neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall module¶

class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.FWGPortMap¶

Bases: object

create_port(port, port_dict)¶

delete_fwg(fwg_id)¶

get_fwg(fwg_id)¶

get_or_create_fwg(fwg_id)¶

remove_port(port)¶

update_members(fwg_id, members)¶

update_port(port, port_dict)¶

update_rules(fwg_id, ingress_rules, egress_rules)¶

class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.FirewallGroup(id_)¶

Bases: object

get_ethertype_filtered_addresses(ethertype, exclude_addresses=None)¶

update_rules(ingress_rules, egress_rules)¶

Update firewall group with ingress/egress rules.

If a rule has a protocol field, it is normalized to a number here in order to ease later processing.

class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.OFPort(port_dict, ovs_port, vlan_tag)¶

Bases: object

all_allowed_macs¶

ipv4_addresses¶

ipv6_addresses¶

update(port_dict)¶

class neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.OVSFirewallDriver(agent_api, sg_with_ovs=False)¶

Bases: neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.driver_base.FirewallL2DriverBase

REQUIRED_PROTOCOLS = ['OpenFlow10', 'OpenFlow11', 'OpenFlow12', 'OpenFlow13', 'OpenFlow14']¶

add_flows_from_rules(port)¶

create_firewall_group(ports_for_fwg, firewall_group)¶

Called when a firewall group is created.

create_rules_generator_for_port(port)¶

Returns a generator emitting rules valid for further processing

Injects necessary fields to feed one-by-one to rules module to transform into valid openflow rules.

delete_all_port_flows(port)¶

Delete all flows for given port

delete_firewall_group(ports_for_fwg, firewall_group)¶

Called when a firewall group is deleted.

filter_defer_apply_off()¶

Turn off deferral of rules and apply the rules now.

filter_defer_apply_on()¶

Defer application of filtering rule.

get_ofport(port)¶

get_or_create_ofport(port)¶

Get ofport specified by port[‘device’], checking and reflecting ofport changes. If ofport is nonexistent, create and return one.

get_ovs_port(port_id)¶

static initialize_bridge(int_br)¶

initialize_port_flows(port)¶

Set base flows for port

Parameters:	port – OFPort instance

is_port_managed(port)¶

ports¶

prepare_port_filter(port)¶

process_trusted_ports(ports)¶

Pass packets from these ports directly to ingress pipeline.

provides_arp_spoofing_protection = True¶

remove_port_filter(port)¶

Remove port from firewall

All flows related to this port are removed from ovs. Port is also removed from ports managed by this firewall.

remove_trusted_ports(port_ids)¶

update_firewall_group(ports_for_fwg, firewall_group)¶

Called when a firewall group is updated.

update_firewall_group_rules(fwg_id, ingress_rules, egress_rules)¶

update_port_filter(port)¶

Update rules for given port

Current existing filtering rules are removed and new ones are generated based on current loaded firewall group rules and members.

Note: port no security should be handled by security group in co-existence mode, otherwise fwg will handle it.

neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.l2.openvswitch_firewall.firewall.create_reg_numbers(flow_params)¶

Replace reg_(port|net) values with defined register numbers