The nova.virt.firewall Module

class FirewallDriver(virtapi)

Bases: object

Firewall Driver base class.

Defines methods that any driver providing security groups and provider firewall functionality should implement.

apply_instance_filter(instance, network_info)

Apply instance filter.

Once this method returns, the instance should be firewalled appropriately. This method should as far as possible be a no-op. It’s vastly preferred to get everything set up in prepare_instance_filter.

filter_defer_apply_off()

Turn off deferral of IPTables rules and apply the rules now.

filter_defer_apply_on()

Defer application of IPTables rules.

instance_filter_exists(instance, network_info)

Check that the per-instance filter (named nova-instance-instance-xxx after the instance) exists.

prepare_instance_filter(instance, network_info)

Prepare filters for the instance.

At this point, the instance isn’t running yet.

refresh_instance_security_rules(instance)

Refresh security group rules from the data store.

Gets called when the instance gets added to or removed from a security group, or when a group the instance is a member of gains or loses a rule.

refresh_provider_fw_rules()

Refresh common rules for all hosts/instances from data store.

Gets called when a rule has been added to or removed from the list of rules (via admin api).

refresh_security_group_members(security_group_id)

Refresh security group members from the data store.

Gets called when an instance gets added to or removed from the security group.

refresh_security_group_rules(security_group_id)

Refresh security group rules from the data store.

Gets called when a rule has been added to or removed from the security group.

setup_basic_filtering(instance, network_info)

Create rules to block spoofing and allow dhcp.

This gets called when spawning an instance, before prepare_instance_filter().

unfilter_instance(instance, network_info)

Stop filtering instance.
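The base class above only states the contract; the following is an added, self-contained example (not nova's own code) of a FirewallDriver subclass that keeps its rules in memory so the lifecycle can be exercised offline: setup_basic_filtering, then prepare_instance_filter, then the no-op apply_instance_filter, the filter_defer_apply_on/off batching that IptablesFirewallDriver also exposes, and finally unfilter_instance. The rule format, the instance and network_info dicts, the FakeVirtAPI stub and its rules_for method, and the verdict helper are all constructed for this example; the real driver talks to iptables and to nova's data store instead.

```python
"""Added example: an in-memory FirewallDriver that mirrors nova's method names.

Egress traffic from a VIF is checked against an anti-spoof chain (only the
VIF's own MAC/IP, plus DHCP, may leave); ingress traffic is checked against
the security-group chain (default deny). Nothing here touches iptables.
"""
import copy


class FirewallDriver:
    """Stand-in for nova.virt.firewall.FirewallDriver (assumed constructor shape)."""

    def __init__(self, virtapi):
        self.virtapi = virtapi


class FakeVirtAPI:
    """Constructed stand-in for the data-store lookups a real driver performs."""

    def __init__(self, groups):
        self.groups = groups  # security group name -> list of rule dicts

    def rules_for(self, instance):
        return [r for g in instance["security_groups"] for r in self.groups.get(g, [])]


def _matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")


class RecordingFirewallDriver(FirewallDriver):
    def __init__(self, virtapi):
        super().__init__(virtapi)
        self.pending = {}   # uuid -> {"egress": [...], "ingress": [...]} being built
        self.live = {}      # uuid -> chains the "kernel" currently enforces
        self._defer = False

    def _sync(self):
        """Push pending chains into the enforced set unless deferral is on."""
        if not self._defer:
            self.live = copy.deepcopy(self.pending)

    def filter_defer_apply_on(self):
        self._defer = True

    def filter_defer_apply_off(self):
        self._defer = False
        self._sync()

    def setup_basic_filtering(self, instance, network_info):
        """Block spoofing and allow DHCP; runs before prepare_instance_filter()."""
        egress = []
        for vif in network_info:
            # DHCP discover/request must pass before the VIF has an address.
            egress.append({"proto": "udp", "sport": 68, "dport": 67, "target": "ACCEPT"})
            # Only frames carrying this VIF's own MAC and IP may leave it.
            egress.append({"src": vif["ip"], "mac": vif["mac"], "target": "ACCEPT"})
        egress.append({"target": "DROP"})  # anything else is a spoof attempt
        self.pending.setdefault(instance["uuid"], {})["egress"] = egress
        self._sync()

    def prepare_instance_filter(self, instance, network_info):
        """Build the security-group chain while the instance is not yet running."""
        self.pending.setdefault(instance["uuid"], {})["ingress"] = self._sg_chain(instance)
        self._sync()

    def apply_instance_filter(self, instance, network_info):
        pass  # no-op by design: prepare_instance_filter already did the work

    def refresh_instance_security_rules(self, instance):
        if instance["uuid"] in self.pending:
            self.pending[instance["uuid"]]["ingress"] = self._sg_chain(instance)
            self._sync()

    def _sg_chain(self, instance):
        rules = [dict(r, target="ACCEPT") for r in self.virtapi.rules_for(instance)]
        rules.append({"target": "DROP"})  # default deny for ingress
        return rules

    def instance_filter_exists(self, instance, network_info):
        return instance["uuid"] in self.live

    def unfilter_instance(self, instance, network_info):
        self.pending.pop(instance["uuid"], None)
        self._sync()

    def verdict(self, uuid, pkt):
        """First matching rule wins; no filter at all fails closed in this model."""
        chain = "egress" if pkt["dir"] == "out" else "ingress"
        for rule in self.live.get(uuid, {}).get(chain, []):
            if _matches(rule, pkt):
                return rule["target"]
        return "DROP"


if __name__ == "__main__":
    api = FakeVirtAPI({"web": [{"proto": "tcp", "dport": 80}]})
    drv = RecordingFirewallDriver(api)
    inst = {"uuid": "i-1", "security_groups": ["web"]}
    net = [{"mac": "fa:16:3e:00:00:01", "ip": "10.0.0.5"}]  # constructed
    drv.setup_basic_filtering(inst, net)
    drv.prepare_instance_filter(inst, net)
    drv.apply_instance_filter(inst, net)
    print(drv.verdict("i-1", {"dir": "in", "proto": "tcp", "dport": 80}))
    print(drv.verdict("i-1", {"dir": "out", "src": "10.0.0.9", "mac": net[0]["mac"]}))
```

The deferral pair matters operationally: a refresh that arrives while filter_defer_apply_on() is active updates only the pending chains, so a burst of security group changes is applied once, by filter_defer_apply_off(), rather than rewriting the enforced rule set after every event.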

class IptablesFirewallDriver(virtapi, **kwargs)

Bases: nova.virt.firewall.FirewallDriver

Driver which enforces security groups through iptables rules.

add_filters_for_instance(instance, network_info, inst_ipv4_rules, inst_ipv6_rules)
apply_instance_filter(instance, network_info)

No-op. Everything is done in prepare_instance_filter.

do_refresh_instance_rules(instance)
do_refresh_security_group_rules(security_group)
filter_defer_apply_off()
filter_defer_apply_on()
instance_filter_exists(instance, network_info)
instance_rules(instance, network_info)
prepare_instance_filter(instance, network_info)
refresh_instance_security_rules(instance)
refresh_provider_fw_rules()

See FirewallDriver docs.

refresh_security_group_members(security_group)
refresh_security_group_rules(security_group)
remove_filters_for_instance(instance)
setup_basic_filtering(instance, network_info)
unfilter_instance(instance, network_info)
class NoopFirewallDriver(*args, **kwargs)

Bases: object

Firewall driver which just provides No-op methods.

instance_filter_exists(instance, network_info)

load_driver(default, *args, **kwargs)

Module-level function: import and instantiate the configured firewall driver class, falling back to default when no driver is configured; args and kwargs are passed to the driver's constructor.
