Revision b2791a77
b/snf-cyclades-app/conf/20-snf-cyclades-app-api.conf | ||
---|---|---|
49 | 49 |
#DEFAULT_MAC_FILTERED_BRIDGE = 'prv0' |
50 | 50 |
# |
51 | 51 |
# |
52 |
## Firewalling |
|
52 |
## Firewall tags should contain '%d' to be filled with the NIC |
|
53 |
## index. |
|
53 | 54 |
#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:0:protected' |
54 | 55 |
#GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:0:unprotected' |
55 | 56 |
#GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:0:limited' |
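Review bot: The three commented defaults directly under the new comment still read `'synnefo:network:0:protected'`, `'...:0:unprotected'` and `'...:0:limited'`, which contradicts the sentence just added saying firewall tags should contain '%d'. An operator who uncomments them gets templates with no placeholder, and the `_firewall_tags[profile] % index` formatting in logic/backend.py would then presumably raise TypeError instead of building a per-NIC tag (`_firewall_tags` is built outside the visible lines, so this is inferred). Update the examples to match app_settings/default/api.py, e.g. `#GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%d:protected'`.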
b/snf-cyclades-app/synnefo/api/servers.py | ||
---|---|---|
693 | 693 |
profile = args.get("profile") |
694 | 694 |
if profile is None: |
695 | 695 |
raise faults.BadRequest("Missing 'profile' attribute") |
696 |
servers.set_firewall_profile(vm, profile=profile) |
|
696 |
index = args.get("index", 0) |
|
697 |
servers.set_firewall_profile(vm, profile=profile, index=index) |
|
697 | 698 |
return HttpResponse(status=202) |
698 | 699 |
|
699 | 700 |
|
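Review bot: `index = args.get("index", 0)` takes the NIC index from the request body and passes it on with no type or range check. In logic/backend.py the value goes into `_firewall_tags[profile] % index` inside a `try` that only catches KeyError, so a non-numeric value would raise TypeError (likely a 500 unless something outside the visible code catches it). A negative or out-of-range integer would write a firewall tag for a NIC the server may not have. Reject it here with `if not isinstance(index, int) or index < 0:` followed by `raise faults.BadRequest("Invalid 'index' attribute")`, and ideally confirm the VM has a NIC at that index. The same gap exists in `set_firewall_profile` in logic/servers.py, which validates `profile` but not `index`; the enclosing API function starts outside this hunk.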
b/snf-cyclades-app/synnefo/app_settings/default/api.py | ||
---|---|---|
21 | 21 |
# network of this list. If the special network ID "SNF:ANY_PUBLIC" is used, |
22 | 22 |
# Cyclades will automatically choose a public network and connect the server to |
23 | 23 |
# it. |
24 |
DEFAULT_INSTANCE_NETWORKS=["SNF:ANY_PUBLIC"]
|
|
24 |
DEFAULT_INSTANCE_NETWORKS = ["SNF:ANY_PUBLIC"]
|
|
25 | 25 |
|
26 | 26 |
# Maximum allowed network size for private networks. |
27 | 27 |
MAX_CIDR_BLOCK = 22 |
... | ... | |
48 | 48 |
DEFAULT_MAC_FILTERED_BRIDGE = 'prv0' |
49 | 49 |
|
50 | 50 |
|
51 |
# Firewalling |
|
52 |
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:0:protected' |
|
53 |
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:0:unprotected' |
|
54 |
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:0:limited' |
|
51 |
# Firewalling. Firewall tags should contain '%d' to be filled with the NIC |
|
52 |
# index. |
|
53 |
GANETI_FIREWALL_ENABLED_TAG = 'synnefo:network:%d:protected' |
|
54 |
GANETI_FIREWALL_DISABLED_TAG = 'synnefo:network:%d:unprotected' |
|
55 |
GANETI_FIREWALL_PROTECTED_TAG = 'synnefo:network:%d:limited' |
|
55 | 56 |
|
56 | 57 |
# The default firewall profile that will be in effect if no tags are defined |
57 | 58 |
DEFAULT_FIREWALL_PROFILE = 'DISABLED' |
b/snf-cyclades-app/synnefo/logic/backend.py | ||
---|---|---|
761 | 761 |
dry_run=settings.TEST) |
762 | 762 |
|
763 | 763 |
|
764 |
def set_firewall_profile(vm, profile): |
|
764 |
def set_firewall_profile(vm, profile, index=0):
|
|
765 | 765 |
try: |
766 |
tag = _firewall_tags[profile] |
|
766 |
tag = _firewall_tags[profile] % index
|
|
767 | 767 |
except KeyError: |
768 | 768 |
raise ValueError("Unsopported Firewall Profile: %s" % profile) |
769 | 769 |
|
770 |
log.debug("Setting tag of VM %s to %s", vm, profile)
|
|
770 |
log.debug("Setting tag of VM %s, NIC index %d, to %s", vm, index, profile)
|
|
771 | 771 |
|
772 | 772 |
with pooled_rapi_client(vm) as client: |
773 |
# Delete all firewall tags |
|
774 |
for t in _firewall_tags.values(): |
|
775 |
client.DeleteInstanceTags(vm.backend_vm_id, [t], |
|
773 |
# Delete previous firewall tags |
|
774 |
old_tags = client.GetInstanceTags(vm.backend_vm_id) |
|
775 |
delete_tags = [(t % index) for t in _firewall_tags.values() |
|
776 |
if (t % index) in old_tags] |
|
777 |
if delete_tags: |
|
778 |
client.DeleteInstanceTags(vm.backend_vm_id, delete_tags, |
|
776 | 779 |
dry_run=settings.TEST) |
777 | 780 |
|
778 | 781 |
client.AddInstanceTags(vm.backend_vm_id, [tag], dry_run=settings.TEST) |
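Review bot: Between `DeleteInstanceTags` and `AddInstanceTags` the NIC carries no firewall tag at all, and the `delete_tags` list also includes the tag about to be re-added when the profile is unchanged. The settings comment says DEFAULT_FIREWALL_PROFILE ('DISABLED') is in effect when no tags are defined, so a failed add call, or the window between the two calls, leaves the interface on the default profile, which is fail-open. Consider adding the new tag first and deleting only the other profiles' tags afterwards; this assumes the component that reads the tags tolerates two tags briefly and that the RAPI jobs are applied in submission order, neither of which is visible here. The function may continue past the end of the hunk.

```python
    with pooled_rapi_client(vm) as client:
        # Add the new tag first so the NIC is never left without a firewall tag
        client.AddInstanceTags(vm.backend_vm_id, [tag], dry_run=settings.TEST)
        # Then drop only the other profiles' tags for this NIC index
        old_tags = client.GetInstanceTags(vm.backend_vm_id)
        stale_tags = [(t % index) for t in _firewall_tags.values()
                      if (t % index) != tag and (t % index) in old_tags]
        if stale_tags:
            client.DeleteInstanceTags(vm.backend_vm_id, stale_tags,
                                      dry_run=settings.TEST)
```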
b/snf-cyclades-app/synnefo/logic/servers.py | ||
---|---|---|
332 | 332 |
|
333 | 333 |
|
334 | 334 |
@server_command("SET_FIREWALL_PROFILE") |
335 |
def set_firewall_profile(vm, profile): |
|
336 |
log.info("Setting VM %s firewall %s", vm, profile)
|
|
335 |
def set_firewall_profile(vm, profile, index=0):
|
|
336 |
log.info("Setting VM %s, NIC index %s, firewall %s", vm, index, profile)
|
|
337 | 337 |
|
338 | 338 |
if profile not in [x[0] for x in NetworkInterface.FIREWALL_PROFILES]: |
339 | 339 |
raise faults.BadRequest("Unsupported firewall profile") |
340 |
backend.set_firewall_profile(vm, profile) |
|
340 |
backend.set_firewall_profile(vm, profile=profile, index=index)
|
|
341 | 341 |
return None |
342 | 342 |
|
343 | 343 |
|