Commit Graph

50 Commits

Author SHA1 Message Date
OpenStack Release Bot 64d7cd2d60 Update master for stable/2024.1
Add file to the reno documentation build to show release notes for
stable/2024.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2024.1.

Sem-Ver: feature
Change-Id: If74eaf7f7d10994ec91e2ec676bb6eb4b2f484a6
2024-03-14 06:17:57 +00:00
OpenStack Release Bot 960530916d Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.

Sem-Ver: feature
Change-Id: I5f7c8b7b019852558289e94dd18d4867b033b3cb
2023-09-15 13:55:02 +00:00
OpenStack Release Bot bc64e84851 Update master for stable/2023.1
Add file to the reno documentation build to show release notes for
stable/2023.1.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.1.

Sem-Ver: feature
Change-Id: I63a4a2131a6d569a120346dc20e8a413cdae93f4
2023-03-01 09:33:31 +00:00
OpenStack Release Bot e629c35656 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I37f7771e52e7f6d624bedca57b8c5186bf6be0cb
2022-09-14 13:43:44 +00:00
Ghanshyam Mann 1b4a84527c Update python testing as per zed cycle teting runtime
In Zed cycle, we have dropped the python 3.6/3.7[1] testing
and its support. Add release notes and update the python
classifier for the same.

[1] https://governance.openstack.org/tc/reference/runtimes/zed.html

Change-Id: Ib04b560408ccf22c86e899e15fbcbe86b53f636e
2022-05-11 22:18:19 -05:00
shanyunfan33 179019f82e remove unicode from code
remove unicode from code

Change-Id: I3e32aea0439f68e48c6ff178c50e8a91ac5415e4
2022-05-04 23:36:42 +00:00
ZhouHeng a9f26b81e2 revive neutron-fwaas project
This reverts commit caae7b6a6f.

Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].

Some updates have been made:
Remove use "autonested_transaction" method, see more [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are sync, set table
firewall_group_port_associations_v2's two columns nullable=False

[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728

Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
2022-03-01 01:01:47 +00:00
Slawek Kaplonski caae7b6a6f Retire neutron-fwaas project
Governance change is proposed at [1] and project config patch is
proposed at [2]

[1] https://review.opendev.org/735828
[2] https://review.opendev.org/#/c/735812/

Change-Id: I561504160e5548c54d1af31821c3366ab34cf0ec
2020-06-16 12:38:31 +02:00
OpenStack Proposal Bot 94c0d54ded Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ifee70c64b57e39214980781ad0d64e7ecdf70eb1
2020-04-16 06:42:10 +00:00
Slawek Kaplonski 5e6c048856 Deprecate neutron-fwaas as stadium project
It's sad but as we still don't have any maintainers for this project,
I think it's time to start process of deprecating this as part of
the Neutron stadium.

Change-Id: I8c8fc6b5ab8a169a0f4a7d77153bb1dfc1530b8e
2020-02-21 16:33:14 +01:00
caoyuan feb290fa19 Drop Python 2 Support
1. It's Ussuri. We can *finally* stop testing Python 2 [1]. Time to party.
We don't attempt any cleanup but simply stop testing with Python 2,
indicate that we only support Python 3 via 'setup.cfg' and remove any
Python 2 only dependencies.

This should free up a significant amount of resources from the gate and
let us start using Python 3 idioms in our code. Win-win.

2. Cleanup basepython from individual testenv sections

3. From this point on the codebase will be incompatible with python2

[1] https://governance.openstack.org/tc/resolutions/20180529-python2-deprecation-timeline.html#python2-deprecation-timeline

Change-Id: Ia08c363263aaa406d0bf55e10ce8258695387578
2020-01-22 10:53:44 -05:00
David Homolka f28c59df2b Default firewall group rules from configuration file
Add new options to neutron_fwaas.conf for using in Default firewall group
rules. Separate ingress and egress: action, source ipv4, source ipv6,
source port, destination ipv4, destination ipv6, destination port.
Shared options for ingress and egress: protocol, enabled and shared.

New options are used in _create_default_firewall_rules and default
value are same as before this change, ingress (deny all),
egress (allow all).

Change-Id: Ic48872f3b7dfd4a87065799b7d3656de3d06e4c3
Closes-Bug: #1799358
2019-09-11 11:07:59 +02:00
OpenStack Release Bot 9838f99d4c Update master for stable/stein
Add file to the reno documentation build to show release notes for
stable/stein.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/stein.

Change-Id: Ieb0ff6ce51300e1ded939da4df5634e0683ef60a
Sem-Ver: feature
2019-03-22 00:22:35 +00:00
Adit Sarfaty e7f2f781ee FWaaS v1->v2 DB migration
FWaaS V1 is expected to be deleted on the Stein cycle.
This patch introduces a new tool the DB migration from FWaaS v1 to FWaaS V2.

Run this tool using: neutron-fwaas-migrate-v1-to-v2 --neutron-db-connection=<neutron database connection string>

Change-Id: I663c173a594137056c96ad4c4b60e810059fb6fa
2019-02-03 08:13:56 +00:00
Nguyen Phuong An 0e968fa0c7 Removing FWaaS v1 source code
As German Eichberger's email at
https://markmail.org/message/2kva4b3lwgddyeau. So This patch intend to
removes source code related FWaaS V1.

Change-Id: I4e440c854e5aa11193d38946e659481f4fefded2
2019-02-02 02:27:14 +09:00
OpenStack Release Bot 55254d4bd8 Update reno for stable/rocky
Change-Id: I0b857ba7cc162143f145f97b16a828873eb0ad73
2018-08-09 21:53:13 +00:00
Yushiro FURUKAWA 5b3ac1ebda Add releasenote for FWaaS v2 logging
This commit adds releasenote for FWaaS v2 logging feature[1].

[1] https://specs.openstack.org/openstack/neutron-specs/specs/rocky/extend-logging-framework-to-support-for-FWaaS-v2.html

Partial-Bug: #1720727
Change-Id: Ib7df1d574004f3a0eb45786c3995d715022dc46d
2018-08-09 20:06:40 +09:00
OpenStack Proposal Bot a42b27f56e Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: Ie737eed36c0ce8703f3f5a7cc08bc1545fa038b7
2018-05-01 07:43:38 +00:00
OpenStack Proposal Bot 07a6a0528f Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I957570afd9b642aaba76a56629af1e2212eac9bf
2018-03-01 06:40:28 +00:00
OpenStack Release Bot 3976042bef Update reno for stable/queens
Change-Id: Id3b09b3ca93d82012dad20298cc6114a2c43fcb9
2018-02-09 16:35:14 +00:00
Nguyen Phuong An 358c2edb53 Validating if a port is supported by FWaaS L2 driver
Currently, FWaaS L2 driver based OVS only works correctly with
VM ports, which are landed at compute nodes with:
    * mechanism_drivers=openvswitch
    * firewall_driver=noop or openvswitch for security group

If you try to add a VM port to a FWG, which is landed at compute
nodes with:
    * mechanism_drivers=linuxbridge and firewall_driver=iptables
    * mechanism_drivers=openvswitch and firewall_driver=iptables_hybrid
Then, FWaaS V2 API  won't work correctly.

So this patch validates if VM ports are supported fully by FWaaS L2
driver at this moment. In the future, if FWaaS L2 driver can support
not only hybrid port but also other ports, we can remove this validation.

Change-Id: Ib0a85b55840d8dfe6bcae91484a0440902d3c49a
Closes-Bug: #1746855
2018-02-05 13:07:12 +07:00
Nguyen Phuong An 66d4431f99 Remove disable option for default FWG and allow only on VM ports
Currently, auto associate default FWG works only one time and the logic
is broken if the new port is a DHCP port or router port. This patch
fixes the problem by validating if a port is a VM port or not,
ignores port binding failed or unbound and also adds trusted port
handling. In addition, for security perspective,
'auto_associate_default_firewall_group' CfgOpt is no longer used.
Automatic association with default firewall group with VM port
works by default.

Closes-Bug: #1746404
Co-Authored-By: Yushiro FURUKAWA<y.furukawa_2@jp.fujitsu.com>
Co-Authored-By: Chandan Dutta Chowdhury<chandanc@juniper.net>
Change-Id: Ib567c0e0333335a99b851162d87f17f1a8ceb2dd
2018-02-04 15:06:07 +00:00
Zuul 469593e84d Merge "Adding new tables for future consumption" 2018-01-18 16:59:58 +00:00
Nguyen Phuong An 63c843130b Adding new tables for future consumption
In ovsfw code, we've introduced new tables ACCEPTED_EGRESS_TRAFFIC_TABLE,
ACCEPTED_INGRESS_TRAFFIC_TABLE, DROPPED_TRAFFIC_TABLE for future
consumption like logging [1]. This patch adopts that to firewall driver
based OVS, then the issue related to security group logging which is specified
in release note of co-existence patch will be fixed.

[1] 65bde9f769

Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>

Change-Id: Ie673de416b67aceb2401d6fb8485dcb4f36a3d07
2018-01-18 13:46:23 +07:00
Yushiro FURUKAWA 816dce17e1 Apply default firewall group for new VM ports
The default fwg will be applied to all new VM ports within
a project if option auto_association_default_firewall_group
is enabled. This provides a way for a tenant network admin
to define a tenant wide firewall policy that applies to all
new VM ports.

Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>

Partial-Implements: blueprint fwaas-api-2.0
Change-Id: I9e897444cd63e44c3274cdc9efedb35f8b325d1f
2018-01-17 15:52:02 +09:00
Nguyen Phuong An 4d64670274 Co-existing between fwg and sg
The current driver is implemeted at [1], which will work
in standalone mode. However, the most important function of
fwaas v2 is "defense in depth". So this patch will enable
fwg and sg to co-exist. That means a packet must be allowed
by both of them.

[1]https://review.openstack.org/#/c/447251/

Co-Authored-By: Chandan Dutta Chowdhury <chandanc@juniper.net>

Change-Id: I3dc11c96637df765afa6abcc6ac9b24f942e53f7
2017-12-29 14:30:10 +07:00
OpenStack Proposal Bot 586b269a0f Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: I64a80cc2052dcdb01ea0113dd508a823f02a049a
2017-12-13 06:05:29 +00:00
Yushiro FURUKAWA b0b8d9e8df Add reno for "OVS based l2 Firewall driver for FWaaS v2"
This commit adds releasenote for https://review.openstack.org/#/c/447251

Change-Id: I70e2a6514459a0993246bb7cdcab9c2dae2344ea
Partial-Implements: blueprint fwaas-api-2.0
2017-12-06 17:57:38 +09:00
OpenStack Proposal Bot 74eac2ca29 Imported Translations from Zanata
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html

Change-Id: If381d85152e469601d8987a051e00a99b4327a0d
2017-11-20 06:28:32 +00:00
Andreas Jaeger d5e0033bdd Remove setting of version/release from releasenotes
Release notes are version independent, so remove version/release
values. We've found that projects now require the service package
to be installed in order to build release notes, and this is entirely
due to the current convention of pulling in the version information.

Release notes should not need installation in order to build, so this
unnecessary version setting needs to be removed.

This is needed for new release notes publishing, see
I56909152975f731a9d2c21b2825b972195e48ee8 and the discussion starting
at
http://lists.openstack.org/pipermail/openstack-dev/2017-November/124480.html
.

Change-Id: Ib19f7ea4ea136180f38bc78389f51b6b5d179ab8
2017-11-16 20:34:33 +01:00
Jenkins 102860c4a4 Merge "FW rule applied incorrectly if port specified is a range" 2017-08-23 03:16:06 +00:00
Cuong Nguyen f589293aec FW rule applied incorrectly if port specified is a range
When creating a firewall rule with port specified as a range of values,
e.g. [1], conntrack command for deleting current conntrack entries is
applied to the first number in the range, e.g. port #8778 in [1],
instead of the range of ports 8778:9000.

This incorrect behavior occurs because conntrack-tools
does not understand the port as a range of values.
This patch set fixes that issue by following the same method as done
in the netlink implementation in [2].

[1] "neutron firewall-rule-create --protocol tcp --action allow
--ip-version 4 --destination-port 8778:9000 --enabled True"
[2] https://review.openstack.org/#/c/438445/

Closes-Bug: #1702242
Co-Authored-By: Vu Cong Tuan <tuanvc@vn.fujitsu.com>
Change-Id: Ib17db09069a07f35109357d20b67b1acfa85c1a4
2017-08-18 09:14:12 +00:00
OpenStack Proposal Bot d5224f1935 Imported Translations from Zanata
For more information about this automatic import see:
http://docs.openstack.org/developer/i18n/reviewing-translation-import.html

Change-Id: I34115b32ff5d0168c0b3965c7cc97c6d58e7adcd
2017-08-17 06:54:26 +00:00
Jenkins 49d0aacec6 Merge "Update reno for stable/pike" 2017-08-16 20:27:50 +00:00
Andreas Jaeger 0258c4f22f fix releasenotes build
Releasenotes build currently fails with:

releasenotes/source/index.rst:13:Explicit markup ends without a blank
line; unexpected unindent

Fix this.

Change-Id: Ic083f2770992cdf36ddbba2c43609fabfd6a8353
2017-08-14 22:39:02 +02:00
OpenStack Release Bot dc3f001439 Update reno for stable/pike
Change-Id: I0634ea7d79d214deec86786332ec18eec3e8555c
2017-08-11 08:58:30 +00:00
Van Hung Pham 47378eec71 Switch from oslosphinx to openstackdocstheme
As part of the docs migration work[0] for Pike we need to switch to use
the openstackdocstheme.

[0]https://review.openstack.org/#/c/472275/

Change-Id: I75401744192375079eab8462065eeb87995c5706
2017-07-05 04:54:40 +09:00
Vikash082 93da2295df Added neutron_fwaas.conf file for Firewall config
Operators can configure service_provider and
other configuration of firewall using this file.

Change-Id: Icf957d9103f8ceb61709036fa4818af798e3fcd7
Closes-Bug: #1560892
2017-05-24 10:51:42 +05:30
OpenStack Release Bot 405291456d Update reno for stable/ocata
Change-Id: I1e7894b9f3542681e6e087e84e4a01d2096cf1b5
2017-02-04 01:03:46 +00:00
Andreas Jaeger 13168c003e Enable release notes translation
Releasenote translation publishing is being prepared. 'locale_dirs'
needs to be defined in conf.py to generate translated version of the
release notes.

Note that this repository might not get translated release notes - or
no translations at all - but we add the entry here nevertheless to
prepare for it.

Change-Id: Ib60ba3d2159de9869f30cf6087efb688bd762b76
2016-10-06 20:33:08 +02:00
Davanum Srinivas 795afd7388 Update reno for stable/newton
Change-Id: I3ad8a63362e24d35cbcec61718f2b1634b9ef939
2016-09-16 16:18:49 +00:00
Nate Johnston e2ea1e36c6 Add reno note for FWaaS v2
None of the existing release notes mention FWaaS v2, so a separate
release note is being added to debut it and describe the extent of its
implementation.

Change-Id: Iba874d49591f2f37a8623c1910cfcbb68634fa2f
2016-09-09 16:26:30 +00:00
Sridar Kandaswamy f6aed8b66a Remove vendor driver: vyatta from community repo
Vendor drivers are being removed from the community repo and
they can continue to be hosted in respective vendor repos. This
has been discussed and communicated during the Mitaka release
and time given until the Newton release.

Change-Id: I9a64db228bcd9313c04d238c39ae1c53be89e339
2016-08-28 21:46:53 -07:00
Tim Swanson 2be5839e5b Remove Cisco driver from neutron-fwaas repo.
The Cisco driver is being relocated to the networking-cisco
repo.  This removes the driver from the neutron-fwaas
repo.

Change-Id: I0767852e2b5643c1aa45c8d58a430c3e3f5d6d36
2016-08-26 16:20:33 -07:00
Sridar Kandaswamy ca7c5c2b72 Remove vendor driver: vArmour from community repo
Vendor drivers are being removed from the community repo and
they can continue to be hosted in respective vendor repos. This
has been discussed and communicated during the Mitaka release
and time given until the Newton release.

Change-Id: Id60a2cdb225a2acfa28efcf54f5bcae8cf9cf55a
2016-08-25 21:40:31 -07:00
Sean M. Collins 3f6777d5b8 Delete mcafee FwaaS driver
I3a38904d8d5192170384d4db3fa461e801c48a4e highlights that this driver
does not conform with newer versions of pylint.

The driver itself was merged last year, and has not had any significant
changes.

Frankly, if anyone cares about this driver, now is the time to speak up.

Change-Id: Id144d179830ab51cb3370da65f640b81fa12008c
Co-Authored-By: Kyle Mestery <mestery@mestery.com>
Signed-off-by: Kyle Mestery <mestery@mestery.com>
2016-06-30 08:38:13 -05:00
Thierry Carrez 9858111d1c Update reno for stable/mitaka
Change-Id: I6a1777e415f3447b0cde56e9289b96ff7e5922cd
2016-03-16 17:17:53 +00:00
James Arendt e338df4244 FWaaS quota registration
Builds on prior attempts to register FWaaS resources to the quota
engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55
which had to be reverted for bug 1513280 for failing gate via commit
28948f6559.

Since with router insertion a user can have a separate firewall
and policy per targeted router in their tenant, the original
fixes which had defaults of only 1 were too low.

Also added the release notes and updated the options to reflect
the quota.

Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455
Closes-Bug: #1399280
2016-02-13 19:17:43 -08:00
Martin Hickey 93883c17db Automatically generate neutron FWaaS configuration files
This adds a new tox environment, genconfig, which generates sample
neutron FWaaS configuration file using oslo-config-generator.

Partially-Implements: blueprint autogen-neutron-conf-file

Change-Id: I8e9113dfb88e5290f6eedd012d1a52fc35c3c88c
Partial-bug: #1199963
2015-12-07 10:50:11 +00:00
Kyle Mestery bffe8c1175 Add reno for release notes management
Change-Id: Ice756c9d916e6a8686c2b56da361b376db14b158
Signed-off-by: Kyle Mestery <mestery@mestery.com>
2015-12-04 10:17:19 -06:00