO network = (NetworkVO) args;
+ String bridgeName=generateBridgeNameForVpc(network.getVpcId());
+ if (network.getVpcId() != null & isVpcEnabledForDistributedRouter(network.getVpcId())) {
+ long vpcId = network.getVpcId();
+ OvsVpcRoutingPolicyConfigCommand cmd = prepareVpcRoutingPolicyUpdate(vpcId);
+ List<Long> vpcSpannedHostIds = _ovsNetworkToplogyGuru.getVpcSpannedHosts(vpcId);
+ for (Long id: vpcSpannedHostIds) {
+ if (!sendVpcRoutingPolicyChangeUpdate(cmd, id, bridgeName)) {
+ s_logger.debug("Failed to send VPC routing policy change update to host : " + id +
+ ". But moving on with sending the updates to the rest of the hosts.");
+ }
}
}
+ } catch (Exception e) {
+ s_logger.debug("Failed to send VPC routing policy change updates all hosts in vpc", e);
}
}
}
private OvsVpcRoutingPolicyConfigCommand prepareVpcRoutingPolicyUpdate(long vpcId) {
- VpcVO vpc = _vpcDao.findById(vpcId);
- assert (vpc != null): "invalid vpc id";
+
List<OvsVpcRoutingPolicyConfigCommand.Acl> acls = new ArrayList<>();
List<OvsVpcRoutingPolicyConfigCommand.Tier> tiers = new ArrayList<>();
+ VpcVO vpc = _vpcDao.findById(vpcId);
List<? extends Network> vpcNetworks = _vpcMgr.getVpcNetworks(vpcId);
+ assert (vpc != null && (vpcNetworks != null && !vpcNetworks.isEmpty())): "invalid vpc id";
+
for (Network network : vpcNetworks) {
Long networkAclId = network.getNetworkACLId();
+ if (networkAclId == null)
+ continue;
NetworkACLVO networkAcl = _networkACLDao.findById(networkAclId);
List<OvsVpcRoutingPolicyConfigCommand.AclItem> aclItems = new ArrayList<>();
List<NetworkACLItemVO> aclItemVos = _networkACLItemDao.listByACL(networkAclId);
for (NetworkACLItemVO aclItem : aclItemVos) {
String[] sourceCidrs = aclItem.getSourceCidrList().toArray(new String[aclItem.getSourceCidrList().size()]);
+
aclItems.add(new OvsVpcRoutingPolicyConfigCommand.AclItem(
aclItem.getNumber(), aclItem.getUuid(), aclItem.getAction().name(),
aclItem.getTrafficType().name(),
- aclItem.getSourcePortStart().toString(), aclItem.getSourcePortEnd().toString(),
- aclItem.getProtocol(), sourceCidrs));
+ ((aclItem.getSourcePortStart() != null) ?aclItem.getSourcePortStart().toString() :null),
+ ((aclItem.getSourcePortEnd() != null) ?aclItem.getSourcePortEnd().toString() :null),
+ aclItem.getProtocol(),
+ sourceCidrs));
}
OvsVpcRoutingPolicyConfigCommand.Acl acl = new OvsVpcRoutingPolicyConfigCommand.Acl(networkAcl.getUuid(),
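Review bot: `if (network.getVpcId() != null & isVpcEnabledForDistributedRouter(network.getVpcId()))` in the new onPublishMessage body uses the non-short-circuit `&`, so for a network without a VPC the right operand still runs with a null id (an unboxing NullPointerException if that parameter is a primitive long), and `generateBridgeNameForVpc(network.getVpcId())` on the line above is likewise evaluated before the null check; the new try/catch then reduces the failure to a debug log. Use `&&` and move the bridge name inside the guard: `if (network.getVpcId() != null && isVpcEnabledForDistributedRouter(network.getVpcId())) {` followed by `String bridgeName = generateBridgeNameForVpc(network.getVpcId());`. Because a swallowed failure here means hosts keep running stale network ACL rules, the catch at the end of the subscriber should log at warn rather than debug. In prepareVpcRoutingPolicyUpdate, the new `assert (vpc != null && ...)` is inert unless the JVM runs with -ea, so a null vpc or vpcNetworks still reaches the for loop below it; an explicit check that returns or throws would be more robust. prepareVpcRoutingPolicyUpdate continues outside the hunk.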
@@ -862,10 +873,9 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
return cmd;
}
-
public boolean sendVpcRoutingPolicyChangeUpdate(OvsVpcRoutingPolicyConfigCommand updateCmd, long hostId, String bridgeName) {
try {
- s_logger.debug("Sending VPC routing policy change update to the host " + hostId);
+ s_logger.debug("Sending VPC routing policies change update to the host " + hostId);
updateCmd.setHostId(hostId);
updateCmd.setBridgeName(bridgeName);
Answer ans = _agentMgr.send(hostId, updateCmd);
@@ -873,11 +883,11 @@ public class OvsTunnelManagerImpl extends ManagerBase implements OvsTunnelManage
s_logger.debug("Successfully updated the host " + hostId + " with latest VPC routing policies." );
return true;
} else {
- s_logger.debug("Failed to update the host " + hostId + " with latest routing policy." );
+ s_logger.debug("Failed to update the host " + hostId + " with latest routing policies." );
return false;
}
} catch (Exception e) {
- s_logger.debug("Failed to updated the host " + hostId + " with latest routing policy." );
+ s_logger.debug("Failed to updated the host " + hostId + " with latest routing policies due to" , e );
return false;
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9a97ba76/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
----------------------------------------------------------------------
diff --git a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
index 1c9d513..4ebb435 100644
--- a/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
+++ b/scripts/vm/hypervisor/xenserver/cloudstack_pluginlib.py
@@ -321,62 +321,66 @@ def configure_bridge_for_network_topology(bridge, this_host_id, json_config):
logging.debug("WARNING:Can't find VPC info in json config file")
return "FAILURE:IMPROPER_JSON_CONFG_FILE"
- # get the list of Vm's in the VPC from the JSON config
- this_host_vms = get_vms_on_host(vpconfig, this_host_id)
-
- for vm in this_host_vms:
- for nic in vm.nics:
- mac_addr = nic.macaddress
- ip = nic.ipaddress
- vif_name = get_vif_name_from_macaddress(mac_addr)
- of_port = get_ofport_for_vif(vif_name)
- network = get_network_details(vpconfig, nic.networkuuid)
-
- # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet on the found OFPORT
- add_mac_lookup_table_entry(bridge, mac_addr, of_port)
-
- # Add flow rule in L3 look up table: if the destination IP = VM's IP then modify the packet
- # to set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table
- add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr)
-
- # Add flow entry to send with intra tier traffic from the NIC to L2 lookup path)
- action_str = "table=0, in_port=%s," %of_port + " ip, nw_dst=%s," %network.cidr + " actions=resubmit(,1)"
- addflow = [OFCTL_PATH, "add-flow", bridge, action_str]
- do_cmd(addflow)
-
- #add flow entry to send inter-tier traffic from the NIC to egress ACL table(to L3 lookup path)
- action_str = "table=0, in_port=%s," % of_port + " ip, dl_dst=%s," %network.gatewaymac +\
- "nw_dst=%s," %vpconfig.cidr + "actions=resubmit(,3)"
- addflow = [OFCTL_PATH, "add-flow", bridge, action_str]
-
- do_cmd(addflow)
-
- # get the list of hosts on which VPC spans from the JSON config
- vpc_spanning_hosts = vpconfig.hosts
-
- for host in vpc_spanning_hosts:
- if str(this_host_id) == str(host.hostid):
- continue
- other_host_vms = get_vms_on_host(vpconfig, host.hostid)
- for vm in other_host_vms:
+ try:
+ # get the list of Vm's in the VPC from the JSON config
+ this_host_vms = get_vms_on_host(vpconfig, this_host_id)
+
+ for vm in this_host_vms:
for nic in vm.nics:
mac_addr = nic.macaddress
ip = nic.ipaddress
+ vif_name = get_vif_name_from_macaddress(mac_addr)
+ of_port = get_ofport_for_vif(vif_name)
network = get_network_details(vpconfig, nic.networkuuid)
- gre_key = network.grekey
- # generate tunnel name from tunnel naming convention
- tunnel_name = "t%s-%s-%s" % (gre_key, this_host_id, host.hostid)
- of_port = get_ofport_for_vif(tunnel_name)
-
- # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet tunnel port
+ # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet on the found OFPORT
add_mac_lookup_table_entry(bridge, mac_addr, of_port)
- # Add flow tule in L3 look up table: if the destination IP = VM's IP then modify the packet
- # set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table
+ # Add flow rule in L3 look up table: if the destination IP = VM's IP then modify the packet
+ # to set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table
add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr)
- return "SUCCESS: successfully configured bridge as per the VPC topology"
+ # Add flow entry to send with intra tier traffic from the NIC to L2 lookup path)
+ action_str = "table=0, in_port=%s," %of_port + " ip, nw_dst=%s," %network.cidr + " actions=resubmit(,1)"
+ addflow = [OFCTL_PATH, "add-flow", bridge, action_str]
+ do_cmd(addflow)
+
+ #add flow entry to send inter-tier traffic from the NIC to egress ACL table(to L3 lookup path)
+ action_str = "table=0, in_port=%s," % of_port + " ip, dl_dst=%s," %network.gatewaymac +\
+ "nw_dst=%s," %vpconfig.cidr + "actions=resubmit(,3)"
+ addflow = [OFCTL_PATH, "add-flow", bridge, action_str]
+
+ do_cmd(addflow)
+
+ # get the list of hosts on which VPC spans from the JSON config
+ vpc_spanning_hosts = vpconfig.hosts
+
+ for host in vpc_spanning_hosts:
+ if str(this_host_id) == str(host.hostid):
+ continue
+ other_host_vms = get_vms_on_host(vpconfig, host.hostid)
+ for vm in other_host_vms:
+ for nic in vm.nics:
+ mac_addr = nic.macaddress
+ ip = nic.ipaddress
+ network = get_network_details(vpconfig, nic.networkuuid)
+ gre_key = network.grekey
+
+ # generate tunnel name from tunnel naming convention
+ tunnel_name = "t%s-%s-%s" % (gre_key, this_host_id, host.hostid)
+ of_port = get_ofport_for_vif(tunnel_name)
+
+ # Add flow rule in L2 look up table, if the destination mac = MAC of the nic send packet tunnel port
+ add_mac_lookup_table_entry(bridge, mac_addr, of_port)
+
+ # Add flow tule in L3 look up table: if the destination IP = VM's IP then modify the packet
+ # set DST MAC = VM's MAC, SRC MAC=tier gateway MAC and send to egress table
+ add_ip_lookup_table_entry(bridge, ip, network.gatewaymac, mac_addr)
+
+ return "SUCCESS: successfully configured bridge as per the VPC topology"
+ except:
+ logging.debug("An unexpected error occurred while configuring bridge as per VPC topology.")
+ raise
def get_acl(vpcconfig, required_acl_id):
acls = vpcconfig.acls
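Review bot: The new `except:` at the end of configure_bridge_for_network_topology is a bare except, which also intercepts SystemExit and KeyboardInterrupt; since the handler only logs and re-raises, `except Exception:` together with `logging.exception("An unexpected error occurred while configuring bridge as per VPC topology.")` keeps the same control flow and additionally records the traceback, which `logging.debug` without `exc_info` does not. The comment on the tunnel-side L3 entry still reads "Add flow tule". The function starts before the hunk.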
@@ -392,60 +396,84 @@ def configure_ovs_bridge_for_routing_policies(bridge, json_config):
logging.debug("WARNING:Can't find VPC info in json config file")
return "FAILURE:IMPROPER_JSON_CONFG_FILE"
- # First flush current egress ACL's before re-applying the ACL's
- del_flows(bridge, table=3)
-
- egress_rules_added = False
- ingress_rules_added = False
-
- tiers = vpconfig.tiers
- for tier in tiers:
- tier_cidr = tier.cidr
- acl = get_acl(vpconfig, tier.aclid)
- acl_items = acl.aclitems
-
- for acl_item in acl_items:
- number = acl_item.number
- action = acl_item.action
- direction = acl_item.direction
- source_port_start = acl_item.sourceportstart
- source_port_end = acl_item.sourceportend
- protocol = acl_item.protocol
- source_cidrs = acl_item.sourcecidrs
- acl_priority = 1000 + number
- for source_cidr in source_cidrs:
- if direction is "ingress":
- ingress_rules_added = True
- # add flow rule to do action (allow/deny) for flows where source IP of the packet is in
- # source_cidr and destination ip is in tier_cidr
- port = source_port_start
- while (port < source_port_end):
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
- nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
- nw_proto=protocol, actions='resubmit(,1)')
- port = port + 1
-
- elif direction in "egress":
- egress_rules_added = True
- # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in
- # source_cidr and source ip is in tier_cidr
- port = source_port_start
- while (port < source_port_end):
- if action is "deny":
- add_flow(bridge, priority= acl_priority, table=5, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
- nw_proto=protocol, actions='drop')
- if action is "allow":
- add_flow(bridge, priority= acl_priority, table=5, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
- nw_proto=protocol, actions='resubmit(,1)')
- port = port + 1
-
- if egress_rules_added is False:
- # add a default rule in egress table to forward packet to L3 lookup table
- add_flow(bridge, priority=0, table=3, actions='resubmit(,4)')
-
- if ingress_rules_added is False:
- # add a default rule in egress table drop packets
- add_flow(bridge, priority=0, table=5, actions='drop')
\ No newline at end of file
+ try:
+ # First flush current egress ACL's before re-applying the ACL's
+ del_flows(bridge, table=3)
+
+ egress_rules_added = False
+ ingress_rules_added = False
+
+ tiers = vpconfig.tiers
+ for tier in tiers:
+ tier_cidr = tier.cidr
+ acl = get_acl(vpconfig, tier.aclid)
+ acl_items = acl.aclitems
+
+ for acl_item in acl_items:
+ number = acl_item.number
+ action = acl_item.action
+ direction = acl_item.direction
+ source_port_start = acl_item.sourceportstart
+ source_port_end = acl_item.sourceportend
+ protocol = acl_item.protocol
+ source_cidrs = acl_item.sourcecidrs
+ acl_priority = 1000 + number
+ for source_cidr in source_cidrs:
+ if direction is "ingress":
+ ingress_rules_added = True
+
+ if source_port_start is None and source_port_end is None:
+ if action is "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='drop')
+ if action is "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='resubmit(,1)')
+ continue
+
+ # add flow rule to do action (allow/deny) for flows where source IP of the packet is in
+ # source_cidr and destination ip is in tier_cidr
+ port = source_port_start
+ while (port < source_port_end):
+ if action is "deny":
+ add_flow(bridge, priority= acl_priority, table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+ nw_proto=protocol, actions='drop')
+ if action is "allow":
+ add_flow(bridge, priority= acl_priority,table=5, nw_src=source_cidr, nw_dst=tier_cidr, tp_dst=port,
+ nw_proto=protocol, actions='resubmit(,1)')
+ port = port + 1
+
+ elif direction in "egress":
+ egress_rules_added = True
+
+ if source_port_start is None and source_port_end is None:
+ if action is "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='drop')
+ if action is "allow":
+ add_flow(bridge, priority= acl_priority,table=3, nw_src=source_cidr, nw_dst=tier_cidr,
+ nw_proto=protocol, actions='resubmit(,1)')
+ continue
+
+ # add flow rule to do action (allow/deny) for flows where destination IP of the packet is in
+ # source_cidr and source ip is in tier_cidr
+ port = source_port_start
+ while (port < source_port_end):
+ if action is "deny":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='drop')
+ if action is "allow":
+ add_flow(bridge, priority= acl_priority, table=3, nw_src=tier_cidr, nw_dst=source_cidr, tp_dst=port,
+ nw_proto=protocol, actions='resubmit(,1)')
+ port = port + 1
+
+ if egress_rules_added is False:
+ # add a default rule in egress table to forward packet to L3 lookup table
+ add_flow(bridge, priority=0, table=3, actions='resubmit(,4)')
+
+ if ingress_rules_added is False:
+ # add a default rule in egress table drop packets
+ add_flow(bridge, priority=0, table=5, actions='drop')
+ except:
+ logging.debug("An unexpected error occurred while configuring bridge as per VPC's routing policies.")
+ raise
\ No newline at end of file
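Review bot: `if direction is "ingress":`, `if action is "deny":`, `if action is "allow":` and `elif direction in "egress":` in this hunk test string identity (or, for `in`, substring membership) rather than value; values read from the JSON config are not guaranteed to be the interned literals, so an ACL rule can silently fail to be installed — use `==` throughout, e.g. `if direction == "ingress":` and `if action == "deny":`. Only table 3 is flushed by `del_flows(bridge, table=3)`, so ingress rules written to table 5 by a previous ACL survive the replace and should be flushed as well with `del_flows(bridge, table=5)`. The port-less egress branch adds `nw_src=source_cidr, nw_dst=tier_cidr` while the ported egress loop just below it adds `nw_src=tier_cidr, nw_dst=source_cidr`, so one of the two has source and destination inverted. `while (port < source_port_end)` never installs a rule for `source_port_end` itself (a range of 80 to 80 installs nothing); if the range is meant to be inclusive, the condition should be `<=`. The function starts before the hunk.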