← Back to branch summary

~niedbalski/ubuntu/vivid/neutron/fixes-1447803

« back to all changes in this revision

Viewing changes to neutron/db/firewall/firewall_db.py

  • Committer: Package Import Robot
  • Author(s): James Page
  • Date: 2014-10-03 18:45:23 UTC
  • mfrom: (1.1.15)
  • Revision ID: package-import@ubuntu.com-20141003184523-4mt6dy1q3j8n30c9
Tags: 1:2014.2~rc1-0ubuntu1
https://launchpad.net/bugs/1323729
* New upstream release candidate:
  - d/p/*: Refreshed.
  - d/control: Add python-requests-mock to BD's.
  - d/control: Align versioned requirements with upstream.
* Transition linuxbridge and openvswitch plugin users to modular
  layer 2 plugin (LP: #1323729):
  - d/control: Mark removed plugin packages as transitional, depend
    on neutron-plugin-ml2, mark oldlibs/extra.
  - d/neutron-plugin-{linuxbridge,openvswitch}.install: Drop.
  - d/control: Depend on neutron-plugin-ml2 for linuxbridge
    agent package.
  - d/neutron-plugin-linuxbridge-agent.upstart: Use ml2 plugin
    configuration files.

Show diffs side-by-side

added added

removed removed

Lines of Context:
neutron/db/firewall/firewall_db.py
12
12
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13
13
#    License for the specific language governing permissions and limitations
14
14
#    under the License.
15
 
#
16
 
# @author: Sumit Naiksatam, sumitnaiksatam@gmail.com, Big Switch Networks, Inc.
17
15
 
18
16
from oslo.config import cfg
19
17
 
164
162
               'enabled': firewall_rule['enabled']}
165
163
        return self._fields(res, fields)
166
164
 
167
 
    def _set_rules_for_policy(self, context, firewall_policy_db, rule_id_list):
 
165
    def _check_firewall_rule_conflict(self, fwr_db, fwp_db):
 
166
        if not fwr_db['shared']:
 
167
            if fwr_db['tenant_id'] != fwp_db['tenant_id']:
 
168
                raise firewall.FirewallRuleConflict(
 
169
                    firewall_rule_id=fwr_db['id'],
 
170
                    tenant_id=fwr_db['tenant_id'])
 
171
 
 
172
    def _set_rules_for_policy(self, context, firewall_policy_db, fwp):
 
173
        rule_id_list = fwp['firewall_rules']
168
174
        fwp_db = firewall_policy_db
169
175
        with context.session.begin(subtransactions=True):
170
176
            if not rule_id_list:
188
194
                            fwp_db['id']):
189
195
                        raise firewall.FirewallRuleInUse(
190
196
                            firewall_rule_id=fwrule_id)
 
197
                if 'shared' in fwp:
 
198
                    if fwp['shared'] and not rules_dict[fwrule_id]['shared']:
 
199
                        raise firewall.FirewallRuleSharingConflict(
 
200
                            firewall_rule_id=fwrule_id,
 
201
                            firewall_policy_id=fwp_db['id'])
 
202
                elif fwp_db['shared'] and not rules_dict[fwrule_id]['shared']:
 
203
                    raise firewall.FirewallRuleSharingConflict(
 
204
                        firewall_rule_id=fwrule_id,
 
205
                        firewall_policy_id=fwp_db['id'])
 
206
            for fwr_db in rules_in_db:
 
207
                self._check_firewall_rule_conflict(fwr_db, fwp_db)
191
208
            # New list of rules is valid so we will first reset the existing
192
209
            # list and then add each rule in order.
193
210
            # Note that the list could be empty in which case we interpret
198
215
            fwp_db.firewall_rules.reorder()
199
216
            fwp_db.audited = False
200
217
 
 
218
    def _check_unshared_rules_for_policy(self, fwp_db, fwp):
 
219
        if fwp['shared']:
 
220
            rules_in_db = fwp_db['firewall_rules']
 
221
            for fwr_db in rules_in_db:
 
222
                if not fwr_db['shared']:
 
223
                    raise firewall.FirewallPolicySharingConflict(
 
224
                        firewall_rule_id=fwr_db['id'],
 
225
                        firewall_policy_id=fwp_db['id'])
 
226
 
201
227
    def _process_rule_for_policy(self, context, firewall_policy_id,
202
228
                                 firewall_rule_db, position):
203
229
        with context.session.begin(subtransactions=True):
270
296
    def delete_firewall(self, context, id):
271
297
        LOG.debug(_("delete_firewall() called"))
272
298
        with context.session.begin(subtransactions=True):
273
 
            fw_query = context.session.query(
274
 
                Firewall).with_lockmode('update')
275
 
            firewall_db = fw_query.filter_by(id=id).one()
276
299
            # Note: Plugin should ensure that it's okay to delete if the
277
300
            # firewall is active
278
 
            context.session.delete(firewall_db)
 
301
            count = context.session.query(Firewall).filter_by(id=id).delete()
 
302
            if not count:
 
303
                raise firewall.FirewallNotFound(firewall_id=id)
279
304
 
280
305
    def get_firewall(self, context, id, fields=None):
281
306
        LOG.debug(_("get_firewall() called"))
304
329
                                    description=fwp['description'],
305
330
                                    shared=fwp['shared'])
306
331
            context.session.add(fwp_db)
307
 
            self._set_rules_for_policy(context, fwp_db,
308
 
                                       fwp['firewall_rules'])
 
332
            self._set_rules_for_policy(context, fwp_db, fwp)
309
333
            fwp_db.audited = fwp['audited']
310
334
        return self._make_firewall_policy_dict(fwp_db)
311
335
 
314
338
        fwp = firewall_policy['firewall_policy']
315
339
        with context.session.begin(subtransactions=True):
316
340
            fwp_db = self._get_firewall_policy(context, id)
317
 
            if 'firewall_rules' in fwp:
318
 
                self._set_rules_for_policy(context, fwp_db,
319
 
                                           fwp['firewall_rules'])
 
341
            # check any existing rules are not shared
 
342
            if 'shared' in fwp and 'firewall_rules' not in fwp:
 
343
                self._check_unshared_rules_for_policy(fwp_db, fwp)
 
344
            elif 'firewall_rules' in fwp:
 
345
                self._set_rules_for_policy(context, fwp_db, fwp)
320
346
                del fwp['firewall_rules']
321
347
            if 'audited' not in fwp or fwp['audited']:
322
348
                fwp['audited'] = False
356
382
        fwr = firewall_rule['firewall_rule']
357
383
        self._validate_fwr_protocol_parameters(fwr)
358
384
        tenant_id = self._get_tenant_id_for_create(context, fwr)
 
385
        if not fwr['protocol'] and (fwr['source_port'] or
 
386
                fwr['destination_port']):
 
387
            raise firewall.FirewallRuleWithPortWithoutProtocolInvalid()
359
388
        src_port_min, src_port_max = self._get_min_max_ports_from_range(
360
389
            fwr['source_port'])
361
390
        dst_port_min, dst_port_max = self._get_min_max_ports_from_range(
383
412
    def update_firewall_rule(self, context, id, firewall_rule):
384
413
        LOG.debug(_("update_firewall_rule() called"))
385
414
        fwr = firewall_rule['firewall_rule']
 
415
        fwr_db = self._get_firewall_rule(context, id)
 
416
        if fwr_db.firewall_policy_id:
 
417
            fwp_db = self._get_firewall_policy(context,
 
418
                                               fwr_db.firewall_policy_id)
 
419
            if 'shared' in fwr and not fwr['shared']:
 
420
                if fwr_db['tenant_id'] != fwp_db['tenant_id']:
 
421
                    raise firewall.FirewallRuleInUse(firewall_rule_id=id)
386
422
        if 'source_port' in fwr:
387
423
            src_port_min, src_port_max = self._get_min_max_ports_from_range(
388
424
                fwr['source_port'])
396
432
            fwr['destination_port_range_max'] = dst_port_max
397
433
            del fwr['destination_port']
398
434
        with context.session.begin(subtransactions=True):
399
 
            fwr_db = self._get_firewall_rule(context, id)
 
435
            protocol = fwr.get('protocol', fwr_db['protocol'])
 
436
            if not protocol:
 
437
                sport = fwr.get('source_port_range_min',
 
438
                                fwr_db['source_port_range_min'])
 
439
                dport = fwr.get('destination_port_range_min',
 
440
                                fwr_db['destination_port_range_min'])
 
441
                if sport or dport:
 
442
                    raise firewall.FirewallRuleWithPortWithoutProtocolInvalid()
400
443
            fwr_db.update(fwr)
401
444
            if fwr_db.firewall_policy_id:
402
 
                fwp_db = self._get_firewall_policy(context,
403
 
                                                   fwr_db.firewall_policy_id)
404
445
                fwp_db.audited = False
405
446
        return self._make_firewall_rule_dict(fwr_db)
406
447
 
448
489
            insert_before = False
449
490
        with context.session.begin(subtransactions=True):
450
491
            fwr_db = self._get_firewall_rule(context, firewall_rule_id)
 
492
            fwp_db = self._get_firewall_policy(context, id)
451
493
            if fwr_db.firewall_policy_id:
452
494
                raise firewall.FirewallRuleInUse(firewall_rule_id=fwr_db['id'])
 
495
            self._check_firewall_rule_conflict(fwr_db, fwp_db)
453
496
            if ref_firewall_rule_id:
454
497
                # If reference_firewall_rule_id is set, the new rule
455
498
                # is inserted depending on the value of insert_before.