[DevStack] Configure iptables_v2 firewall driver for FWaaS V2.

Currently DevStack configures iptables v1 firewall driver for
both FWaaS versions. In case of V2 it means that all calls to
firewall group related driver methods are handled by the
FwaasDriverBase metaclass and are actually no-op.

Also updated FWaaS V2 scenario test to configure firewall rule
that'd allow SSH.

Change-Id: I0bdb4998f21d65564a30b6faa0250aad68f5c7b2
(cherry picked from commit 21d18e303c)

devstack/plugin.sh

@@ -37,6 +37,7 @@ function configure_fwaas_v1() {
     neutron_fwaas_configure_driver fwaas
     iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v1
     iniset_multiline $Q_L3_CONF_FILE fwaas conntrack_driver conntrack
+    iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V1
 }
 
 function configure_fwaas_v2() {
@@ -44,6 +45,7 @@ function configure_fwaas_v2() {
     cp $NEUTRON_FWAAS_DIR/etc/neutron_fwaas.conf.sample $NEUTRON_FWAAS_CONF
     neutron_fwaas_configure_driver fwaas_v2
     iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
+    iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2
 }
 
 function neutron_fwaas_generate_config_files {
@@ -85,7 +87,6 @@ function neutron_fwaas_configure_driver {
     plugin_agent_add_l3_agent_extension $1
     configure_l3_agent
     iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
-    iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
 }
 
 # check for service enabled

devstack/settings

@@ -1,4 +1,5 @@
-FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
+FWAAS_DRIVER_V1=${FWAAS_DRIVER_V1:-iptables}
+FWAAS_DRIVER_V2=${FWAAS_DRIVER_V2:-iptables_v2}
 FWAAS_PLUGIN_V1=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}
 FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}
 

neutron_fwaas/tests/tempest_plugin/tests/scenario/test_fwaas_v2.py

@@ -224,8 +224,13 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
             private_key=topology['private_key2'])
 
         # Scenario 1: Add allow ICMP rules between the two VMs.
-        fw_rule = self.create_firewall_rule(action="allow", protocol="icmp")
-        fw_policy = self.create_firewall_policy(firewall_rules=[fw_rule['id']])
+        fw_allow_icmp_rule = self.create_firewall_rule(action="allow",
+                                                       protocol="icmp")
+        fw_allow_ssh_rule = self.create_firewall_rule(action="allow",
+                                                      protocol="tcp",
+                                                      destination_port=22)
+        fw_policy = self.create_firewall_policy(
+            firewall_rules=[fw_allow_icmp_rule['id'], fw_allow_ssh_rule['id']])
         fw_group = self.create_firewall_group(
             ports=[
                 topology['router_portid_1'],
@@ -233,8 +238,9 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
             ingress_firewall_policy_id=fw_policy['id'],
             egress_firewall_policy_id=fw_policy['id'])
         self._wait_firewall_group_ready(fw_group['id'])
-        LOG.debug('fw_rule: %s\nfw_policy: %s\nfw_group: %s\n',
-                  fw_rule, fw_policy, fw_group)
+        LOG.debug('fw_allow_icmp_rule: %s\nfw_allow_ssh_rule: %s\n'
+                  'fw_policy: %s\nfw_group: %s\n',
+                  fw_allow_icmp_rule, fw_allow_ssh_rule, fw_policy, fw_group)
 
         # Check the connectivity between VM1 and VM2. It should Pass.
         self._check_connectivity_between_internal_networks(