Add file to the reno documentation build to show release notes for
stable/2024.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.
Sem-Ver: feature
Change-Id: If74eaf7f7d10994ec91e2ec676bb6eb4b2f484a6
Add file to the reno documentation build to show release notes for
stable/2023.2.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.
Sem-Ver: feature
Change-Id: I5f7c8b7b019852558289e94dd18d4867b033b3cb
Add file to the reno documentation build to show release notes for
stable/2023.1.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.
Sem-Ver: feature
Change-Id: I63a4a2131a6d569a120346dc20e8a413cdae93f4
Add file to the reno documentation build to show release notes for
stable/zed.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.
Sem-Ver: feature
Change-Id: I37f7771e52e7f6d624bedca57b8c5186bf6be0cb
In the Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.
[1] https://governance.openstack.org/tc/reference/runtimes/zed.html
Change-Id: Ib04b560408ccf22c86e899e15fbcbe86b53f636e
This reverts commit caae7b6a6f.
Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].
Some updates have been made:
* Remove use of the "autonested_transaction" method, see more in [2]
* Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
* Replace rootwrap execution with privsep context execution.
* Ensure db Models and migration scripts are in sync, set table
  firewall_group_port_associations_v2's two columns nullable=False
[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728
Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
It's sad but as we still don't have any maintainers for this project,
I think it's time to start the process of deprecating this as part of
the Neutron stadium.
Change-Id: I8c8fc6b5ab8a169a0f4a7d77153bb1dfc1530b8e
1. It's Ussuri. We can *finally* stop testing Python 2 [1]. Time to party.
We don't attempt any cleanup but simply stop testing with Python 2,
indicate that we only support Python 3 via 'setup.cfg' and remove any
Python 2 only dependencies.
This should free up a significant amount of resources from the gate and
let us start using Python 3 idioms in our code. Win-win.
2. Cleanup basepython from individual testenv sections
3. From this point on the codebase will be incompatible with python2
[1] https://governance.openstack.org/tc/resolutions/20180529-python2-deprecation-timeline.html#python2-deprecation-timeline
Change-Id: Ia08c363263aaa406d0bf55e10ce8258695387578
Add new options to neutron_fwaas.conf for use in Default firewall group
rules. Separate ingress and egress: action, source ipv4, source ipv6,
source port, destination ipv4, destination ipv6, destination port.
Shared options for ingress and egress: protocol, enabled and shared.
New options are used in _create_default_firewall_rules and the default
values are the same as before this change: ingress (deny all),
egress (allow all).
Change-Id: Ic48872f3b7dfd4a87065799b7d3656de3d06e4c3
Closes-Bug: #1799358
Add file to the reno documentation build to show release notes for
stable/stein.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.
Change-Id: Ieb0ff6ce51300e1ded939da4df5634e0683ef60a
Sem-Ver: feature
FWaaS V1 is expected to be deleted in the Stein cycle.
This patch introduces a new tool for the DB migration from FWaaS v1 to FWaaS V2.
Run this tool using: neutron-fwaas-migrate-v1-to-v2 --neutron-db-connection=<neutron database connection string>
Change-Id: I663c173a594137056c96ad4c4b60e810059fb6fa
As per German Eichberger's email at
https://markmail.org/message/2kva4b3lwgddyeau, this patch intends to
remove the source code related to FWaaS V1.
Change-Id: I4e440c854e5aa11193d38946e659481f4fefded2
Currently, the OVS-based FWaaS L2 driver only works correctly with
VM ports that land on compute nodes with:
* mechanism_drivers=openvswitch
* firewall_driver=noop or openvswitch for security group
If you try to add a VM port to a FWG, and the port lands on compute
nodes with:
* mechanism_drivers=linuxbridge and firewall_driver=iptables
* mechanism_drivers=openvswitch and firewall_driver=iptables_hybrid
then the FWaaS V2 API won't work correctly.
So this patch validates whether VM ports are fully supported by the FWaaS L2
driver at this moment. In the future, if the FWaaS L2 driver can support
not only hybrid ports but also other ports, we can remove this validation.
Change-Id: Ib0a85b55840d8dfe6bcae91484a0440902d3c49a
Closes-Bug: #1746855
Currently, auto-association of the default FWG works only one time and the
logic is broken if the new port is a DHCP port or router port. This patch
fixes the problem by validating whether a port is a VM port or not,
ignoring ports whose binding failed or that are unbound, and also adding
trusted port handling. In addition, from a security perspective, the
'auto_associate_default_firewall_group' CfgOpt is no longer used.
Automatic association of the default firewall group with VM ports
works by default.
Closes-Bug: #1746404
Co-Authored-By: Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com>
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd
In the ovsfw code, we've introduced new tables ACCEPTED_EGRESS_TRAFFIC_TABLE,
ACCEPTED_INGRESS_TRAFFIC_TABLE, DROPPED_TRAFFIC_TABLE for future
consumption like logging [1]. This patch adopts them in the OVS-based
firewall driver, so the issue related to security group logging, which is
specified in the release note of the co-existence patch, will be fixed.
[1] 65bde9f769
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Change-Id: Ie673de416b67aceb2401d6fb8485dcb4f36a3d07
The default fwg will be applied to all new VM ports within
a project if option auto_association_default_firewall_group
is enabled. This provides a way for a tenant network admin
to define a tenant wide firewall policy that applies to all
new VM ports.
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Partial-Implements: blueprint fwaas-api-2.0
Change-Id: I9e897444cd63e44c3274cdc9efedb35f8b325d1f
The current driver is implemented at [1], which will work
in standalone mode. However, the most important function of
fwaas v2 is "defense in depth". So this patch will enable
fwg and sg to co-exist. That means a packet must be allowed
by both of them.
[1] https://review.openstack.org/#/c/447251/
Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>
Change-Id: I3dc11c96637df765afa6abcc6ac9b24f942e53f7
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.
Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.
This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.
Change-Id: Ib19f7ea4ea136180f38bc78389f51b6b5d179ab8
When creating a firewall rule with port specified as a range of values,
e.g. [1], conntrack command for deleting current conntrack entries is
applied to the first number in the range, e.g. port #8778 in [1],
instead of the range of ports 8778:9000.
This incorrect behavior occurs because conntrack-tools
does not understand the port as a range of values.
This patch set fixes that issue by following the same method as done
in the netlink implementation in [2].
[1] "neutron firewall-rule-create --protocol tcp --action allow
--ip-version 4 --destination-port 8778:9000 --enabled True"
[2] https://review.openstack.org/#/c/438445/
Closes-Bug: #1702242
Co-Authored-By: Vu Cong Tuan <tuanvc@vn.fujitsu.com>
Change-Id: Ib17db09069a07f35109357d20b67b1acfa85c1a4
As part of the docs migration work[0] for Pike we need to switch to use
the openstackdocstheme.
[0] https://review.openstack.org/#/c/472275/
Change-Id: I75401744192375079eab8462065eeb87995c5706
Operators can configure service_provider and
other configuration of firewall using this file.
Change-Id: Icf957d9103f8ceb61709036fa4818af798e3fcd7
Closes-Bug: #1560892
Releasenote translation publishing is being prepared. 'locale_dirs'
needs to be defined in conf.py to generate translated version of the
release notes.
Note that this repository might not get translated release notes - or
no translations at all - but we add the entry here nevertheless to
prepare for it.
Change-Id: Ib60ba3d2159de9869f30cf6087efb688bd762b76
None of the existing release notes mention FWaaS v2, so a separate
release note is being added to debut it and describe the extent of its
implementation.
Change-Id: Iba874d49591f2f37a8623c1910cfcbb68634fa2f
Vendor drivers are being removed from the community repo and
they can continue to be hosted in respective vendor repos. This
has been discussed and communicated during the Mitaka release
and time given until the Newton release.
Change-Id: I9a64db228bcd9313c04d238c39ae1c53be89e339
The Cisco driver is being relocated to the networking-cisco
repo. This removes the driver from the neutron-fwaas
repo.
Change-Id: I0767852e2b5643c1aa45c8d58a430c3e3f5d6d36
Vendor drivers are being removed from the community repo and
they can continue to be hosted in respective vendor repos. This
has been discussed and communicated during the Mitaka release
and time given until the Newton release.
Change-Id: Id60a2cdb225a2acfa28efcf54f5bcae8cf9cf55a
I3a38904d8d5192170384d4db3fa461e801c48a4e highlights that this driver
does not conform with newer versions of pylint.
The driver itself was merged last year, and has not had any significant
changes.
Frankly, if anyone cares about this driver, now is the time to speak up.
Change-Id: Id144d179830ab51cb3370da65f640b81fa12008c
Co-Authored-By: Kyle Mestery <mestery@mestery.com>
Signed-off-by: Kyle Mestery <mestery@mestery.com>
Builds on prior attempts to register FWaaS resources to the quota
engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55
which had to be reverted for bug 1513280 for failing gate via commit
28948f6559.
Since with router insertion a user can have a separate firewall
and policy per targeted router in their tenant, the original
fixes which had defaults of only 1 were too low.
Also added the release notes and updated the options to reflect
the quota.
Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455
Closes-Bug: #1399280
This adds a new tox environment, genconfig, which generates a sample
neutron FWaaS configuration file using oslo-config-generator.
Partially-Implements: blueprint autogen-neutron-conf-file
Change-Id: I8e9113dfb88e5290f6eedd012d1a52fc35c3c88c
Partial-bug: #1199963