NVP Router: Do no perfom SNAT on E-W traffic
authorSalvatore Orlando <salv.orlando@gmail.com>
Wed, 27 Feb 2013 01:28:25 +0000 (02:28 +0100)
committerSalvatore Orlando <salv.orlando@gmail.com>
Wed, 27 Feb 2013 02:19:20 +0000 (03:19 +0100)
Bug 1130053

This patch ensures 'No SNAT' rules are enforced in order to avoid source
NATting of east-west traffic.

Change-Id: I967e72e7b6bc8e2763c0fbdf6deeafb43ff27f54

quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py
quantum/plugins/nicira/nicira_nvp_plugin/nvplib.py

index 3ec2ddda8e6d3adf05ab69f84a4ed95a99dcab41..93cc945e4996b5282516d9e2bf082518961c2c78 100644 (file)
@@ -71,6 +71,7 @@ from quantum.plugins.nicira.nicira_nvp_plugin import NvpApiClient
 from quantum.plugins.nicira.nicira_nvp_plugin import nvplib
 
 LOG = logging.getLogger("QuantumPlugin")
+NVP_NOSNAT_RULES_ORDER = 10
 NVP_FLOATINGIP_NAT_RULES_ORDER = 200
 NVP_EXTGW_NAT_RULES_ORDER = 255
 
@@ -1667,7 +1668,7 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
             cluster, context, router_id, port,
             "PatchAttachment", ls_port['uuid'],
             subnet_ids=[subnet_id])
-
+        subnet = self._get_subnet(context, subnet_id)
         # If there is an external gateway we need to configure the SNAT rule.
         # Fetch router from DB
         router = self._get_router(context, router_id)
@@ -1677,11 +1678,14 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
             # In that case we will consider only the first one
             if gw_port.get('fixed_ips'):
                 snat_ip = gw_port['fixed_ips'][0]['ip_address']
-                subnet = self._get_subnet(context, subnet_id)
                 nvplib.create_lrouter_snat_rule(
                     cluster, router_id, snat_ip, snat_ip,
                     order=NVP_EXTGW_NAT_RULES_ORDER,
                     match_criteria={'source_ip_addresses': subnet['cidr']})
+        nvplib.create_lrouter_nosnat_rule(
+            cluster, router_id,
+            order=NVP_NOSNAT_RULES_ORDER,
+            match_criteria={'destination_ip_addresses': subnet['cidr']})
 
         # Ensure the NVP logical router has a connection to a 'metadata access'
         # network (with a proxy listening on its DHCP port), by creating it
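Review bot: The new NoSourceNatRule call silently depends on NVP_NOSNAT_RULES_ORDER (10) taking precedence over the external-gateway SNAT rule (NVP_EXTGW_NAT_RULES_ORDER, 255) for traffic destined to this subnet, but nothing at the call site records that relationship, so reordering the constants would re-enable SNAT on east-west traffic without any failing check. I would add above the call `# Exempt traffic destined to this subnet from the ext-gw SNAT rule; NVP_NOSNAT_RULES_ORDER must stay below NVP_EXTGW_NAT_RULES_ORDER (assumes the lower order is evaluated first - confirm against the NVP rule semantics)`. It is also worth noting in the same comment that the rule is installed after the port attachment and the SNAT rule, so an API error here leaves the subnet attached with SNAT only until the interface is removed. The enclosing method starts and ends outside the hunk.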
@@ -1761,6 +1765,12 @@ class NvpPluginV2(db_base_plugin_v2.QuantumDbPluginV2,
                     cluster, router_id, "SourceNatRule",
                     max_num_expected=1, min_num_expected=1,
                     source_ip_addresses=subnet['cidr'])
+            # Relax the minimum expected number as the nosnat rules
+            # do not exist in 2.x deployments
+            nvplib.delete_nat_rules_by_match(
+                cluster, router_id, "NoSourceNatRule",
+                max_num_expected=1, min_num_expected=0,
+                destination_ip_addresses=subnet['cidr'])
             nvplib.delete_router_lport(cluster, router_id, lrouter_port_id)
         except NvpApiClient.ResourceNotFound:
             raise nvp_exc.NvpPluginException(
index 0bbabd5984a3e6a5361a288f6354be7e1b2ac895..6ca93fc0774ff995f32e1e97b2c5ea8cfedff612 100644 (file)
@@ -1124,6 +1124,11 @@ def _build_snat_rule_obj(min_src_ip, max_src_ip, nat_match_obj):
             "match": nat_match_obj}
 
 
+def create_lrouter_nosnat_rule_v2(cluster, _router_id, _match_criteria=None):
+    LOG.info(_("No SNAT rules cannot be applied as they are not available in "
+               "this version of the NVP platform"))
+
+
 def create_lrouter_snat_rule_v2(cluster, router_id,
                                 min_src_ip, max_src_ip, match_criteria=None):
 
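Review bot: The v2 stub's signature does not accept the keyword arguments the plugin passes: the call site uses `order=` and `match_criteria=`, while this function takes `_router_id` and `_match_criteria` and has no `order` parameter, so on a 2.x cluster the dispatch raises TypeError unless `version_dependent` filters unknown keywords, which is not visible here (the same mismatch already exists for create_lrouter_snat_rule_v2 below, so either the dispatcher filters or 2.x was already affected). Mirroring the v3 interface avoids the question: `def create_lrouter_nosnat_rule_v2(cluster, router_id, order=None, match_criteria=None):`. Since the practical effect of this no-op is that east-west traffic on 2.x remains source-NATted and the caller cannot tell from the `None` return, `LOG.warning` reads more appropriately than `LOG.info` for this message.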
@@ -1147,6 +1152,18 @@ def create_lrouter_dnat_rule_v2(cluster, router_id, dst_ip,
     return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
 
 
+def create_lrouter_nosnat_rule_v3(cluster, router_id, order=None,
+                                  match_criteria=None):
+    nat_match_obj = _create_nat_match_obj(**match_criteria)
+    nat_rule_obj = {
+        "type": "NoSourceNatRule",
+        "match": nat_match_obj
+    }
+    if order:
+        nat_rule_obj['order'] = order
+    return _create_lrouter_nat_rule(cluster, router_id, nat_rule_obj)
+
+
 def create_lrouter_snat_rule_v3(cluster, router_id, min_src_ip, max_src_ip,
                                 order=None, match_criteria=None):
     nat_match_obj = _create_nat_match_obj(**match_criteria)
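Review bot: The `match_criteria=None` default of create_lrouter_nosnat_rule_v3 is not usable, because `_create_nat_match_obj(**match_criteria)` raises TypeError as soon as the argument is omitted; create_lrouter_snat_rule_v3 has the same shape, so this is consistent but still a trap. For a NoSourceNatRule an unconstrained match would exempt all traffic from SNAT, so defaulting to an empty match is not the right fix either; rejecting the missing argument explicitly is safer: `if not match_criteria:` / `raise ValueError("match_criteria is required for a NoSourceNatRule")`. Separately, `if order:` drops an explicit order of 0 while any other value is forwarded; `if order is not None:` forwards every explicit value. create_lrouter_snat_rule_v3 continues outside the hunk.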
@@ -1182,6 +1199,11 @@ def create_lrouter_snat_rule(cluster, *args, **kwargs):
     pass
 
 
+@version_dependent
+def create_lrouter_nosnat_rule(cluster, *args, **kwargs):
+    pass
+
+
 def delete_nat_rules_by_match(cluster, router_id, rule_type,
                               max_num_expected,
                               min_num_expected=0,
@@ -1283,7 +1305,9 @@ NVPLIB_FUNC_DICT = {
     'create_lrouter_dnat_rule': {2: create_lrouter_dnat_rule_v2,
                                  3: create_lrouter_dnat_rule_v3},
     'create_lrouter_snat_rule': {2: create_lrouter_snat_rule_v2,
-                                 3: create_lrouter_snat_rule_v3}
+                                 3: create_lrouter_snat_rule_v3},
+    'create_lrouter_nosnat_rule': {2: create_lrouter_nosnat_rule_v2,
+                                   3: create_lrouter_nosnat_rule_v3}
 }