[DevStack] Configure iptables_v2 firewall driver for FWaaS V2.
Currently DevStack configures iptables v1 firewall driver for
both FWaaS versions. In the case of V2, this means that all calls to
firewall-group-related driver methods are handled by the
FwaasDriverBase metaclass and are actually no-ops.
Also updated FWaaS V2 scenario test to configure firewall rule
that'd allow SSH.
Change-Id: I0bdb4998f21d65564a30b6faa0250aad68f5c7b2
(cherry picked from commit 21d18e303c
)
parent
734e02ad61
commit
2c47f7122c
|
@ -37,6 +37,7 @@ function configure_fwaas_v1() {
|
|||
neutron_fwaas_configure_driver fwaas
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v1
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas conntrack_driver conntrack
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V1
|
||||
}
|
||||
|
||||
function configure_fwaas_v2() {
|
||||
|
@ -44,6 +45,7 @@ function configure_fwaas_v2() {
|
|||
cp $NEUTRON_FWAAS_DIR/etc/neutron_fwaas.conf.sample $NEUTRON_FWAAS_CONF
|
||||
neutron_fwaas_configure_driver fwaas_v2
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas agent_version v2
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2
|
||||
}
|
||||
|
||||
function neutron_fwaas_generate_config_files {
|
||||
|
@ -85,7 +87,6 @@ function neutron_fwaas_configure_driver {
|
|||
plugin_agent_add_l3_agent_extension $1
|
||||
configure_l3_agent
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas enabled True
|
||||
iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER
|
||||
}
|
||||
|
||||
# check for service enabled
|
||||
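Review bot: The `iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER_V2` line in configure_fwaas_v2 (it appears to be the added one) carries no comment saying why the driver is now set per version. According to the commit description, a V1 driver under `agent_version v2` turns firewall group calls into silent no-ops, which a later edit could easily reintroduce. I would put a comment above it: `# Must be a V2 driver: a V1 driver makes firewall group calls no-ops, so no rules are enforced.` The body of configure_fwaas_v2 starts outside the second hunk, so anything else it sets is not visible here.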
|
|
|
@ -1,4 +1,5 @@
|
|||
FWAAS_DRIVER=${FWAAS_DRIVER:-iptables}
|
||||
FWAAS_DRIVER_V1=${FWAAS_DRIVER_V1:-iptables}
|
||||
FWAAS_DRIVER_V2=${FWAAS_DRIVER_V2:-iptables_v2}
|
||||
FWAAS_PLUGIN_V1=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin}
|
||||
FWAAS_PLUGIN_V2=${FWAAS_PLUGIN:-neutron_fwaas.services.firewall.fwaas_plugin_v2.FirewallPluginV2}
|
||||
|
||||
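Review bot: `FWAAS_DRIVER` is still defined on the first line, but the plugin hunks on this page appear to remove its only visible use (`iniset_multiline $Q_L3_CONF_FILE fwaas driver $FWAAS_DRIVER`). If that is right, an existing override of `FWAAS_DRIVER` would now be ignored without any message. For V1, back-compat can be kept with `FWAAS_DRIVER_V1=${FWAAS_DRIVER_V1:-$FWAAS_DRIVER}`, plus a comment marking `FWAAS_DRIVER` as deprecated. The V2 default should stay independent of `FWAAS_DRIVER`, since inheriting a V1 driver name there would bring back the no-op behaviour the commit description mentions.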
|
|
|
@ -224,8 +224,13 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
|||
private_key=topology['private_key2'])
|
||||
|
||||
# Scenario 1: Add allow ICMP rules between the two VMs.
|
||||
fw_rule = self.create_firewall_rule(action="allow", protocol="icmp")
|
||||
fw_policy = self.create_firewall_policy(firewall_rules=[fw_rule['id']])
|
||||
fw_allow_icmp_rule = self.create_firewall_rule(action="allow",
|
||||
protocol="icmp")
|
||||
fw_allow_ssh_rule = self.create_firewall_rule(action="allow",
|
||||
protocol="tcp",
|
||||
destination_port=22)
|
||||
fw_policy = self.create_firewall_policy(
|
||||
firewall_rules=[fw_allow_icmp_rule['id'], fw_allow_ssh_rule['id']])
|
||||
fw_group = self.create_firewall_group(
|
||||
ports=[
|
||||
topology['router_portid_1'],
|
||||
|
@ -233,8 +238,9 @@ class TestFWaaS_v2(base.FWaaSScenarioTest_V2):
|
|||
ingress_firewall_policy_id=fw_policy['id'],
|
||||
egress_firewall_policy_id=fw_policy['id'])
|
||||
self._wait_firewall_group_ready(fw_group['id'])
|
||||
LOG.debug('fw_rule: %s\nfw_policy: %s\nfw_group: %s\n',
|
||||
fw_rule, fw_policy, fw_group)
|
||||
LOG.debug('fw_allow_icmp_rule: %s\nfw_allow_ssh_rule: %s\n'
|
||||
'fw_policy: %s\nfw_group: %s\n',
|
||||
fw_allow_icmp_rule, fw_allow_ssh_rule, fw_policy, fw_group)
|
||||
|
||||
# Check the connectivity between VM1 and VM2. It should Pass.
|
||||
self._check_connectivity_between_internal_networks(
|
||||
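Review bot: The comment `# Scenario 1: Add allow ICMP rules between the two VMs.` no longer matches the code below it, which now also creates an allow rule for TCP destination port 22. I would change it to `# Scenario 1: Allow ICMP and SSH (tcp/22) between the two VMs.` Separately, the visible part of the scenario only asserts that permitted traffic passes, which would also succeed with a driver that enforces nothing. If no later step outside these hunks checks that traffic is blocked once a rule is removed or denied, that check is what would catch the regression this commit fixes. The test method starts and ends outside the hunks.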
|
|