authorZuul <zuul@review.openstack.org>2018-04-26 11:38:18 +0000
committerGerrit Code Review <review@openstack.org>2018-04-26 11:38:18 +0000
commit4a8d0f98881db17558aa28506391d3a73fbcd7fe (patch)
treee104b6661ab181754e1f2325857ca60a3bfbf474
parentfb7c7e48933e5ee6035a51ba6747bedf59d3001b (diff)
parent8b2c40366b3b65876e5465efae05b171be1bc473 (diff)
Merge "ovs-fw: Apply openflow rules immediately during update"
-rw-r--r--neutron/agent/linux/openvswitch_firewall/firewall.py7
-rw-r--r--neutron/tests/common/conn_testers.py3
-rw-r--r--neutron/tests/common/net_helpers.py6
-rw-r--r--neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py10
4 files changed, 24 insertions, 2 deletions
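--- a/neutron/agent/linux/openvswitch_firewall/firewall.py
+++ b/neutron/agent/linux/openvswitch_firewall/firewall.py
@@ -575,6 +575,13 @@ class OVSFirewallDriver(firewall.FirewallDriver):
 def _update_flows_for_port(self, of_port, old_of_port):
 with self.update_cookie_context():
 self._set_port_filters(of_port)
+# Flush the flows caused by changes made to deferred bridge. The reason
+# is that following delete_all_port_flows() call uses --strict
+# parameter that cannot be combined with other non-strict rules, hence
+# all parameters with --strict are applied right away. In order to
+# avoid applying delete rules with --strict *before*
+# _set_port_filters() we dump currently cached flows here.
+self.int_br.apply_flows()
 self.delete_all_port_flows(old_of_port)
 # Rewrite update cookie with default cookie
 self._set_port_filters(of_port)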
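Review bot: The ordering this hunk establishes in `_update_flows_for_port` is only as strong as `self.int_br.apply_flows()` itself, whose implementation is not visible here: if that call can return without the cached flows having been installed, the strict `delete_all_port_flows(old_of_port)` right after it removes the old rules with nothing in their place, leaving the port without its security-group flows until the final `_set_port_filters(of_port)` is applied. The comment should say what is expected on failure and use "flush" instead of "dump", which reads like `dump-flows`; for example end it with `# _set_port_filters() we flush the currently cached flows here; a failure must propagate so the delete below is never reached.` When the caller is inside `defer_apply()`, this flush presumably applies every flow cached on the deferred bridge and not only this port's, which is worth stating in the same comment.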
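--- a/neutron/tests/common/conn_testers.py
+++ b/neutron/tests/common/conn_testers.py
@@ -308,7 +308,8 @@ class ConnectionTester(fixtures.Fixture):
 except KeyError:
 src_namespace, dst_address = self._get_namespace_and_address(
 direction)
-pinger = net_helpers.Pinger(src_namespace, dst_address)
+pinger = net_helpers.Pinger(
+src_namespace, dst_address, interval=0.3)
 self._pingers[direction] = pinger
 return pinger
 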
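Review bot: The literal `interval=0.3` in the new `net_helpers.Pinger(...)` call carries no explanation, so a later reader cannot tell whether the value is load-bearing for the firewall-update tests or arbitrary. Judging by the commit title, the shorter interval is presumably there so that a brief loss of connectivity during a rule update is actually observed; if so, say it with a comment such as `# Ping faster than the default so short gaps while flows are rewritten are detected.` The enclosing method starts and ends outside this hunk.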
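--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -352,7 +352,8 @@ class Pinger(object):
 r'.* Destination .* Unreachable')
 TIMEOUT = 15
 
-def __init__(self, namespace, address, count=None, timeout=1):
+def __init__(self, namespace, address, count=None, timeout=1,
+interval=None):
 self.proc = None
 self.namespace = namespace
 self.address = address
@@ -361,6 +362,7 @@ class Pinger(object):
 self.destination_unreachable = False
 self.sent = 0
 self.received = 0
+self.interval = interval
 
 def _wait_for_death(self):
 is_dead = lambda: self.proc.poll() is not None
@@ -390,6 +392,8 @@ class Pinger(object):
 cmd = [ping_exec, self.address, '-W', str(self.timeout)]
 if self.count:
 cmd.extend(['-c', str(self.count)])
+if self.interval:
+cmd.extend(['-i', str(self.interval)])
 self.proc = RootHelperProcess(cmd, namespace=self.namespace)
 
 def stop(self):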
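Review bot: The new `interval` parameter of `Pinger.__init__` is undocumented and is forwarded unvalidated to the `ping` command line in the third hunk via `cmd.extend(['-i', str(self.interval)])`. Since the command is run through `RootHelperProcess`, a short docstring line stating the unit and accepted range would help, e.g. `interval: seconds between echo requests, passed to ping -i; None keeps ping's default.` The truthiness test `if self.interval:` also treats `0` the same as `None`; if that is intended, say so, otherwise use `if self.interval is not None:`. Both `__init__` and the method that builds `cmd` extend beyond the hunks shown.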
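--- a/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
+++ b/neutron/tests/unit/agent/linux/openvswitch_firewall/test_firewall.py
@@ -609,6 +609,16 @@ class TestOVSFirewallDriver(base.BaseTestCase):
 self.firewall.update_port_filter(port_dict)
 self.assertTrue(self.mock_bridge.br.delete_flows.called)
 
+def test_update_port_filter_applies_added_flows(self):
+"""Check flows are applied right after _set_flows is called."""
+port_dict = {'device': 'port-id',
+'security_groups': [1]}
+self._prepare_security_group()
+self.firewall.prepare_port_filter(port_dict)
+with self.firewall.defer_apply():
+self.firewall.update_port_filter(port_dict)
+self.assertEqual(2, self.mock_bridge.apply_flows.call_count)
+
 def test_remove_port_filter(self):
 port_dict = {'device': 'port-id',
 'security_groups': [1]}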
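Review bot: `test_update_port_filter_applies_added_flows` asserts only that `self.mock_bridge.apply_flows.call_count` equals 2, which does not pin the property the fix is about: that the flush happens before the strict delete. A regression that moved `apply_flows()` after `delete_all_port_flows()` would still produce the same count and pass. Consider recording `apply_flows` and `br.delete_flows` on one parent mock and asserting that the first `apply_flows` call precedes the first `delete_flows` call in its `mock_calls`. The docstring also refers to `_set_flows`, while the driver code in this commit calls `_set_port_filters`; naming the actual method would make the intent clearer.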