neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall module¶
- class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.FWGPortMap¶
Bases:
object- create_port(port, port_dict)¶
- delete_fwg(fwg_id)¶
- get_fwg(fwg_id)¶
- get_or_create_fwg(fwg_id)¶
- remove_port(port)¶
- update_members(fwg_id, members)¶
- update_port(port, port_dict)¶
- update_rules(fwg_id, ingress_rules, egress_rules)¶
- class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.FirewallGroup(id_)¶
Bases:
object- get_ethertype_filtered_addresses(ethertype, exclude_addresses=None)¶
- update_rules(ingress_rules, egress_rules)¶
Update firewall group with ingress/egress rules.
If a rule has a protocol field, it is normalized to a number here in order to ease later processing.
- class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.OFPort(port_dict, ovs_port, vlan_tag)¶
Bases:
object- property all_allowed_macs¶
- property ipv4_addresses¶
- property ipv6_addresses¶
- update(port_dict)¶
- class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.OVSFirewallDriver(agent_api, sg_with_ovs=False)¶
Bases:
FirewallL2DriverBase- REQUIRED_PROTOCOLS = ['OpenFlow10', 'OpenFlow11', 'OpenFlow12', 'OpenFlow13', 'OpenFlow14']¶
- add_flows_from_rules(port)¶
- create_firewall_group(ports_for_fwg, firewall_group)¶
Called when a firewall group is created.
- create_rules_generator_for_port(port)¶
Returns a generator emitting rules valid for further processing
Injects necessary fields to feed one-by-one to rules module to transform into valid openflow rules.
- delete_all_port_flows(port)¶
Delete all flows for given port
- delete_firewall_group(ports_for_fwg, firewall_group)¶
Called when a firewall group is deleted.
- filter_defer_apply_off()¶
Turn off deferral of rules and apply the rules now.
- filter_defer_apply_on()¶
Defer application of filtering rule.
- get_ofport(port)¶
- get_or_create_ofport(port)¶
Get ofport specified by port[‘device’], checking and reflecting ofport changes. If ofport is nonexistent, create and return one.
- get_ovs_port(port_id)¶
- static initialize_bridge(int_br)¶
- initialize_port_flows(port)¶
Set base flows for port
- Parameters:
port – OFPort instance
- is_port_managed(port)¶
- property ports¶
Returns filtered ports.
- prepare_port_filter(port)¶
- process_trusted_ports(ports)¶
Pass packets from these ports directly to ingress pipeline.
- provides_arp_spoofing_protection = True¶
- remove_port_filter(port)¶
Remove port from firewall
All flows related to this port are removed from ovs. Port is also removed from ports managed by this firewall.
- remove_trusted_ports(port_ids)¶
- update_firewall_group(ports_for_fwg, firewall_group)¶
Called when a firewall group is updated.
- update_firewall_group_rules(fwg_id, ingress_rules, egress_rules)¶
- update_port_filter(port)¶
Update rules for given port
Current existing filtering rules are removed and new ones are generated based on current loaded firewall group rules and members.
Note: port no security should be handled by security group in co-existence mode, otherwise fwg will handle it.
- neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.create_reg_numbers(flow_params)¶
Replace reg_(port|net) values with defined register numbers
