The nova.virt.firewall Module

class FirewallDriver
    Bases: object

    Firewall Driver base class.

    Defines methods that any driver providing security groups should implement.

    apply_instance_filter(instance, network_info)
        Apply instance filter.

        Once this method returns, the instance should be firewalled appropriately. This method should as far as possible be a no-op. It's vastly preferred to get everything set up in prepare_instance_filter.

    filter_defer_apply_off()
        Turn off deferral of IPTables rules and apply the rules now.

    filter_defer_apply_on()
        Defer application of IPTables rules.

    instance_filter_exists(instance, network_info)
        Check nova-instance-instance-xxx exists.

    prepare_instance_filter(instance, network_info)
        Prepare filters for the instance.

        At this point, the instance isn't running yet.

    refresh_instance_security_rules(instance)
        Refresh security group rules from data store.

        Gets called when an instance gets added to or removed from the security group the instance is a member of, or if the group gains or loses a rule.

    refresh_security_group_rules(security_group_id)
        Refresh security group rules from data store.

        Gets called when a rule has been added to or removed from the security group.

    setup_basic_filtering(instance, network_info)
        Create rules to block spoofing and allow DHCP.

        This gets called when spawning an instance, before prepare_instance_filter().

    unfilter_instance(instance, network_info)
        Stop filtering instance.
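The base-class docstrings above describe a lifecycle (setup_basic_filtering, then prepare_instance_filter, then a near no-op apply_instance_filter, refreshes on group changes, unfilter_instance at the end) and a defer-on/defer-off batching contract. The following is an added example, not nova's own code: an in-memory stand-in driver with the same method names and signatures as the documented FirewallDriver, so the call order and the deferral semantics can be exercised without iptables or a running nova. The "nova-instance-<name>" chain name mirrors the convention quoted in instance_filter_exists; the rule match strings, the shape of the instance, network_info and security-group inputs, and the demo() walkthrough are all constructed for this example and are not nova's real objects or rule syntax.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule; match text is illustrative, not real iptables syntax."""
    chain: str
    source: str     # "basic" (anti-spoof / DHCP) or "sg" (security group)
    direction: str  # "out" for traffic the instance sends, "in" for traffic to it
    action: str     # "ACCEPT" or "DROP"
    match: str

    def render(self):
        return f"{self.chain}: {self.direction} {self.match} -> {self.action}"


class InMemoryFirewallDriver:
    """Constructed stand-in for nova.virt.firewall.FirewallDriver (assumed interface)."""

    def __init__(self, security_groups):
        self.security_groups = security_groups  # {group: [(proto, port|None, cidr)]} (constructed)
        self.desired = {}    # chain -> [Rule]: what should be enforced
        self.applied = {}    # chain -> [Rule]: what is "in the kernel"
        self.members = {}    # chain -> (instance, network_info), kept for refreshes
        self.deferred = False
        self.apply_count = 0  # how many times the ruleset was pushed

    @staticmethod
    def _chain(instance):
        return "nova-instance-" + instance["name"]

    def _apply(self):
        # While deferred, nothing reaches the "kernel"; filter_defer_apply_off pushes once.
        if self.deferred:
            return
        self.applied = {c: list(rs) for c, rs in self.desired.items()}
        self.apply_count += 1

    def filter_defer_apply_on(self):
        self.deferred = True

    def filter_defer_apply_off(self):
        self.deferred = False
        self._apply()

    def setup_basic_filtering(self, instance, network_info):
        """Block spoofing and allow DHCP: egress only from the instance's own MAC/IP."""
        chain = self._chain(instance)
        rules = [Rule(chain, "basic", "out", "ACCEPT", "udp sport 68 dport 67")]
        for vif in network_info:
            rules.append(Rule(chain, "basic", "out", "ACCEPT",
                              f"src {vif['ip']} mac {vif['mac']}"))
        rules.append(Rule(chain, "basic", "out", "DROP", "any"))  # spoofed source
        self.desired[chain] = rules
        self._apply()

    def instance_rules(self, instance, network_info):
        """Translate the instance's security groups into ingress allow rules plus default deny."""
        chain = self._chain(instance)
        rules = []
        for group in instance["security_groups"]:
            for proto, port, cidr in self.security_groups.get(group, []):
                match = f"{proto} src {cidr}" + (f" dport {port}" if port is not None else "")
                rules.append(Rule(chain, "sg", "in", "ACCEPT", match))
        rules.append(Rule(chain, "sg", "in", "DROP", "any"))
        return rules

    def prepare_instance_filter(self, instance, network_info):
        chain = self._chain(instance)
        basic = [r for r in self.desired.get(chain, []) if r.source == "basic"]
        self.desired[chain] = basic + self.instance_rules(instance, network_info)
        self.members[chain] = (instance, network_info)
        self._apply()

    def apply_instance_filter(self, instance, network_info):
        return None  # no-op, as the base class docstring recommends

    def instance_filter_exists(self, instance, network_info):
        return self._chain(instance) in self.applied

    def refresh_instance_security_rules(self, instance):
        _, network_info = self.members[self._chain(instance)]
        self.prepare_instance_filter(instance, network_info)

    def refresh_security_group_rules(self, security_group_id):
        for instance, _ in list(self.members.values()):
            if security_group_id in instance["security_groups"]:
                self.refresh_instance_security_rules(instance)

    def unfilter_instance(self, instance, network_info):
        chain = self._chain(instance)
        self.desired.pop(chain, None)
        self.members.pop(chain, None)
        self._apply()

    def rendered(self, instance):
        return [r.render() for r in self.applied.get(self._chain(instance), [])]


def demo():
    """Spawn one instance under deferral, then react to a group gaining a rule (constructed data)."""
    groups = {"web": [("tcp", 80, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")]}
    drv = InMemoryFirewallDriver(groups)
    inst = {"name": "instance-00000001", "security_groups": ["web"]}
    nets = [{"mac": "fa:16:3e:00:00:01", "ip": "10.0.0.5"}]

    drv.filter_defer_apply_on()
    drv.setup_basic_filtering(inst, nets)
    drv.prepare_instance_filter(inst, nets)
    drv.apply_instance_filter(inst, nets)
    before = (drv.apply_count, drv.instance_filter_exists(inst, nets))  # nothing pushed yet
    drv.filter_defer_apply_off()
    after = (drv.apply_count, drv.instance_filter_exists(inst, nets))   # one batched push

    groups["web"].append(("udp", 53, "10.0.0.0/8"))  # the group gains a rule
    drv.refresh_security_group_rules("web")
    return {"before": before, "after": after, "final": drv.apply_count,
            "rules": drv.rendered(inst)}


if __name__ == "__main__":
    for line in demo()["rules"]:
        print(line)
```

The point the stand-in makes visible is that the whole spawn sequence produces a single push when wrapped in filter_defer_apply_on/off, and that a group change is reflected by re-running prepare_instance_filter for every member while the anti-spoof rules from setup_basic_filtering are kept in place.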
class IptablesFirewallDriver(**kwargs)
    Bases: nova.virt.firewall.FirewallDriver

    Driver which enforces security groups through iptables rules.

    add_filters_for_instance(instance, network_info, inst_ipv4_rules, inst_ipv6_rules)

    apply_instance_filter(instance, network_info)
        No-op. Everything is done in prepare_instance_filter.

    do_refresh_instance_rules(instance)

    do_refresh_security_group_rules(security_group)

    filter_defer_apply_off()

    filter_defer_apply_on()

    instance_filter_exists(instance, network_info)

    instance_rules(instance, network_info)

    prepare_instance_filter(instance, network_info)

    refresh_instance_security_rules(instance)

    refresh_security_group_rules(security_group)

    remove_filters_for_instance(instance)

    setup_basic_filtering(instance, network_info)

    unfilter_instance(instance, network_info)
class NoopFirewallDriver(*args, **kwargs)
    Bases: object

    Firewall driver which just provides No-op methods.

    instance_filter_exists(instance, network_info)

load_driver(default, *args, **kwargs)