Add a config parameter to enable/disable iptables firewall implementation

Change-Id: I14b0fb11edd3d62d7e237cfad79b71a8bf86e855

gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/config.py

@@ -36,6 +36,10 @@ apic_opts = [
                 help=("This will enable purging all the resources including "
                       "the tenant once a keystone project.deleted "
                       "notification is received.")),
+    cfg.BoolOpt('enable_iptables_firewall',
+                default=False,
+                help=("This will enable the iptables firewall implementation "
+                      "on those compute nodes.")),
 ]
 
 

gbpservice/neutron/plugins/ml2plus/drivers/apic_aim/mechanism_driver.py

@@ -197,6 +197,8 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
                                                apic_optimized_dhcp_lease_time)
         self.enable_keystone_notification_purge = (cfg.CONF.ml2_apic_aim.
                                             enable_keystone_notification_purge)
+        self.enable_iptables_firewall = (cfg.CONF.ml2_apic_aim.
+                                         enable_iptables_firewall)
         local_api.QUEUE_OUT_OF_PROCESS_NOTIFICATIONS = True
         self._setup_default_arp_security_group_rules()
 
@@ -1700,10 +1702,13 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
                 return True
 
     def _complete_binding(self, context, segment):
+        enable_firewall = False
+        if self.enable_iptables_firewall:
+            enable_firewall = self.sg_enabled
         context.set_binding(
             segment[api.ID], portbindings.VIF_TYPE_OVS,
-            {portbindings.CAP_PORT_FILTER: False,
-             portbindings.OVS_HYBRID_PLUG: False})
+            {portbindings.CAP_PORT_FILTER: enable_firewall,
+             portbindings.OVS_HYBRID_PLUG: enable_firewall})
 
     @property
     def plugin(self):

gbpservice/neutron/tests/unit/plugins/ml2plus/test_apic_aim.py

@@ -3295,6 +3295,18 @@ class TestPortBinding(ApicAimTestCase):
         self.assertEqual({'port_filter': False, 'ovs_hybrid_plug': False},
                          port['binding:vif_details'])
 
+    def test_bind_opflex_agent_with_firewall_enabled(self):
+        self.driver.enable_iptables_firewall = True
+        self._register_agent('host1', AGENT_CONF_OPFLEX)
+        net = self._make_network(self.fmt, 'net1', True)
+        self._make_subnet(self.fmt, net, '10.0.1.1', '10.0.1.0/24')
+        port = self._make_port(self.fmt, net['network']['id'])['port']
+        port_id = port['id']
+        port = self._bind_port_to_host(port_id, 'host1')['port']
+        self.assertEqual('ovs', port['binding:vif_type'])
+        self.assertEqual({'port_filter': True, 'ovs_hybrid_plug': True},
+                         port['binding:vif_details'])
+
     def test_bind_unsupported_vnic_type(self):
         net = self._make_network(self.fmt, 'net1', True)
         self._make_subnet(self.fmt, net, '10.0.1.1', '10.0.1.0/24')