This reverts commit caae7b6a6f.
Reason for revert:
Many users still need L3 firewalls and the Inspur team wants to maintain
this project.
The Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas in the Neutron
stadium again [1].
Some updates have been made:
Remove use of the "autonested_transaction" method, see more in [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are in sync, set table
firewall_group_port_associations_v2's two columns nullable=False
[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728
Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
This commit converts the existing neutron-fwaas policy.json
into policy-in-code.
policy.json for testing is also removed. As a result, setup_config()
in neutron_fwaas.tests.base.NeutronDbPluginV2TestCase is no longer
required (as the content of setup_config() is now the same as that
in neutron).
Partially Implements: blueprint neutron-policy-in-code
Change-Id: I67be3a21f19e3f793312d64d358452ee4531c080
There is no need to import the corresponding unit test
in the neutron repo [1], as they just test that the policy engine
works correctly.
[1] a51271d760/neutron/tests/unit/test_policy.py (L273-L284)
Change-Id: I6dc6b2295a605444c918e44949f4b1485177e82e
Partial-Bug: #1703347
Operators can configure service_provider and
other configuration of firewall using this file.
Change-Id: Icf957d9103f8ceb61709036fa4818af798e3fcd7
Closes-Bug: #1560892
This reverts commit 6d5afd1a6f.
Because the Netlink solution moves the privileged privsep process into a netns
without moving it back to the root netns, which could break other methods
using the privileged process in neutron.
A follow-up change will rethink the Netlink solution to correct its netns
management and improve code documentation/coverage/safety.
This change doesn't revert requirements.txt. This will allow backporting
the revert of this change (i.e., allow backporting the rethought Netlink
solution).
Partial-Bug: #1664294
Change-Id: I0c2d3b90a5799ce8d3baf4d20e95b352d12dbdc7
When the Firewall is updated, the conntrack entries will be deleted
by conntrack-tools with each rule associated with each firewall rule.
In a large-scale system, updating so many rules will call a large number
of subprocesses to implement the "conntrack -D" commands. That will
consume system resources and time.
This patch proves of using Netlink to delete conntrack entries when updating
firewall-rules.
Using Netlink will save about 90 percent of the time used by conntrack-tools.
For detailed information, visit: https://goo.gl/3tm9Fx
Change-Id: I5babfd02090547ad886552201f843fa34761ce8a
Co-Authored-By: Cao Xuan Hoang <hoangcx@vn.fujitsu.com>
This patch adds fwaas-privsep.filters to the FWaaS repository to make it
easier to maintain. It also helps avoid making Neutron inversely
dependent on FWaaS when performing privsep configuration as in
https://review.openstack.org/#/c/392014/.
Change-Id: I71308130fbcc861a167371339c89a47410b8d09a
This sets up a new devstack keyword - q-fwaas-v1 - in addition to the
existing q-fwaas plugin. The q-fwaas keyword configures the devstack
plugin to support FWaaS v2. FWaaS v2 is the future, and should be the
default for development at this point. But the new keyword, q-fwaas-v1,
will set things up for FWaaS v1, and there is also q-fwaas-v2 to
explicitly select FWaaS v2.
Also ensure that /etc/neutron/policy.d gets set up for FWaaS
policy.json.
Depends-On: I88be1670a42fcca4aba3b643a1c5a072ce0d1035
Needed-By: I07a4e5a54c0ad862de791b655445e01f805981e4
Change-Id: If35ca26028ddedcf1bc22dd8749cb11c69a1ccbb
This change migrates the FWaaS policy.json entries from the Neutron
policy.json, and into the FWaaS repository. It also adds entries for
FWaaS v2.
Change-Id: Idd8993da78dbd779e2b3d38a4039dabf60d416d5
Oslo config generator was introduced in patch [1] to
automatically generate the sample Neutron FWaaS configuration
files.
This patch removes the static example configuration files from
the repository as they are now redundant.
[1] https://review.openstack.org/#/c/251974/
DocImpact: Update the docs that FWaaS no longer includes static example
configuration files. Instead, use tools/generate_config_file_samples.sh
to generate them, and the files generated now end with the .sample extension.
Change-Id: I31be3295606ba25929e9af9f40a035ff2b615234
Partially-Implements: blueprint autogen-neutron-conf-file
Partial-bug: #1199963
Depends-On: Ic8208850a27408c8fbeed80ecdb43345aa7dfaa4
This adds a new tox environment, genconfig, which generates a sample
Neutron FWaaS configuration file using oslo-config-generator.
Partially-Implements: blueprint autogen-neutron-conf-file
Change-Id: I8e9113dfb88e5290f6eedd012d1a52fc35c3c88c
Partial-bug: #1199963
blueprint: quantum-fwaas-agent
This is the first iteration of the FWaaS Agent with some basic
functionality to enable integration of Plugin - Agent - Driver.
An inheritance approach is taken with the L3 Agent to enable the
agent side messaging.
Unit tests, included, coverage being increased
Change-Id: Ib0970fdc4ad1ac53df66fba172a5a7f7d7ee3f1b