Also add those DHCP rules to the default SG

We need this when the optimized DHCP is off.

Change-Id: I830a36cda43088a44ebbec8e828d6f55a2088dc7
Kent Wu 2017-11-22 16:33:15 -08:00
parent 6a7e95e0b8
commit 0f46a0d9d3
2 changed files with 72 additions and 6 deletions


@ -205,9 +205,9 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self._ensure_common_tenant(aim_ctx)
self._ensure_unrouted_vrf(aim_ctx)
self._ensure_any_filter(aim_ctx)
self._setup_default_arp_security_group_rules(aim_ctx)
self._setup_default_arp_dhcp_security_group_rules(aim_ctx)
def _setup_default_arp_security_group_rules(self, aim_ctx):
def _setup_default_arp_dhcp_security_group_rules(self, aim_ctx):
sg_name = self._default_sg_name
dname = aim_utils.sanitize_display_name('DefaultSecurityGroup')
sg = aim_resource.SecurityGroup(
@ -221,7 +221,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self.aim.create(aim_ctx, sg_subject, overwrite=True)
dname = aim_utils.sanitize_display_name(
'DefaultSecurityGroupEgressRule')
'DefaultSecurityGroupArpEgressRule')
arp_egress_rule = aim_resource.SecurityGroupRule(
tenant_name=COMMON_TENANT_NAME,
security_group_name=sg_name,
@ -234,7 +234,7 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
self.aim.create(aim_ctx, arp_egress_rule, overwrite=True)
dname = aim_utils.sanitize_display_name(
'DefaultSecurityGroupIngressRule')
'DefaultSecurityGroupArpIngressRule')
arp_ingress_rule = aim_resource.SecurityGroupRule(
tenant_name=COMMON_TENANT_NAME,
security_group_name=sg_name,
@ -246,6 +246,38 @@ class ApicMechanismDriver(api_plus.MechanismDriver,
conn_track='normal')
self.aim.create(aim_ctx, arp_ingress_rule, overwrite=True)
dname = aim_utils.sanitize_display_name(
'DefaultSecurityGroupDhcpEgressRule')
dhcp_egress_rule = aim_resource.SecurityGroupRule(
tenant_name=COMMON_TENANT_NAME,
security_group_name=sg_name,
security_group_subject_name='default',
name='dhcp_egress',
display_name=dname,
direction='egress',
ethertype='ipv4',
ip_protocol='udp',
from_port='67',
to_port='67',
conn_track='normal')
self.aim.create(aim_ctx, dhcp_egress_rule, overwrite=True)
dname = aim_utils.sanitize_display_name(
'DefaultSecurityGroupDhcpIngressRule')
dhcp_ingress_rule = aim_resource.SecurityGroupRule(
tenant_name=COMMON_TENANT_NAME,
security_group_name=sg_name,
security_group_subject_name='default',
name='dhcp_ingress',
display_name=dname,
direction='ingress',
ethertype='ipv4',
ip_protocol='udp',
from_port='68',
to_port='68',
conn_track='normal')
self.aim.create(aim_ctx, dhcp_ingress_rule, overwrite=True)
def _setup_keystone_notification_listeners(self):
targets = [oslo_messaging.Target(
exchange=self.keystone_notification_exchange,
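Review bot: The `dhcp_ingress` rule added at the end of `_setup_default_arp_dhcp_security_group_rules` is created without `remote_ips`, so as far as the visible rule shows it admits UDP to port 68 from any source rather than only from the network's DHCP server, which exposes members of the default group to rogue or spoofed DHCP replies from other endpoints. The commit message says the rules are needed only when optimized DHCP is off, yet both new `self.aim.create(...)` calls run unconditionally; consider creating them only in that mode, or narrowing the ingress source where the DHCP server addresses are known. At minimum, add a comment above the two rules, e.g. `# DHCP client traffic (UDP 67/68); required when optimized DHCP is off. Ingress is not source-restricted.` Only IPv4 is covered, so DHCPv6 would presumably need its own pair of rules if it is expected to work in the same mode. Parts of the function lie between the hunks shown.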


@ -859,7 +859,7 @@ class TestAimMapping(ApicAimTestCase):
self.assertEqual('default', sg_rule.security_group_subject_name)
self.assertEqual('arp_egress', sg_rule.name)
self.assertEqual(
'DefaultSecurityGroupEgressRule', sg_rule.display_name)
'DefaultSecurityGroupArpEgressRule', sg_rule.display_name)
self.assertEqual('egress', sg_rule.direction)
self.assertEqual('arp', sg_rule.ethertype)
self.assertEqual([], sg_rule.remote_ips)
@ -875,7 +875,7 @@ class TestAimMapping(ApicAimTestCase):
self.assertEqual('default', sg_rule.security_group_subject_name)
self.assertEqual('arp_ingress', sg_rule.name)
self.assertEqual(
'DefaultSecurityGroupIngressRule', sg_rule.display_name)
'DefaultSecurityGroupArpIngressRule', sg_rule.display_name)
self.assertEqual('ingress', sg_rule.direction)
self.assertEqual('arp', sg_rule.ethertype)
self.assertEqual([], sg_rule.remote_ips)
@ -883,6 +883,40 @@ class TestAimMapping(ApicAimTestCase):
self.assertEqual('unspecified', sg_rule.to_port)
self.assertEqual('normal', sg_rule.conn_track)
# Check DHCP egress SecurityGroupRule.
sg_rule = self._get_sg_rule(
'dhcp_egress', 'default', sg_aname, 'common')
self.assertEqual('common', sg_rule.tenant_name)
self.assertEqual(sg_aname, sg_rule.security_group_name)
self.assertEqual('default', sg_rule.security_group_subject_name)
self.assertEqual('dhcp_egress', sg_rule.name)
self.assertEqual(
'DefaultSecurityGroupDhcpEgressRule', sg_rule.display_name)
self.assertEqual('egress', sg_rule.direction)
self.assertEqual('ipv4', sg_rule.ethertype)
self.assertEqual('udp', sg_rule.ip_protocol)
self.assertEqual([], sg_rule.remote_ips)
self.assertEqual('67', sg_rule.from_port)
self.assertEqual('67', sg_rule.to_port)
self.assertEqual('normal', sg_rule.conn_track)
# Check DHCP ingress SecurityGroupRule.
sg_rule = self._get_sg_rule(
'dhcp_ingress', 'default', sg_aname, 'common')
self.assertEqual('common', sg_rule.tenant_name)
self.assertEqual(sg_aname, sg_rule.security_group_name)
self.assertEqual('default', sg_rule.security_group_subject_name)
self.assertEqual('dhcp_ingress', sg_rule.name)
self.assertEqual(
'DefaultSecurityGroupDhcpIngressRule', sg_rule.display_name)
self.assertEqual('ingress', sg_rule.direction)
self.assertEqual('ipv4', sg_rule.ethertype)
self.assertEqual('udp', sg_rule.ip_protocol)
self.assertEqual([], sg_rule.remote_ips)
self.assertEqual('68', sg_rule.from_port)
self.assertEqual('68', sg_rule.to_port)
self.assertEqual('normal', sg_rule.conn_track)
def test_network_lifecycle(self):
# Test create.
net = self._make_network(self.fmt, 'net1', True)['network']
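Review bot: The two new DHCP checks in the last hunk are the same block of assertions copied twice, differing only in rule name, display name, direction and port, which makes it easy for one copy to drift when the rule definition changes. A small helper on the test class would keep the expectations in one place, including `self.assertEqual([], sg_rule.remote_ips)`, which currently pins the unrestricted-source behaviour and would need updating if the driver rule is narrowed. The enclosing test method starts above the visible hunks, so the call site below is only a sketch of where the helper would be used.

```python
    def _check_dhcp_sg_rule(self, sg_aname, name, display_name,
                            direction, port):
        sg_rule = self._get_sg_rule(name, 'default', sg_aname, 'common')
        self.assertEqual('common', sg_rule.tenant_name)
        self.assertEqual(sg_aname, sg_rule.security_group_name)
        self.assertEqual('default', sg_rule.security_group_subject_name)
        self.assertEqual(name, sg_rule.name)
        self.assertEqual(display_name, sg_rule.display_name)
        self.assertEqual(direction, sg_rule.direction)
        self.assertEqual('ipv4', sg_rule.ethertype)
        self.assertEqual('udp', sg_rule.ip_protocol)
        self.assertEqual([], sg_rule.remote_ips)
        self.assertEqual(port, sg_rule.from_port)
        self.assertEqual(port, sg_rule.to_port)
        self.assertEqual('normal', sg_rule.conn_track)

        # … unchanged: ARP egress/ingress rule checks …
        self._check_dhcp_sg_rule(
            sg_aname, 'dhcp_egress',
            'DefaultSecurityGroupDhcpEgressRule', 'egress', '67')
        self._check_dhcp_sg_rule(
            sg_aname, 'dhcp_ingress',
            'DefaultSecurityGroupDhcpIngressRule', 'ingress', '68')
```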