16 Commits

Author SHA1 Message Date
ZhouHeng a9f26b81e2 revive neutron-fwaas project
This reverts commit caae7b6a6f.

Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].

Some updates have been made:
Remove use of "autonested_transaction" method, see more [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are in sync, set table
firewall_group_port_associations_v2's two columns nullable=False

[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728

Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
2022-03-01 01:01:47 +00:00
Slawek Kaplonski caae7b6a6f Retire neutron-fwaas project
Governance change is proposed at [1] and project config patch is
proposed at [2]

[1] https://review.opendev.org/735828
[2] https://review.opendev.org/#/c/735812/

Change-Id: I561504160e5548c54d1af31821c3366ab34cf0ec
2020-06-16 12:38:31 +02:00
Akihiro Motoki 3288743827 Convert policy.json into policy-in-code
This commit converts the existing neutron-fwaas policy.json
into policy-in-code.

policy.json for testing is also removed. As a result, setup_config()
in neutron_fwaas.tests.base.NeutronDbPluginV2TestCase is no longer
required now (as the content of setup_config() is now same as that
in neutron).

Partially Implements: blueprint neutron-policy-in-code
Change-Id: I67be3a21f19e3f793312d64d358452ee4531c080
2018-12-27 15:31:04 +00:00
Akihiro Motoki 355b250b10 Move remaining policy rules specific to neutron-fwaas
There is no need to import the corresponding unit test
in the neutron repo [1], as they just test that the policy engine
works correctly.

[1] a51271d760/neutron/tests/unit/test_policy.py (L273-L284)

Change-Id: I6dc6b2295a605444c918e44949f4b1485177e82e
Partial-Bug: #1703347
2017-07-10 20:16:23 +00:00
Vikash082 93da2295df Added neutron_fwaas.conf file for Firewall config
Operators can configure service_provider and
other configuration of firewall using this file.

Change-Id: Icf957d9103f8ceb61709036fa4818af798e3fcd7
Closes-Bug: #1560892
2017-05-24 10:51:42 +05:30
reedip 1723762cf1 Migrate Public attribute to shared in Policy.json
Change-Id: I364620b03ea07f4c22f647985db5fc815b55e64a
Closes-Bug: #1676922
2017-04-14 21:54:02 +00:00
Cedric Brandily 01ae5e7ec0 Revert "Netlink solution to improve FWaaS performance"
This reverts commit 6d5afd1a6f.

Because Netlink solution moves privileged privsep process into netns
without moving it back to root netns which could break other methods
using privileged process in neutron.

A follow-up change will rethink Netlink solution to correct its netns
management and improve code documentation/coverage/safety.

This change doesn't revert requirements.txt. It will allow to backport
the revert of this change (ie: allow to backport the rethought Netlink
solution).

Partial-Bug: #1664294
Change-Id: I0c2d3b90a5799ce8d3baf4d20e95b352d12dbdc7
2017-02-16 21:44:50 +01:00
Margaret Frances e7ebbebb39 Update policy.json for FWaaS v2
This commit supports FWaaS v2 CLI as OSC plugin[1].
[1] http://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

Added our policy to the DB unit tests
Amended tempest to avoid failure

Co-Authored-By: Yushiro Furukawa <y.furukawa_2@jp.fujitsu.com>
Co-Authored-By: German Eichberger <german.eichberger@rackspace.com>

Change-Id: I3d2ef99f60af2a05b5d38ebdc90f818541317e8c
Partial-Implements: blueprint fwaas-api-2.0
Depends-On: I7b4108772e8370e8f51971caf40ecd23e9f977e9
Depends-On: I57504f97ac39b5b7d301fd5cc88228a121f0677e
Closes-Bug: #1609686
2017-01-26 15:40:36 +09:00
Ha Van Tu 6d5afd1a6f Netlink solution to improve FWaaS performance
When the Firewall is updated, the conntrack entries will be deleted
by conntrack-tools with each rule associated with each firewall rules.
In a large-scale system, updating so many rules will call a large number
of subprocesses to implement the "conntrack -D" commands. That will
consume the system resource and time.

This patch proves of using Netlink to delete conntrack entries when updating
firewall-rules.

Using Netlink will save about 90 percent of the time that is used by conntrack-tools.

For detail information, visit: https://goo.gl/3tm9Fx

Change-Id: I5babfd02090547ad886552201f843fa34761ce8a
Co-Authored-By: Cao Xuan Hoang <hoangcx@vn.fujitsu.com>
2017-01-25 15:53:31 +07:00
Ha Van Tu 27b0fff119 Privsep configuration for neutron-fwaas
This patch adds fwaas-privsep.filters to FWaaS repository to be
easier to maintain. It also helps avoid making Neutron be inversely
dependent on FWaaS when performing privsep configuration as in
https://review.openstack.org/#/c/392014/.

Change-Id: I71308130fbcc861a167371339c89a47410b8d09a
2017-01-04 18:10:47 +07:00
Nate Johnston a66f3a68bf Add devstack plugin support for fwaas v2
This sets up a new devstack keyword - q-fwaas-v1 - in addition to the
existing q-fwaas plugin.  The q-fwaas keyword configures the devstack
plugin to support FWaaS v2.  FWaaS v2 is the future, and should be the
default for development at this point.  But the new keyword, q-fwaas-v1,
will set things up for FWaaS v1, and there is also q-fwaas-v2 to
explicitly select FWaaS v2.

Also ensure that /etc/neutron/policy.d gets set up for FWaaS
policy.json.

Depends-On: I88be1670a42fcca4aba3b643a1c5a072ce0d1035
Needed-By: I07a4e5a54c0ad862de791b655445e01f805981e4
Change-Id: If35ca26028ddedcf1bc22dd8749cb11c69a1ccbb
2016-09-23 19:38:29 +00:00
Nate Johnston 68b4bcaae5 Migrate FWaaS policy.json to FWaaS repo
This change migrates the FWaaS policy.json entries from the Neutron
policy.json, and into the FWaaS repository.  It also adds entries for
FWaaS v2.

Change-Id: Idd8993da78dbd779e2b3d38a4039dabf60d416d5
2016-09-01 13:41:42 +00:00
Martin Hickey 6713d0ac33 Remove Neutron FWaaS static example configuration files
Oslo config generator was introduced in patch [1] to
automatically generate the sample Neutron FWaaS configuration
files.

This patch removes the static example configuration files from
the repository as they are now redundant.

[1] https://review.openstack.org/#/c/251974/

DocImpact: Update the docs that FWaaS no longer includes static example
configuration files. Instead, use tools/generate_config_file_samples.sh
to generate them and the files generated now end with .sample extension.

Change-Id: I31be3295606ba25929e9af9f40a035ff2b615234
Partially-Implements: blueprint autogen-neutron-conf-file
Partial-bug: #1199963
Depends-On: Ic8208850a27408c8fbeed80ecdb43345aa7dfaa4
2015-12-08 20:02:33 +00:00
Martin Hickey 93883c17db Automatically generate neutron FWaaS configuration files
This adds a new tox environment, genconfig, which generates sample
neutron FWaaS configuration file using oslo-config-generator.

Partially-Implements: blueprint autogen-neutron-conf-file

Change-Id: I8e9113dfb88e5290f6eedd012d1a52fc35c3c88c
Partial-bug: #1199963
2015-12-07 10:50:11 +00:00
Doug Wiegley 9f1f6cf5d9 Fix python path in ini file
Change-Id: I934cea427b9ea941e446c04e6e8754676769a4fb
2014-12-09 21:37:35 -07:00
Sridar Kandaswamy 14208b5e79 Firewall as a Service (FWaaS) Agent
blueprint: quantum-fwaas-agent

This is the first iteration of the FWaaS Agent with some basic
functionality to enable integration of Plugin - Agent - Driver.

An inheritance approach is taken with the L3 Agent to enable the
agent side messaging.

Unit tests, included, coverage being increased

Change-Id: Ib0970fdc4ad1ac53df66fba172a5a7f7d7ee3f1b
2013-08-11 10:56:37 -07:00