From 405694501df4e94e9498a9fb8cd44b1e5e905beb Mon Sep 17 00:00:00 2001
From: "yatin.kumbhare"
Date: Wed, 4 Feb 2015 15:23:30 +0530
Subject: [PATCH 1/2] Implementes filters for describe_network_acls Also, replace_network_acl_association api will not be functional without filters on describe_network_acls api. boto 2.12.0 doesn't support filters for describe_network_acls api. To support filters and replace_network_acl_association api, use boto 2.27.0 Not all filters are implemented for describe_network_acls. Remaining filters would be part of other commits
---
 nova/api/ec2/vpc.py | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/nova/api/ec2/vpc.py b/nova/api/ec2/vpc.py
index 3f201b6d2f4..641fd4b8157 100644
--- a/nova/api/ec2/vpc.py
+++ b/nova/api/ec2/vpc.py
@@ -1128,9 +1128,9 @@ def _populate_default_rule(self, direction, rule_idx, action):
 port_range = {'start_port': 0, 'end_port': 65535}
 rule = {'direction': '>', 'protocol': 'any',
- 'dst_addresses': [dst], 'action_list': None,
- 'rule_uuid': rule_uuid, 'dst_ports': [port_range],
- 'application': [], 'action_list': {'simple_action': action},
+ 'dst_addresses': [dst], 'rule_uuid': rule_uuid,
+ 'dst_ports': [port_range], 'application': [],
+ 'action_list': {'simple_action': action},
 'rule_sequence': None, 'src_addresses': [src],
 'src_ports': [port_range]}
@@ -1252,8 +1252,13 @@ def delete_network_acl(self, context, **kwargs):
 return {'return': 'true'}
 def describe_network_acls(self, context, **kwargs):
- if 'acl_id' in kwargs:
- acl_id = kwargs.get('acl_id')
+ if 'filter' in kwargs:
+ filters = kwargs['filter']
+ else:
+ filters = []
+
+ if 'network_acl_id' in kwargs:
+ acl_id = kwargs.get('network_acl_id')[0]
 acls = []
 neutron = neutronv2.get_client(context)
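Review bot: `acl_id = kwargs.get('network_acl_id')[0]` in describe_network_acls keeps only the first requested id, so a request naming several ACLs is answered as if it named one, with no error. The `[0]` suggests the parameter arrives as a list; if so, keep the whole set, `acl_ids = set(kwargs.get('network_acl_id') or [])`, and let the policy loop in the next hunk test `if acl_ids and pol['name'] not in acl_ids: continue`. The four-line `filter` lookup can be `filters = kwargs.get('filter', [])`. The function body continues outside this hunk.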
@@ -1264,7 +1269,7 @@ def describe_network_acls(self, context, **kwargs):
 for pol in policys['policys']:
 acl = {}
- if 'acl_id' in kwargs and pol['name'] != acl_id:
+ if 'network_acl_id' in kwargs and pol['name'] != acl_id:
 continue
 if not pol['name'].startswith('acl-'):
 continue
@@ -1329,6 +1334,28 @@ def describe_network_acls(self, context, **kwargs):
 acl['associationSet'].append(assoc)
 acls.append(acl)
+ # check for passed filters
+ idx_to_delete = []
+ for idx, entry in enumerate(acls):
+ for filter_entry in filters:
+ if filter_entry['name'] == 'vpc-id':
+ vpc_id = filter_entry['value']['1']
+ if entry['vpc_id'] != vpc_id:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'network-acl-ids':
+ acl_id = filter_entry['value']['1']
+ if entry['network_acl_id'] != acl_id:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'association.subnet-id':
+ subnet_id = filter_entry['value']['1']
+ if ('associationSet' not in entry or
+ entry['associationSet'][0]['subnetId'] != subnet_id):
+ idx_to_delete.append(idx)
+
+ # removing records, not matching filters
+ idx_to_delete = list(set(idx_to_delete))
+ for idx in idx_to_delete[::-1]:
+ del acls[idx]
 return {'networkAclSet': acls}
From 081455093ac32d7947a78a63822a9d1d4b0a8c76 Mon Sep 17 00:00:00 2001
From: "yatin.kumbhare"
Date: Fri, 13 Feb 2015 11:39:16 +0530
Subject: [PATCH 2/2] Implements filters for describe-network-acl
---
 nova/api/ec2/vpc.py | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 57 insertions(+), 5 deletions(-)
diff --git a/nova/api/ec2/vpc.py b/nova/api/ec2/vpc.py
index 641fd4b8157..d0e6a6fd4cb 100644
--- a/nova/api/ec2/vpc.py
+++ b/nova/api/ec2/vpc.py
@@ -1137,7 +1137,7 @@ def _populate_default_rule(self, direction, rule_idx, action):
 return rule
 def create_network_acl(self, context, **kwargs):
- vpc_id = kwargs.get('vpc_id')[0]
+ vpc_id = kwargs.get('vpc_id')
 # get project id
 tenant_id = self._get_tenantid_from_vpcid(vpc_id, context)
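Review bot: The removal loop at the end of the added filter block in describe_network_acls relies on `list(set(idx_to_delete))` coming back in ascending order, which a set does not guarantee; when the reversed list is not strictly descending, `del acls[idx]` removes the wrong ACL or raises IndexError, so the caller can receive ACLs the filter should have excluded. Iterate with `for idx in sorted(set(idx_to_delete), reverse=True):`, or build the result as a new list of the entries that passed. Two smaller gaps in the same block: only `filter_entry['value']['1']` is read, so any further filter values are ignored, and `entry['associationSet'][0]` checks only the first association and raises IndexError if the list can be present but empty. The same removal lines reappear as unchanged context in the last hunk of PATCH 2/2.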
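Review bot: `vpc_id = kwargs.get('vpc_id')` in create_network_acl now passes None straight to `_get_tenantid_from_vpcid` when the parameter is missing, and the tenant for the new ACL is derived from that call. The old `[0]` at least failed before the lookup; what the lookup does with None is not visible here. Reject the request first, e.g. `if not vpc_id:` followed by the API's usual missing-parameter error, and state in the commit message why the value changed from a list to a scalar. The function body continues outside the hunk.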
@@ -1275,10 +1275,10 @@ def describe_network_acls(self, context, **kwargs):
 continue
 acl['vpc_id'] = pol['fq_name'][1]
- acl['default'] = 'false'
+ acl['default'] = 'False'
 acl['network_acl_id'] = pol['name']
 if pol['name'] == 'acl-default':
- acl['default'] = 'true'
+ acl['default'] = 'True'
 acl['entrySet'] = []
 if pol['entries'] and 'policy_rule' in pol['entries']:
@@ -1296,7 +1296,7 @@ def describe_network_acls(self, context, **kwargs):
 entry['ruleAction'] = 'allow'
 if rule['rule_uuid'].startswith('egress-'):
- entry['egress'] = 'true'
+ entry['egress'] = True
 entry['portRange'] = {
 'from': rule['dst_ports'][0]['start_port'],
 'to': rule['dst_ports'][0]['end_port']}
@@ -1305,7 +1305,7 @@ def describe_network_acls(self, context, **kwargs):
 str(cidr['ip_prefix_len'])
 entry['cidrBlock'] = cidr_str
 else:
- entry['egress'] = 'false'
+ entry['egress'] = False
 cidr = rule['src_addresses'][0]['subnet']
 cidr_str = cidr['ip_prefix'] + '/' + \
 str(cidr['ip_prefix_len'])
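Review bot: `acl['default']` becomes the strings `'False'`/`'True'` in the first hunk while `entry['egress']` in the next two hunks becomes a real bool, so the two flags of one response are now typed differently and the text of `default` changes case for existing clients. The capitalised strings look like they exist only so that `str(default) not in entry['default']` in the later filter hunk matches, and that is a substring test: any value whose string form occurs inside 'True' or 'False' passes it. Use a bool here as well, `acl['default'] = pol['name'] == 'acl-default'`, and compare with `!=` in the filter. How the response serializer renders bools is not visible in this patch, so confirm the wire format stays lowercase.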
@@ -1351,6 +1351,58 @@ def describe_network_acls(self, context, **kwargs):
 if ('associationSet' not in entry or
 entry['associationSet'][0]['subnetId'] != subnet_id):
 idx_to_delete.append(idx)
+ if filter_entry['name'] == 'association.association-id':
+ assoc_id = filter_entry['value']['1']
+ if ('associationSet' not in entry or
+ entry['associationSet'][0]['networkAclAssociationId']
+ != assoc_id):
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'default':
+ default = filter_entry['value']['1']
+ if str(default) not in entry['default']:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.protocol':
+ protocol = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if protocol == rule['protocol']]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.cidr':
+ cidr = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if cidr == rule['cidrBlock']]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.rule-number':
+ rule_number = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if rule_number == int(rule['ruleNumber'])]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.rule-action':
+ rule_action = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if rule_action == rule['ruleAction']]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.port-range.from':
+ port_range_from = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if port_range_from == int(rule['portRange']['from'])]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.port-range.to':
+ port_range_to = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if port_range_to == int(rule['portRange']['to'])]
+ if not result:
+ idx_to_delete.append(idx)
+ if filter_entry['name'] == 'entry.egress':
+ egress = filter_entry['value']['1']
+ result = [ True for rule in entry['entrySet']
+ if egress == rule['egress']]
+ if not result:
+ idx_to_delete.append(idx)
 # removing records, not matching filters
 idx_to_delete = list(set(idx_to_delete))
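Review bot: A filter name that matches none of the `if filter_entry['name'] == …` branches is silently ignored, so a misspelt or unsupported filter returns every ACL instead of a narrowed set; for a call that lists network ACLs the safer behaviour is to reject the unknown name. The seven `entry.*` branches are the same six lines with a different field, and each builds a throwaway list (`[ True for rule …]`) where `any()` would do. A table of field accessors, as sketched below, removes the repetition and gives one place to handle unknown names; it keeps the existing key lookups, which still raise KeyError if a rule lacks the field. The enclosing loops start outside this hunk.

```python
# … unchanged: vpc-id, network-acl-ids, association.* and default filters …
ENTRY_FILTERS = {
    'entry.protocol': lambda rule: rule['protocol'],
    'entry.cidr': lambda rule: rule['cidrBlock'],
    'entry.rule-number': lambda rule: int(rule['ruleNumber']),
    'entry.rule-action': lambda rule: rule['ruleAction'],
    'entry.port-range.from': lambda rule: int(rule['portRange']['from']),
    'entry.port-range.to': lambda rule: int(rule['portRange']['to']),
    'entry.egress': lambda rule: rule['egress'],
}

field = ENTRY_FILTERS.get(filter_entry['name'])
if field is not None:
    wanted = filter_entry['value']['1']
    if not any(field(rule) == wanted for rule in entry['entrySet']):
        idx_to_delete.append(idx)
# a name matched by no branch should be rejected here, not ignored
```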