Lines Matching refs:port
56 PF-based logic to add the correct rules on a guest instance's port.
62 # List of ports which have a security group
77 def prepare_port_filter(self, port):
78 LOG.debug("Preparing device (%s) filter", port['device'])
79 self._setup_pf_rules(port)
81 def apply_port_filter(self, port):
88 def update_port_filter(self, port):
89 LOG.debug("Updating device (%s) filter", port['device'])
90 self._setup_pf_rules(port, update=True)
92 def remove_port_filter(self, port):
93 LOG.debug("Removing device (%s) filter", port['device'])
94 self.unfiltered_ports.pop(port['device'], None)
95 self.filtered_ports.pop(port['device'], None)
96 self._remove_rule_port_sec(port)
121 def _remove_rule_port_sec(self, port):
122 device_name = self.portid_to_devname.pop(port['id'], None)
124 LOG.info(_LI("Could not find port: %s. Failed to remove PF rules "
125 "for that port"), port['id'])
150 def _setup_pf_rules(self, port, update=False):
151 if not firewall.port_sec_enabled(port):
152 self.unfiltered_ports[port['device']] = port
153 self.filtered_ports.pop(port['device'], None)
154 self._remove_rule_port_sec(port)
156 self.filtered_ports[port['device']] = port
157 self.unfiltered_ports.pop(port['device'], None)
159 self._remove_rule_port_sec(port)
160 self._add_rules_by_security_group(port, firewall.INGRESS_DIRECTION)
161 self._add_rules_by_security_group(port, firewall.EGRESS_DIRECTION)
163 def _get_device_name(self, port):
165 device_name = bridge.get_port_by_id(port['id'])
182 def _select_sgr_by_direction(self, port, direction):
184 for rule in port.get('security_group_rules', [])
187 def _spoofing_rule(self, port, device_name, ipv4_rules, ipv6_rules):
191 ipv4_rules.append('pass out on %s proto udp from 0.0.0.0/32 port 68 '
192 'to 255.255.255.255/32 port 67 label "%s"' %
205 ipv4_rules.append('pass out on %s proto udp from port 68 to port 67 '
209 # Drop Router Advertisements from the port.
218 ipv6_rules.append('pass out on %s inet6 proto udp from port 546 '
219 'to port 547 label "%s"' %
224 ipv4_rules.append('block out quick on %s proto udp from port 67 '
225 'to port 68 label "%s"' %
228 'from port 547 to port 546 label "%s"' %
240 def _select_sg_rules_for_port(self, port, direction):
241 """Select rules from the security groups the port is member of."""
242 port_sg_ids = port.get('security_groups', [])
250 rule, port, direction))
253 def _expand_sg_rule_with_remote_ips(self, rule, port, direction):
258 port_ips = port.get('fixed_ips', [])
272 def _get_remote_sg_ids(self, port, direction=None):
273 sg_ids = port.get('security_groups', [])
284 def _add_pf_rules(self, port, device_name, direction, ipv4_pf_rules,
307 self.portid_to_devname[port['id']] = device_name
321 def _add_rules_by_security_group(self, port, direction):
322 LOG.debug("Adding rules for Port: %s", port)
324 device_name = self._get_device_name(port)
326 LOG.info(_LI("Could not find port: %s on the OVS bridge. Failed "
327 "to add PF rules for that port"), port['id'])
329 # select rules for current port and direction
330 security_group_rules = self._select_sgr_by_direction(port, direction)
331 security_group_rules += self._select_sg_rules_for_port(port, direction)
343 self._add_fixed_egress_rules(port, device_name, ipv4_pf_rules,
359 self._add_pf_rules(port, device_name, direction, ipv4_pf_rules,
362 def _add_fixed_egress_rules(self, port, device_name, ipv4_pf_rules,
364 self._spoofing_rule(port, device_name, ipv4_pf_rules, ipv6_pf_rules)
376 pf_rule.append('port %s' % port_range_min)
378 pf_rule.append('port %s:%s' % (port_range_min,