hacking 3.0.x is too old.
Try to synchronize pylint ignore and extension list with
other Networking projects.
With new pip the order of packages is not relevant, so the
related comment from requirements.txts is removed, see pip
documentation:
https://pip.pypa.io/en/stable/cli/pip_install/#installation-order
Change-Id: I99a2d30149088d3d71d56351d180e665c38686ef
This removed usage of LBaaS constants from unit tests. LBaaS was
retired some time ago and these constants will be removed.
Change-Id: I2951c866cdfbd88bcba9fb8d299f592cd6a44dff
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py38 and later, we can use the
standard lib unittest.mock module instead.
Change-Id: I009b6e65424ba3b662949baa1226fbf0ff14af80
Since [1] (release 1.11.0), the Alembic operations "now enforce
keyword-only arguments as passed as keyword and not positionally"
(from the commit message).
This change is compatible with the previous versions (as confirmed
in the CI).
[1]df75e85489
Closes-Bug: #2019948
Change-Id: Iedf9a47a80a2775f73e7873ce3e55c4152d0f564
If the status of the firewall group is consistent with the status
to be updated, there is no need to notify the plugin to update the
status.
The processing of the agent requires a certain amount of time. If
firewall group is updated during this period, updating the firewall
group status at this time may cause the firewall group to be in an
incorrect state.
Partial-Bug: #2021457
Change-Id: I316827259367d78d7dbb57888ad41408d44c43f6
Currently, we determine that the firewall group is in use based on
its ACTIVE status. But the firewall group may have just updated
the port and currently be in PENDING_UPDATE status; deletion should
not be allowed at this time.
This patch changes the judgment method for deleting firewall
groups: it is no longer based on their status but, like other neutron
resources, on whether or not they are associated.
Closes-Bug: #2018967
Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/883826
Change-Id: Ib7ab0daf9f6de45125ffc9408f865fc0964ff339
These exception definitions are already in neutron-lib.
And it has already been directly referenced in neutron lib
in the code.
Change-Id: I9f0d5efc3d86bdab97a188ea880780b19e2a7e43
Now, this patch will support standard_attrs for
firewall_group/firewall_rule/firewall_policy.
Closes-Bug: #1986906
Change-Id: Ib7b06d604a0950a104215bcf4386e14b77d20d12
Neutron recently merged a commit enabling secure rbacs by default
[1], breaking several unit tests of networking-fwaas.
This patch changes the necessary test calls to be admin and
requires neutron >= 23.0.0.0b2.
[1]670cc383e0
Related-Bug: #2019097
Change-Id: I60ad379f9fc94919581f461fd6a731cfe4baba30
In some logs, before other SQLAlchemy tracebacks, the absence of
this method is reported.
Change-Id: I36b2083ab3432080857d8ce97ea96f9b5acc87fe
Related-Bug: #2006683
The work for making routed networks work with multiple segments per
host introduced a new signature for VlanManager.get, requesting
segmentation_id; make neutron-fwaas code compatible with it.
With oslo.db 12.1.0 some unit tests started to fail; by using the
CONTEXT_R/W session we can fix it.
Adopt dsvm-functional target name as [0] changed in Neutron, so the new
name of the target is dsvm-functional-gate.
[0]: https://review.opendev.org/c/openstack/neutron/+/856262
Change-Id: Ie7459974f6f2358c8d9c37e66aa9cda530ecefc0
Related-Bug: #1956435
Related-Bug: #1764738
Library "distutils" will be marked as deprecated in Python 3.10:
https://peps.python.org/pep-0386/
This patch does the following replacements, that provide the same
functionality and API:
- distutils.spawn.find_executable -> shutil.which
Change-Id: Ib9cf36a70b6e5aba93f87e6be5c2636599166de2
Closes-Bug: #1973780
Neutron code migrated to SQLAlchemy 2.0[1], the goal of this
patch is to make the fwaas plugin code compliant with
SQLAlchemy 2.0.
[1] https://review.opendev.org/c/openstack/neutron/+/833247
Related-Bug: #1964575
Change-Id: If3e996740d4b5024e9c798227d0a58ceb09eb1d6
When applying a firewall group to a port with a rule that has a dest port
larger than the source port, neutron-openvswitch-agent raises the error
"'port_max' is smaller than 'port_min'". This is because the key
'port_range_max' is assigned by source_port_range_max. Fix the hard-coded
'port_range_max' to key_max.
Change-Id: I32d9efd857932547a13d275b8a4f294e03fe7535
Closes-Bug: #1869121
All setUp and tearDown methods must upcall using the super()
method. tearDown methods should be avoided and addCleanup calls
should be preferred[1].
[1] https://github.com/openstack/neutron/blob/master/HACKING.rst
Change-Id: Idef345a44cc9f926c61af342729736d1f9245036
This reverts commit caae7b6a6f.
Reason for revert:
Many users still need L3 firewalls and Inspur team wants to maintain
this project.
Neutron drivers team discussed the topic of the maintenance of
neutron-fwaas, and agreed to include neutron-fwaas again to Neutron
stadium[1].
Some updates have been made:
Remove use of the "autonested_transaction" method, see more [2]
Replace "neutron_lib.callbacks.registry.notify" with "registry.publish"
Replace rootwrap execution with privsep context execution.
Ensure db Models and migration scripts are in sync, set table
firewall_group_port_associations_v2's two columns nullable=False
[1] https://meetings.opendev.org/meetings/neutron_drivers/2022/neutron_drivers.2022-01-28-14.00.log.html#l-14
[2] https://review.opendev.org/c/openstack/neutron-lib/+/761728
Change-Id: I14f551c199d9badcf25b9e65c954c012326d27cd
L3AgentExtensionAPI now takes the new parameter 'router_factory'.
This API change breaks the test cases, so pass None to initialize
the class to avoid the failure.
Depends-On: https://review.openstack.org/#/c/620349/
Change-Id: Iaf3a8071eb6eec8c0c7240d1a0a5d057f7b152d2
Add new options to neutron_fwaas.conf for use in Default firewall group
rules. Separate ingress and egress: action, source ipv4, source ipv6,
source port, destination ipv4, destination ipv6, destination port.
Shared options for ingress and egress: protocol, enabled and shared.
New options are used in _create_default_firewall_rules and the default
values are the same as before this change: ingress (deny all),
egress (allow all).
Change-Id: Ic48872f3b7dfd4a87065799b7d3656de3d06e4c3
Closes-Bug: #1799358
When restarting l3 agent, it will detect whether the
router is updated. If the port in the firewall group is
not updated, it will also change its status. This patch
skips updating the status of firewall group which has no ports.
Change-Id: Ife294430409a9fb2944917a28a08323f41c89c0d
Closes-Bug: #1783327
When updating only the policy in firewall group, the 'del-port-ids'
and 'add-port-ids' return empty list, which causes the fwg status
to be inactive and iptables in the router namespace are not changed.
This patch fixes the above problem.
Change-Id: I1a4bc0a8258fbbc340825cccb6d287c94304d3c5
Closes-Bug: #1836015
If 'local_output_log_base' is specified, logging can use the
'logging_default_format_string' configuration in l3_agent.ini
like ovs firewall log. It can also set the log level based on
whether debug is enabled.
Change-Id: I7f10361b41acf58987399ea9e0c5720a9129a39b
When removing a port from the firewall group, the last port is detected as
true or false based on the old port and the new port, but it ignores the
specific number of ports, which causes the fwg status to be inactive regardless
of whether there is a port after the firewall group is reset.
Change-Id: I887e06893f3e11031548767272e95afee40462d8
Closes-Bug: #1817455
As privsep communicates with main process via socket, data passed
through this socket must be string type in Python 3. This patch
converts bytes to string, then privsep works correctly.
Change-Id: Ia6fa9a230853311849e327029ef7f0ad7d5d0451
Rule tuples used there may sometimes contain None as elements.
In such a case, if None and str values are compared in Python 3,
a TypeError exception is raised.
This patch fixes it by using a helper function which replaces
None values with an empty string before the list of tuples is sorted.
Change-Id: I3212851ce34047772c4f837631f519d656d366a7
When a firewall group has few ports, and some of those are removed,
the status of the firewall group should not become INACTIVE.
Change-Id: Ie3c0538ca31af9abb1b8c1cc5e4f6c3df9b16a1c
Closes-Bug: #1832450