OpenvSwitch.rb

Modified file /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb - Oriol Marti, 03/02/2013 10:39 PM

       # -------------------------------------------------------------------------- #
       # Copyright 2002-2012, OpenNebula Project Leads (OpenNebula.org)             #
       #                                                                            #
       # Licensed under the Apache License, Version 2.0 (the "License"); you may    #
       # not use this file except in compliance with the License. You may obtain    #
       # a copy of the License at                                                   #
       #                                                                            #
       # http://www.apache.org/licenses/LICENSE-2.0                                 #
       #                                                                            #
       # Unless required by applicable law or agreed to in writing, software        #
       # distributed under the License is distributed on an "AS IS" BASIS,          #
       # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
       # See the License for the specific language governing permissions and        #
       # limitations under the License.                                             #
       #--------------------------------------------------------------------------- #
       require 'OpenNebulaNetwork'
       class OpenvSwitchVLAN < OpenNebulaNetwork
           FIREWALL_PARAMS =  [:black_ports_tcp,
                               :black_ports_udp,
                               :icmp]
           XPATH_FILTER = "TEMPLATE/NIC"
           def initialize(vm, deploy_id = nil, hypervisor = nil)
               super(vm,XPATH_FILTER,deploy_id,hypervisor)
           end
           def activate
               process do |nic|
                   @nic = nic
                   # Apply VLAN
                   tag_vlan if @nic[:vlan] == "YES"
                   # Prevent Mac-spoofing
                   mac_spoofing
                   # Apply Firewall
                   configure_fw if FIREWALL_PARAMS & @nic.keys != []
               end
               return 0
           end
           def deactivate
               process do |nic|
                   @nic = nic
                   # Remove flows
                   del_flows
               end
           end
           def tag_vlan
               cmd =  "#{COMMANDS[:ovs_vsctl]} set Port #{@nic[:tap]} "
               cmd << "tag=#{vlan}"
               run cmd
           end
           def mac_spoofing
               add_flow("in_port=#{port},dl_src=#{@nic[:mac]}",:normal,40000)
               add_flow("in_port=#{port}",:drop,39000)
           end
           def configure_fw
               # TCP
               if range = @nic[:black_ports_tcp]
                   if range? range
                       range.split(",").each do |p|
                           if @nic[:vlan] == "YES"
                               add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p},dl_vlan=#{vlan}",:drop)
                           else
                               add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)
                           end
                       end
                   end
               end
               # UDP
               if range = @nic[:black_ports_udp]
                   if range? range
                       range.split(",").each do |p|
                           if @nic[:vlan] == "YES"
                               add_flow("udp,dl_dst=#{@nic[:mac]},tp_dst=#{p},dl_vlan=#{vlan}",:drop)
                           else
                               add_flow("udp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)
                           end
                       end
                   end
               end
               # ICMP
               if @nic[:icmp]
                   if %w(no drop).include? @nic[:icmp].downcase
                       if @nic[:vlan] == "YES"
                           add_flow("icmp,dl_dst=#{@nic[:mac]},dl_vlan=#{vlan}",:drop)
                       else
                           add_flow("icmp,dl_dst=#{@nic[:mac]}",:drop)
                       end
                   end
               end
           end
           def del_flows
               in_port = ""
               dump_flows = "#{COMMANDS[:ovs_ofctl]} dump-flows #{@nic[:bridge]}"
               `#{dump_flows}`.lines do |flow|
                   next unless flow.match("#{@nic[:mac]}")
                   flow = flow.split.select{|e| e.match(@nic[:mac])}.first
                   if in_port.empty? and (m = flow.match(/in_port=(\d+)/))
                       in_port = m[1]
                   end
                   del_flow flow
               end
               del_flow "in_port=#{in_port}" if !in_port.empty?
           end
           def add_flow(filter,action,priority=nil)
               priority = (priority.to_s.empty? ? "" : "priority=#{priority},")
               run "#{COMMANDS[:ovs_ofctl]} add-flow " <<
                   "#{@nic[:bridge]} #{filter},#{priority}actions=#{action}"
           end
           def del_flow(filter)
               filter.gsub!(/priority=(\d+)/,"")
               run "#{COMMANDS[:ovs_ofctl]} del-flows " <<
                   "#{@nic[:bridge]} #{filter}"
           end
           def run(cmd)
               OpenNebula.exec_and_log(cmd)
           end
           def port
               return @nic[:port] if @nic[:port]
               dump_ports = `#{COMMANDS[:ovs_ofctl]} \
                             dump-ports #{@nic[:bridge]} #{@nic[:tap]}`
               @nic[:port] = dump_ports.scan(/^\s*port\s*(\d+):/).flatten.first
           end
           def vlan
               if @nic[:vlan_id]
                   return @nic[:vlan_id]
               else
                   return CONF[:start_vlan] + @nic[:network_id].to_i
               end
           end
           def range?(range)
               !range.match(/^\d+(,\d+)*$/).nil?
           end
       end