262 |
262 |
263 # for each of the internal ports, add Policy Based |
263 # for each of the internal ports, add Policy Based |
264 # Routing (PBR) rule |
264 # Routing (PBR) rule |
265 for port in ri.internal_ports: |
265 for port in ri.internal_ports: |
266 internal_dlname = self.get_internal_device_name(port['id']) |
266 internal_dlname = self.get_internal_device_name(port['id']) |
267 rules = ['pass in on %s to %s:%s from any to any' % |
267 rules = ['pass in on %s to %s:%s from any to !%s' % |
268 (internal_dlname, external_dlname, gw_ip)] |
268 (internal_dlname, external_dlname, gw_ip, |
|
269 port['subnet']['cidr'])] |
269 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
270 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
270 ri.ipfilters_manager.add_ipf_rules(rules, ipversion) |
271 ri.ipfilters_manager.add_ipf_rules(rules, ipversion) |
271 |
272 |
272 def external_gateway_removed(self, ri, ex_gw_port, |
273 def external_gateway_removed(self, ri, ex_gw_port, |
273 external_dlname, internal_cidrs): |
274 external_dlname, internal_cidrs): |
275 gw_ip = ex_gw_port['subnet']['gateway_ip'] |
276 gw_ip = ex_gw_port['subnet']['gateway_ip'] |
276 if gw_ip: |
277 if gw_ip: |
277 # remove PBR rules |
278 # remove PBR rules |
278 for port in ri.internal_ports: |
279 for port in ri.internal_ports: |
279 internal_dlname = self.get_internal_device_name(port['id']) |
280 internal_dlname = self.get_internal_device_name(port['id']) |
280 rules = ['pass in on %s to %s:%s from any to any' % |
281 rules = ['pass in on %s to %s:%s from any to !%s' % |
281 (internal_dlname, external_dlname, gw_ip)] |
282 (internal_dlname, external_dlname, gw_ip, |
|
283 port['subnet']['cidr'])] |
282 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
284 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
283 ri.ipfilters_manager.remove_ipf_rules(rules, ipversion) |
285 ri.ipfilters_manager.remove_ipf_rules(rules, ipversion) |
284 |
286 |
285 cmd = ['/usr/bin/pfexec', '/usr/sbin/route', 'delete', 'default', |
287 cmd = ['/usr/bin/pfexec', '/usr/sbin/route', 'delete', 'default', |
286 gw_ip] |
288 gw_ip] |
357 # network |
359 # network |
358 ex_gw_port = ri.ex_gw_port |
360 ex_gw_port = ri.ex_gw_port |
359 ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None) |
361 ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None) |
360 if ex_gw_ip: |
362 if ex_gw_ip: |
361 external_dlname = self.get_external_device_name(ex_gw_port['id']) |
363 external_dlname = self.get_external_device_name(ex_gw_port['id']) |
362 rules.append('pass in on %s to %s:%s from any to any' % |
364 rules.append('pass in on %s to %s:%s from any to !%s' % |
363 (internal_dlname, external_dlname, ex_gw_ip)) |
365 (internal_dlname, external_dlname, ex_gw_ip, |
|
366 port_subnet)) |
364 |
367 |
365 ipversion = netaddr.IPNetwork(port_subnet).version |
368 ipversion = netaddr.IPNetwork(port_subnet).version |
366 ri.ipfilters_manager.add_ipf_rules(rules, ipversion) |
369 ri.ipfilters_manager.add_ipf_rules(rules, ipversion) |
367 |
370 |
368 def internal_network_removed(self, ri, port): |
371 def internal_network_removed(self, ri, port): |
382 # external network addition |
385 # external network addition |
383 ex_gw_port = ri.ex_gw_port |
386 ex_gw_port = ri.ex_gw_port |
384 ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None) |
387 ex_gw_ip = (ex_gw_port['subnet']['gateway_ip'] if ex_gw_port else None) |
385 if ex_gw_ip: |
388 if ex_gw_ip: |
386 external_dlname = self.get_external_device_name(ex_gw_port['id']) |
389 external_dlname = self.get_external_device_name(ex_gw_port['id']) |
387 rules.append('pass in on %s to %s:%s from any to any' % |
390 rules.append('pass in on %s to %s:%s from any to !%s' % |
388 (internal_dlname, external_dlname, ex_gw_ip)) |
391 (internal_dlname, external_dlname, ex_gw_ip, |
|
392 port_subnet)) |
389 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
393 ipversion = netaddr.IPNetwork(port['subnet']['cidr']).version |
390 ri.ipfilters_manager.remove_ipf_rules(rules, ipversion) |
394 ri.ipfilters_manager.remove_ipf_rules(rules, ipversion) |
391 |
395 |
392 # remove the ippool |
396 # remove the ippool |
393 ri.ipfilters_manager.remove_ippool(block_pname, None) |
397 ri.ipfilters_manager.remove_ippool(block_pname, None) |
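Review bot: The new `to !%s` exclusion in each PBR rule is built from the subnet of the single port the rule is written for, so if a router has more than one internal port, traffic from that port's subnet to another internal subnet still matches `from any to !<own cidr>` and, as far as these hunks show, would be policy-routed to the external gateway instead of being forwarded locally; if that is intended it deserves a comment, otherwise the exclusion probably needs to cover every internal subnet of `ri`. The same rule template is now duplicated in external_gateway_added, external_gateway_removed and the two internal_network_* hunks, and the remove paths only work if their string matches the added rule byte for byte, so a single helper such as `_pbr_rule(internal_dlname, external_dlname, gw_ip, cidr)` would keep add and remove in sync. A short why-comment at the first occurrence would also help, e.g. `# exclude the port's own subnet so intra-subnet traffic is not forced out via the gateway`. The enclosing functions of the first and third hunks (external_gateway_added and internal_network_removed) start outside the hunk.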