The nova.virt.firewall Module

class FirewallDriver
    Bases: object

    Firewall Driver base class.

    Defines methods that any driver providing security groups should implement.

    - apply_instance_filter(instance, network_info)
      Apply instance filter.
      Once this method returns, the instance should be firewalled appropriately. This method should as far as possible be a no-op. It's vastly preferred to get everything set up in prepare_instance_filter.

    - filter_defer_apply_off()
      Turn off deferral of IPTables rules and apply the rules now.

    - filter_defer_apply_on()
      Defer application of IPTables rules.

    - instance_filter_exists(instance, network_info)
      Check nova-instance-instance-xxx exists.

    - prepare_instance_filter(instance, network_info)
      Prepare filters for the instance.
      At this point, the instance isn't running yet.

    - refresh_instance_security_rules(instance)
      Refresh security group rules from data store.
      Gets called when an instance gets added to or removed from the security group the instance is a member of, or if the group gains or loses a rule.

    - refresh_security_group_rules(security_group_id)
      Refresh security group rules from data store.
      Gets called when a rule has been added to or removed from the security group.

    - setup_basic_filtering(instance, network_info)
      Create rules to block spoofing and allow DHCP.
      This gets called when spawning an instance, before prepare_instance_filter().

    - unfilter_instance(instance, network_info)
      Stop filtering instance.

class IptablesFirewallDriver(**kwargs)
    Bases: nova.virt.firewall.FirewallDriver

    Driver which enforces security groups through iptables rules.

    - add_filters_for_instance(instance, network_info, inst_ipv4_rules, inst_ipv6_rules)

    - apply_instance_filter(instance, network_info)
      No-op. Everything is done in prepare_instance_filter.

    - do_refresh_instance_rules(instance)

    - do_refresh_security_group_rules(security_group)

    - filter_defer_apply_off()

    - filter_defer_apply_on()

    - instance_filter_exists(instance, network_info)

    - instance_rules(instance, network_info)

    - prepare_instance_filter(instance, network_info)

    - refresh_instance_security_rules(instance)

    - refresh_security_group_rules(security_group)

    - remove_filters_for_instance(instance)

    - setup_basic_filtering(instance, network_info)

    - unfilter_instance(instance, network_info)

class NoopFirewallDriver(*args, **kwargs)
    Bases: object

    Firewall driver which just provides No-op methods.

    - instance_filter_exists(instance, network_info)

load_driver(default, *args, **kwargs)
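The FirewallDriver contract above (anti-spoof and DHCP rules first, all the work in prepare_instance_filter, apply_instance_filter as a no-op, and batched commits between filter_defer_apply_on and filter_defer_apply_off) is easier to see in a small implementation. The following is an added example, not nova's own code: nova is not imported, the Instance, SecurityGroup and network_info shapes are constructed here, and the rules are kept as illustrative iptables-like strings that are never executed. The per-instance chain name is likewise an assumption modelled on the nova-instance-instance-xxx check mentioned in the docs.

```python
# Added example, not nova's own code: an in-memory driver that follows the
# FirewallDriver contract documented above. Assumptions: nova is not imported,
# instances/groups/network_info are constructed stand-ins, and rules are
# iptables-like strings held in memory rather than applied to a host.
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    id: str
    rules: list = field(default_factory=list)  # (proto, dport) allowed inbound


@dataclass
class Instance:
    uuid: str
    security_groups: list  # ids of the groups the instance belongs to


class InMemoryFirewallDriver:
    """Implements the documented method set: prepare_* does the work,
    apply_* is a no-op, filter_defer_apply_on/off batch the commits."""

    def __init__(self, groups):
        self.groups = {g.id: g for g in groups}
        self.chains = {}      # chain name -> rules currently in effect
        self._basic = {}      # chain name -> anti-spoof / DHCP rules
        self._instances = {}  # chain name -> Instance, for group refreshes
        self._staged = {}     # rules waiting while deferral is on
        self._deferred = False

    @staticmethod
    def chain_for(instance):
        # Constructed chain name, modelled on the nova-instance-instance-xxx check.
        return f"nova-instance-{instance.uuid}"

    def _commit(self, chain, rules):
        # While deferred, stage instead of applying; off() flushes the stage.
        (self._staged if self._deferred else self.chains)[chain] = rules

    def _rebuild(self, instance):
        # Full chain: basic rules, one ACCEPT per group rule, then default DROP.
        chain = self.chain_for(instance)
        rules = list(self._basic.get(chain, []))
        for gid in instance.security_groups:
            for proto, dport in self.groups[gid].rules:
                rules.append(f"-A {chain} -p {proto} --dport {dport} -j ACCEPT")
        rules.append(f"-A {chain} -j DROP")
        self._commit(chain, rules)

    # --- FirewallDriver interface ---
    def setup_basic_filtering(self, instance, network_info):
        """Block MAC/IP spoofing and allow DHCP replies, before prepare_instance_filter."""
        chain = self.chain_for(instance)
        rules = []
        for vif in network_info:
            rules.append(f"-A {chain} -p udp --sport 67 --dport 68 -j ACCEPT")
            rules.append(f"-A {chain} -m mac ! --mac-source {vif['mac']} -j DROP")
            rules.append(f"-A {chain} ! -s {vif['ip']} -j DROP")
        self._basic[chain] = rules
        self._instances[chain] = instance
        self._commit(chain, rules)

    def prepare_instance_filter(self, instance, network_info):
        """The instance is not running yet; build the whole chain here."""
        self._rebuild(instance)

    def apply_instance_filter(self, instance, network_info):
        """No-op by design: everything was set up in prepare_instance_filter."""

    def instance_filter_exists(self, instance, network_info):
        return self.chain_for(instance) in self.chains

    def refresh_security_group_rules(self, security_group_id):
        for inst in list(self._instances.values()):
            if security_group_id in inst.security_groups:
                self._rebuild(inst)

    def refresh_instance_security_rules(self, instance):
        self._rebuild(instance)

    def filter_defer_apply_on(self):
        self._deferred = True

    def filter_defer_apply_off(self):
        self._deferred = False
        self.chains.update(self._staged)
        self._staged.clear()

    def unfilter_instance(self, instance, network_info):
        chain = self.chain_for(instance)
        for table in (self.chains, self._basic, self._instances, self._staged):
            table.pop(chain, None)
```

The deferral pair is the part worth copying: a driver that refreshes many instance chains after a group change should stage them between filter_defer_apply_on and filter_defer_apply_off so the host sees one consistent update instead of a window in which some chains carry the old rules and some the new.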