2
# Licensed under the Apache License, Version 2.0 (the "License"); you may
3
# not use this file except in compliance with the License. You may obtain
4
# a copy of the License at
6
# http://www.apache.org/licenses/LICENSE-2.0
8
# Unless required by applicable law or agreed to in writing, software
9
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
10
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
11
# License for the specific language governing permissions and limitations
14
from heat.common.i18n import _
15
from heat.engine import attributes
16
from heat.engine import constraints
17
from heat.engine import properties
18
from heat.engine.resources.neutron import neutron
19
from heat.engine import support
22
class Firewall(neutron.NeutronResource):
24
A resource for the Firewall resource in Neutron FWaaS.
28
NAME, DESCRIPTION, ADMIN_STATE_UP, FIREWALL_POLICY_ID,
31
'name', 'description', 'admin_state_up', 'firewall_policy_id',
36
NAME_ATTR, DESCRIPTION_ATTR, ADMIN_STATE_UP_ATTR,
37
FIREWALL_POLICY_ID_ATTR, SHARED_ATTR, STATUS, TENANT_ID, SHOW,
39
'name', 'description', 'admin_state_up',
40
'firewall_policy_id', 'shared', 'status', 'tenant_id', 'show',
44
NAME: properties.Schema(
45
properties.Schema.STRING,
46
_('Name for the firewall.'),
49
DESCRIPTION: properties.Schema(
50
properties.Schema.STRING,
51
_('Description for the firewall.'),
54
ADMIN_STATE_UP: properties.Schema(
55
properties.Schema.BOOLEAN,
56
_('Administrative state of the firewall. If false (down), '
57
'firewall does not forward packets and will drop all '
58
'traffic to/from VMs behind the firewall.'),
62
FIREWALL_POLICY_ID: properties.Schema(
63
properties.Schema.STRING,
64
_('The ID of the firewall policy that this firewall is '
69
SHARED: properties.Schema(
70
properties.Schema.BOOLEAN,
71
_('Whether this firewall should be shared across all tenants. '
72
'NOTE: The default policy setting in Neutron restricts usage '
73
'of this property to administrative users only.'),
76
support_status=support.SupportStatus(version='2015.1'),
81
NAME_ATTR: attributes.Schema(
82
_('Name for the firewall.')
84
DESCRIPTION_ATTR: attributes.Schema(
85
_('Description of the firewall.')
87
ADMIN_STATE_UP_ATTR: attributes.Schema(
88
_('The administrative state of the firewall.')
90
FIREWALL_POLICY_ID_ATTR: attributes.Schema(
91
_('Unique identifier of the firewall policy used to create '
94
SHARED_ATTR: attributes.Schema(
95
_('Shared status of this firewall.')
97
STATUS: attributes.Schema(
98
_('The status of the firewall.')
100
TENANT_ID: attributes.Schema(
101
_('Id of the tenant owning the firewall.')
103
SHOW: attributes.Schema(
108
def _show_resource(self):
109
return self.neutron().show_firewall(self.resource_id)['firewall']
111
def handle_create(self):
112
props = self.prepare_properties(
114
self.physical_resource_name())
115
firewall = self.neutron().create_firewall({'firewall': props})[
117
self.resource_id_set(firewall['id'])
119
def handle_update(self, json_snippet, tmpl_diff, prop_diff):
121
self.neutron().update_firewall(
122
self.resource_id, {'firewall': prop_diff})
124
def handle_delete(self):
125
client = self.neutron()
127
client.delete_firewall(self.resource_id)
128
except Exception as ex:
129
self.client_plugin().ignore_not_found(ex)
134
class FirewallPolicy(neutron.NeutronResource):
136
A resource for the FirewallPolicy resource in Neutron FWaaS.
140
NAME, DESCRIPTION, SHARED, AUDITED, FIREWALL_RULES,
142
'name', 'description', 'shared', 'audited', 'firewall_rules',
146
NAME_ATTR, DESCRIPTION_ATTR, FIREWALL_RULES_ATTR, SHARED_ATTR,
147
AUDITED_ATTR, TENANT_ID,
149
'name', 'description', 'firewall_rules', 'shared',
150
'audited', 'tenant_id',
153
properties_schema = {
154
NAME: properties.Schema(
155
properties.Schema.STRING,
156
_('Name for the firewall policy.'),
159
DESCRIPTION: properties.Schema(
160
properties.Schema.STRING,
161
_('Description for the firewall policy.'),
164
SHARED: properties.Schema(
165
properties.Schema.BOOLEAN,
166
_('Whether this policy should be shared across all tenants.'),
170
AUDITED: properties.Schema(
171
properties.Schema.BOOLEAN,
172
_('Whether this policy should be audited. When set to True, '
173
'each time the firewall policy or the associated firewall '
174
'rules are changed, this attribute will be set to False and '
175
'will have to be explicitly set to True through an update '
180
FIREWALL_RULES: properties.Schema(
181
properties.Schema.LIST,
182
_('An ordered list of firewall rules to apply to the firewall.'),
188
attributes_schema = {
189
NAME_ATTR: attributes.Schema(
190
_('Name for the firewall policy.')
192
DESCRIPTION_ATTR: attributes.Schema(
193
_('Description of the firewall policy.')
195
FIREWALL_RULES_ATTR: attributes.Schema(
196
_('List of firewall rules in this firewall policy.')
198
SHARED_ATTR: attributes.Schema(
199
_('Shared status of this firewall policy.')
201
AUDITED_ATTR: attributes.Schema(
202
_('Audit status of this firewall policy.')
204
TENANT_ID: attributes.Schema(
205
_('Id of the tenant owning the firewall policy.')
209
def _show_resource(self):
210
return self.neutron().show_firewall_policy(self.resource_id)[
213
def handle_create(self):
214
props = self.prepare_properties(
216
self.physical_resource_name())
217
firewall_policy = self.neutron().create_firewall_policy(
218
{'firewall_policy': props})['firewall_policy']
219
self.resource_id_set(firewall_policy['id'])
221
def handle_update(self, json_snippet, tmpl_diff, prop_diff):
223
self.neutron().update_firewall_policy(
224
self.resource_id, {'firewall_policy': prop_diff})
226
def handle_delete(self):
227
client = self.neutron()
229
client.delete_firewall_policy(self.resource_id)
230
except Exception as ex:
231
self.client_plugin().ignore_not_found(ex)
236
class FirewallRule(neutron.NeutronResource):
238
A resource for the FirewallRule resource in Neutron FWaaS.
242
NAME, DESCRIPTION, SHARED, PROTOCOL, IP_VERSION,
243
SOURCE_IP_ADDRESS, DESTINATION_IP_ADDRESS, SOURCE_PORT,
244
DESTINATION_PORT, ACTION, ENABLED,
246
'name', 'description', 'shared', 'protocol', 'ip_version',
247
'source_ip_address', 'destination_ip_address', 'source_port',
248
'destination_port', 'action', 'enabled',
252
NAME_ATTR, DESCRIPTION_ATTR, FIREWALL_POLICY_ID, SHARED_ATTR,
253
PROTOCOL_ATTR, IP_VERSION_ATTR, SOURCE_IP_ADDRESS_ATTR,
254
DESTINATION_IP_ADDRESS_ATTR, SOURCE_PORT_ATTR, DESTINATION_PORT_ATTR,
255
ACTION_ATTR, ENABLED_ATTR, POSITION, TENANT_ID,
257
'name', 'description', 'firewall_policy_id', 'shared',
258
'protocol', 'ip_version', 'source_ip_address',
259
'destination_ip_address', 'source_port', 'destination_port',
260
'action', 'enabled', 'position', 'tenant_id',
263
properties_schema = {
264
NAME: properties.Schema(
265
properties.Schema.STRING,
266
_('Name for the firewall rule.'),
269
DESCRIPTION: properties.Schema(
270
properties.Schema.STRING,
271
_('Description for the firewall rule.'),
274
SHARED: properties.Schema(
275
properties.Schema.BOOLEAN,
276
_('Whether this rule should be shared across all tenants.'),
280
PROTOCOL: properties.Schema(
281
properties.Schema.STRING,
282
_('Protocol for the firewall rule.'),
284
constraints.AllowedValues(['tcp', 'udp', 'icmp', 'any']),
289
IP_VERSION: properties.Schema(
290
properties.Schema.STRING,
291
_('Internet protocol version.'),
294
constraints.AllowedValues(['4', '6']),
298
SOURCE_IP_ADDRESS: properties.Schema(
299
properties.Schema.STRING,
300
_('Source IP address or CIDR.'),
303
DESTINATION_IP_ADDRESS: properties.Schema(
304
properties.Schema.STRING,
305
_('Destination IP address or CIDR.'),
308
SOURCE_PORT: properties.Schema(
309
properties.Schema.STRING,
310
_('Source port number or a range.'),
313
DESTINATION_PORT: properties.Schema(
314
properties.Schema.STRING,
315
_('Destination port number or a range.'),
318
ACTION: properties.Schema(
319
properties.Schema.STRING,
320
_('Action to be performed on the traffic matching the rule.'),
323
constraints.AllowedValues(['allow', 'deny']),
327
ENABLED: properties.Schema(
328
properties.Schema.BOOLEAN,
329
_('Whether this rule should be enabled.'),
335
attributes_schema = {
336
NAME_ATTR: attributes.Schema(
337
_('Name for the firewall rule.')
339
DESCRIPTION_ATTR: attributes.Schema(
340
_('Description of the firewall rule.')
342
FIREWALL_POLICY_ID: attributes.Schema(
343
_('Unique identifier of the firewall policy to which this '
344
'firewall rule belongs.')
346
SHARED_ATTR: attributes.Schema(
347
_('Shared status of this firewall rule.')
349
PROTOCOL_ATTR: attributes.Schema(
350
_('Protocol value for this firewall rule.')
352
IP_VERSION_ATTR: attributes.Schema(
353
_('Ip_version for this firewall rule.')
355
SOURCE_IP_ADDRESS_ATTR: attributes.Schema(
356
_('Source ip_address for this firewall rule.')
358
DESTINATION_IP_ADDRESS_ATTR: attributes.Schema(
359
_('Destination ip_address for this firewall rule.')
361
SOURCE_PORT_ATTR: attributes.Schema(
362
_('Source port range for this firewall rule.')
364
DESTINATION_PORT_ATTR: attributes.Schema(
365
_('Destination port range for this firewall rule.')
367
ACTION_ATTR: attributes.Schema(
368
_('Allow or deny action for this firewall rule.')
370
ENABLED_ATTR: attributes.Schema(
371
_('Indicates whether this firewall rule is enabled or not.')
373
POSITION: attributes.Schema(
374
_('Position of the rule within the firewall policy.')
376
TENANT_ID: attributes.Schema(
377
_('Id of the tenant owning the firewall.')
381
def _show_resource(self):
382
return self.neutron().show_firewall_rule(
383
self.resource_id)['firewall_rule']
385
def handle_create(self):
386
props = self.prepare_properties(
388
self.physical_resource_name())
389
if props.get(self.PROTOCOL) == 'any':
390
props[self.PROTOCOL] = None
391
firewall_rule = self.neutron().create_firewall_rule(
392
{'firewall_rule': props})['firewall_rule']
393
self.resource_id_set(firewall_rule['id'])
395
def handle_update(self, json_snippet, tmpl_diff, prop_diff):
397
if prop_diff.get(self.PROTOCOL) == 'any':
398
prop_diff[self.PROTOCOL] = None
399
self.neutron().update_firewall_rule(
400
self.resource_id, {'firewall_rule': prop_diff})
402
def handle_delete(self):
403
client = self.neutron()
405
client.delete_firewall_rule(self.resource_id)
406
except Exception as ex:
407
self.client_plugin().ignore_not_found(ex)
412
def resource_mapping():
414
'OS::Neutron::Firewall': Firewall,
415
'OS::Neutron::FirewallPolicy': FirewallPolicy,
416
'OS::Neutron::FirewallRule': FirewallRule,